It seems unusual that news articles such as this would indicate so many people would quit the cloud over PRISM. The crux of the matter is that most of the places that people would host with, could be easily accessible to any law enforcement that really wants it anyway? The real news is how quickly they can get it, and that the court order frameworks are really just rubber stamping. This is not a surprise to many in the security community – in fact, I think it shows they are just doing the job properly.
It’s key to note that should a company or person choose to host any of their data in a hosted location – it will be available to local law enforcement. This isn’t anything new, only the data provided by major US companies is. The worrying thing isn’t those that publish the information, it’s the ones that don’t.
Also of concern to people is that foreign governments are cooperating with the US in data collection. To that I say – isn’t that the point? Don’t we want Allies combining their data to allow them to pursue the investigations they need to? This is the real reason many hosters are not harping on about PRISM, and in particular why Australian hosters aren’t jumping on the ‘Host-Here- Avoid-PRISM’ bandwagon. They simply won’t know, or likely many know that indeed it does occur, or they’d be silly to risk a statement like that backfiring.
Users of any off-site service should know:
- Your information can be intercepted at any point by law enforcement or others if not encrypted from endpoint to endpoint. This isn’t new, but be aware of the issues with intra-datacentre traffic too.
- Any device can typically be imaged by law enforcement if they need to in the course of an investigation. This is certainly more invasive and annoying for law enforcement than PRISM-like data collection, but possible.
- Information can (and should) be shared between jurisdictions if needed. Again, not news, and less than the revelations around wholesale data sharing between intelligence groups – but the fact they can justify this level of expense means they were doing it a lot before anyway, but this method is cheaper, easier, faster.
- Personal data is available from many, many sources of probably equal scariness around your shopping habits, activities, things like search history, visited pages etc. This information is given away by free apps to enable them to make money to provide services. It ain’t cheap to be facebook – so how do they make money, off selling our data of course!
- Giving away data to foreign companies in terms of industrial espionage can, and is, in a lot of cases by some obvious candidates, state sponsored. This sort of thing is absolutely to be worried about by large-scale corporates with useful IP, or large-scale deals in play. The ease of eavsdropping and bugging at all levels of the data/telco stack is huge, and shouldn’t be discounted.
- Encrypt. And keep those keys secure!
- Use anonymising services, but don’t think it protects you that much. Things like DuckDuckGo just make the tracking a little harder to get around (it’s unlikely they are using proper obfuscation techniques to prevent analysis of network traffic from identifying searches) and won’t stop information from being transferred via other uses of free services. Get used to it, or opt out of modern social networks and services.
- Intelligence services now have reams and reams of easily accessible data from the internet, and don’t need court orders to get at it. That just means they are able to act at the speed they hope they would, and big data is being used for something other than marketing. Which is good.