Microsoft is currently fighting a legal battle against the US government over a warrant that requires it to hand over emails stored on a server in Dublin. This demand, made under the terms of the Stored Communications Act of 1986, is seemingly in violation of the Safe Harbor agreement, drawn up between the EU and the US in 2000 to allow the interchange of data despite differences in data protection laws. Under that agreement, US companies operating in the EU or processing or storing EU data must follow a set of privacy practices, such as informing individuals that their data is being collected and how it will be used.
Surprisingly, perhaps, privacy campaigner Caspar Bowden says he hopes that Microsoft will lose the case. His reasoning is that the US government can use other legal instruments, such as FISA 702 or Executive Order 12333, to brush aside such niceties as Safe Harbor or binding corporate rules (BCR) and get its hands on such data perfectly legally any time it likes; as such, the whole case is a smokescreen that actually suits both parties.
“Even if Microsoft wins that case, and I hope they don’t because that’ll just shore up the whole rotten system, it will make no difference to surveillance by the NSA under FISA 702 or Executive Order 12333 [see below],” he told Computing.
Bowden – who was the chief privacy adviser to 40 national technology officers at Microsoft before he was “let go” in 2011 after revealing what FISA 702 implies for the firm’s non-US customers – believes that this is all for show. It is part of a campaign of “cloudwashing” on the part of government and the industry, he says, that deliberately conflates data security – over which US cloud companies and their customers can take an active role – and government surveillance, over which, for legal reasons, they cannot. FISA 702 allows the US government to install surveillance apparatus inside the data centres of US companies. These interventions are covered by the espionage law, and anyone revealing their existence could face a lengthy jail sentence, as Yahoo’s Marissa Mayer revealed.
Section 702 is a 2008 amendment to the original Foreign Intelligence Surveillance Act (FISA) that permits the targeting of the electronic communications of individuals reasonably believed to be located outside the US, but is limited to targeting non-US persons. Section 702 underpins the NSA’s Prism surveillance programme.

Executive Order 12333 (EO 12333) grants surveillance powers to US intelligence agencies. It can be amended at any time by the US president without recourse to Congress.
A one-way street
The legal arrangements between the EU and US on matters of privacy and data protection are very much a one-way street. While US law broadly protects US citizens against blanket surveillance of their electronic communications, non-US residents – i.e. 95 per cent of the world’s population – are offered no such safeguards. What’s more, the FISA definition of “foreign intelligence information”, that is, the information the NSA is allowed to collect from “non-US citizens outside of the US”, is extremely broad, going far beyond that pertaining to national security, terrorism or criminal activities and making most data fair game for collection. Finally, the burden of proof required to authorise the collection of data is far less stringent when it concerns foreigners than it is for US residents.
“This is the only law I know of where the very term of the intelligence to be collected is conditioned by the nationality of the person. It’s quite unique,” Bowden said.
“The USA is exceptionally exceptionalist. If you look for examples of discrimination by nationality rather than the geography of the communication path there are about 40 in US law counting up FISA, FISAA, Patriot Act, First and Fourth Amendment protections, and so on; by contrast the UK has zero … With EU data that’s in the US, you have no rights at all. That’s what’s changed with cloud.”
What does all this mean for cloud customers of US firms?
First, there is a need to differentiate between data that is merely stored on remote servers and data that is processed in the cloud. Stored data can be encrypted, thus providing an effective barrier against snooping. However, data that is processed is vulnerable.
“If you want to do useful work on data in somebody else’s data centre, there’s no technical way to protect it because even if the data is encrypted on disk, when it passes through the CPU it has to be in plaintext,” he said.
There are various levels in a PaaS software stack where surveillance code could potentially be introduced, perhaps disguised as a patch. It could then scale with the deployment to hoover up the unencrypted data.
While no hard evidence has yet emerged of such practices being carried out, Bowden says “the writing’s on the wall”, pointing out that FISA 702 allows the NSA to force US cloud companies to comply with such techniques.
Time for a European cloud?
The NSA’s reach, both legal and technical, means that non-US organisations should never allow personal or sensitive data to be processed by US public cloud providers, Bowden believes. However, this goes very much against the current direction of travel, with the scalability and convenience of cloud processing winning over many converts.
In the absence of legislation to rein in the activity of the security services (Bowden holds little hope that the upcoming EU General Data Protection Regulation will be of much help) what should organisations be doing to protect themselves in the cloud? Could a wider adoption of tokenisation perhaps be a way to evade the spooks? Bowden thinks not.
“Tokenisation is vulnerable to traffic analysis, and ultimately it destroys the rationale for cloud as scalable and elastic processing power, because the token gateway becomes a bottleneck for scalability,” he said, adding that routing traffic through proxies to evade interception would negate the simplicity that makes processing in the cloud so attractive in the first place.
So, there is currently no technological silver bullet. But there are ways that life can be made considerably more difficult for the NSA spooks: by selecting a data centre that is located, owned and operated in the EU and that deploys open-source software, for one.
“The best security strategy from now on will be to use audited, GPL-licensed (and probably AGPL) code, where the source is scrutable by modern bug-finding automated techniques,” Bowden said.
While its reach may be the longest, the US government is far from alone in its desire to monitor internet activity, and companies need to take more responsibility in their selection of cloud providers to minimise the opportunities for surveillance.
Bowden recommends that hypervisors should be Type-1, to avoid guest operating systems (which might be compromised) having too much access; operating systems should be security-hardened; and hardware should also be open-source where possible.
There are few, if any, cloud providers that can fulfil all these criteria but each item on the list will make some difference.
“Until now, GCHQ and NSA have been snatching candy from blind babies. Hardening the infrastructure to both legal and technical attack will severely curtail their options, leaving penetrations, which are risky because detectable,” said Bowden.
Ultimately, though, however hard it may be, reining in the security services is a political rather than a technical task.
“Lobby the US government to change the law to prohibit any discrimination by nationality. Lobby the EU and other countries to introduce whistleblower protection. Stop lobbying to dilute and defang global and especially EU privacy laws,” Bowden urged.
But with security services and politicians pushing for ever greater powers in the wake of recent terrorist attacks (which, incidentally, surveillance failed to stop), that fight is going to be a tough one.