Internet Surveillance, Online Security and Privacy

Whether your business does all its business online or not, if you are starting or running a business today you will have some form of online presence. You’ll use email, you may use a web based accounting package, you may use a payment gateway, backup services, etc.

So, you will be using one or more of those services somewhere “in the cloud”. Does this mean you don’t have to think about privacy and security?

I reckon that the answer most companies give will, if not explicitly referring to the service provider, imply that they have essentially outsourced these aspects to the cloud provider, as a consequence of using them for the service. After all, the cloud service provider will have policies on this.

However, I also think that this is fundamentally wrong, and companies can’t outsource their obligations like that. Whether they can legally do this, I do not know – I am not a lawyer.

Let’s presume for a moment that you can legally do this, why would we bother thinking about it any further? Let me give you a few suggestions of why you might care about this.

If your service provider has a security breach, your data could end up in places it shouldn’t. Never mind competitors or perceived strategic information, I think that’s actually minor or irrelevant stuff.

But if you happen to have addresses of clients, and that list ends up in a spam database, then in many cases it can actually get traced back to you. This is because enough people use one address per company or mailing list they subscribe to, so when one address “leaks” they know exactly where it comes from. Apart from possible liability issues, publicity (or even rumours) involving your company name in this context is of course quite damaging.

And if your company maintains additional data related to clients, a leak may mean that you’ve breached the confidentiality agreement between your company and those clients.

Such things are not good for business.

One lesson is to not collect or store data you don’t really need, as this very basic consideration can significantly reduce the breadth and depth of data you will be responsible for. Collecting lots of data is cheap these days, but (and that’s aside from privacy and other legal factors) never forget that it implicitly comes with responsibility.

The other lesson is that you do need to care about what you host, where, and how.

On a related note, read the following article by Bruce Schneier: A Fraying of the Public/Private Surveillance Partnership. Insightful quote:

[…] today’s secret NSA programs become tomorrow’s PhD theses, and the next day’s criminal hacker tools. It’s impossible to build an Internet where the good guys can eavesdrop, and the bad guys cannot. We have a choice between an Internet that is vulnerable to all attackers, or an Internet that is safe from all attackers. And a safe and secure Internet is in everyone’s best interest […]

Seeing people such as Edward Snowden as the problem doesn’t solve anything. I don’t want to get into a discussion on their actions as it’s irrelevant to the matter at hand. Without them, the issues would still exist, we just would learn about them later (or never). A house can be on fire regardless of whether anybody is watching it.

Also, what Bruce alludes to is the fallacy that a few “good guys” may have skills and access to particular technology or data, and others have not. Others not just being foreign governments, but also criminal organisations and other private enterprise.

The term I typically use when such a statement is presented: “arrogance”. As with all inventions, it is exceedingly arrogant, and provably wrong, to presume that no one else on the planet has (or can) come up with that idea. Typically, several people come up with the same idea around the same time. These days we hear about this more often, which is a healthy lesson. Some may not be able to use the idea at that time (for whatever reason), but that’s a sideline and not something to rely on.

When you have a physical file in your office, and someone either copies it or walks off with it, the issue is clearer and fairly well understood. There might be signs that your office has been broken into, or perhaps someone on the inside was involved. Some of these things can still be visible in an electronic environment, but it is possible to copy or eavesdrop on bits of data without getting detected [as a techie, I would note that it does depend on the mechanisms in place and how security is monitored, but suffice to say it is possible and not likely to be completely preventable, as that becomes prohibitively expensive as well as too arduous to work with]. If your hosting provider has been breached somehow, others can have access to traffic on what you thought was a private network.

If you take a backup disk home, that’s pretty clear. If you store your backups “in the cloud”, someone else might be able to get to it either in storage or along the way.

I predict that with so many services and datasets now “in the cloud” and so many companies using these services, there is a significant (and sufficient) economic incentive for criminal organisations to capitalise on this. Corporate espionage, extortion scams (pay us or we’ll publish this info or give it to someone else). Based on this, I would guess that this is happening already. The problem will exist. At some point it will come to light that some big provider was breached years before, retrospectively accounting for many nasty things that happened to numerous companies in different countries.

I’m not saying to not use any cloud service. You could go that way if you have the tech savvy to do it all yourself including the skills and resources to make and keep that secure. But generally speaking many of these services have merit. They just come with additional responsibilities and considerations that are generally not covered by the services’ own information texts. So, what I’m saying is that by being aware of these matters, you can take more informed decisions, and be a more responsible keeper of information. When something happens, you might then be a vindicated observer, rather than a victim.

And of course, if you are (or are considering starting up) a provider of online services, be and stay aware of your responsibilities. Please do mention the issues described above in your communications, and specifically state how you address these issues. That’d be good marketing.