Major Internet Companies Call for Government Surveillance Reforms to Ensure Greater Cloud Data Privacy
“Recent revelations about government surveillance activities have shaken the trust of our users…”
-Marissa Mayer, CEO, Yahoo
This week, major American tech companies’ resistance to government surveillance practices went public in a big way with Reform Government Surveillance, an open letter to President Obama and Congress signed by Google, Microsoft, Facebook, LinkedIn, Twitter, Yahoo, and AOL. Concerns about cloud data privacy threaten “America’s leadership role in consumer-facing internet technology,” as Anthony Wing Kosner wrote for Forbes. And the footprint that cloud services from companies like Google and Microsoft have in the enterprise means that the issue extends far beyond individual consumers’ data privacy worries.
“People won’t use technology they don’t trust. Governments have put this trust at risk…”
-Brad Smith, General Counsel and Executive Vice President, Legal and Corporate Affairs, Microsoft
To address problems caused by the alarming scope of government surveillance activities alleged by this year’s NSA spying revelations, Reform Government Surveillance’s signatories call on the U.S. government to take five actions:
- Set “sensible limitations on their ability to compel service providers to disclose user data.” These limitations should, according to Reform Government Surveillance, preclude the indiscriminate collection of bulk data. This is especially vital for enterprises with data stored in multi-tenant clouds.
- Enforce “strong checks and balances” on the agencies charged with collecting data from cloud providers. Among these checks and balances, Reform Government Surveillance places particular emphasis on independent reviewing courts with public, adversarial process “so that the courts are accountable to an informed citizenry.”
- Create an environment of transparency around government surveillance programs and activities. Companies should be free “to publish the number and nature of government demands for user information,” Reform Government Surveillance states, and “should also promptly disclose this data publicly.”
- Permit data traffic across national borders, which Reform Government Surveillance calls “essential to a robust 21st century global economy.” Most of the major cloud service providers maintain data centers in multiple countries. Restrictive data residency regulations can severely limit their ability to function at the levels customers require.
- Create a “robust, principled, and transparent framework to govern lawful requests for data across jurisdictions” to further support the international operations of major cloud companies and prevent what the Guardian’s Dan Roberts and Jemima Kiss called “a balkanisation of the web as governments try to prevent internet companies from escaping overseas” and the companies themselves look for ways to protect their data and interests.
“The security of users’ data is critical, which is why we’ve invested so much in encryption and fight for transparency around government requests for information. This is undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many governments around the world.”
-Larry Page, CEO, Google
If the U.S. government takes these actions, cloud data privacy will gain a powerful defender. Is such an outcome likely, though? The fact that every NSA revelation Edward Snowden leaks paints a bleaker picture of data privacy than the one before does not encourage optimism.
In an environment like this, some might argue that it’s simply safer to stay away from the cloud. At CipherCloud, however, we believe that enterprises can still safely adopt the cloud, and can do so today. That’s because encryption is still ultimately the key to cloud data privacy.
The cloud providers already know this. In an effort to bolster cloud data privacy within its internal network, Microsoft has promised to encrypt customer information as it moves between its data centers. Google and Yahoo also plan to enhance encryption within their networks, as John Ribeiro reported for PCWorld. But encryption across their hyperscale infrastructures is no easy task. Microsoft’s encryption efforts may take until the end of 2014. And as we know, handing the responsibility for encryption over to a third party means handing access to the encryption keys over, too.
Appropriately encrypting your cloud-destined data and retaining exclusive access to the encryption keys is still the best way to address cloud data privacy concerns. Doing so means that even if government agencies gain access to enterprise data you’ve stored in the cloud, they cannot decrypt its contents without your enterprise’s knowledge and consent. That puts control of your cloud data privacy back in your hands.
Recent events continue to demonstrate the importance of the principles behind CipherCloud’s Cloud Information Protection platform. In the absence of governments committed to protecting cloud data privacy, total control of the encryption of your data matters.
Do you think the U.S. government will listen to Reform Government Surveillance’s pleas? Let us know in the comments.