Friday, 9 August 2013

Why PRISM etc. makes me really nervous

So many people have said recently, "if you haven't done anything wrong, you have nothing to worry about". What a load of garbage/trash/rubbish/hogwash. In the last couple of weeks, I have already heard of a few people who have felt the brush of the FBI when they didn't do anything wrong, and today I have read the sad news of Lavabit deciding to close their company rather than comply with the shady dealings of the US government. Try telling the owners of that company that they have nothing to worry about.
For US companies, this is really bad news. Being compelled secretly to compromise your users' privacy and security is rather frightening. You trust the US government? Then you are foolish. What kind of government thinks it is acceptable to spy secretly on its own citizens (despite the fact they are only supposed to spy on foreign nationals!)? Where is it OK that a Court, supposedly set up to provide judicial oversight for the executive, is held in secret, has secret proceedings and, in some cases, prosecutes people who either do not know they are being prosecuted or are not privy to the evidence used against them? All of this is in complete opposition to the idea of a Court: a public and defensible case against an individual by society. In what country is it OK for someone to search your apartment, access your emails, dig into your life, all without even telling you about it? Russia? China? The Banana republics? Nope. The USA, for many years the world leader in technology and where many IT companies are based.
Why am I nervous? I live in the UK so I am not bound by the Patriot Act and all the sordid laws that were somehow not only passed under George W Bush but have been upheld by Obama, no doubt to appease the paranoid law agencies in the US. Well, I use a Cloud provider (Microsoft) to host my service, a single-sign-on service. They have a data centre in Ireland but it is a US company so no doubt, if the US wanted information on one of my customers, MS could give them access to the Virtual Machines that host my data. They wouldn't bother approaching me because they would not be able to compel me to give them the information (and I would rather go to Court than provide it) but can MS access my servers? My web application? My database server? I would imagine so. I happen to encrypt most of the data I host in my web application (which many people don't) but the keys are obviously there somewhere, otherwise the web application would be useless. Can the US mine this information? The thing that makes me nervous is I have no way of knowing. Microsoft can say whatever they want but in reality, I know they are compelled not to reveal anything of the truth of the NSA access, although I doubt they would admit to it anyway since it looks bad if they allow a back door. The US government can say whatever they want about it only being for targeting people who are suspected terrorists but, no offence USA, your history of paranoia means you think everyone is a terrorist. What about the couple who searched for pressure cooker and backpack on the internet and got a visit from law enforcement? What about your contempt for Russia, who have offered Edward Snowden asylum, even though that is the normal course for anyone accused of political crimes? What about the way you have treated everyone who has told people some of what you get up to, revealing how much you have been lying to your houses of Senate and Congress even though they are supposed to have oversight?
Basically, I have to assume my data is accessible by the NSA and if that is a problem, I have to do one of 3 things. Firstly, like Lavabit, I can close my company - not something I would like to do but probably something I would do if I was compelled to act like the US companies. Secondly, I could move everything in-house, where I at least have control over access and would know what data I have to share with the government, because the request would have to come to me instead of my service provider. Thirdly, I would have to try and be clever and set the system up to separate keys from data, split things across service providers and do all kinds of clever stuff to make it impossible for them to recreate my data without my help.
I'm not holding my breath for a solution though.