Prism, spying and cloud computing: should businesses be worried?

Michael Wigley

Our clients over the years have asked questions like: “Do  privacy and security considerations mean we shouldn’t move our data and its processing from our internal servers to cloud computing? And should we allow it to go to the States, given spying powers in legislation such as  the Patriot Act?”.

How do the answers to those questions change with this month’s revelations?

In his NBR Weekend Review article, How I learned to stop worrying and love Prism,  cloud computing consultant, Ian Apperley, argues there should be little change to the approach.

Is he right?

He says:

  • Such surveillance has been going on for years, via PRISM predecessors, Waihopai based surveillance and so on: PRISM is nothing more than a PR mess. 
  • If only the business holds the encryption key (i.e. the ability to get at the encrypted data)  for data held offshore, that provides protection. 
  • In relation to one key remaining area of weakness – access to data when it is decrypted to enable it to be processed – new techniques, called homomorphic cryptography,  are evolving which enable the processing to happen while the data remains encrypted.  When that happens, data can go off shore to be held and processed, without the ability for others to access it, if the key is only held here by the business.
  • Why are people so alarmed about Government spys accessing data, when private companies like Fly Buys continuously surveil us.

They’re all fair points with strength, even though they can be debated.  For some, that will be enough reason to continue off-shore cloud computing including in the States, assuming homomorphic cryptography is available.  But that is only in development.  Even without that, this may be enough for some businesses.  ICT security risk assessment involves weighing up risk, benefit and practicality.  Legal risk is but one facet but it is a real issue.

We’ve found that some things can be flavour of the month, leading to distorted outcomes.  For example, some will be saying, this month: “The ICT security risk of having data and its processing in the States is too high in view of the spy agencies’ wide-sweeping surveillance of billions of transactions”.  But that is too simplistic:

  • Having cloud computing done in a country – such as the USA – where such intrusive steps to protect against cyber-terrorism and the like  can ultimately mean that the business’s  overall data is more secure. For example,  cyber-attacks by non-USA governments and businesses may be less likely.
  • The alternatives could be worse. We’ve seen businesses choose to take cloud computing to countries that are less stable and secure than the US, because of the perceived problems around the Patriot Act etc. And continued processing and storage of data on internal servers can be riskier than that happening off shore on the cloud:  human error for example is a key risk of internal data storage and processing systems. When assessing the risk, the comparison is not the proposed system (off shore cloud computing in the States or elsewhere) against perfection, but the proposed system compared with the real-life status quo and/or other real-life options.
  • This is not just about intrusion by Government spys.  Big data use by businesses has exponentially increasing intrusion on other businesses and individuals, as we outlined in our article, Big Data in business–father learns of teenage daughter’s  pregnancy from retail chain.

The sort-of  gold plate standard for privacy and security has been the EU Data Protection Directive.   New Zealand recently joined the very small club of non-EU countries declared to be compliant with the EU’s requirements for international processing of data.  This opens up opportunities for New Zealand businesses to do cloud computing for other countries, inside and outside the US.  But:

  • There are the media reports that there may have been PRISM-like activities in EU countries: so where do they now stand?
  • If the new GCSB and telecommunications interception legislation is sub-optimal and does not contain appropriate controls on the spy agencies, NZ cloud computing suppliers may lose business.

It’s too early to jump to conclusions on what to do about these PRISM and other developments when assessing how businesses should handle cloud computing choices. That calls for balanced and careful consideration, not assessment based on one part of the story.  The picture will become clearer over the coming weeks and months.

Michael Wigley is principal at Wellington law firm Wigley and Company.

This article is tagged with the following keywords. Find out more about My Tags

Post Comment

5 Comments & Questions

Commenter icon key: Subscriber Verified

The Dotcom case illustrates the porous wall between the US Govt and US big business political contributors. I would not put anything unencrypted over international networks that I did not want either of the above to see or potentially to record and store for many years.

If you have nothing to hide, don't worry. But don't come bleating later you weren't warned either.

Reply
Share

I agree for the most part, though I think the Dotcom example, given their strange and unique business model, might be a poor example. In fact, he's pretty much dead in the water these days.

Encrypt encrypt encrypt and then encrypt some more. Sound advice.

Reply
Share

You seem to miss the point. Hollywood successfully co-opted the US and NZ spies to their purpose via the Obama administration. Dotcom's business model was merely the motivation. The linkage was exposed.

Reply
Share

Useful advice. The data gathering megabusiness has been with us for a very long time. It exists and we have to live with it simply because it won't go away. Regulation cannot keep up with innovation and we certainly don't want to loose innovation in business. It is all part of the global and regional economies we are inextricably embedded in. Quit looking for dramas and dedicate our time to doing what we do well without conspiracy theories always at the fore. (Get a life, guys)

Reply
Share

" ICT security risk assessment involves weighing up risk, benefit and practicality. Legal risk is but one facet but it is a real issue."

I agree. My article was somewhat flippant in a world that reacts quickly to perceived security threats as opposed to having a more, balanced view.

One of the things that I find the most difficult, working with different companies, is the legal perspective on data sovereignty. It is usually a long discussion, which doesn't seem to have any legal precedents in New Zealand.

On the upside, we are seeing strong alternatives in Cloud Services providers within New Zealand borders, which may make the discussion easier (if a little more expensive).

Reply
Share

Post New comment or question

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.

NZ Market Snapshot

Forex

Sym Price Change
USD 0.7842 -0.0078 -0.98%
AUD 0.8914 -0.0023 -0.26%
EUR 0.6203 -0.0015 -0.24%
GBP 0.4896 -0.0010 -0.20%
HKD 6.0810 -0.0622 -1.01%
JPY 85.2860 -0.3520 -0.41%

Commods

Commodity Price Change Time
Gold Index 1229.0 2.000 2014-10-28T00:
Oil Brent 86.0 -0.650 2014-10-28T00:
Oil Nymex 81.4 0.410 2014-10-28T00:
Silver Index 17.2 0.065 2014-10-28T00:

Indices

Symbol Open High Last %
NZX 50 5338.3 5367.6 5338.3 0.33%
NASDAQ 4551.4 4564.4 4564.3 -0.33%
DAX 9139.0 9157.6 9068.2 0.16%
DJI 17005.1 17065.5 17005.8 -0.18%
FTSE 6402.2 6475.4 6402.2 0.81%
HKSE 23704.0 23855.7 23520.4 1.27%
NI225 15442.4 15595.3 15329.9 1.46%