In our second day of the Ars UNITE virtual conference, we looked at just how broken cloud privacy is and asked what can be done to fix it. Response to our feature on the topic, “Taking back privacy in the post-Snowden cloud,” fell primarily into two camps: “Don’t use the cloud!” and “build your own!” (The latter which can be loosely translated as... “don’t use the cloud.")
It seems unlikely that Congress will act to fix the problems with cloud privacy, which include a gap between privacy laws in the US and other countries. That was a source of concern long before the Snowden revelations, and it predates the extra-territorial reach of US law enforcement and intelligence damaging trust in cloud privacy overseas. Long-time Arsian Kilroy240 expressed cynicism over any government involvement in a fix. “Other than minimizing cyber-theft (personal/corporate data, IP), what would the government gain by improving the security of the cloud?” the user wrote. “This would just make it harder for them to monitor data traffic—strictly because they are trying to ‘save us from the terrorists.”
Both in the feature comments and in the live discussion, we explored whether government could (and would) do anything to fix the cloud’s privacy and security problems—many of which government agencies created in the first place. Perhaps more importantly, what could be done absent their help?
Our panelists debated whether the feds were in fact already helping. Cristian Borcea, associate chair of the Computer Science Department at the New Jersey Institute of Technology, said that the NSA was now actively making the cloud better by providing “certain security tools” to organizations to protect against malware. However, do such actions impede progress instead? “The thing that would encourage me,” said the Electronic Frontier Foundation’s Peter Eckersley, “would be the NSA, FBI, and DHS rolling up their sleeves and saying, ‘We're going to take defensive cyber security seriously, we're going to find and fix bugs in all of the standard tools and infrastructure until US businesses and individuals have meaningful protection against intrusion from China, from Russia, wherever it comes from.’ But instead we see those agencies still fighting to persuade US cloud providers to weaken their security.”
The complete transcript
For more in-depth details from the discussion, here's a complete transcript of today's event. It has been lightly edited for clarity (and to untangle responses), and questions from Ars and Ars readers are bolded for easier browsing.
Sean Gallagher: Hello, and welcome to our live conversation on privacy, security, and the future of cloud computing. We're just waiting for everyone to join us and will get started shortly. The topic of today's discussion is the future of cloud computing, and whether it's possible to find a balance between the low cost, convenience, and always-available (or at least almost always available) nature of cloud computing on the one hand... ...and preserving our privacy and the security of personal and corporate data on the other. I've got some prepared questions for our guests, who will be joining us shortly. But if you have any questions about the present and future of cloud, please submit them as comments. I'll be pushing those questions into the discussion throughout this session. Joining us today are Cristian Borcea, the Associate Chair of the Department of Computer Science at the New Jersey Institute of Technology... (There Cristian?)
Cristian Borcea: I'm here, Hello everyone!
Gallagher: Welcome, Cristian. Also joining us will be Peter Eckersley of the Electronic Frontier Foundation, and Arthur van der Wees of Arthur's Legal B.V. in Amsterdam.
Arthur van der Wees: Hi Sean, thanks for your invitation; it is great to join the dialogue.
Peter Eckersley: Hi Sean; hello everyone!
Gallagher: To get things rolling, let's talk about where we are with cloud. What, aside from just not using cloud services, can we do today to minimize the privacy risk of cloud? Cristian, feel free to take the first crack at that.
Borcea: With existing cloud platforms, the only realistic solution is to do client-side encryption; the customers will have to manage their keys. But this works for storage. if you want to use the data in the cloud, then you're in trouble. (J)And after Snowden's disclosure about RSA encryption, the question is: how much one should trust a certain encryption algorithm.
Eckersley: That's absolutely right. If your cloud provider can't read the content you store there, you've mitigated a lot (perhaps not all) of the associated risks. Historically that's only been possible for very technical individuals and organizations, but we're seeing a growing number of cloud providers that are offering products that work that way by default.
Van der Wees: I agree; encryption is one of the key topics to address. Same with the question 'what is cloud' goes for encryption though.
Gallagher: So, if you are dependent on an application that's sitting in the cloud for encryption—even if it's a virtual machine you've set up—you're basically out of luck.
Eckersley: Sean, that's approximately right. We don't know how to make virtual machines that are protected against surveillance from the hardware or hypervisors they're running on.
Van der Wees: Indeed, most cloud service vendors that do not have a data broker business model, offer encryption in some sort of way.
Gallagher: A couple of related questions here on encryption from our audience:
Tin-foil hat says: What is a truly paranoid person to do with his data? Do you need to just set up your own, personally controlled versions of all these cloud services? Never do anything except through Tor? Stop using the Internet altogether?
Cody Woodard says: Assuming that the solution may be to encrypt everything, but who should manage the keys? Should we trust cloud providers with keys to our encryption, or would putting that responsibility on end users be too much for the end user to bear?
Borcea: I believe we should not trust the cloud providers with managing the keys - it defeats the purpose in my opinion.
Van der Wees: Typically the initial data owner should have the key, on premise. But that implies that one has some kind of server that manages such key. Keys should not be with third parties, except if such are trusted third parties. In the enterprise market we see SLO's (service level objectives) regarding cryptography. Such as cryptography brute force resistance, being strength of a cryptographic protection applied to a resource based on its key length, for example using the ECRYPT II security level recommendations or the FIPS security levels for encryption. It may not be the perfect solution, but it improves unauthorized use.
Eckersley: So the most interesting new design in this space is Apple's design for iMessage and FaceTime where Apple has tried to use Hardware Security Modules (HSMs) to prevent themselves from disclosing your keys to anyone who doesn't guess your 4 digit pin correctly in within the first ten guesses.
Gallagher: Peter, those are essentially pass-through services, correct? They're only brokering the routing of the traffic in the cloud?
Eckersley: They're essentially pass-through messaging; where the complicated key management comes in is in adding new devices to accounts, or resetting passwords if people have forgotten them.
reader comments
21