Should Cloud Vendors Decrypt Data For The Government? (helpnetsecurity.com)
An anonymous Slashdot reader quotes an article by Help Net Security's editor-in-chief:
More than one in three IT pros believe cloud providers should turn over encrypted data to the government when asked, according to Bitglass and the Cloud Security Alliance (CSA). 35 percent believe cloud app vendors should be forced to provide government access to encrypted data while 55 percent are opposed. 64 percent of US-based infosec professionals are opposed to government cooperation, compared to only 42 percent of EMEA respondents.
Raj Samani, CTO EMEA at Intel Security, told Help Net Security the answers ranged from "no way, to help yourself, and even to I don't care..." But since vendors can't satisfy both camps, he believes the situation "demands some form of open debate on the best approach to take..."
Turn over: yes. Decrypt: no (Score:5, Insightful)
If they receive a legal and correct warrant, meaning one that has been issued by a proper court, not a secret, shady, pseudo-military one, where the accused can challenge it, then yes, the cloud provider should turn over the data.
A smart provider however will have implemented its data management software in such a way that only its client has the key to decrypt the data it just turned over to the government. That way it cannot even be forced to decrypt it without violating the rules of mathematics and complexity theory.
If that is not the case, meaning that the cloud provider is able to decrypt the data themselves, then a warrant might be only the least problem a client will have with such a company. Most likely their biggest problem will be that the cloud provider uses that data to directly or indirectly harm them, either by selling it to advertisers or by being unable to protect it during hacking attacks.
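What "only the client has the key" looks like in practice, as an added example that is not from the comment above: a hypothetical storage provider (the `Provider`, `Blob`, `Seal` and `Open` names are assumed for illustration) stores only ciphertext produced on the client with Go's standard-library AES-256-GCM, so what it can hand over on an order is the blob as stored, plus the object name and size it necessarily knows. The object name is bound in as associated data so a blob cannot be quietly swapped under another name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is all the provider ever holds: ciphertext plus nonce. The object name is
// bound in as AES-GCM associated data, so a renamed blob fails to decrypt.
type Blob struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte
}

// Provider is a hypothetical storage service; it never sees a key.
type Provider struct{ objects map[string]Blob }

func NewProvider() *Provider { return &Provider{objects: map[string]Blob{}} }
func (p *Provider) Put(b Blob) { p.objects[b.Name] = b }

// Export is what the provider can hand over on a valid order: the blob as stored.
func (p *Provider) Export(name string) (Blob, bool) {
	b, ok := p.objects[name]
	return b, ok
}

// NewKey makes a 256-bit key on the client. It is never sent to the provider.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the client under key, binding name as associated data.
func Seal(key []byte, name string, plaintext []byte) (Blob, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(name))
	return Blob{Name: name, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts on the client; it fails on a wrong key, tampering or a rename.
func Open(key []byte, b Blob) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, b.Nonce, b.Ciphertext, []byte(b.Name))
	if err != nil {
		return nil, errors.New("decrypt failed: wrong key, tampered or renamed blob")
	}
	return pt, nil
}

func main() {
	key, _ := NewKey()
	p := NewProvider()
	b, _ := Seal(key, "reports/q3.pdf", []byte("constructed sample document"))
	p.Put(b)
	handed, _ := p.Export("reports/q3.pdf")   // what a warrant gets: ciphertext only
	_, err := Open(make([]byte, 32), handed) // anyone without the client's key
	fmt.Println(err)
}
```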
Re: (Score:2)
Re: (Score:3)
Would you say the same for anyone who, instead of writing "THIS", would mod the comment up (at +5 right now)?
The original comment is 100% right - if you're storing sensitive data unencrypted on someone else's server, you're doing it wrong. Now I'm far from a millennial, but I would say THIS [slashdot.org] deserves to be modded to +10.
Re:Turn over: yes. Decrypt: no (Score:5, Insightful)
No sane entity stores unencrypted ASSETS anywhere. No network is safe from anything, let alone the bunglers in government. Unless you want the world to know and therefore own your assets, encrypt them. AES-256 with extra hashes at minimum is good, but there are others that are just as painful to decrypt.
Cloud providers may have their own encryption schemes, but one presumes they're vulnerable, which is why you used your own-- and let the cloud vendor's scheme scramble it more.
This moots the initial question, which is should cloud vendors deliver the goods to $government. The answer is: you don't care. Go ahead, cough up whatever, it's useless without the keys and hashes/hashing algorithms used.
This is what CASB schemes are all about: control your own assets.
Re: Turn over: yes. Decrypt: no (Score:2)
Re: (Score:2)
Take your shitty "this" back to reddit you fucking millennial cocksucker.
I'm not a millennial and I don't use reddit. I strongly agreed with GP's statement but I'd run out of mod points so I gave my approval in written form. If this is a problem for you, no need to cry about it, just ignore it. Simple.
Re: Turn over: yes. Decrypt: no (Score:1)
Honestly it's spam. It's the equivalent of replying with "lol".
Re: Turn over: yes. Decrypt: no (Score:1)
And my axe!
Re: (Score:3)
As a user I wouldn't store my data with any kind of encryption that the provider offers, I would turn to only store it in Veracrypt [codeplex.com] archives or similar.
Re: (Score:2)
Re: (Score:2)
Translation: Here's the plans for the power substation. Sabotage the part outlined in red on March 15th. They decrypt the attachment, and proceed with their mission.
Re: (Score:2)
Re:Turn over: yes. Decrypt: no (Score:4, Informative)
Yes, but that's a known limitation of gmail. And if you're using the service, you've accepted that limitation.
Besides, it's a limitation that can be mitigated. Gmail allows access by standalone IMAP clients. So you can use whatever GPG-enabled client you like, on a computer running with full-disk encryption, and go ahead and use gmail. Google will know who you're talking to, but not what you're saying. And you would still be able to search your mailboxes locally.
Re: (Score:2)
The biggest problem with client side encryption anywhere is the requirement that everyone have a set of keys so you can encrypt data for the recipient. Outside of a business set up, no private citizen ever bothers to use public keys so even if you want to use it, you're forced to send unencrypted mail because not everyone (hardly anyone, actually) will have keys of their own. GPG and other solutions only work if you can convince your friends/family to also use encryption for communication. Since everyone is
Re: Turn over: yes. Decrypt: no (Score:2, Insightful)
Agreed 1000%! However, I believe soon cloud operators will face regulation on this issue and will be forced to provide a means to decrypt for the gov or not be able to operate in the country.
And don't be surprised if a cloud provider that does only provide encrypted data gets hit with an obstruction of justice or aiding and abetting charge.
Re: (Score:2)
That way it cannot even be forced to decrypt it without violating the rules of mathematics and complexity theory.
As though stuff like that has ever stopped the government (aka: politicians) to date. The only rule to remember is: You can't argue with stupid.
Re: (Score:2)
Upon reception of a valid warrant, the cloud provider should comply, provide the data and decrypt the data if it was encrypted by itself. Why should a cloud provider take sides and decide to protect a party against another without a legal binding to do so? There is no ground for such an insane behavior from a cloud provider. The cloud provider is providing services. If the client wishes to protect his own data, it is up to him to protect it and encrypt it or not put it in the cloud in the first place. Why should a c
Re:Turn over: yes. Decrypt: no (Score:5, Insightful)
I'd like to add:
Search for evidence, or assist in doing so: No. The government should not be able to conscript you into actual and unwilling service. With a proper warrant, as you describe, sure: "Turn over the 12 emails between party $x and party $y, sent on 2015-09-14." is okay. "Search for and provide us with every email in the last three years where person $x discussed topic $y with persons $a, $b, or $c, or anyone residing in country $foo." is not acceptable. That requires affirmative work, not just turning over specific (virtual) items they ask for. It steals productivity from the person and the employer. And, frankly, if I liked government work, I could have stayed in the one government contractor job I had; or actually gone to work for the government. "Build custom software, that otherwise would not exist, to insert a backdoor and destroy your product's security for us." is obviously entirely unacceptable as well.
and:
Force you to break the laws you're subject to in your business: no, No, NO! If our government wants access to data stored in the EU, that is nominally illegal to export out of the EU thanks to their data privacy laws; it should go through proper international channels to get access to it within the EU. It should not do an end-run around the law, and force some admin from Microsoft (Yes, this is a specific and, I think, still-ongoing case.) to open himself up to liability, and perhaps criminal charges; should he ever go there for vacation.
Re: (Score:1)
Re: (Score:2)
A smart provider however will have implemented its data management software in such a way that only his client has the key to decrypt the data it just turned over to the government. That way it cannot even be forced to decrypt it without violating the rules of mathematics and complexity theory.
The problem is that sometimes the key is temporarily present on the provider's machines, either sent with API requests for server-side encryption, or present on a VM running client software in the provider's cloud.
And as of recent stories it seems the US govt believes it can force the cloud provider to record the key when temporarily present. To me that is equivalent to forcing the provider to spy on your behalf because the provider isn't merely providing stuff it has on file. Curious what is your take on thi
Re: (Score:2)
The problem is that sometimes the key is temporarily present on the provider's machines, either sent with API requests for server-side encryption, or present on a VM running client software in the provider's cloud.
If your key is ever present, even temporarily, on a third party server then your security model is broken, period. You should not be relying on server-side encryption, nor should you be running client software that needs to decrypt sensitive stuff in a VM in the cloud.
Re: (Score:1)
All your examples involve the government unlocking it, which has nothing to do with what the OP said.
> That way it cannot even be forced
> it
As in the company holding the encrypted data.
The OP said that the company can hand over the encrypted data, and then the government can figure it out.
The company should not be able to decrypt the data.
That bit about mathematics and complexity theory was clearly just hyperbole.
Re: (Score:3)
the government could send code from the cloud provider to the client which sends them the decryption key
The stuff should be encrypted locally, and the decryption key never made accessible to the remote computers. So, how are you going to do that if you can't exploit a hole in the client?
Re: (Score:1)
It's bitztream, the autism-hating Slashdot troll!
Re: (Score:3, Insightful)
Guess what? Law enforcement officials still caught bad guys when all the data about whatever they were planning was in their heads or on papers the police never got to see during their investigations. Police being lazy is no excuse for insecure data storage.
Re: (Score:2)
Re: (Score:2)
The storage providing company should not provide any encryption at all, that should be the responsibility of the customer.
Well, I don't know as I'd go that far -- I can think of perfectly fine use cases where that would be handy.
However, nobody should consider such encryption to be secure enough for really sensitive information. It's more like a lock on a screen door.
If they have a warrant (Score:5, Insightful)
Re:If they have a warrant (Score:5, Insightful)
Re:If they have a warrant (Score:5, Insightful)
FWIW, the argument that 'metadata is not data', and so who you called does not require a warrant, is based on Smith v Maryland [wikipedia.org]. The Supreme Court ruled that gathering metadata does not constitute a search.
However, that was 1979, pre-internet. In light of the ability to collect massive amounts of metadata, from almost all aspects of a person's life, combined with the ability to computer-analyze that information, I would argue that Smith v Maryland should be re-considered. In that case, it was decided on the idea that the gathering of metadata provided limited insight into a person's life, and that is no longer the case.
Re: (Score:2)
In that case, it was decided on the idea that the gathering of metadata provided limited insight into a person's life, and that is no longer the case.
It was never the case, or law enforcement would never have started collecting it in the first place. It was merely a bullshit argument to get around that pesky 4th amendment.
Re: (Score:2)
While the amount of insight a piece of metadata provides maybe hasn't changed, the sheer amount of available metadata (and the capacity of analysing it) has increased drastically.
Re: (Score:3)
Additionally, the decision in S v M depended upon a user's lack of
Re: (Score:2)
Re: (Score:2)
I would argue that Smith v Maryland should be re-considered.
Me too, since the ruling made no sense to begin with.
Re: (Score:2, Insightful)
It's wishful thinking about warrants.
If China demands Microsoft hand over data for Diebold corp, which contains their US election machine data, it's fine as long as they have a warrant? You seem to assume your own country's warrant.
Or the USA demands cloud data for Gemalto (the Dutch SIM card maker they hacked to get the handset keys) with one of their special warrants? OK for Dutch people?
Or the UK demands US citizens' cloud data in secret (Snoopers Charter warrants permit this), then hands it over to a US agency (i
Re: (Score:3, Insightful)
The problem is that first off the vast majority of information requests from the government these days are not in the form of a warrant, they are subpoenas, which have little if any judicial oversight. Businesses can challenge them in court but often don't as this is a time and cost intensive process that can result in "unfortunate" side effects (see Qwest). Secondly warrants are a joke these days, for example the FISA court approves 99.97% of requests. And even in the rare cases where there has been enou
"more than one in three IT pros" (Score:2, Interesting)
1) Is it legal in the US to ask the question of job candidates, "Do you believe that the government should be required to hand over cloud data to the government without a warrant targeted to a particular individual?" I would ask this and reject anyone who said 'yes'.
2) Which immediately shows that the question is annoyingly ambiguous because it doesn't specify whether this is fishing expedition type access or targeted warranted access, so the survey results are meaningless.
In particular, it might be that
Re:"more than one in three IT pros" (Score:4, Insightful)
Well I thought it was funny (Score:2)
but then being introduced to Monty Python at the age of 12 is liable to do interesting things to one's sense of humour
Re: (Score:2)
1) Is it legal in the US to ask the question of job candidates, "Do you believe that the government should be required to hand over cloud data to the government without a warrant targeted to a particular individual?" I would ask this and reject anyone who said 'yes'.
This would be perfectly legal in the US.
Nope (Score:1)
No. Governments get hacked on such a regular basis that they can't be trusted with keeping the information secure, as proliferation of locations holding information increases chances of it being accessed.
Also the governments themselves can't be trusted not to misuse information.
Also, information should never be decrypted under circumstances that the specific information is being asked for, directly or indirectly, by a foreign government. Globalism can go take a break in the bottom of the toilet.
The real question should be (Score:2)
Do you think that cloud services should be set up in such a way that the provider is even capable of decrypting user data? IMO, the answer should be no.
Of course, for some kinds of publicly available data like websites this does not hold. If anyone on the world can see them and is supposed to be able to see them, the government can too, even without a warrant.
Re: (Score:2)
> Do you think that cloud services should be set up in such a way that the provider is even capable of decrypting user data? IMO, the answer should be no.
Encryption, and robust encryption, puts the data at the risk of losing the keys. Even securing the keys in a reliable escrow service leaves them vulnerable both to loss, and to theft. And if you test the performance of encrypted disks, encrypted SSD access, and encrypted network communications, all have significant performance costs and even electrical c
Re: (Score:2)
Why rate increases for the cloud service? The data ought to be encrypted before it even leaves the trusted host and is uploaded onto the cloud.
The problem with having your encryption done by the cloud service, is that the cloud service must have full access to your keys (not just store them with password protection). That in itself negates a large part of the reason you want to encrypt in the first place.
Encrypting everything before it leaves your own network may however cause a big headache when sharing th
Re: (Score:2)
> Why rate increases for the cloud service? The data ought to be encrypted before it even leaves the trusted host and is uploaded onto the cloud.
In that case, you'll wind up paying in the short or longer term in resources. Investing some of your VM's computational resources in local encryption means resources not available for the tasks that the server actually provides, and may require larger instances or longer run time. The encryption winds up costing electricity, if nothing else, and someone will wi
Re: (Score:2)
If operating in a secure manner means that cloud services become uneconomical, that is a strong argument that cloud services aren't yet at the point where they should be widely deployed.
Re:The real question should be (Score:4, Insightful)
Re: (Score:2)
Which is a big part of why cloud services should be generally avoided.
Re: (Score:2)
Re: (Score:2)
How is it different from any other contractual arrangement though? You might as well say "avoid banks" because money is only safe hidden under your mattress.
The nature of the contract doesn't really enter into it, as neither of the two primary sources of attacks (criminals and the government) is restricted by a contract.
Your analogy isn't quite on point, in part because there are special banking laws that somewhat mitigate the risk. Cloud providers are not subject to such special regulation.
The analogy would be better if you said "pay only with cash because other payment systems enlarge your attack surface". Which isn't incorrect.
Re: (Score:2)
Re: (Score:2)
If the server can decrypt it, then it wasn't a proper application of encryption to begin with.
https://www.youtube.com/watch?... [youtube.com]
It's always good to encrypt data at rest. Even if the cloud provider has the key, it makes it less likely that attackers will get access to your data because they need both the ciphertext and the key, which are hopefully in different locations.
If it's available for them to do so.... (Score:1)
Depends (Score:2)
Are we talking just friendly requests or court orders that went through the full legal process? If it's just a request the response should be "Screw off, go get a warrant." I'm of the opinion that anyone that stores data for you in a professional capacity is acting as an agent on your behalf and should enjoy the same legal protections that you yourself would have if you had the data yourself.
Duty to Protect Privacy (Score:3)
I'm of the opinion that anyone that stores data for you in a professional capacity is acting as an agent on your behalf and should enjoy the same legal protections that you yourself would have if you had the data yourself.
That's not what I want since it leaves the provider the option to voluntarily share my data. What we have in Canada is far better: the holder of the data has a legal duty to protect your privacy and cannot share your data with anyone unless required to do so by law.
Likewise the UK data protection act (Score:2)
To release data without a legal justification would constitute an offence. The fact that it happens routinely and is seldom prosecuted is disappointing, but the potential is there.
Re: (Score:2)
Which is why Windows 10 was pushed so hard.
Re: (Score:2)
Which is why Windows 10 was pushed so hard.
The harder the push, the more inevitable the fall.
People can take a lot of abuse, as long as the abuse is added gradually. But when it becomes clear that they've been backed into a corner, they will react - violently.
Should they? No. Will they? Probably. (Score:2)
Then the government can come to me – with a warrant – if they want me to decrypt my data for them.
I don't store my encryption key on the server with the data.
Which government? (Score:1)
So which government are we talking about? Because each company has multiple jurisdictions, and can be forced in ANY of those jurisdictions to hand over data for ALL those jurisdictions.
In the UK, Theresa May made it legal for UK to demand any data from any company 'cos Terrorist-might-eat-your-babies. She didn't restrict it to the UK. She even added a clause requiring they decrypt any data they encrypted. As soon as she did that, she opened the doors to Putin who promptly demanded keys from every business i
Probably have to with a warrant (Score:3)
With a warrant and the ability (the keys), cloud vendors would probably have to decrypt it.
The rubber hits the road when it comes to "without a warrant" -- that tests how flexible their morality is. Are they willing to turn down only the requests where a legitimate court order wasn't present?
It seems obvious to me that if you want encrypted data, you probably want to encrypt it yourself. The cloud is just storage, you can create your own trust model for encrypted data that doesn't include them.
That being said, there may be practical advantages to cloud-provider managed encryption where the risk:reward makes provider encryption worthwhile. What would be nice would be an encryption system with an access log of some kind to verify key usage. This would allow for a canary in the coal mine warning that your data had been decrypted by someone else. It's imperfect, but it's better than just silent loss of access control.
Re: (Score:2)
With a warrant and the ability (the keys), cloud vendors would probably have to decrypt it.
A warrant can force them to hand over the data and any keys they may have, but demanding that they decrypt it (in the US) requires invoking the All Writs Act, and that will require more than a rubberstamp warrant. It cannot be used for mere convenience - it can only be used when there are no other judicial or practical means.
Re: (Score:2)
What? My mother was a saint!
Now you have to convince me (Score:2)
Why should I store my data with you if you will hand it over to someone with as much as a "gimme" as an order? Moreover, why YOUR government. I fully cooperate with mine. No questions about this. Yours? Piss off!
Encrypted data? Sure. (Score:2)
More than one in three IT pros believe cloud providers should turn over encrypted data to the government when asked, ...
Have all the encrypted data you want. The keys and/or forced decryption are another matter.
Phrased this way you're asking about rule of law. (Score:2)
If you're in a situation where the government has proper legal authority to demand decryption, and you believe in the rule of law, then you must decrypt.
That much is simple. But there are two complicated angles to this: (1) What to do when the government doesn't have the legal power to compel you to decrypt and (2) when the government should have the power to compel you to decrypt.
As a private citizen one often does things one is not required to out of public-spiritedness. But as a provider of IT services
Re: (Score:2)
If you're in a situation where the government has proper legal authority to demand decryption, and you believe in the rule of law, then you must decrypt.
Yes, and it's unfair and unrealistic to expect companies to violate the law to protect your data (even if the law is abusive). This is why the services themselves should not have the decryption keys. That allows them to comply with all laws without endangering their clients.
Let's put this in another way... (Score:2)
Should the postal service decrypt any mail before delivering it to the government, even if they don't even have the means to do so?
Wrong Question (Score:2)
Why is anyone putting anything on the cloud that they haven't encrypted themselves?
Of course there are some things that you can't encrypt beforehand like the pictures and contacts that go into iCloud. But if you are just throwing files up onto storage on some file server then you should never be depending on the provider's encryption. Encrypt all files yourself and then let the provider encrypt it again. That way even if they do happen to hand it over to some government with the ability to decrypt it all th
Re: (Score:2)
Re: (Score:2)
That's actually OK as long as everyone who has an interest in the data is aware that their security is being sacrificed to save a few bucks.
should (Score:1)
No, it should not.
What financial incentive do I have to do anything for your government? Are you my customer? Did you sign a contract? Oh, you didn't do any of those things? Then fuck the hell off. I have no reason to waste time or money on you.
Should they or WILL they? (Score:1)
"asked" (Score:2)
When they are asked? Hell no! You do that even once, you will be on my list of vendors I will never, ever work with, and recommend every client I consult to not touch with a ten foot pole, either.
When served with a proper court order? That's a different story.
They don't ask - National Security Letter (Score:1)
They don't need a proper court order to force the cloud providers to turn over the data. All they need is a "National Security Letter", then the cloud provider has to drop its pants and bend over. No nasty court order necessary. Forget "Due Cause" and "Fourth Amendment", that's a thing of a past long gone.
American Business Espionage (Score:1)
One important aspect of all the primarily American underwear sniffing is that the US services also do business espionage as part of their mission, as they see a strategic asset in this. And they supply American companies with results from these actions, like Boeing, who got information on Airbus contracts to undermine bids.
So with some cloud providers willingly spreading their legs to be raped by the TLAs, for a non-US company to put business data in a cloud system could be considered gross neglect
Support Fees! (Score:1)
Sure! If the government pays the vendor for support.
Re: (Score:2)
There was a terrorist thwarted earlier this week near where I live. The police tracked him on the internet, knew of his sympathy for ISIS, and were able to act just before he was going to set off his bombs. That ability saved lives.
Can you tell us if the police just saw his incoherent allahu ackbar noise on Facetwat, or did the police actually get a warrant, and break into his.. what.. email? SMS?
You see, AC, I doubt most crims have their plans squirreled away on a secur-ish machine encrypted on hardware and locked in a safe. I think most crims brag their intentions openly, be it Facetwat, or the local pub or burger joint.