The FBI’s hopes to “wiretap” the Internet show that federal officials and the Obama administration have little understanding of its implications and further almost no understanding of the technology and the way security functions in a communications environment.
It’s dangerous stuff if nothing else than for its clear attempt to intrude deeper into our personal lives in the name of safety and security.
But before we get too tripped up on those silly worries about personal freedoms, let’s look at what the effects would be on cloud computing and in particular, the customers who use it.
Securosis is the world’s leading independent security research and advisory firm. The firm point to three reasons why the legislation would have such a detrimental impact.
In review, the proposal calls for the following:
Communications firms should be able to unscramble messages that have been encrypted.
Foreign companies must establish an office in the United States in order to perform intercepts on information traversing across its networks.
And here’s the best one of them all:
Companies that provide peer-to-peer services must redesign their architecture for messages to allow for interception.
Securosis gives this assessment:
A Single Point of Security Failure
“To allow a communications service to decrypt messages, they will need an alternative decryption key (master key). This means that anyone with access to that key has access to the communications. No matter how well the system is architected, this provides a single point of security failure within organizations and companies that don’t have the best security track record to begin with. That’s not FUD — it’s hard technical reality.”
What that means for cloud services customers: Cloud management service like EnStratus provide encryption for customers across cloud platforms. The key is kept off the network. The service provider does not get access to it, only the customer does. If the legislation passed, the government would have a key to your data, too. The back door would always be open.
Foreign Provider Requirements are Political Theater
“Requiring foreign providers to have interception offices in the US is more of a political than technical issue. Because once we require it, foreign companies will reciprocate and require the same for US providers. Want to create a new Internet communications startup? Better hope you get millions in funding before it becomes popular enough for people in other countries to use it. And that you never need to correspond with a foreigner whose government is interested in their actions.”
What that means for cloud services customers: Who knows what kind of requests would come in from foreign governments about your data. That’s an impediment that would cool any enterprise interest in cloud computing.
More Opportunity for Security Failures
“There are only 3 ways to enable interception in peer to peer systems: network mirroring, full redirection, or local mirroring with remote retrieval. Either you copy all communications to a central monitoring console (which either the provider or law enforcement could run), route all traffic through a central server, or log everything on the local system and provide law enforcement a means of retrieving it. Each option creates new opportunities for security failures, and is also likely to be detectable with some fairly basic techniques — thus creating the Internet equivalent of strange clicks on the phone lines, never mind killing the bad guys’ bandwidth caps.”
What that means for cloud services customers: Might as well start using the telpehone. Start printing those files. That’s going to be a lot of paper!
Really, this is ridiculous. What’s the point of stifling innovation and the economic benefits that cloud computing provides?
We are disappointed with the Obama administration. They are now crafting legislation based upon this poorly formed proposal.
It’s evident that the FBI is frustrated. Law enforcement has lagged behind the technology curve. In reaction, they have offered a proposal that would gut our infrastructure, open us to greater security threats and stifle innovation in arguably one of the fastest growing sectors of our national economy.
And one more thing – the term wiretap is another awful metaphor for the world we live. Its rampant use in the language around this proposal speaks volumes about how we continue to use terms that describe practices of another age.
Well, perhaps that’s the point. The past is what we seek to recreate. The problem is – it never works.
