PRISM Fallout: In Cloud We Don't Trust?

U.S. tech firms who have built their business on a free-flowing Internet just got a huge smack in the face. Leaked government documents seemed to reveal the existence of a top-secret program with the capability to mine their users' data at will.

Right now, the debate is over exactly what data's being collected and how—and whether the companies were complicit in letting it happen.

But that misses the real impact of such a program. Regardless of the details, it will damage the reputation of the U.S. as a technology marketplace.

There are many operations that will feel the hit, but the biggest one may be in cloud computing. After all, what foreign company would want to host its data in a cloud that could be rifled at will by the U.S. government?

What We Think We Know

Leaked documents from the National Security Agency and the FBI have revealed an apparent secret government program, code-named PRISM, that is "extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time," according to the Washington Post.

The data was pulled from the servers of Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple. Dropbox, the Post reported, is supposedly "coming soon."

The NSA does not monitor every piece of data, the story reports, only targeted individuals. But the capability to monitor the target within all of the companies' data is there, according to the slides obtained by the Post.

All of the companies named in the leaked slides have categorically denied being involved in PRISM, which is pretty much the only answer they can give: if such a program exists, they are likely bound by court order from revealing their participation, and if it doesn't exist, then they are truthful in denying it. The U.S. government, for its part, acknowledges that such programs do exist, but that the documents published by the Post and the U.K.'s Guardian contain "numerous inaccuracies."

Which, alas for the U.S. tech industry, isn't exactly a "no."

Perception-wise, the firms named in the leaked slides are screwed. If PRISM doesn't exist, that will be very hard to prove in a climate where distrust of government is at an all-time high. If PRISM does exist, then the perception of these companies will either be as lying co-conspirators in a massive breach of user privacy - or incompetent morons who don't know that the U.S. government can get into their data whenever it wants.

The most likely scenario here is that the tech companies are being very, very literal: they can deny ever hearing of a program called PRISM because they may have really never heard of it. Ars Technica spoke with Electronic Frontier Foundation Staff Attorney Kurt Opsahl, who outlined what's probably going on with these denials:

"Whether they know the code name PRISM, they probably don't," [Opsahl] told Ars. "[Code names are] not routinely shared outside the agency. Saying they've never heard of PRISM doesn't mean much. Generally what we've seen when there have been revelations is something like: 'we can't comment on matters of national security.' The tech companies' responses are unusual in that they're not saying 'we can't comment.' They're designed to give the impression that they're not participating in this."

In Cloud We Trust?

Successfully pulling off that impression would seem to be nearly impossible and the nine tech companies named in the PRISM documents are in for a world of pain. Already, U.S.-based users, individual and corporate, are up in arms about the perceived breach, even as the U.S. government insists that it is not spying on its own citizens, but is targeting non-U.S. citizens in its quest to maintain national security.

U.S. companies may end up becoming more active participants in cyber/national security related activities anyway, depending on how Department of Defense cyberwar rules of engagement play out.

But for public cloud users who reside outside the U.S., the statements about non-U.S. targets are sure to have a chilling effect. Especially in the European Union, which has been critically examining its data relationship with the U.S. for some time. That relationship, once precarious, may have just gotten pushed off the cliff.

Currently, data generated by European companies is bound by the strictures of the E.U.'s 1998 European Commission Directive on Data Protection (ECDDP), which, among other things, blocks data from being transferred outside the European Economic Area unless the E.U.'s strict protection guidelines are followed.

The problem is that U.S. laws and policies let data like names and addresses be handled in ways that were way outside the ECDDP comfort zone. This would have effectively prevented any European data from being stored on U.S.-based clouds and data centers, were it not for Safe Harbor.

Established in the Fall of 2000, Safe Harbor is a compromise that would allow data interchange to take place. Safe Harbor requires that companies follow a certain set of privacy practices, such as informing individuals that their data is being collected and how it will be used. If Safe Harbor rules are followed by U.S. companies, which self-certify themselves to be Safe Harbor compliant, then E.U. data can be stored in the U.S., which is handy since many of the world's biggest public cloud services are located in the U.S.

All of the E.U. nations, with the exception of Germany, are participants in the E.U.-U.S. Safe Harbor agreement. This is why in Germany, corporate workers are prohibited from using services like Google Docs to store and work with company information. (One has to wonder if the Germans didn't have an inkling that something like PRISM was going on.)

The Europeans have had some qualms about Safe Harbor already. Last July, an independent European advisory body, the Article 29 Working Party, advised that the existing Safe Harbor agreement between the U.S. and E.U. is not enough to provide true security for European organizations' data. Their argument? That self-certification was nowhere near enough to assure adequate protections.

"…[I]n the view of the [Article 29] Working Party, sole self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment," the recommendation stated. "The Working Party considers that companies exporting data should not merely rely on the statement of the data importer claiming that he has a Safe Harbor certification. On the contrary, the company exporting data should obtain evidence that the Safe Harbor self-certifications exists and request evidence demonstrating that their principles are complied with."

In other words, don't take U.S. tech companies at their word that they will comply with Safe Harbor rules.

Safe Harbor At Risk

Fast forward to today, when suddenly the Article 29 Working Party's non-binding recommendation has some teeth to it. European companies and lawmakers are very likely going to look at the events surrounding PRISM and wonder how safe their data would be if stored in a U.S. system.

Amazon and Rackspace, two large U.S.-based public cloud providers, were not named in the PRISM slides, but Microsoft and Google were. While no one knows if the U.S. intelligence services can access and were accessing cloud-based data hosted by Microsoft and Google, the integrity of their cloud hosting services will probably be called into question now, especially by companies outside the U.S., which - by the U.S. government's own insistence - are valid targets for national security investigations.

The E.U.-U.S. Safe Harbor agreement may be one of the first casualties of the leaking of PRISM - even if PRISM turns out to be fictitious. Just the hint that something like PRISM could exist could evaporate a large amount of trust and business for U.S. cloud vendors - even ones not named in the PRISM documents.

Public cloud infrastructure is under serious threat, as users domestic and international start seriously questioning public cloud security and integrity. This may bring a large shift towards private cloud or virtual data center deployments, as companies seek to protect their data from the government's prying eyes.

 
