The European Union is asking the United States about the scope of the recently exposed Prism cybersurveillance program and the collection of metadata on phone calls, emails, and other communications of foreigners, especially EU nationals. Yet perhaps the EU should be asking about another security concern.
The Advanced Encryption Standard (AES) is widely used to encrypt most forms of digital communications -- everything from banking data to email servers. The AES-256 encryption protocol in particular is about as strong as a data security tool gets, but is it really secure? Many people believe so, but AES is only truly secure if the user keeps sole access to the encryption keys. Therefore, it is becoming increasingly common to use zero-knowledge services, such as SpiderOak and Wuala. Those services give the organization full ownership over its data and promise that the service provider will have absolutely no visibility into it. The vendors say they cannot comply with subpoenas and court orders to decrypt data, since they never get access to the encryption keys. For obvious reasons, there is no password recovery.
But some people are concerned about the security of zero-knowledge services. Back in 2010, it was reported that the FBI had paid contractors to plant backdoors into the IPSec stack of the OpenBSD crypto framework. OpenBSD is a technology widely used for VPN and firewall installation in virtualized environments. If the FBI could do that, who knows what the NSA or any other organization could do? The NSA was the organization that gave the thumbs-up to AES in 2011, making it suitable for secure government communications.
Fear of government entities secretly intercepting sensitive data is a major reason some European organizations stay away from cloud services -- or at least from those provided by Amazon, Google, and Microsoft, which are based in the United States. The USA Patriot Act allows the US government to access any data it pleases if the data is considered essential to national security. Also, most of the Internet traffic worldwide travels through the US, making interception easy for government agencies there.
The European Parliament recently established that:
No data subject should be left unaware if sensitive data about them is exposed to a 3rd country's surveillance apparatus. The existing derogations must be dis-applied for Cloud because of the systemic risk of loss of data sovereignty. The EU should open new negotiations with the US for recognition of a human right to privacy which grants Europeans equal protections in US courts.
Also, the European Parliament wants to have half the EU public services running on cloud infrastructure solely under EU jurisdictional control by 2020.
Last month, well before the Prism scandal started, the United Nations Human Rights Council published a Report of the Special Rapporteur on the right to freedom of opinion and expression. Frank La Rue, the UN's special rapporteur, concluded that:
Individuals should have a legal right to be notified that they have been subjected to communications surveillance or that their communications data has been accessed by the State. Recognizing that advance or concurrent notification might jeopardize the effectiveness of the surveillance, individuals should nevertheless be notified once surveillance has been completed and have the possibility to seek redress in respect of the use of communications surveillance measures in their aftermath...
Individuals should be free to use whatever technology they choose to secure their communications. States should not interfere with the use of encryption technologies, nor compel the provision of encryption keys.
The report also calls mass surveillance a violation of basic human rights. It refers specifically to individual rights, but in my humble opinion, those rights should apply to corporations, too. Corporations must comply with court orders. It is important for CIOs to understand the ramifications of government surveillance and data-gathering programs, and they should take all necessary precautions when encrypting data and using cloud and virtualization services.
Maybe it's time to review these famous words uttered by US President John F. Kennedy on April 27, 1961:
The very word "secrecy" is repugnant in a free and open society, and we are as a people inherently and historically opposed to secret societies, to secret oaths and secret proceedings. We decided long ago that the dangers of excessive and unwarranted concealment of pertinent facts far outweighed the dangers which are cited to justify it. Even today, there is little value in opposing the threat of a closed society by imitating its arbitrary restrictions. Even today, there is little value in insuring the survival of our nation if our traditions do not survive with it.