Thursday, October 31, 2013
There may be more outrage overseas than in the US over loss of data privacy and vulnerabilities
by Larry Geller
This summer, the IEEE (Institute of Electrical and Electronics Engineers) “upgraded” its members’ email service to Google Gmail, including Google cloud services as an added advantage. Probably, when planning the changeover, they had no idea that this would make all traffic and stored documents available to the NSA, the British GCHQ, and who knows where else. (See: NSA spying may compromise private corporations’ technical data, 6/12/2013.)
While I do not make much use of that email system, others do. It was my suggestion to the editor of their newsletter, The Institute, that they should consider reverting. Or heck, at least they might say something to members about the security issues.
From an email in August:
Thank you for sharing your concerns with other readers. I'm also forwarding this email to the group who is in charge of that service so they are aware of your concerns.
It appears that my concerns have remained, well, just my concerns. At least as far as this one organization goes. To heck with technical correspondence between engineers and others falling into unintended hands.
Others see the problem, though.
It’s no longer unusual that an organization, such as this union representing German journalists, advises its members to stop using services such as Google which, it’s clear, cannot be counted on to protect their data.
Whether Google had no choice, in view of NSA spying under the Patriot Act or otherwise, does not matter. It appears to be a simple fact that any email sent or any data stored in Google Docs or elsewhere in their “cloud” can also turn up on the screens of uncounted analysts or contractors who have no business viewing it. Perhaps some of them are unscrupulous and might sell the information. Or perhaps a government might take action against, in this case, a journalist.
Edward Snowden’s revelations have demonstrated that NSA has access to the data of US citizens as it flows back and forth between Google’s worldwide data centers.
Citing documents obtained from former NSA contractor Edward Snowden and interviews with officials, the Washington Post claimed the agency could collect information "at will" from among hundreds of millions of user accounts.
The documents suggest that the NSA, in partnership with its British counterpart GCHQ, is copying large amounts of data as it flows across fiber-optic cables that carry information between the worldwide data centers of the Silicon Valley giants. The intelligence activities of the NSA outside the US are subject to fewer legal constraints than its domestic actions.
[The Guardian (UK), Reports that NSA taps into Google and Yahoo data hubs infuriate tech giants, 10/30/2013]
This snip is pretty clear on the issue:
People sending email to any of Google's 425 million Gmail users have no "reasonable expectation" that their communications are confidential, the internet giant has said in a court filing.
Consumer Watchdog, the advocacy group that uncovered the filing, called the revelation a "stunning admission." It comes as Google and its peers are under pressure to explain their role in the National Security Agency's (NSA) mass surveillance of US citizens and foreign nationals.
"Google has finally admitted they don't respect privacy," said John Simpson, Consumer Watchdog's privacy project director. "People should take them at their word; if you care about your email correspondents' privacy, don't use Gmail."
[The Guardian, Google: don't expect privacy when sending to Gmail, 8/14/2013]
Who are the users of Gmail and Google Docs? Almost anybody, these days.
We each have a choice, at least in whether we use one service or another. At present, it’s not clear how a user, particularly a user in this country, can avoid having the NSA tap their data. Encryption might (or sadly might not) prevent the government from reading it, but they have it.
For journalists, routine and secretive phone and email tapping means that sources cannot be protected. For engineers or scientists, it means that their patent data, their coordination of proprietary or sensitive tests or studies, or in fact anything they do upon which profits or even human wellbeing depend, cannot be protected.
Think: if the NSA has built back doors into Windows and encryption software, as has been revealed, then around the world people are working hard to exploit those back doors. It won’t be just the NSA or GCHQ watching over your shoulder, it could be anyone, anywhere, as soon as they get good at playing NSA and zooming through those back doors.
Having zoomed, if the purloined data has competitive value, it will be sold.
Over time, I think individuals and organizations will work out ways to protect their data, and learn not to send critical information over the Internet in unprotected fashion. Heck, one can still put the data on a memory stick and carry it over to the recipient, but we would really like to continue to use the Internet and our various devices as we’ve become accustomed.
Engineers and scientists should, IMHO, be taking leadership positions, as the journalism union has done, in working to protect sensitive data from intrusion. Technical people, in particular, can work at creating a better, meaning more secure, Internet of the future.