12:13 PM

NSA Data Collection Worrisome For Global Firms

Microsoft, Google, Facebook, and other tech firms have downplayed their participation in government spying programs, but U.S. and international companies should worry about access to their data in the cloud

With the past month's revelations of vast data-collection by the National Security Agency and the cooperation of U.S. technology companies with that collection, global firms should focus on encrypting their data in the cloud, security experts say.

While government monitoring may not be at the top of the list of threats that worry companies, the wholesale collection of metadata on phone calls, as well as the relatively easy access to information in online communications, underscores the lack of security that corporate data has in the cloud. In addition, firms that operate globally must consider the privacy consequences posed by U.S. data collection and how to protect that data if it remains on servers in the United States, says Steve Weis, co-founder and chief technology officer for cloud-security firm PrivateCore.

"U.S. companies operating in other countries -- China comes to mind -- would definitely worry about this sort of data collection," Weis says. "In the same way, European companies, which have very strict privacy regulations, will not run any sort of data processing facility in the U.S. that touches personally identifiable information."

The concerns come as more information about the NSA's broad data collection has become public this week. On Thursday, the Guardian UK reported that Microsoft had allegedly worked with U.S. intelligence agencies to decrypt messages sent through its business e-mail service as well as its consumer-focused services. In addition, Microsoft allows the NSA to access its SkyDrive cloud storage service as part of the company's participation in the PRISM program, the newspaper reported. PRISM is a program designed to expedite intelligence and law-enforcement officials' legal requests for data on a specific person or target.

Google, Facebook, and other service providers have also been criticized for their cooperation with the PRISM program. The companies have stressed that they do not allow direct access to user data and only respond to specific, legally obtained court orders.

"We take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes," Microsoft said in a statement, adding that it rejects any demands that it believes are not valid. "We only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks."

While the efficacy of U.S. intelligence and law-enforcement monitoring, and whether those efforts warrant the trade-off in privacy and civil liberties, is an important public debate, for companies the concerns boil down to two things: whether their data is secure from general access, and whether they will be notified when a legal request for access is received.

"Today, the U.S. government can ask a cloud service provider for access to information, and the U.S. cloud provider has to hand over the data," says Paige Leidig, senior vice president with cloud encryption provider CipherCloud. "Not only does the customer not know that the information was handed over, but they may be put in the position of breaking the privacy laws in their own country."

Companies, especially those that must abide by non-U.S. privacy laws, should consider end-to-end encryption, Leidig says. By encrypting the data themselves and managing their own keys, companies control who has access to it, and they must be notified when a government agency asks to see it. When the cloud provider holds the keys to a company's data, the data can be decrypted and handed over to a government without any notice to the customer, or stolen by an insider at the provider.

[There's no way to stop a determined insider from leaking or stealing what he knows if he can get his hands on it, but there are ways to track users as humans, rather than by just their use of company equipment or their network traffic. See Hacking The Human Side Of The Insider Threat.]

The impact on business is only starting to be seen. While the NSA collects metadata on phone calls between millions of Americans, it is unclear how the agency uses that information or how often it requests customer information from online service providers. Microsoft and Google have asked to be allowed to publish more data on the number and types of requests they receive.

"There are aspects of this debate that we wish we were able to discuss more freely," Microsoft said in its statement. "That's why we've argued for additional transparency that would help everyone understand and debate these important issues."

Facebook and other firms gained permission in June to publish more information, but only in aggregate. In the last half of 2012, intelligence and law enforcement officials asked for information on between 18,000 and 19,000 Facebook user accounts, the company stated in June.

"With more than 1.1 billion monthly active users worldwide, this means that a tiny fraction of one percent of our user accounts were the subject of any kind of U.S. state, local, or federal U.S. government request -- including criminal and national security-related requests -- in the past six months," said Ted Ullyot, Facebook's general counsel, in the statement. "We hope this helps put into perspective the numbers involved, and lays to rest some of the hyperbolic and false assertions in some recent press accounts about the frequency and scope of the data requests that we receive."

Yet other companies contacted for an interview -- even security vendors -- declined to comment, citing concerns that publicly discussing the issue might hurt their business. Such worries stifle debate over the impact on civil liberties as well as on the Internet economy, says Bruce Schneier, security futurologist at British Telecom.

"This is why surveillance is so poisonous," he says. "I've had people say that they are afraid to sign a petition, because if they do they fear they will be targeted in some way."

Companies, however, should treat government monitoring as they would any other security threat. By encrypting their data in the cloud themselves, rather than relying on the cloud provider to do it for them, they keep control of who can access the information. For most companies, that should be business as usual.
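What Leidig recommends above, and the article's closing advice, amount to client-side envelope encryption: the customer keeps a key-encryption key (KEK), wraps a fresh data key for each object under it, and uploads only ciphertext, so the provider holds nothing it can decrypt or be compelled to hand over in readable form. The Go example below is added here to show that pattern; it is not code from the article or from any vendor quoted in it, and the function names, the object name passed as `name`, and the 32-byte keys are assumptions of this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming bug, not a runtime case
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal returns nonce||AES-GCM ciphertext; aad (the object name) is authenticated.
func seal(key, pt, aad []byte) []byte {
	nonce := make([]byte, 12) // standard GCM nonce size, fresh per call
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failing system CSPRNG is fatal
	}
	return aead(key).Seal(nonce, nonce, pt, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("truncated object")
	}
	return aead(key).Open(nil, sealed[:12], sealed[12:], aad)
}

// Encrypt runs customer-side; the provider stores only the two returned blobs.
func Encrypt(kek, pt []byte, name string) (wrappedDEK, ct []byte) {
	dek := make([]byte, 32) // fresh per-object data key, wrapped under the KEK
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return seal(kek, dek, []byte(name)), seal(dek, pt, []byte(name))
}

// Decrypt needs the customer-held KEK; holding only the stored blobs yields an error.
func Decrypt(kek, wrappedDEK, ct []byte, name string) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte(name))
	if err != nil {
		return nil, err
	}
	return open(dek, ct, []byte(name))
}
```

Because the object name is bound as associated data, a blob copied from one object to another fails to open even under the right KEK, and a provider or insider holding only `wrappedDEK` and `ct` gets an authentication error rather than plaintext.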


User Rank: Apprentice
7/17/2013 | 4:41:32 PM
re: NSA Data Collection Worrisome For Global Firms
Crypteron, I agree with what you are saying. These things all help. However, the problem I see is that, encrypted or not, they have your data, if they want it. With enough resources and the will... well, who knows. Is the public cloud really that compelling an option? Why risk it?

User Rank: Apprentice
7/16/2013 | 8:10:06 PM
re: NSA Data Collection Worrisome For Global Firms
Snowden's disclosure of PRISM and NSA programs is shaking confidence in the public clouds. But software easily fixes this: strong data encryption can protect your information from unwanted access. We are seeing a huge inflow of customers asking for our cloud security software. Our military-grade data encryption, authentication, and key management ensure that your cloud data is safe and your company satisfies compliance requirements. Do you feel safe? Tell us what you think in the comment box below or at our website.

User Rank: Apprentice
7/16/2013 | 2:37:48 PM
re: NSA Data Collection Worrisome For Global Firms
IMHO, for most intents and purposes, the Cloud for business is dead. Why risk it?