

NSA Data Collection Worrisome For Global Firms

Microsoft, Google, Facebook, and other tech firms have downplayed their participation in government spying programs, but U.S. and international companies should worry about access to their data in the cloud

With the past month's revelations of vast data collection by the National Security Agency, and of U.S. technology companies' cooperation with that collection, global firms should focus on encrypting their data in the cloud, security experts say.

While government monitoring may not be at the top of the list of threats that worry companies, the wholesale collection of metadata on phone calls, together with the relatively easy access to information in online communications, underscores how little protection corporate data has in the cloud. In addition, firms that operate globally must consider the privacy consequences of U.S. data collection and how to protect their data if it remains on servers in the United States, says Steve Weis, co-founder and chief technology officer of cloud-security firm PrivateCore.

"U.S. companies operating in other countries -- China comes to mind -- would definitely worry about this sort of data collection," Weis says. "In the same way, European companies, which have very strict privacy regulations, will not run any sort of data processing facility in the U.S. that touches personally identifiable information."

The concerns come as more information about the NSA's broad data collection became public this week. On Thursday, the Guardian UK reported that Microsoft had allegedly worked with U.S. intelligence agencies to decrypt messages sent through its business e-mail service, Outlook.com, as well as its consumer-focused services, such as Hotmail.com. In addition, Microsoft allows the NSA to access its SkyDrive cloud storage service as part of the company's participation in the PRISM program, the newspaper reported. PRISM is a program designed to expedite intelligence and law-enforcement officials' legal requests for data on a specific person or target.

Google, Facebook, and other service providers have also been criticized for their cooperation with the PRISM program. The companies have stressed that they do not allow direct access to user data and only respond to specific, legally obtained court orders.

"We take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes," Microsoft said in a statement, adding that it rejects any demands that it believes are not valid. "We only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks."

Whether U.S. intelligence and law enforcement monitoring is effective, and whether it warrants the trade-off in privacy and civil liberties, is an important public debate. For companies, however, the concerns boil down to two questions: whether their data is secure from general access, and whether they will be notified when a legal request for access is received.

"Today, the U.S. government can ask a cloud service provider for access to information, and the U.S. cloud provider has to hand over the data," says Paige Leidig, senior vice president with cloud encryption provider CipherCloud. "Not only does the customer not know that the information was handed over, but they may be put in the position of breaking the privacy laws in their own country."

Companies, especially those that have to abide by non-U.S. privacy laws, should consider end-to-end encryption, Leidig says. By encrypting the data themselves and managing their own keys, companies control who has access to it, and a government agency that wants to read the data has to come to the company for the keys, so the company is necessarily notified. When the cloud provider holds the keys instead, the data can be decrypted and handed over to a government without any notice, or stolen by an insider at the provider.

[There's no way to stop a determined insider from leaking or stealing what he knows if he can get his hands on it, but there are ways to track users as humans, rather than by just their use of company equipment or their network traffic. See Hacking The Human Side Of The Insider Threat.]

The impact on business is only starting to be seen. While the NSA collects metadata on phone calls between millions of Americans, it is unclear how the agency uses that information or how often it requests customer information from online service providers. Microsoft and Google have asked to be allowed to publish more data on the number and types of requests they receive.

"There are aspects of this debate that we wish we were able to discuss more freely," Microsoft said in its statement. "That's why we've argued for additional transparency that would help everyone understand and debate these important issues."

Facebook and other firms gained permission in June to publish more information, but only in aggregate. In the last half of 2012, intelligence and law enforcement officials asked for information on between 18,000 and 19,000 Facebook user accounts, the company stated in June.

"With more than 1.1 billion monthly active users worldwide, this means that a tiny fraction of one percent of our user accounts were the subject of any kind of U.S. state, local, or federal U.S. government request -- including criminal and national security-related requests -- in the past six months," said Ted Ullyot, Facebook's general counsel, in the statement. "We hope this helps put into perspective the numbers involved, and lays to rest some of the hyperbolic and false assertions in some recent press accounts about the frequency and scope of the data requests that we receive."

Yet other companies contacted for an interview -- even security vendors -- declined to comment over concerns that publicly discussing the issue may impact their business. Such worries stifle debate over the impact on civil liberties as well as the Internet economy, says Bruce Schneier, security futurologist at British Telecom.

"This is why surveillance is so poisonous," he says. "I've had people say that they are afraid to sign a petition, because if they do they fear they will be targeted in some way."

Companies, however, should treat government monitoring like any other security threat. By encrypting their data in the cloud themselves, rather than relying on the cloud provider to do it for them, they keep control of who can access the information. For most companies, that should be business as usual.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

7/17/2013 | 4:41:32 PM
re: NSA Data Collection Worrisome For Global Firms
Crypteron, I agree with what you are saying. These things all help. However, the problem I see is that, encrypted or not, they have your data. If they want it. With enough resources and the will... well, who knows. Is the public cloud really that compelling of an option? Why risk it?
7/16/2013 | 8:10:06 PM
re: NSA Data Collection Worrisome For Global Firms
Snowden's disclosure of PRISM and NSA programs is shaking confidence in the public clouds. But software easily fixes this: strong data encryption can protect your information from unwanted access. We are seeing a huge inflow of customers asking for our cloud security software. Our military-grade data encryption, authentication, and key management ensure that your cloud data is safe and your company satisfies compliance requirements. Do you feel safe? Tell us what you think in the comment box below or at our website www.crypteron.com
7/16/2013 | 2:37:48 PM
re: NSA Data Collection Worrisome For Global Firms
IMHO, for most intents and purposes, the Cloud for business is dead. Why risk it?