The ongoing case of the federal government versus Lavabit was a hot topic of discussion at RSA -- not just regarding the merits of the case, but because it demonstrates how the increasingly stringent safe harbor provisions in the European Union can impact US companies doing business in the cloud.
For those who didn't follow the story, Lavabit, an organization that offered encrypted email as a service, shut down last August without explanation. Under a gag order, Lavabit CEO Ladar Levinson was prohibited from disclosing any information relating to the shuttering of the business, as well as the details leading to the termination of Lavabit.
After court documents were unsealed, it emerged that Levison was resisting a government order to provide Lavabit's encryption key to authorities. The nature of the Lavabit email service was that a single key was shared for encrypting all client email. The government insisted on acquiring the key, so that it could access one client's email account -- ex-National Security Agency contractor Edward Snowden. Lavabit objected to handing over the encryption key, since it would not only decrypt one client's email, but it would also provide access to the company's few hundred thousand customers' data in the clear.
So what does the US government's legal dispute with Lavabit over access to its encryption key have in common with discussion over Safe Harbor principles? On a simple level, the connection is obvious -- both are reactions to activities by the NSA (and other agencies within and outside of the US) to access vast amounts of cloud data without the data owner's knowledge or consent. However, this issue is much larger than the NSA.
The NSA is doing what it was created to do: collect data, analyze it, and use it to protect US interests. To date, we haven't seen its agents violate the principles they are sworn to uphold. However, the bigger issue is one of privacy -- a fundamental right that is fueling an important debate over whether people are willing to give up privacy in exchange for security.
In the case of the EU and its Safe Harbor provisions, regulators are moving closer to a version that requires the cloud service provider (CSP) to at least notify data owners when their information has been accessed.
Harbinger of clouds to come
The more profound connection, however, is that both the Lavabit case and the Safe Harbor provisions are harbingers of the future of cloud computing policies. For cloud computing to continue to grow, there needs to be a better balance between end users' requirements for privacy, confidentiality, and direct control of data, and the ability for law enforcement and government agencies to fight crime and terrorism. These are both attempts to nudge the pendulum back from where it has shifted over the last few years, toward ever-greater government surveillance of all cloud and Internet traffic, at the expense of user privacy and confidentiality.
What differentiates the Lavabit case from new EU data residency requirements that flag changes to Safe Harbor provisions that have governed data transfers for more than a decade is that it represents an attempt by a CSP to contest the scope of NSA access to cloud data through the courts. Changes to the Safe Harbor provisions will in all likelihood place a new set of requirements on CSPs (or at least compel them to uphold their own privacy policies better). And they'll have to consult directly with major cloud service providers (most of whom are based in the US) to make that happen.
Regardless of the outcome of both the Lavabit case and the EU's revised set of Safe Harbor provisions, you can be sure that the cloud landscape will be different six months from now -- and it will continue to change into the future. Recent modifications recommended by President Obama on how phone metadata collection is performed almost certainly mean that privacy concerns will play a greater role in national security investigation policies.
On the other hand, Lavabit's legal response to an appeal by the government requesting the defunct service provider's encryption key suggests that it will be a lengthy process within the US to have policies changed, because of the investments the government has made in data mining and capture technologies. Already, we have seen explicit pushback from the intelligence community to the steps outlined by President Obama. Yet, while the NSA and Snowden are currently grabbing headlines, it goes well beyond that. Other government agencies accessing data with a subpoena, such as the IRS, may set off more sensitive issues in this privacy vs. security debate.
The current methodology is based on what some observers are calling the sieve theory: It doesn't matter as much what data goes into the data mining process; the information that is produced from the process justifies the activity. In the course of action, all kinds of enterprise data can get caught up and stored in ways that the data owners never intended -- regardless of legal arguments about Fourth Amendment rights.
So what options are available to enterprises looking to move to the cloud but not willing to become entangled in a privacy, compliance, data residency, and security morass?
Customers need to proactively take control of their own data by persistently encrypting data before sending it to the cloud. Encryption at rest and in transit is no longer sufficient. To ensure that the data is never decrypted outside their control, businesses must implement encryption "in use." This way, they can apply the proper governance over the data, regardless of where it lies. This use of encryption as a circuit breaker allows enterprises to balance their need for privacy and confidentiality with the needs of law enforcement and anti-terrorism agencies.
If there is a legitimate and lawful reason why an organization should hand over data in response to a request, then businesses should have a seat at the table. Encrypting data in all three states of existence, combined with ownership of encryption keys, is the only way to accomplish this.
We each play a role in protecting information that should be private in this real-life drama. The government's role is to continue to gather and analyze data for tax, regulatory, law enforcement, or national security purposes. Cloud providers are stepping up to do their part to protect their environments from internal and external threats. Most importantly, we all have personal responsibility, as well, and we must take action to implement persistent encryption to protect what we believe in.