NSA Data Collection Worrisome For Global Firms

Microsoft, Google, Facebook, and other tech firms have downplayed their participation in government spying programs, but U.S. and international companies should worry about access to their data in the cloud

5 Min Read

With the past month's revelations of vast data-collection by the National Security Agency and the cooperation of U.S. technology companies with that collection, global firms should focus on encrypting their data in the cloud, security experts say.

While government monitoring may not be at the top of the list of threats that worry companies, the wholesale collection of metadata on phone calls, as well as the relatively easy access to information in online communications, underscores the lack of security that corporate data has in the cloud. In addition, firms that operate globally must consider the privacy consequences posed by U.S. data collection and how to protect that data if it remains on servers in the United States, says Steve Weis, co-founder and chief technology officer for cloud-security firm PrivateCore.

"U.S. companies operating in other countries -- China comes to mind -- would definitely worry about this sort of data collection," Weis says. "In the same way, European companies, which have very strict privacy regulations, will not run any sort of data processing facility in the U.S. that touches personally identifiable information."

The concerns come as more information became public this week about the NSA's broad data collection. On Thursday, the Guardian UK reported that Microsoft had allegedly worked with U.S. intelligence agencies, decrypting messages sent through its business e-mail service, Outlook.com, as well as its consumer-focused services, such as Hotmail.com. In addition, Microsoft allows the NSA to access its SkyDrive cloud storage service as part of the technology company's participation in the PRISM program, the newspaper reported. PRISM is a program designed to expedite intelligence and law-enforcement officials' legal request for data on a specific person or target.

Google, Facebook, and other service providers have also been criticized for their cooperation with the PRISM program. The companies have stressed that they do not allow direct access to user data and only respond to specific, legally obtained court orders.

"We take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes," Microsoft said in a statement, adding that it rejects any demands that it believes are not valid. "We only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks."

While the efficacy of U.S. intelligence and law enforcement monitoring and whether the efforts warrant the trade-off in privacy and civil liberties are an important public debate, for companies the concerns boil down to whether their data is secure from general access and the desire for notification when a legal request for access is received.

"Today, the U.S. government can ask a cloud service provider for access to information, and the U.S. cloud provider has to hand it over the data," says Paige Leidig, senior vice president with cloud encryption provider CipherCloud. "Not only does the customer not know that the information was handed over, but they may be put in the position of breaking the privacy laws in their own country."

Companies, especially those firms that have to abide by non-U.S. privacy laws, should consider end-to-end encryption, Leidig says. By encrypting and managing their own keys, companies can control who has access to the data and must be notified when a government agency requests to see the data. When a cloud provider holds the keys to the security of a company's data, the data can be decrypted and handed over to a government without any notice, or stolen by an insider at the provider.

[There's no way to stop a determined insider from leaking or stealing what he knows if he can get his hands on it, but there are ways to track users as humans, rather than by just their use of company equipment or their network traffic. See Hacking The Human Side Of The Insider Threat.]

The impact on business is only starting to be seen. While the NSA collects metadata on phone calls between millions of Americans, it's unclear how they use that information or how often they request customer information from online service providers. Microsoft and Google have requested that they be allowed to publish more data on the number and types of requests.

"There are aspects of this debate that we wish we were able to discuss more freely," Microsoft said in its statement. "That's why we've argued for additional transparency that would help everyone understand and debate these important issues."

Facebook and other firms gained permission in June to publish more information, but only in aggregate. In the last half of 2012, intelligence and law enforcement officials asked for information on between 18,000 and 19,000 Facebook user accounts, the company stated in June.

"With more than 1.1 billion monthly active users worldwide, this means that a tiny fraction of one percent of our user accounts were the subject of any kind of U.S. state, local, or federal U.S. government request -- including criminal and national security-related requests -- in the past six months," said Ted Ullyot, Facebook's general counsel, in the statement. "We hope this helps put into perspective the numbers involved, and lays to rest some of the hyperbolic and false assertions in some recent press accounts about the frequency and scope of the data requests that we receive."

Yet other companies contacted for an interview -- even security vendors -- declined to comment over concerns that publicly discussing the issue may impact their business. Such worries stifle debate over the impact on civil liberties as well as the Internet economy, says Bruce Schneier, security futurologist at British Telecom.

"This is why surveillance is so poisonous," he says. "I've had people say that they are afraid to sign a petition, because if they do they fear they will be targeted in some way."

For companies, however, they should treat government monitoring as any other security threat. By encrypting their data in the cloud and not relying on the cloud provider to do it for them, they keep control of who accesses the information. For most companies, that should be business as usual.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights