Your Cloud Provider (Probably) Isn't Spying On You
jfruh writes "Last week the CEO of ServiceNow made a minor splash by claiming that it was awfully easy for a cloud provider to spy on the data they stored for you or discriminate based on pricing. But while that's possible, in many cases it turns out to be simply not practical enough to be beneficial. Even moves like restoring outages for higher-paying customers first turn out to be more trouble than they're worth."
The solution which is always repeated is to encrypt any sensitive data.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
My concern isn't that the company as a policy is spying on me, it's the fear that a disgruntled employee would start copying all of the data for their own use.
Insurance companies do that and you don't see anyone creating a riot or bitching about it. People lived with it, unfortunately. Lots of other companies have that capability too. Any company that has info on you could look at it... What's the news here? Really. This is really stupid and old news. This shouldn't be here...
Data is not the same thing as information.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
TL;DR -- Your cloud provider is not competent enough to spy on you.
Nobody gives a damn about your data, with good statistical confidence.
OTOH I suspect it is quite important to be able to get your data should the need arise, which is a different concept.
That's, at least, what I desume from seemingly grossly inefficient developments in IT, e.g. the cloud where your machines are not part of the nodes, or the UI downloaded from the server, instead of having everything available locally and a remote db for syncing data.
It's a parallel with the development of laws where cronyism replaces democracy. In those systems it is not important to put a lot of people in jail, it is vital to make anybody potentially a criminal so you have an excuse to lock people up if the need arises.
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
While spying/corporate espionage from a cloud supplier is a concern, the bigger concern is the US gov who have proved time and time again that if your data is in their jurisdiction they can look/take all they like and with the provisions in the "patriot" act they don't even need a warrant or tell anybody they looked at it.
Say no to the cloud, and more so if the data or supplier is based in the USA.
"Your Cloud Provider (Probably) Isn't Spying On You"......
But your government probably is.
Take Nobody's Word For It.
I use Spideroak, and their business model is based on privacy and they try to support open source when viable. When most cloud providers are similar, this is the featureset that sways my choice.
Why pay people over $100,000 per employee per year when accounting for taxes and benefits to spy on data? If Dropbox were to spy on your data, how would they use it to make more money?
Your cloud provider may not be snooping, but your ISP, if it's AT&T, probably is.
Yes, if you use someone else's CPU, that person can spy on all your computations. If your data is proprietary, you need to keep it on your own servers, and use strong encryption for data in-transit.
The cloud service provider isn't the worry. They couldn't care less. It's the government I'm concerned about. They do care and they have a history of spying and want the right to do so.
The internet is a postcard. Don't store or transmit anything you don't want seen.
Sure, they do not see any advantage now. That does not mean they never will.
And when they do (perhaps in 10 years) it will be too late to take away your data at that moment. They already have it.
Don't fight for your country, if your country does not fight for you.
Why bother using ssl on facebook, email, or any other "social" site? I mean who would be interested in that?
IMAP and webmail connections are probably the first thing I'd encrypt in transit because it's commonly used by web sites as a password recovery mechanism.
Going to keep the identity kinda vague here but I can say that I'm a high-ish level executive for a company that provides cloud services similar to Amazon and I will tell you first hand that we NEVER ever ever would spy or collect data on our customers. It would be a disaster and far more trouble than it's worth. Most mainstream platforms (VMware, OpenStack, whatever you choose) don't even provide facilities for reading on-disk customer data in a true cloud environment easily; I guess if you really wanted to you could start pulling raw blocks off of a SAN and dig around, but it would be a serious pain. Even if it were easy, I can't see a compelling reason to eavesdrop on customers, plus there are likely legal ramifications.
Can someone explain to me why the data extraction happening under The Patriot Act is never revealed in leaks, while if AWS or others snoop on my data, it would pose such a great risk that they would never do it?
The Patriot Act means that all the systems are in place for snooping, and even the veil of secrecy can be reused for snooping.
This story does not pass my sniff test.
Humans working in government are probably not listening to your unencrypted phone calls or reading your unencrypted emails.
If you forgot to lock your front door this morning, a burglar is probably not taking advantage of the situation.
Even if you skip your dog's rabies vaccinations, it probably won't get rabies.
If you drive home drunk tonight, you will probably arrive safely, and without hurting anyone else or facing serious criminal consequences.
North Korea probably doesn't intend to nuke anyone.
If you run with scissors, you probably won't trip and accidentally stab yourself.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
You may be dull; but you might also be classified by inferences; which are even worse when done by a machine (either in how wrong they are or how scary accurate and fast.)
You might like the same movies as pedophiles and that may be in their criteria so then you are labeled a potential pedophile and you don't even know it (because telling you would make you harder to catch...) You could end up flagged by authorities; although, I'd prefer that over the mindless racial, clothing, car stereotypes the police use now. Body language is different; however, being somebody with unusual body language always confuses the cop and can have bad results.
Employers hiring HR services using next-gen software will quite likely not know WHY the software said to not hire you - for legal reasons (privacy, proprietary data disclosure etc.) the software won't tell the HR drone exactly WHY and HOW it decided you were going to be a bad employee.
The problem with any cloud provider is that you have to trust that their claims about privacy are true without any verifiable evidence that they are in fact true.
Startpage and Duck Duck Go *claim* searches are private, but there is no actual evidence this is true. Believe so at your own peril.
Likewise, Spideroak's claim that they can't even look at your data themselves is comforting, but still just a claim. It may be true and they may believe it to be true (their site is very convincing), but without an audit of their methods, source code, architecture etc., it could just as easily be a lie.
At the end of the day, what they are selling you is a fantasy that may give you some peace of mind, not actual security. Maybe these providers give you legal recourse you don't get with others - IANAL. If the claims are false, you're just as compromised as you would have been with a "less secure" provider, whether you have grounds for legal action or not.
That's pretty shaky ground to stand on.
In the end, the only approach that offers even a chance of real security is to encrypt your data yourself without any 3rd party involvement. Realistically that means placing your trust in software others built for you (if the tool is provided as a binary) or source code others wrote for you (if you didn't write it yourself), which isn't that great either, but still much better than the fantasy offered by trusting in unsubstantiated claims.
Fully homomorphic encryption solves this problem; it's a shame that IBM is keeping the tech locked away instead of open sourcing it...
Rate of Investment vs Rate of Return.
Going through all the trouble to spy on Joe Pimpleface Teenager: ROI > ROR.
Going through all the trouble to spy on a user whose browsing profile and typing habits match Julian Assange or Frank Whizbang, Stock Investor of the Year: ROR > ROI.
By an order of magnitude.
So technically, yes, cloud providers probably aren't spying on 90% of the users.
But if I know I'm one of those 10% of extraordinarily high-interest persons? I'd call it a given that you're being spied upon. No matter how much it costs.
[End Of Line]
Woah...talk about a bad misreading of a comment subject.
If the only reason that we shouldn't be worried about cloud providers snooping on client data is because it's not economically beneficial for them to do so, then we should absolutely be worried about them doing so. Economics change.
Do I believe Rackspace spies on me? No.
Do I believe Google does? Of course. In fact they're pretty open about a lot of snooping and they try pushing real name policies and other shit to make it easier to shill crap on the web. Why would I not believe they're not snooping on me every single chance they get?
Oh, good. I always knew he was such a nice man
This is just a cry for attention, in the form of FUD, from a small, struggling cloud service provider.
Title should be: Your Cloud Provider (Probably) Isn't Spying On You Yet
Hey, that's the Internet! Everybody spies on you here. If the big companies like Verizon sell your info to ad makers and other third parties, what can be done with the small ones?