Slashdot Mirror


Should Cloud Vendors Decrypt Data For The Government? (helpnetsecurity.com)

An anonymous Slashdot reader quotes an article by Help Net Security's editor-in-chief: More than one in three IT pros believe cloud providers should turn over encrypted data to the government when asked, according to Bitglass and the Cloud Security Alliance (CSA). 35 percent believe cloud app vendors should be forced to provide government access to encrypted data while 55 percent are opposed. 64 percent of US-based infosec professionals are opposed to government cooperation, compared to only 42 percent of EMEA respondents.
Raj Samani, CTO EMEA at Intel Security, told Help Net Security the answers ranged from "no way, to help yourself, and even to I don't care..." But since vendors can't satisfy both camps, he believes the situation "demands some form of open debate on the best approach to take..."

20 of 136 comments

  1. Turn over: yes. Decrypt: no by sciengin · Score: 5, Insightful

    If they receive a legal and correct warrant, meaning one that has been issued by a proper court, not a secret, shady, pseudo-military one, where the accused can challenge it, then yes, the cloud provider should turn over the data.

    A smart provider however will have implemented its data management software in such a way that only its client has the key to decrypt the data it just turned over to the government. That way it cannot even be forced to decrypt it without violating the rules of mathematics and complexity theory.

    If that is not the case, meaning that the cloud provider is able to decrypt the data themselves, then a warrant might be only the least problem a client will have with such a company. Most likely their biggest problem will be that the cloud provider uses that data to directly or indirectly harm them, either by selling it to advertisers or by being unable to protect it during hacking attacks.
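The arrangement described in the comment above, where the key is generated and kept on the client and the provider can hand over nothing but ciphertext, as an added example that is not from this thread or from any vendor's software. The names Client, Provider, Seal, Open and Disclose are made up for the illustration; the sample document is constructed. Data is sealed with AES-256-GCM before upload, with the object name bound as associated data so a blob cannot be passed off under a different name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Client holds the data-encryption key. The key is generated here, on the
// client, and is never sent anywhere: the provider only ever sees ciphertext.
type Client struct{ key []byte }

// Provider models a storage service. It stores opaque blobs by name and can
// hand them to anyone who asks, but has nothing with which to decrypt them.
type Provider struct{ blobs map[string][]byte }

func NewClient() (*Client, error) {
	key := make([]byte, 32) // AES-256 key, generated locally
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Client{key: key}, nil
}

func NewProvider() *Provider { return &Provider{blobs: map[string][]byte{}} }

func (c *Client) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM before it leaves the client. The
// object name is bound as associated data, so a blob stored under one name
// cannot later be presented as a different object. Output is nonce || ciphertext.
func (c *Client) Seal(name string, plaintext []byte) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. It fails if the key is wrong, the blob was altered, or
// the blob is presented under a different name.
func (c *Client) Open(name string, blob []byte) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func (p *Provider) Put(name string, blob []byte) { p.blobs[name] = blob }

// Disclose is everything the provider can do when compelled: return the blob.
func (p *Provider) Disclose(name string) ([]byte, bool) {
	b, ok := p.blobs[name]
	return b, ok
}

func main() {
	client, err := NewClient()
	if err != nil {
		panic(err)
	}
	provider := NewProvider()

	// Constructed sample document; in practice any file the user uploads.
	blob, err := client.Seal("notes.txt", []byte("quarterly figures, draft"))
	if err != nil {
		panic(err)
	}
	provider.Put("notes.txt", blob)

	disclosed, _ := provider.Disclose("notes.txt")
	fmt.Printf("provider hands over %d opaque bytes\n", len(disclosed))

	// Only the key holder can read it back.
	pt, err := client.Open("notes.txt", disclosed)
	fmt.Printf("client: %q (err=%v)\n", pt, err)

	// Anyone without the key (modelled as a second client) gets an authentication failure.
	other, _ := NewClient()
	_, err = other.Open("notes.txt", disclosed)
	fmt.Println("without the key:", err)
}
```

The point of the design is that Disclose is the provider's whole capability: it can comply with a demand for the stored object and still be unable to satisfy a demand for the plaintext. Key backup and recovery become the client's problem, which is the trade the comment is accepting.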

    1. Re:Turn over: yes. Decrypt: no by Z00L00K · Score: 2

      As a user I wouldn't store my data with any kind of encryption that the provider offers, I would turn to only store it in Veracrypt archives or similar.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Turn over: yes. Decrypt: no by Anonymous Coward · Score: 3, Insightful

      Guess what? Law enforcement officials still caught bad guys when all the data about whatever they were planning was in their heads or on papers the police never got to see during their investigations. Police being lazy is no excuse for insecure data storage.

    3. Re:Turn over: yes. Decrypt: no by BarbaraHudson · Score: 2

      Would you say the same for anyone who, instead of writing "THIS", would mod the comment up (at +5 right now)?

      The original comment is 100% right - if you're storing sensitive data unencrypted on someone else's server, you're doing it wrong. Now I'm far from a millennial, but I would say THIS deserves to be modded to +10.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    4. Re:Turn over: yes. Decrypt: no by BarbaraHudson · Score: 2

      the government could send code from the cloud provider to the client which sends them the decryption key

      The stuff should be encrypted locally, and the decryption key never made accessible to the remote computers. So, how are you going to do that if you can't exploit a hole in the client?

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    5. Re:Turn over: yes. Decrypt: no by postbigbang · Score: 4, Insightful

      No sane entity stores unencrypted ASSETS anywhere. No network is safe from anything, let alone the bunglers in government. Unless you want the world to know and therefore own your assets, encrypt it. AES-256 with extra hashes at minimum is good, but there are others that are just as painful to decrypt.

      Cloud providers may have their own encryption schemes, but one presumes they're vulnerable, which is why you used your own -- and let the cloud vendor's scheme scramble it more.

      This moots the initial question, which is should cloud vendors deliver the goods to $government. The answer is: you don't care. Go ahead, cough up whatever, it's useless without the keys and hashes/hashing algorithms used.

      This is what CASB schemes are all about: control your own assets.

      --
      ---- Teach Peace. It's Cheaper Than War.
    6. Re:Turn over: yes. Decrypt: no by Anonymous Coward · Score: 2, Insightful

      Agreed 1000%! However, I believe soon cloud operators will face regulation on this issue and will be forced to provide a means to decrypt for the gov or not be able to operate in the country.

      And don't be surprised if a cloud provider that does only provide encrypted data gets hit with an obstruction of justice or aiding and abetting charge.

    7. Re:Turn over: yes. Decrypt: no by SvnLyrBrto · Score: 3, Informative

      Yes, but that's a known limitation of gmail. And if you're using the service, you've accepted that limitation.

      Besides, it's a limitation that can be mitigated. Gmail allows access by standalone IMAP clients. So you can use whatever GPG-enabled client you like, on a computer running with full-disk encryption, and go ahead and use gmail. Google will know who you're talking to, but not what you're saying. And you would still be able to search your mailboxes locally.

      --
      Imagine all the people...
    8. Re:Turn over: yes. Decrypt: no by SvnLyrBrto · Score: 4, Insightful

      I'd like to add:

      Search for evidence, or assist in doing so: No. The government should not be able to conscript you into actual and unwilling service. With a proper warrant, as you describe, sure: "Turn over the 12 emails between party $x and party $y, sent on 2015-09-14." is okay. "Search for and provide us with every email in the last three years where person $x discussed topic $y with persons $a, $b, or $c, or anyone residing in country $foo." is not acceptable. That requires affirmative work, not just turning over specific (virtual) items they ask for. It steals productivity from the person and the employer. And, frankly, if I liked government work, I could have stayed in the one government contractor job I had; or actually gone to work for the government. "Build custom software, that otherwise would not exist, to insert a backdoor and destroy your product's security for us." is obviously entirely unacceptable as well.

      and:

      Force you to break the laws you're subject to in your business: no, No, NO! If our government wants access to data stored in the EU, that is nominally illegal to export out of the EU thanks to their data privacy laws, it should go through proper international channels to get access to it within the EU. It should not do an end-run around the law, and force some admin from Microsoft (Yes, this is a specific and, I think, still-ongoing case.) to open himself up to liability, and perhaps criminal charges, should he ever go there for vacation.

      --
      Imagine all the people...
  2. If they have a warrant by cjonslashdot · Score: 4, Insightful

    A warrant is supposed to provide independent (non-executive) oversight. No warrant - no data. That was the theory. Warrants exist to prevent abuse by the executive government, which would eventually tend to use unchecked surveillance powers to protect itself and to stay in power.

    1. Re:If they have a warrant by msauve · Score: 4, Insightful

      Warrants are also supposed to be supported by probable cause and be specific ("particular") about what's being sought and where. Not "phone records of all calls made in the US," which is exactly what's NOT supposed to be allowed.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:If they have a warrant by Anonymous Coward · Score: 2, Insightful

      It's wishful thinking about warrants.

      If China demands Microsoft hand over data for Diebold corp, which contains their US election machine data, it's fine as long as they have a warrant? You seem to assume your own country's warrant.
      Or USA demands cloud data for Gemalto (the Dutch SIM card maker they hacked to get the handset keys) with one of their special warrants? OK for Dutch people?
      Or UK demands US citizens' cloud data in secret (Snoopers Charter warrants permit this), then hands it over to US agency (info sharing treaty permits this)? A legal but dodgy workaround of US rights. OK? Even allies have abused such a system.

      A warrant only works if there is an interested party to oppose excesses. That's the person or company whose data they're trying to grab. That's the party with the interest in defending the data. A cloud provider just wants an easy life with decent profit.

      In many cases a warrant has become just a letter or phone call with no opposing voice to challenge. It often has no judicial or independent check, e.g. a RIPA warrant in the UK has no check, is not revealed to you, is just a letter from a policeman, is never challenged in court, and millions of these are issued.

    3. Re:If they have a warrant by Anonymous Coward · Score: 3, Insightful

      The problem is that first off a vast majority of information requests from the government these days are not in the form of a warrant, they are subpoenas, which have little if any judicial oversight. Businesses can challenge them in court but often don't as this is a time and cost intensive process that can result in "unfortunate" side effects (see Qwest). Secondly warrants are a joke these days, for example the FISA court approves 99.97% of requests. And even in the rare cases where there has been enough evidence to prove beyond all doubt that a warrant (which can't be challenged until after the fact) was illegally obtained, court cases have held that any evidence resulting from that search can be used anyway.

    4. Re:If they have a warrant by Beezlebub33 · Score: 5, Insightful

      FWIW, the argument that 'metadata is not data', and so who you called does not require a warrant, is based on Smith v Maryland. The Supreme Court ruled that gathering metadata does not constitute a search.

      However, that was 1979, pre-internet. In light of the ability to collect massive amounts of metadata, from almost all aspects of a person's life, combined with the ability to computer analyze that information, I would argue that Smith v Maryland should be re-considered. In that case, it was decided on the idea that the gathering of metadata provided limited insight into a person's life, and that is no longer the case.

      --
      The more people I meet, the better I like my dog.
    5. Re:If they have a warrant by msauve · Score: 2

      The "metadata" in Smith v Maryland was limited to what a pen recorder could provide, which was called party number, time and duration. Contrast that to cell phone records which also contain caller number (so now data is specific to actions made by the target), location, voice/data/SMS information, and a stronger association with an individual (a landline of S v M vintage wouldn't be as closely associated with an individual as a cell phone).

      Additionally, the decision in S v M depended upon a user's lack of an expectation of privacy - that was the days of Ma Bell, where you took what they offered (which included no assurance of privacy) or nothing. Modern cell companies are competitive, and most if not all offer specific privacy policies as part of their ToS, so there _is_ a reasonable expectation of privacy.

      None of that has been addressed in subsequent cases; law enforcement has simply taken the attitude that anything other than the actual voice content is OK.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  3. "more than one in three IT pros" by Anonymous Coward · Score: 2, Interesting

    1) Is it legal in the US to ask the question of job candidates, "Do you believe that the government should be required to hand over cloud data to the government without a warrant targeted to a particular individual?" I would ask this and reject anyone who said 'yes'.

    2) Which immediately shows that the question is annoyingly ambiguous because it doesn't specify whether this is fishing expedition type access or targeted warranted access, so the survey results are meaningless.

    In particular, it might be that e.g. German respondents with their strong privacy laws assumed it was only referring to access with a warrant.

    1. Re:"more than one in three IT pros" by Anne+Thwacks · Score: 3, Insightful
      Correct -
      • 9/10 Slashdot abusers believe that asking ill-defined questions leads to ill-defined results.
      • 9/10 pollsters are paid to ask ill-defined questions.
      • 9/10 "journalists" have some difficulty spotting a question, and when they do, they report on the spots, and not the question... I blame alcohol.
      --
      Sent from my ASR33 using ASCII
  4. Re:The real question should be by cryptizard · Score: 3, Insightful

    This kind of naive approach only works for simple storage services like Dropbox. Anything more complicated and the server has to be able to decrypt the data in order to do its job. Gmail has to be able to search through your inbox. AWS has to be able to run code over your data. There are some cutting-edge crypto solutions to do searching or computing over encrypted data, but they add substantial overhead on the server side. It would increase the cost of cloud services by 100x or more.

  5. Duty to Protect Privacy by Roger+W+Moore · Score: 2

    I'm of the opinion that anyone that stores data for you in a professional capacity is acting as an agent on your behalf and should enjoy the same legal protections that you yourself would have if you had the data yourself.

    That's not what I want since it leaves the provider the option to voluntarily share my data. What we have in Canada is far better: the holder of the data has a legal duty to protect your privacy and cannot share your data with anyone unless required to do so by law.

  6. Probably have to with a warrant by swb · Score: 2

    With a warrant and the ability (the keys), cloud vendors would probably have to decrypt it.

    The rubber hits the road when it comes to "without a warrant" -- that tests how flexible their morality is. Are they willing to turn down only the requests where a legitimate court order wasn't present?

    It seems obvious to me that if you want encrypted data, you probably want to encrypt it yourself. The cloud is just storage; you can create your own trust model for encrypted data that doesn't include them.

    That being said, there may be practical advantages to cloud-provider managed encryption where the risk:reward makes provider encryption worthwhile. What would be nice would be an encryption system with an access log of some kind to verify key usage. This would allow for a canary in the coal mine warning that your data had been decrypted by someone else. It's imperfect, but it's better than just silent loss of access control.
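One way to build the key-usage access log the comment above asks for, as an added example that is not from this thread or from any provider's product. Each use of a provider-managed key appends a record whose hash covers the previous record, and the data owner audits a copy of the log against the head it saw last time. The names KeyUse, UsageLog, Append and Audit, the actor strings and the sample activity are all constructed for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// KeyUse is one record of the provider-managed key being exercised.
type KeyUse struct {
	Seq    int
	Actor  string // principal that asked for the operation
	Object string // which stored object
	Op     string // "encrypt" or "decrypt"
	Prev   string // hash of the previous entry, "" for the first
	Hash   string // hash over all the fields above
}

// hashEntry covers every field including Prev, so changing or dropping any
// earlier entry changes every hash after it. %q keeps the encoding unambiguous.
func hashEntry(e KeyUse) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d%q%q%q%q", e.Seq, e.Actor, e.Object, e.Op, e.Prev)
	return hex.EncodeToString(h.Sum(nil))
}

// UsageLog is the provider-side chain. Every key operation appends one entry.
type UsageLog struct{ Entries []KeyUse }

func (l *UsageLog) Append(actor, object, op string) KeyUse {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := KeyUse{Seq: len(l.Entries), Actor: actor, Object: object, Op: op, Prev: prev}
	e.Hash = hashEntry(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Audit is what the data owner runs over a copy of the log. It verifies the
// chain, checks that the head recorded at the last audit is still present
// (otherwise the log was truncated or rewritten), and returns one alert per
// decrypt performed by an actor the owner does not recognise as itself.
func Audit(entries []KeyUse, knownHead string, own map[string]bool) (alerts []string, head string, err error) {
	prev := ""
	seenKnown := knownHead == ""
	for i, e := range entries {
		if e.Seq != i || e.Prev != prev || hashEntry(e) != e.Hash {
			return nil, "", fmt.Errorf("chain broken at entry %d", i)
		}
		if e.Hash == knownHead {
			seenKnown = true
		}
		if e.Op == "decrypt" && !own[e.Actor] {
			alerts = append(alerts, fmt.Sprintf("entry %d: %s decrypted %s", e.Seq, e.Actor, e.Object))
		}
		prev = e.Hash
	}
	if !seenKnown {
		return nil, "", fmt.Errorf("recorded head %s not found: log truncated or rewritten", knownHead)
	}
	return alerts, prev, nil
}

func main() {
	owner := map[string]bool{"alice@example.com": true} // constructed owner identity
	var usage UsageLog
	// Constructed activity: the owner's own use, then a decrypt by someone else.
	usage.Append("alice@example.com", "ledger.csv", "encrypt")
	usage.Append("alice@example.com", "ledger.csv", "decrypt")
	_, head, err := Audit(usage.Entries, "", owner)
	fmt.Println("first audit:", err, "head", head[:8])

	usage.Append("support-desk", "ledger.csv", "decrypt")
	alerts, _, err := Audit(usage.Entries, head, owner)
	fmt.Println("second audit:", err, alerts)
}
```

The chain is what makes the canary worth having: an entry cannot be quietly edited or removed after the owner has recorded the head, and a log that shrinks is itself the alert. It is still only as honest as the component that writes it, since a provider that never logs a decrypt leaves nothing to detect; that is the "imperfect" the comment concedes, and the reason a log maintained by a party other than the one holding the key is stronger.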