Slashdot Mirror


Should Cloud Vendors Decrypt Data For The Government? (helpnetsecurity.com)

An anonymous Slashdot reader quotes an article by Help Net Security's editor-in-chief: More than one in three IT pros believe cloud providers should turn over encrypted data to the government when asked, according to Bitglass and the Cloud Security Alliance (CSA). 35 percent believe cloud app vendors should be forced to provide government access to encrypted data while 55 percent are opposed. 64 percent of US-based infosec professionals are opposed to government cooperation, compared to only 42 percent of EMEA respondents.
Raj Samani, CTO EMEA at Intel Security, told Help Net Security the answers ranged from "no way, to help yourself, and even to I don't care..." But since vendors can't satisfy both camps, he believes the situation "demands some form of open debate on the best approach to take..."

6 of 136 comments

  1. Turn over: yes. Decrypt: no by sciengin · Score: 5, Insightful

    If they receive a legal and correct warrant, meaning one that has been issued by a proper court, not a secret, shady, pseudo-military one, where the accused can challenge it, then yes, the cloud provider should turn over the data.

    A smart provider however will have implemented its data management software in such a way that only his client has the key to decrypt the data it just turned over to the government. That way it cannot even be forced to decrypt it without violating the rules of mathematics and complexity theory.

    If that is not the case, meaning that the cloud provider is able to decrypt the data themselves, then a warrant might be only the least problem a client will have with such a company. Most likely their biggest problem will be that the cloud provider uses that data to directly or indirectly harm them, either by selling it to advertisers or by being unable to protect it during hacking attacks.

    1. Re:Turn over: yes. Decrypt: no by postbigbang · Score: 4, Insightful

      No sane entity stores unencrypted ASSETS anywhere. No network is safe from anything, let alone the bunglers in government. Unless you want the world to know and therefore own your assets, encrypt it. AES-256 with extra hashes at minimum is good, but there are others that are just as painful to decrypt.

      Cloud providers may have their own encryption schemes, but one presumes they're vulnerable, which is why you used your own-- and let the cloud vendor's scheme scramble it more.

      This moots the initial question, which is should cloud vendors deliver the goods to $government. The answer is: you don't care. Go ahead, cough up whatever, it's useless without the keys and hashes/hashing algorithms used.

      This is what CASB schemes are all about: control your own assets.

      --
      ---- Teach Peace. It's Cheaper Than War.
    2. Re:Turn over: yes. Decrypt: no by SvnLyrBrto · Score: 4, Insightful

      I'd like to add:

      Search for evidence, or assist in doing so: No. The government should not be able to conscript you into actual and unwilling service. With a proper warrant, as you describe, sure: "Turn over the 12 emails between party $x and party $y, sent on 2015-09-14." is okay. "Search for and provide us with every email in the last three years where person $x discussed topic $y with persons $a, $b, or $c, or anyone residing in country $foo." is not acceptable. That requires affirmative work, not just turning over specific (virtual) items they ask for. It steals productivity from the person and the employer. And, frankly, if I liked government work, I could have stayed in the one government contractor job I had; or actually gone to work for the government. "Build custom software, that otherwise would not exist, to insert a backdoor and destroy your product's security for us." is obviously entirely unacceptable as well.

      and:

      Force you to break the laws you're subject to in your business: no, No, NO! If our government wants access to data stored in the EU, that is nominally illegal to export out of the EU thanks to their data privacy laws; it should go through proper international channels to get access to it within the EU. It should not do an end-run around the law, and force some admin from Microsoft (Yes, this is a specific and, I think, still-ongoing case.) to open himself up to liability, and perhaps criminal charges; should he ever go there for vacation.

      --
      Imagine all the people...
  2. If they have a warrant by cjonslashdot · Score: 4, Insightful

    A warrant is supposed to provide independent (non-executive) oversight. No warrant - no data. That was the theory. Warrants exist to prevent abuse by the executive government, which would eventually tend to use unchecked surveillance powers to protect itself and to stay in power.

    1. Re:If they have a warrant by msauve · Score: 4, Insightful

      Warrants are also supposed to be supported by probable cause and be specific ("particular") about what's being sought and where. Not "phone records of all calls made in the US," which is exactly what's NOT supposed to be allowed.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:If they have a warrant by Beezlebub33 · Score: 5, Insightful

      FWIW, the argument that 'metadata is not data', and so who you called does not require a warrant, is based on Smith v Maryland. The Supreme Court ruled that gathering metadata does not constitute a search.

      However, that was 1979, pre-internet. In light of the ability to collect massive amounts of metadata, from almost all aspects of a person's life, combined with the ability to computer analyze that information, I would argue that Smith v Maryland should be re-considered. In that case, it was decided on the idea that the gathering of metadata provided limited insight to a person's life, and that is no longer the case.

      --
      The more people I meet, the better I like my dog.