Slashdot Mirror


Big Brother is Being Increasingly Outsourced To Silicon Valley, Says Report (fastcompany.com)

The federal and local governments have long relied on private companies for defense and law enforcement technologies, from Lockheed Martin jet fighters to Booz Allen Hamilton data analysis. But increasingly, the government is expanding beyond the usual defense contractors to the company that also provides free shipping and online TV. From a report: "The ... thing that was shocking for me was to understand just how the federal authorizations are allowing Amazon to have such a monopoly over the storage of government information," says Jacinta Gonzalez, field organizer for immigrant advocacy group Mijente. Along with the National Immigration Project and the Immigrant Defense Project, Mijente funded a new report entitled, "Who's Behind ICE?: The Tech and Data Companies Fueling Deportations." Its findings are based on documents such as contracts, memoranda, and corporate financial reports, which are publicly available but take a lot of digging to decipher.

While Amazon plays the leading role, the report also details the involvement of companies including Peter Thiel's Palantir, NEC, and Thomson Reuters in storing, transferring, and analyzing data on both undocumented residents and U.S. citizens. The U.S. government is moving its databases from federal facilities to cloud providers, especially Amazon Web Services (AWS), raising concerns about accountability.

2 of 70 comments

  1. Mijente by 110010001000 · · Score: 2, Insightful

    "Imagine a movement that is not just Pro-Latinx...but pro-Black, pro-woman, pro-queer, pro-poor because our community is all that and more."

    You must be kidding me. Does AmiMojo work there?

  2. Among the Issues by ytene · · Score: 3, Insightful

    This is one of those "devil in the detail" stories.

    For example, if the government used the resources of AWS for a basic "elastic compute" facility - i.e. to cope with surges in demand of their own in-house compute farms, and if (big if) all the applications that the government ran used a form of Application Level Encryption (ALE) that did not require the use of cloud-provider-owned HSMs, then this looks like a more-or-less conventional facilities outsourcing program.

    But what if it's not so clear-cut as that? What if the government stores data in the cloud, long term? What if the government uses Amazon HSMs to secure their content? By implication, the risk here is that this would give Amazon administrators access to the government's data. Should that happen, the least dangerous thing I'd expect to see is Amazon starting to shut down accounts for anyone on a government watch list. The worst-case scenario is much more significant.

    So a big part of the potential issue list for this sort of model will depend significantly upon the architecture that the Cloud providers agree to. Disclosure: I've worked for a very large financial institution that discussed cloud services with Amazon - and they absolutely refused to allow us to host our own HSMs in Amazon data centers. How likely are they to change that answer?

    The second question, after the relative safety of the data once it's in the cloud, concerns the way that the government is setting about this sort of procurement. There was, if I recall, some interesting material in the documentation released by Edward Snowden. The short version of this story is that BAH were putting together a proposal to meet a government RFC, in which a BAH technician raised the concern that even though it would be possible to implement the solution as requested, there was no way that the government would be able to interpret all the data the new system would collect. A BAH Manager wrote back, "Look, you're technically correct, OK? But your job isn't to tell the client that their idea won't work, your job is to sell the client whatever the client asks for. Then, next year, when the client realizes that this solution doesn't work, we can sell them an upgrade to fix that problem..."

    In other words, there is the danger that some of the providers that tender for this sort of business [and note: I am not for one moment suggesting that any company would certainly do this; rather, I am pointing out an implementation risk] might well be able or tempted to sell a solution to the government that just doesn't work. It's my experience that too often when a government runs a bidding process for a solution, the people responding to the bid know so much more about the topic than the person managing the bid, they run rings around them.

    This is particularly relevant because of the subject matter likely involved here. I can easily see the government saying that the entire bidding and outsourcing process has to be classified because "national security", which means that proper accountability controls will be pushed aside.

    That would not be good.