Personal information at risk as spying agencies tap the cloud
Government spying has been a hot topic of late, thanks to the recent revelations that the U.S. National Security Agency has been spying on American and foreign citizens by vacuuming up huge amounts of communications data directly from big telecom companies. This was quickly followed by the announcement that Canada’s spy agency, the Communications Security Establishment Canada (CSEC), has been conducting its own secretive surveillance of innocent citizens.
We deserve to know if our sensitive private information is being collected and stored in giant databases, and why. The Internet freedom community has rallied in the face of these discoveries, with thousands quickly joining the No Secret Spying campaign to voice their opposition. Now as we try to figure out the next steps, it’s important to consider how we got here in the first place.
Our increasing use of the Internet has brought many benefits in the form of faster and more efficient access to information, and a greater ability to connect and communicate. This has continued with the growth of ‘cloud computing’, a type of computing where data is not stored on an individual’s device, but rather in cyberspace (or more specifically on servers elsewhere), and it’s accessed through applications- like Dropbox, Google Docs, or Apple’s iCloud.
As more and more of our personal information circulates online, is stored in ‘the cloud’, or is moved about on USBs and other portable devices, it’s essential that we make sure those data flows are secure. And as we’ve been seeing, due to a lack of safeguards they’re not secure at all when it comes to the government. Cloud services are likely more secure for both citizens and the government than carrying around USB keys or hard drives full of sensitive data (see “data breaches” below), but that increased security goes out the window when government bureaucrats recklessly use them for spying without our consent.
Governments have been quick to capitalize on the increased accessibility of our data. As privacy experts have pointed out, regardless of whether existing U.S. rules are effective at protecting American citizens (a questionable claim at best), it offers “zero protection to foreigners’ data in U.S. Clouds.” And that’s a vast amount of our data, considering how many services and applications are hosted in the States.
Meanwhile, Canada’s Privacy Commissioner has long been concerned about the lack of protections around cloud computing at home. Research has suggested that the recently defeated online spying bill might allow law enforcement to access a range of data through a cloud provider, above and beyond what was intended, because they are able to bypass the organization that owns the data, and go straight to where it is stored.
In addition, while governments have been quick to respond to this increased ability to conduct surveillance, they have not been so enthusiastic about creating and enforcing protections for innocent citizens who are getting caught up in this digital dragnet.
On the contrary, we’ve seen moves in the U.S., in Canada, and internationally to remove the remaining barriers to online spying which currently afford us some protection. In fact, as noted by UN representative Frank La Rue, this expansion of surveillance beyond national borders increases the risk of undemocratic agreements between law enforcement and security agencies seeking to get around the legal restrictions on online spying.
Vulnerabilities and Hacking
Rather than focusing on improving security and guaranteeing privacy, the government has been promoting the idea of building back doors into service providers and networks, to allow for better surveillance. But those back doors make the system even more insecure.
As the BC Civil Liberties Association noted in their assessment of online spying laws, “by requiring [service providers] to maintain a “back door” for law enforcement surveillance, the state is creating a heightened risk that hackers will exploit that back door for their own, possibly criminal, purposes.”
The ‘cloud’ storage centres and the networks themselves aren’t the only spaces which need stronger safeguards. We’ve already seen a spate of data breaches as hard drives and USBs containing the personal information of Canadians have been lost, stolen, or misplaced by various government departments. This generalized state of insecurity is indicative of what MP Charmaine Borg has called a “systemic problem” with our national data management practices.
So what’s the solution?
We don’t want to encourage the fragmentation of the Internet by restricting the flow of information across national borders. Internet users are citizens of a global community that spans countries, and increased information sharing can bring great benefits. What we need are guarantees that our data is secure. Instead we’ve seen state spying agencies illegally collecting our communications, vulnerabilities being built into our networks, and government departments losing our personal information.
As of right now the government’s secret spying on our private lives could affect anyone, at anytime and we can’t even tell when we’ve been victimized by it.
Enough is enough. We need our government to come clean about its spying practices.