US GOVERNMENT MOVES TOWARDS MORE TRANSPARENCY IN ITS DATA COLLECTION, BUT IS IT GOOD ENOUGH?
By Paige Leidig, SVP, CipherCloud
Edward Snowden’s continuing revelations of government surveillance of ordinary citizens’ and private enterprises’ Internet use and communications have become a regular staple of the news headlines, but so far governments have seemed unwilling to compromise on how much of our data they feel entitled to see. That looks like it might be changing now, however. Last month saw the announcement that the Obama administration has agreed to allow technology companies more freedom in disclosing US government requests for information.
Good deal? Bad deal?
As The Wall Street Journal reported, the agreement, negotiated between Deputy Attorney General James Cole and the general counsels of Google, Yahoo, Facebook, Microsoft and Apple, will allow technology companies to disclose the numbers of data requests they receive from the Foreign Intelligence Court and the FBI in increments of 1,000 or, in a modified option, increments of 250.
Companies may also estimate how many customer accounts have been affected by the reported requests. The Wall Street Journal (WSJ) reports that this “could help the companies fight back against perceptions that huge numbers of customers are affected by government surveillance.”
Under the terms of this agreement, Apple has disclosed that it received between zero and 249 national security orders in 2013’s first half, affecting a similar number of customer accounts. The WSJ suggested that this number is low because Apple’s business “does not rely on collecting large amounts of personal data about our customers,” as the other firms may do.
A good first step
This move towards increased transparency is a good step. One of the most damaging effects of the Snowden revelations has been the perception that vast numbers of Internet users are being spied on. Without concrete numbers, that perception could continue to damage cloud companies’ business by tarnishing all of them with the same brush.
The enhanced ability to report on government requests for information will give customers more visibility into the risks they incur by adopting cloud services and help them make more informed decisions.
But the agreement fails to go far enough. Knowing that your cloud provider has received 1,000 requests is one thing, but what are the requests for, and whom do they target? Apple received as many as 249 requests for customer information in the first half of 2013 alone. Google, Yahoo, Facebook, and Microsoft collect far more information thanks to their extensive cloud email and communication applications. What is an acceptable threshold for government requests from them? Customers and the market will both demand more detailed information before they can feel fully comfortable with the cloud.
Unfortunately, it may be some time before we can see that information, if we ever see it at all. Meanwhile, the cloud is here to stay, and government spying or not, financial services and other businesses that elect not to adopt the cloud may find themselves falling behind their competitors in terms of business agility and operating expenses.
That is why added cloud information protection is necessary. If data is encrypted before it even enters the cloud, and if businesses retain exclusive control of the encryption keys, then government surveillance becomes much less of a threat. Government agencies might get their hands on your data, but they will not be able to read it without your knowledge and consent.