Revelations in the last week around PRISM have shocked many and are forcing many of us to re-evaluate our position towards providers of cloud services. I don’t believe it comes as a shock to anyone that various US agencies have the ability to intercept internet traffic and scan it for threats to national security, nor do I believe anyone doubted they were actively using that ability. What I find shocking is the possible extent of the monitoring and the way it has been done. To me at least, an important question has to be asked in the wake of these revelations: is the cloud as we know it really a honeypot for PRISM?
Many of us today, both privately and professionally, use cloud services in some form: email, business tools, document storage and, more recently, SaaS vendors that handle authentication to various systems. In other words, Identity and Access Management is moving to the cloud. Many of us, including myself, have seen this as the natural evolution in this field, but while following Apple’s keynote yesterday from WWDC I heard about the new iCloud Keychain, and yes, Apple is on the list of vendors from which PRISM collects. iCloud Keychain is not very different from what we have seen in password managers like 1Password and in cloud single sign-on products. It is a solution that holds your credentials for the services and websites that you use, and depending on the flavour of the tool it can also hold your credit card details and other personal information. The point is that you use these tools to keep the information that is most sensitive and critical to you secure. Once in use, they become the place to break in, because gaining access to everything stored there gives an attacker all the information needed to steal your identity and abuse it.
Obviously most vendors of these products have gone to great lengths to secure the information they hold, encrypting it at rest and only communicating over encrypted connections, and this has put many minds, including my own, at rest thinking that all is well and good. But if US agencies have a backdoor like PRISM, then what is it all good for?
How secure is our information really, and more importantly, who is using it and for what? The problem here is that it is not yet publicly known how deep the rabbit-hole goes. Consider that you are taking all the right precautions to secure your data in the cloud (a strong password, two-factor authentication, strong encryption, and the list goes on), but then, with the help of the vendor, all your information is readily available to PRISM in clear and structured form. Readily available because most cloud vendors today can decrypt your data: they hold the encryption keys, and they do so partly out of convenience, so that they can recover your data for you if you lose your password. A vendor that holds the key can decrypt for anyone who compels it, and only a design in which the key is derived on your device and never leaves it takes that ability away, at the price of no vendor-assisted recovery. But if they can help you, then they can help PRISM, and now PRISM is not only monitoring your emails and what flows in cleartext over the internet. All of your information, no matter how well secured, could be flowing into PRISM. All of your corporate information, private data and even your credentials for your online banking and credit card information, your entire digital life, could be made available to the US authorities, aided by the very same vendors you trust to protect your data. This effectively turns the cloud into a “honeypot”, a collector of information for PRISM, and at the same time makes this the greatest data heist of all time.
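The two key-custody models described above, side by side, as an added example that is not code from the original post or from any vendor named here. In the client-held-key design the provider stores only a salt, a nonce and ciphertext, so it has nothing to hand over; in the escrow design it also keeps the key “for account recovery”, and can then decrypt on demand. The `VaultRecord` type, the function names and the sample secret are assumptions made for this illustration; the key derivation is iterated HMAC-SHA256, a stand-in for a proper password KDF (PBKDF2, scrypt or Argon2) so that the example runs on the Go standard library alone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// VaultRecord is what the provider stores for one secret (hypothetical layout).
// Every field is visible to the provider and to anyone who can compel it.
type VaultRecord struct {
	Salt        []byte
	Nonce       []byte
	Ciphertext  []byte
	EscrowedKey []byte // nil when the key never leaves the client
}

// deriveKey stretches a passphrase into a 256-bit AES key. Iterated HMAC-SHA256
// stands in for a real password KDF (PBKDF2/scrypt/Argon2) to stay stdlib-only.
func deriveKey(passphrase string, salt []byte) []byte {
	key := append([]byte(nil), salt...)
	for i := 0; i < 20000; i++ {
		mac := hmac.New(sha256.New, []byte(passphrase))
		mac.Write(key)
		key = mac.Sum(nil)
	}
	return key
}

func sealAESGCM(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

func openAESGCM(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// ClientSeal encrypts on the user's device. The provider receives only salt,
// nonce and ciphertext; the passphrase and the derived key never leave the client.
func ClientSeal(passphrase string, secret []byte) (VaultRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return VaultRecord{}, err
	}
	nonce, ct, err := sealAESGCM(deriveKey(passphrase, salt), secret)
	if err != nil {
		return VaultRecord{}, err
	}
	return VaultRecord{Salt: salt, Nonce: nonce, Ciphertext: ct}, nil
}

// ClientOpen decrypts on the user's device. A wrong passphrase fails the GCM
// authentication check instead of producing garbage.
func ClientOpen(passphrase string, rec VaultRecord) ([]byte, error) {
	return openAESGCM(deriveKey(passphrase, rec.Salt), rec.Nonce, rec.Ciphertext)
}

// EscrowSeal is the "we can recover your data if you forget your password"
// design: identical encryption, but the provider also keeps a copy of the key.
func EscrowSeal(passphrase string, secret []byte) (VaultRecord, error) {
	rec, err := ClientSeal(passphrase, secret)
	if err != nil {
		return rec, err
	}
	rec.EscrowedKey = deriveKey(passphrase, rec.Salt)
	return rec, nil
}

// ProviderOpen is everything the provider (or whoever compels it) can do with
// the stored record alone, without the user's passphrase.
func ProviderOpen(rec VaultRecord) ([]byte, error) {
	if rec.EscrowedKey == nil {
		return nil, errors.New("provider holds ciphertext only: no key to decrypt with")
	}
	return openAESGCM(rec.EscrowedKey, rec.Nonce, rec.Ciphertext)
}

func main() {
	secret := []byte("bank login: alice / correct horse battery staple") // constructed sample
	rec, _ := ClientSeal("my vault passphrase", secret)
	_, err := ProviderOpen(rec)
	fmt.Println("client-held key, provider decrypt attempt:", err)
	esc, _ := EscrowSeal("my vault passphrase", secret)
	pt, _ := ProviderOpen(esc)
	fmt.Printf("escrowed key, provider decrypt: %s\n", pt)
}
```

The question to ask any cloud credential store is simply which of these two shapes its `VaultRecord` has: if the vendor can reset your master password and still show you your data, it is the escrow shape, whatever the marketing says about encryption.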
The questions that really need answering are what information has been collected, who has had access to it, how it has been used and, most importantly, how we stop it. It makes a mockery of the many good initiatives to raise awareness of privacy issues, and of the fact that more and more people and organisations are taking extra steps to really secure their data, if a US agency can simply fly in and grab the information it wants at its leisure. A statement released by the European Parliament reads:
“Programmes such as PRISM and the laws on the basis of which such programmes are authorised potentially endanger the fundamental right to privacy and to data protection of EU citizens.”
On the upside, PRISM will also ignite even stronger initiatives around privacy and data protection. However we look at it, the revelations about PRISM erode the modest level of trust in the cloud that has been built up over the last few years. If this is how we are being monitored, then never mind the hackers: your information is already in the hands of people you did not give it to.