ThinkPiece: PRISM/Pandora, NSA, GCHQ, Edward Snowden
One thing I want to do more on the blog is write an opinion or OP-ED (opinion opposite the editorial) on various subjects close to my heart. I think it might be time for me to do as much of this type of writing as my more usual tech-focused – “how do I make this work” material.
In recent days and weeks the techmedia and bloggers generally have started to talk about the PRISM/NSA/GCHQ/Snowden debacle, and its impact on cloud adoption. Before I talk about the impact on cloud I want to get my position clear first. I don’t think Edward Snowden is a traitor. I think he’s a whistleblower. The tactics of the US Govt against Snowden (with the complicity of the UK and the EI), in smearing him as such as a threat to “National Security” are essentially a media smoke screen, a media diversion – to distract the general population (the voters who elected the politicians) from the fact that in some cases legal protections that are in place to protect citizens from the covert actions of the security community – have at best being sidestepped or breached. Don’t get me wrong I believe we do need security services. But they need to be tightly controlled by proper oversight that is democratically accountable…
Mr Snowden hasn’t disclosed the names, locations, or activities of any CIA/MI5/6 operative. Nor has he spilt the beans on any security programs such as military technology or covert black-operations elsewhere. Nor has he exposed the secret cables that pass between embassies and diplomats – as was the case in the Bradley Manning/WikiLeaks situation.
What I personally find very worrying is that the response has largely been one of acquiescence. The big tech companies involved have basically stated they will rollover and have their tummies tickled whenever govts make these requests; Last week two big secure email companies shutdown their operations rather than hand over the keys to the Kingdom; Europe on the other hand worked hand in glove with the US authorities to make Snowden’s situation as hard as possible.
Then there’s the response of ordinary people: “I’m not a bad guy, so its okay for the government to snoop on me – because they’re only after the evil terrorists”. I’m sorry, but people who espouse this view are essentially accepting a type of George Orwell “Big Brother” view of the world. If you’re not a criminal, its fine for the govt to install CCTV cameras in your home, right? If I hacked your email that would be a crime, but if the government does it without your knowledge that’s called “National Security” right?
ANYWAY. Less of my political ranting. What impact does this have on cloud? Answer: None. Why? Well, if you thought before the Snowden revelations that your data was impermeable and secure once it had left your building – you were quite clearly deluded. Few online systems are protected from the sysadmin with rights. In a way Snowden’s revelations prove this point. With his level of sysadmin rights this information might never have reached the public domain. So if you put your data in the cloud – what protects it from a rogue sysadmin? The answer to this should be proper security that’s designed for multi-tenancy. I would like to see some sort of delegation rights where tokens are used to allow access to systems for temporary troubleshooting assistance, and encryption of data in flight and data at rest that allow access for the tenant. Assuming your Cloud Provider doesn’t hand over those keys. Right now the model is based on trust, and trust alone. We have to blindly trust the govts and intelligence services – and we have to blindly trust cloud providers. And sometimes its not even malicious intent that’s the source of over-stepping the line. In today’s revaltions this choice anecdote was flagged up by the BBC News website:
In one instance in 2008, a “large number” of calls placed from Washington DC were intercepted after an error in a computer program entered “202” – the telephone area code for Washington DC – into a data query instead of “20”, the country code for Egypt.
Honestly, this is the stuff of “The Thick of IT” satire. You can’t make this sort material up. Although I suspect a computer program didn’t enter the numbers incorrectly. But a human (a programmer?) made a human mistake. Remember computers only do what we tell them too, they haven’t become sentient beings. Yet… 😉
For me one of the rich ironies of the whole sorry tale is the use of the project name of Pandora for the UK end of the internet hoovering machine. As you might know Pandora was the first human created by the Gods. According to the Hesiodic myth, Pandora opened a jar, in modern accounts sometimes mistranslated as “Pandora’s box”, releasing all the evils of humanity — leaving only Hope inside once she had closed it again. She opened the jar out of simple curiosity and not as a malicious act.
[I’ve reworked this from a wikipedia entry… http://en.wikipedia.org/wiki/Pandora]
You could say Mr Snowden has opened the intelligence services’ “Pandora’s box”. All that remains is the hope that our individual freedoms will be respected. I think Ben Franklin had it right when he said “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”