Adopt Mandatory Cloud Encryption for Compliance and Privacy

Everyone except Americans have no privacy protection and are at risk of arbitrary privacy violations from US government agencies.

United States Law Supports Arbitrary Surveillance of Non-US Citizens

“It intentionally [FISAAA] targets only non-US persons located outside the US and provides for a blanket authorization to this for one year at a time. There is no individual warrantry,” said Caspar Bowden the former chief privacy adviser to Microsoft, who is now an independent advocate for information rights. Bowden co-authored a privacy report¹ released in January 2013 for the EU and appeared during a conference in Brussels to discuss the findings.

The wide reaching rights granted to US government agencies under FISAAA, which is an amendment added with the PATRIOT Act, forces full disclosure of all records and all data of all users stored with and handled through US companies. Essentially all foreign nationals are potential privacy victims of FISAAA as everyone has contact or vague association (such as using the same service) with someone that has a political interest that for instance oppose the war in Iraq or wants to stop drilling for oil in the Arctic.

US companies are forced to silence under the law and are granted immunity for their cooperation. Not complying or exposing that a violation has a occurred is punishable by FISAAA. It should be noted that a non-US company that has data exposed through FISAAA that in turn affects its users are not covered by the immunity.

Everyone On the Internet is Affected

The implications of FISAAA are far reaching as the services that are affected include hosted email, file storage, backup, software versioning systems, cloud servers, voice and video services, data management systems such as CRMs and project tools and also all data stored with services providers that are US based or controlled by US companies. All data that passes through a Internet node that is controlled by a US company is also affected. Examples of companies that are affected is Google, Amazon, Rackspace, Dropbox, Salesforce, GitHub, Facebook, Apple, AT&T, Microsoft (which includes Skype). These companies together touch most of the worlds Internet users. And they are bound to comply to FISAA as Microsoft stated to the BBC: “If a law enforcement entity follows the appropriate procedures and we are asked to access messages stored temporarily on our servers, we will do so”²

Two US senators wrote an open letter³ to the Attorney General in 2012 about the implications of FISAAA on US citizens:

“We believe most Americans would be stunned to learn the details of how these secret court opinions have interpreted section 215 [allowing access to private data] of the Patriot Act.”

The question that arises is how foreign citizens would react on the violation of their human rights. As the UN declaration of Human Rights states in section 12:

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Other territories legislation protects both native and foreign citizens in their Privacy laws. Section 2 of the EU Data Protection Directive clearly states that for example US citizens have equal privacy rights.⁴

American companies are caught in the middle which is exemplified by Microsoft into whom the EU opened a privacy probe in December 2012.⁵

Why Is Privacy Important

Organizations for example established in the EU are bound to protect their users privacy. It can be argued that as things stand it is questionable if American companies can be used when storing unencrypted data that may contain any privacy sensitive information.

There is no disclosure to what use the US is putting the data they collect. This is of concern to organizations that perform research and development on a global competitive market.

Encryption Holds the Key to Privacy

The appropriate use of encryption can help organizations to achieve privacy and security.

The most important part of encryption is proper key handling. The key is the string that is used to encrypt and decrypt data. If you have the key you have access to the data.

The Cloud Security Alliance issued new recommendations in 2012 which stated:

“Whenever possible avoid any reliance on cloud providers to protect and appropriately use the keys that protect your critical information… If only you have the keys, only you can access your files.“⁶

To relate this to FISAAA it means that if your service provider is encrypting the data on your behalf and are in control of the encryption key they will have to hand over your data when requested to do so. Having proper key management also protects you against service provider flaws and hackers.

The solution is to separate key management and storage. If all data is encrypted locally prior to being transferred to the cloud for storage and transfer the problem with FISAAA is solved.