Why PRISM kills the cloud

The migration from desktop computing to the cloud is on every tech firm's playlist this season, with Apple [AAPL] expected to deliver improvements to its iCloud service later today -- but recent revelations regarding the US government's PRISM surveillance technology could be the kiss of death to these future tech promises. (You may also wish to read this more recent report).

Prism kills the cloud

[ABOVE: There's more to cloud services than iTunes Match.]

Security is essential

Think about it: In order for cloud computing solutions to be seen as viable alternatives to more traditional desktop solutions users -- personal and business users alike -- need to be 100 percent certain their data is secure.

It is unlikely too many people want their privacy curtailed in exchange for convenience -- and reports claiming the US can pretty much tap into a user's personal data and information from any PRISM-enabled system installed in locations worldwide undermines expectation of secure data in the cloud.

What is PRISM? Whistleblower, Edward Snowden, put it like this when he spoke with The Guardian this weekend (there's a video of him speaking below):

"The NSA has built an infrastructure that allows it to intercept almost everything. With this capability, the vast majority of human communications are automatically ingested without targeting. If I wanted to see your emails or your wife's phone, all I have to do is use intercepts. I can get your emails, passwords, phone records, credit cards.

"I don't want to live in a society that does these sort of things … I do not want to live in a world where everything I do and say is recorded. That is not something I am willing to support or live under."

Competent cloud service provision

US technology firms have attempted to deny the PRISM claims. One Apple spokesperson even claimed Apple "has never heard" of it. Google claims no knowledge of it. In fact, if you listen to the technologists, no one has any knowledge of the highly confidential surveillance tech.

These denials are open to challenge. Take this deconstruction of Yahoo's denial written by security and privacy researcher, Christopher Soghoian. He observes that Yahoo:

"Has not in fact denied receiving court orders under 50 USC 1881a (AKA FISA Section 702) for massive amounts of communications data."

Yahoo's denial stresses the company has never volunteered to share this data with the spooks, adding:

"We deeply value our users and their trust, and we work hard everyday to earn that trust and, more importantly, to preserve it."

Despite Soghoian's poignant analysis, let's give Yahoo and the other big tech firms the benefit of the doubt. Let's assume their denials mean they knew nothing of PRISM. Surely that's OK?

No. That's not OK. That's far, far worse.

You see, if it's true the US government has been routinely monitoring communications ("for your protection") and the big tech firms were unaware of this, then it suggests intelligence services have managed to find a way to access such data without the big tech firms being aware of the transaction.

If that is true then it suggests security flaws exist across all cloud service providers that can be exploited by anyone who knows where they can be found. This means that while the US has been exposed as accessing the data at this time, there's no great guarantee that other intelligence services and even powerful entities outside of government haven't also identified the same security gaps. Which means the presidential reassurances on the matter don't fill me with warm, cosy feelings -- particularly since I'm in the UK.

Safety no longer guaranteed

Given even the big tech firms are unaware of these gaps, there's no way then of knowing that a user's data safe.

In the event that the big tech firm's -- by their own admission -- were unaware of government monitoring of their services, then users are left in a position in which they now know their service providers cannot in sincerity guarantee their data is safe.

That's less of a problem for US users, as the PRISM story does suggest their data is protected by some elements of the Constitution. However, international users are fair game, apparently.

Given the sheer quantity of international data passing across various cloud services into servers based in the US, that's a big concern.

It's not just a concern for blameless, guilt-free individuals who don't want governments, or anyone else, snooping through their information; it's also a huge concern for businesses that are increasingly storing confidential business data in the cloud.

Given competition is international, many businesses should now be asking themselves if they can trust their cloud service provider, particularly if that provider happens to be Google, Amazon, Microsoft…

In addition, if Microsoft, Apple, Google and Yahoo were unaware surveillance was taking place, what hope is there for security from smaller cloud service providers?

It is of course possible these firms were aware of PRISM, but have been required to deny it for reasons of "national security." Does that make it any better?

Of course not: It means, once again, that international business have been subject to routine surveillance of their data with very little oversight.

Who watches the Watchmen?

Perhaps that's fine in a perfect world, but in this imperfect world just how long might it be until confidential business secrets are stolen from cloud-based servers in order to be sold to the highest bidder by some rogue security professional? Human nature says this is likely to happen at some point, even if it hasn't already.

The result?

The cloud has been compromised.

In order for these services to become the main foundation of the Post-PC future, users are utterly justified in demanding binding commitments to security from service providers.

If such a commitment cannot be made, then business users may as well publish every slice of their confidential data to a public blog. That's even before they consider that if the US is engaged in such surveillance, others are probably engaged in it, too.

It is surely time for an internationally binding Bill of Digital Rights in which privacy is enshrined. However, even if there were such a Bill, would governments respect the spirit of it? In the words of Alan Moore, "Who watches the watchmen?"

By its very existence, PRISM encapsulates almost every argument against placing your trust in cloud services. A shame for all users and a likely tragedy for Apple as it attempts to bring its users into the iCloud this evening at WWDC.

Got a story? Drop me a line via Twitter or in comments below and let me know. I'd like it if you chose to follow me on Twitter so I can let you know when these items are published here first on Computerworld.

FREE Computerworld Insider Guide: IT Certification Study Tips
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies