With free people now gazing through PRISM, darkly, Apple [AAPL] has moved to quell fears concerning its customer's online privacy by revealing those details it is aware of regarding the US NSA's legitimately filed requests for that data -- but have we got the big picture, or just a partial account of what's been going on?
[ABOVE: "When I was bought up I was taught that communist Russia …was bad because they followed their people, they snooped on them, they arrested them, they put them in secret prisons…We're getting more and more like that," says Apple co-founder, Steve Wozniak.]
Does not compute
Apple last night joined Google, Facebook and others in publishing a statement disclosing some detail about what requests US law enforcement have made for customer data, or at least, those requests it knows about. These statements may be designed to reduce the concern most global citizens feel about how safe their data is, but it is arguable that the remit of the PRISM project appears much wider than the details disclosed.
You see, as described, PRISM is a top secret surveillance technology that sounds -- and I do stress, "sounds" -- as if it might be an additional level of surveillance to the legitimately made data requests Apple and other big Internet firms are talking about -- so could this fresh information be designed to disguise the true facts?
Perhaps the strongest hint that this may indeed be the case could be the shocked cross party reaction shown by Senator's briefed on the full extent of PRISM last week.
What's key is that as data becomes increasingly cloud-based, people will need reassurances that their data is safe.
It's not the guilty who require such assurances -- we can assume those guilty of planning terrorist atrocity are already incredibly careful to cover their tracks: the ones who need to be reassured are the vast majority of law-abiding humans on the planet who expect to get on with the peaceful and private enjoyment of their lives.
After all, if the claims concerning the nature of PRISM are correct, then the NSA is able to access huge quantities of personal data. That's a big concern for business users exploiting cloud services -- what safeguards do they have in the event an intelligence official goes rogue, takes business critical data and then sells it to the highest bidder?
That need for privacy also extends to almost any Apple user who may hope to use the company's all-new iCloud Keychain service, which will host all your passwords and credit card details within the Apple cloud. How secure is this data really? Given the unknowns surrounding PRISM, is the company 100 percent aware of just how deep the system goes in terms of secret access to Apple-hosted accounts? At present, I don't think we know.
Of course, given the need for secrecy and national security we can't expect to be fully briefed on how PRISM works, but here is some of what Apple has been permitted to say it knows, with regard to its position with regard to law enforcement data requests (you can read the company's statement in full here):
"Two weeks ago, when technology companies were accused of indiscriminately sharing customer data with government agencies, Apple issued a clear response: We first heard of the government’s “Prism” program when news organizations asked us about it on June 6. We do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order."
The thing is, Apple's statement leaves a few gaps.
For example, it says only that it has been authorized to share "some" of the data regarding US government requests for information relating to national security.
The company confesses that between December 1, 2012 and May 31, 2013 (around six months) it received between 4,000 and 5,000 requests from US law enforcement for customer data. It discloses no historical data with which to evaluate whether the number of such requests has risen or declined in the last few years.
"Between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters," the company adds.
The nature of the requests Apple says it has received appear very, very different from the kind of routine access PRISM reportedly provides:
"The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer’s disease, or hoping to prevent a suicide," the company said.
These descriptions seem odd. It is, after all, unlikely that the NSA's PRISM project is even remotely concerned with attempting to prevent suicides or finding Alzheimer's patients. So could these newly disclosed law enforcement data requests relate to something else? Could these requests be absolutely nothing at all to do with PRISM?
Apple has what seems to be a little advice for those of its users who want to ensure their communications are kept private:
"For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form," the company said.
"We will continue to work hard to strike the right balance between fulfilling our legal responsibilities and protecting our customers’ privacy as they expect and deserve," the company concluded in its statement.
That's laudable, but given the difference between the nature of the requests Apple has published information about and the claims made concerning PRISM by whistleblower, Edward Snowden, I remain concerned the world's quiet majority of law-abiding Internet users have not been told enough to make up their own minds.
This means I remain concerned at the future of cloud services for business, and at the fate of Apple's iCloud Keychain.
Because if the NSA has figured out a way to sidestep the official channels for personal data requests (which I wouldn't expect it to admit), then the guardians of that data (Apple et al.) cannot be expected to guarantee that criminals and foreign governments aren't using the same routes to access customer data. You can't protect against what you cannot see.
Where's the oversight?
Sure, this will be one huge opportunity for firms offering products designed to encrypt communications, but why should a rank and file Internet user be expected to work in this way?
The implication of the continued PRISM-related information is that all cloud services may be less secure than the companies that develop those services may have thought them to be.
PRISM, in other words, undermines the future evolution of the computer world -- and that's even before you question its effect on personal privacy.
Got a story? Drop me a line via Twitter or in comments below and let me know. I'd like it if you chose to follow me on Twitter so I can let you know when these items are published here first on Computerworld.