Lavabit-DOJ dispute zeroes in on encryption key ownership
Enterprises should own and manage all keys, but that's easier said than done
Computerworld - The government's insistence, in its dispute with Lavabit, that cloud service providers hand over their encryption keys when asked has refocused attention on key ownership and management in the cloud.
Security experts agree that the best way for companies to ensure that their data is safe from snooping eyes in the cloud is to encrypt all their data and to maintain total ownership of the encryption keys. However, pulling off that feat is not always easy, practical or cheap.
Lavabit, a provider of secure hosted email services, shut down operations in August citing concerns that the FBI was coercing it into divulging personal information on its customers.
Founder Ladar Levison claimed at the time that he would rather shut down the company than be part of what he described as crimes against the American people. His actions were prompted by government demands for his company's private Secure Sockets Layer (SSL) keys for decrypting email communications believed to belong to former NSA contract worker-turned-document leaker Edward Snowden.
Levison maintained that the keys would allow the government to unlock all encrypted communications belonging to Lavabit's users. He claimed the government's request was similar to someone asking for the master key to open all the rooms in a hotel, when all that was needed was access to a single room.
After initially digging in his heels and getting slapped with a $10,000 fine by a federal court, Levison finally hand-delivered a disk containing the keys to the FBI in August.
The U.S. Department of Justice accused Levison of compromising its investigation by shutting down the company and going public with his complaints. In a motion filed in the U.S. Court of Appeals for the Fourth Circuit this week, the DOJ maintained that Levison did not have the right to thwart the government's legitimate surveillance activities by shutting down the service altogether.
The DOJ angrily dismissed Levison's "parade of hypotheticals" regarding the actions the government could take with the encryption keys and likened his actions to those of a business locking its front gate to thwart execution of a search warrant.
The situation shows why companies that want to protect their data in the cloud need to encrypt everything and maintain full control of the encryption keys.
"This disclosure issue at Lavabit is one very good example of an organization's inability to maintain ownership and control of data in traditional cloud computing environments," said Elad Yoran, CEO of Vaultive, a vendor of cloud encryption technologies. "If a third party can turn our data over without our knowledge or authorization, do we really own or control our data in the cloud?" he said.
If a company maintains its own encryption keys, the government will need to make a legal request for the keys with the company and not the cloud provider, he said. Otherwise, all they would get from the cloud provider would be "encrypted useless gibberish," he said. "This puts the power of ownership back into the hands of businesses."