In-Depth

Cloud Security Alliance's Call for Gov. Surveillance Transparency

A recent roundtable discussion hosted by the CSA discussed how both customers and providers are calling for more insight on federal data collecting programs like PRISM.

• By Jeffrey Schwartz
• August 15, 2013

Even before Edward Snowden leaked classified information that disclosed, the PRISM surveillance operation led by the U.S. government's National Security Agency (NSA), the Cloud Security Alliance (CSA) had established mechanisms for service providers to disclose their data-protection practices.

A key initiative was the Security, Trust & Assurance Registry (STAR) Registry, launched by the CSA two years ago, which is where cloud providers like Amazon and Microsoft have provided audited security controls.

Now that Snowden has unleashed a flood of classified information that points to PRISM and the NSA's widespread use of surveillance to thwart terrorism, the CSA has sprung into action, calling attention to its efforts and leading the discussion on the effect of surveillance on cloud security.

The Snowden leaks come just as IT organizations have started to become more comfortable with the notion that data can be securely stored in the public cloud. Concerned the Snowden revelations might have a chilling backlash on cloud deployments, the CSA conducted a survey in late June into early July after the leaks became public. The findings showed 56 percent of respondents outside the United States are less likely to use a domestic cloud provider, while 10 percent have actually canceled a cloud deployment here.

Less than a third of all participants, including domestic participants, believe there is adequate transparency on how often the government accesses their information. That lack of transparency was a recurring topic in the CSA's first-ever town hall panel held Monday.

"Today, there's no mechanism in place for cloud customers, any user organizations that rely on these cloud providers, to know when their data was exposed," said moderator Elad Yoran, VP of finance with the New York City chapter of the CSA and the CEO of Vaultive, an up-and-coming provider of a cloud encryption service. This is an issue Yoran has studied quite intensely for obvious reasons.

Not only is there a lack of transparency by the NSA and other U.S. law enforcement agencies, but many key cloud providers have complained that their hands are tied in that they're restricted in what they're permitted to disclose.

"This is definitely a hot topic for me," said panelist Peter McGoff, general counsel of Box, the popular cloud storage provider. "One thing we look at as a cloud provider, and what we're asking for, is more transparency in the process. We want to be able to communicate to customers at a minimum the numbers of such requests that we get in and what our process is. Right now, it's not quite super clear that we have that flexibility."

McGoff did offer that Box hasn't received an overwhelming number of warrants for enterprise data.

Back in June, after Snowden alleged that Microsoft was giving the NSA a direct line to Outlook.com (formerly Hotmail), SkyDrive and Skype, Microsoft general counsel Brad Smith immediately denied the claim in an extensive blog post.

"Microsoft does not provide any government with direct and unfettered access to our customer's data," Smith stated. "Microsoft only pulls and then provides the specific data mandated by the relevant legal demand."

Microsoft only responds to requests for specific accounts and identities, and governments must serve court orders or subpoenas for account information, Smith added. Microsoft has filed a petition with the court to allow it to disclose more information. "We hope the Attorney General can step in to change this situation," Smith said.

The Obama administration has resisted supporting changes in the disclosure policies, but last week the president proposed that the government should step up its efforts to be transparent. The proposal was vague and opposition from both parties indicated nothing will change in the near term. However, panelists during the hour-long CSA town hall webcast said Obama's proposal was a positive move.

"It's a good first step," Box's McGoff said. "I felt much better with president Obama coming out and putting a bright light on this."

Robert Brammer, a senior advisor to the Internet2 Consortium and CEO of Brammer Technology, agreed. "The review the president has talked about with the intelligence process with one of the objectives to create more transparency in the process will improve the level of dialogue on this subject," he said.

While calling for more transparency, Brammer argued there's a lot of misinformation, if not hysteria, about government surveillance activities. "Some of the emotional and superficial and narrowly based commentary that's come out in the media -- either in the newspapers or Sunday morning talk shows -- frankly makes this problem worse," he said. "We need a substantive dialogue on the issues and not a bunch of emotional sound bites."

One substantive point, Brammer noted, was a whitepaper (PDF) released last week by the Obama administration that lays out how telecommunications providers access and analyze metadata gathered from calling information.

"This information is limited to telephony metadata, which includes information about what telephone numbers were used to make and receive the calls, when the calls took place, and how long the calls lasted," according to the whitepaper's executive summary. "Importantly, this information does not include any information about the content of those calls -- the Government cannot, through this program, listen to or record any telephone conversations."

While Snowden revealed surveillance efforts that were previously not public, much of the concern that has surfaced is old news, added Francoise Gilbert, founder and managing director of IT Law Group, a law firm focused on domestic and international information privacy and security. The U.S. government has had surveillance initiatives in place dating back to the late 1960s, and the Foreign Intelligence Surveillance Act (FISA) was initiated in 1978, Gilbert pointed out during the CSA panel discussion.

"The topic of government access to data is not something new," she said. "There have been many iterations and many amendments to these laws to keep up with technology, technology progress, and there has been a movement for the past two years to amend one of these laws -- the Electronic Communications Privacy Act -- to also bring it to the 21st century."

Gilbert also pointed to due-process requirements such as the Wiretap Act. While critics of the Foreign Intelligence Surveillance Court (FISC), created under FISA, believe the judges rubber-stamp most law enforcement warrants, Gilbert argued U.S. citizens have more protections than those in many foreign countries such as the United Kingdom.

"There is no FISA court -- they just come in and have access to your information," she said of many foreign counties. "In general, the laws I would say are definitely more favorable to the governments in foreign countries, especially in the U.K.," than in the United States.

Perhaps, but there's a growing chorus of critics in the United States who don't view the current laws along with the Patriot Act as very favorable to their privacy. While the government argues its surveillance efforts have thwarted potentially deadly attacks, even the panelists on this week's CSA webcast concurred that the feds are going to have to look at becoming more transparent.