All your data are belong to us

Organisations that are considering a move to the cloud would be wise to consider the effects of that move on the privacy and confidentiality of their data. That is the conclusion of a new report published by the University of Amsterdam. The university of Amsterdam examined the risks of such a move for educational institutions but their conclusions apply equally to companies, government agencies and private people.

In short, the report concludes that there is no protection from snooping by US law enforcement agencies if you store your data in the cloud, even if you exclude US companies from being your cloud provider and you place your servers outside of US jurisdiction. There is no legal protection against this snooping and such is not possible under the existing legal framework. The US has far-reaching powers to demand data from cloud providers, not only from US based companies but also with foreign cloud providers through existing international treaties.

The report further mentions that it is not possible to give information on how often data is requested by US law enforcement and government agencies because such information is not public and often covered by – ironically- confidentiality clauses with cloud providers. The report assumes, probably correctly, that such snooping will only increase as more and more data moves into the cloud. In the long run, this could threaten even national autonomy, if for instance the Dutch government would move to the cloud.

Building a completely national cloud or a governmental cloud would not offer protection from this snooping because this would also fall under existing international treaties, outlining how investigative authorities work together internationally. US law enforcement could simply request the data through Dutch law enforcement or secret service. According to the report, the Americans have a “wide range” of options available to them.

Ironically, the report suggests that organisations should carefully consider what to store in the cloud and especially what information to keep out of the cloud. Furthermore, it suggests that fragmented and decentralised storage is best to prevent snooping. The use of encryption is also highly recommended. This would at least prevent the simple handing over of data because without the necessary keys to decrypt the information, decryption would perhaps not be impossible but with strong enough encryption, at least computationally infeasible.