No, your data isn't secure in the Cloud

In 2012, Google alone received 21,389 government requests for information affecting 33,634 user accounts

While online data storage services claim your data is encrypted, there are no guarantees. With recent revelations that the federal government taps into Internet search engines, email and cloud service providers, any myth about data "privacy" on the Internet has been busted.

Experts say there's simply no way to ever be completely sure your data will remain secure once you've moved it to the cloud.

"You have no way of knowing. You can't trust anybody. Everybody is lying to you," Security expert Bruce Schneier said. "How do you know which platform to trust? They could even be lying because the U.S. Government has forced them to."

While providers of email, chat, social network and cloud services often claim -- even in their service agreements -- that the data they store is encrypted and private, most often they hold the keys, not you. That means a rogue employee or any government "legally" requesting encryption keys can decrypt and see your data.

Even when service providers say only customers can generate and maintain their own encryption keys, Schneier said there's no way to be sure others won't be able to gain access.

For example, Apple's SMS/MMS-like communications platform, iMessage, claims both voice and text is encrypted and can't be heard or seen by third parties. "But, since [the] product [is] not open source, there's no way for us to know how it works," said Dan Auerbach, a staff technologist with the Electronic Frontier Foundation (EFF). "It seems because of the way it works on functionality, they do have a way to access it. The same goes for iCloud."

Freedom of Information Act requests by the American Civil Liberties Union (ACLU) revealed earlier this year that the U.S. government claims the right to read personal online data without warrants.

"It is the case everywhere in the world that governments seem to believe that if data is recorded and available, they should be able to access it," said Jay Heiser, an analyst with research firm Gartner. "It's not unique to the U.S., although the United States brags about it to a unique degree."

Besides "metadata" (data that describes your data), that the government has now admitted to collecting on, well, everybody, Google, Microsoft, Yahoo and other Internet giants have been handing over data for years in response to government requests.

Google regularly gets requests from governments and courts around the world to hand over user data. Last year, it said it received 21,389 government requests for information affecting 33,634 user accounts. And, 66% of the time, Google provided at least some data in response.

During the same period, Microsoft received 70,665 requests affecting 122,015 accounts -- more than three times as many requests for information disclosure as Google. Only 2.2% of those requests resulted in Microsoft turning over of actual content; 1,558 accounts were affected. Another 79.8% of the requests resulted in disclosure of subscriber or transactional information affecting 56,388 accounts.

A cottage industry is growing up around virtual padlocks that consumers can place on cloud services so that the vendors themselves can't get to the information -- even if the government wants access.

New documents obtained by the ACLU from the FBI and U.S. attorneys' offices revealed startling realities around the government's email surveillance practices. In March, the ACLU also obtained documents showing that the IRS does not always get a court order to read citizens' emails.

Who has your back?

Auerbach said using cloud services is not black and white in terms of what you can trust them to store.

"A lot of people may not mind that the [cloud service] company may pass some of their data to the government," Auerbach said. "Other types of data they may be more concerned about."

For example, if you're a consumer and you're storing photos, videos, digital music or innocuous documents on a cloud storage service, you may not mind that a hacker or the government gets access to it. If you're a company that is archiving non-sensitive historical records -- financial statements, presentations, news releases or marketing materials -- again, there may be no concern about who sees it.

But it is good to know whether a service provider will try to protect your information from government intrusion.

"There are also companies that have friendlier policies...that demonstrate they fight for users and try to push back against unreasonable government requests for data," Auerbach said. "Who's got your back? Does this company require a warrant for customer data? We give companies stars based on whether they meet that criteria."

The EFF, a privacy advocacy group, has filed a lawsuit challenging the NSA's spy program. It has also created a website that rates 19 of largest Internet companies on how hard they try to protect your data. The EFF site " Who Has Your Back" awards companies gold stars based on each of six criteria:

  • Requires a warrant for content;
  • Tells users about government data requests;
  • Publishes transparency reports;
  • Publishes law enforcement guidelines;
  • Fights for user privacy rights in courts;
  • Fights for user privacy rights in Congress.

For example, Apple, AT&T and Yahoo received only one gold star out of six. Dropbox, LinkedIn and Google all have five out of six stars. Twitter and ISP were awarded six out of six gold stars for their efforts to protect user data.

"Ultimately, if you are really are worried about your data going to the government, given there are streamlined legal processes by which they can get access to your data these days, it's good for users to keep data stored locally and only in the cloud in an encrypted way," Auerbach said.

Another project aimed at protecting consumer and corporate data is Tahoe Least Authority File System project (Tahoe-LAFS), a free and open-source storage system created by developer Zooko Wilcox-O'Hearn. O'Hearn built the storage service to ensure data is secure from prying eyes as well as resilient to hardware failure. The service is distributed across a grid of multiple storage servers.

He's been working on secure way to compute with Dropbox in which data is encrypted in meaningful way. All of the data is encrypted and integrity-checked by a gateway server, so that the servers can neither read nor modify the contents of the files.

"Even if some of the servers fail or are taken over by an attacker, the entire file system continues to function correctly, preserving your privacy and security," the service claims.

If you're looking for a really robust online storage solution, users should consider end-to-end cryptography, Auerbach said. That means the encryption keys are only live on your private server or computer.

"That way, the service provider only sees encrypted, garbled junk," he said.

For textual communications, such as instant messaging, the OTR (Off the Record) protocol is sufficient to ensure your communications are secure, Auerbach said. OTR is a cryptographic protocol that uses a combination of the AES algorithm, the Diffie-Hellman key exchange and the SHA-1 hash function.

For email, the Pretty Good Privacy (PGP) protocol and Open PGP encrypt emails to a recipient so no service provider can see what you send.

The one issue with encrypting emails and texts is that the person you are communicating with must also have the protocol operating on their system so that you can share the public key with them to decrypt the data.

For documents, TrueCrypt or PGP are reliable encryption algorithms that give a user full control over keys, and they're free. There are also password managers and generators, such as KeyPass or OnePass, that ensure your password is random, encrypted and more resilient to brute force attacks.

A private social network

When it comes to social networks -- Facebook, Twitter, LinedIn, Google+ or Ning -- the only protection is what the provider offers in terms of privacy settings. But that doesn't mean your data can't still be accessed by the service provider or that the government can't gain access to it.

"If we lose this privacy, then what good is the cloud?" said Mark Weinstein, an online privacy expert. "How would you feel if all your friends and relatives could view your text messages and emails?"

Weinstein has created a private social network called Sgrouples. The site is live now, but the privacy service is still under development and is expected to roll out in the fourth quarter.

Users' passwords and data is encrypted with the Blowfish cypher algorithm.

The social network service will allow groups or "friends" to share encrypted content and only the users will have the keys to see each other's posts. Like other social networks, it allows users to share documents, videos, and calendar events. It can be used on a desktop or mobile platform. Users are offered 4GB of free storage space for their content.

Sgrouples has a privacy bill of rights that promises users own their own content, it will never have tracking cookies, it will not allow users to stalk other users and it will not allow bullying.

The site's bill of rights also states that if it ever changes its policies, even if another company acquires it, it must notify its users and give them an easy way to delete their account.

"If the government came to us with a court order, we'd have to comply, and I want to comply with our court system," Weinstein said. "But, there's nothing for us to hand over."

"When I'm posting to my friends, I don't want a company spying on me, nor do I want my grandmother seeing what I'm posting," he added. "We just don't believe life is fundamentally public."

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed. His e-mail address is

See more by Lucas Mearian on

Read more about cloud security in Computerworld's Cloud Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Applesecuritycloud securityencryption

More about AES EnvironmentalAppleDropboxEFFElectronic Frontier FoundationFacebookFBIGartnerGoogleIRSIRSMicrosoftNSAPGPPretty Good PrivacySonicTopicYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucas Mearian

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts