U.S. Spying? Don't Put Your Open Data in the Town Square! (Trouw, The Netherlands)
"In the Netherlands alone, 1.8 million telephone calls were tapped.
But we make it so easy for the Americans. We conveniently forget that we're the
ones putting all of our business information in unlocked safes in the middle of
the town square or the Dam [in Amsterdam]. And then we're surprised that
thieves and secret services are poking around! ... The cloud consists mainly of
data centers where companies can store information. Some of those data centers
are located in the United States, are American properties, and often make use
of American software. That's a problem."
Escape from the NSA: Thanks to the agency's historic overreach, the rest of the world is looking for ways around its spying methods - and the use of American Internet companies that the agency has compromised.
Eavesdropping is
widespread - and we are all partly to blame. However, the government should set
standards, if only to protect civilians, argues University of Amsterdam privacy
and security researcher Guido
van 't Noordende.
The
bugging by U.S. spy agency NSA has led to disbelief and outrage in Brussels, but
also in The Hague. In the Netherlands alone, 1.8 million telephone calls were tapped.
But we make it so easy for the Americans. We conveniently forget that we're the
ones putting all of our business information in unlocked safes in the middle of
the town square or the Dam [in Amsterdam]. And then we're surprised that
thieves and secret services are poking around!
While
the opposition party in The Hague calls for debate, big companies advertise
data storage in "the cloud." Whether this storage is adequately
protected isn't specified - and eavesdropping isn't even mentioned. The cloud
consists mainly of data centers where companies can store information. Some of
those data centers are located in the United States, are American properties, and
often make use of American software. That's a problem. For all U.S. software
must meet U.S. anti-terrorism legislation and allow for the handy retrieval of
data. Any unencrypted information in the cloud or sent over the Internet may be
intercepted - not only by the U.S., but also the British, Chinese, or our own
intelligence services.
Keys
The
question is why the architecture of systems have been designed in such a way
that this can happen. Why don't the government and companies choose a system in
which eavesdropping is prevented? Or systems in which overcoming security is so
difficult that it would only happen when absolutely necessary? Solutions are
known. Information must be encrypted. Only the sender and receiver therefore
have the keys to decrypt the data. Third parties, including the cloud
administrator, have no access. As long as sender and receiver abide by the
rules, this is how to keep the intelligence services out. Only the Justice Department,
in case of concrete suspicion, should be able to demand keys from end users.
The
government can set standards. This end-to-end security is one such area. There
would therefore be no unencrypted data in the cloud - unless it is absolutely unavoidable.
This has consequences, for example, for the storage of medical records. At
present, general practitioners often use central databases. Patient data,
however, should be encrypted before it winds up in a data center. Furthermore, cloud-based
storage of corporate documents is not a good idea - unless they are encrypted
with a key that only the company has. End-to-end security is sometimes more difficult
and expensive, but it is possible. The hacking scandal proves the need.
No brake
Leaks
by Edward Snowden about the NSA have really forced us to face the facts. They
have permitted us to see the scale of what everyone should have known: as long
as we send out data into the world virtually unprotected, there is nothing to
stop those who want to tap it. Especially in a democratic society, the
government must ensure that citizens can protect themselves. Protections are
also needed against the arbitrary use of power, for example, by future leaders.
A government that fails to set adequate standards is partly responsible for the
consequences, and cannot complain if someone else exceeds these non-prescribed
standards. As long as we do nothing about the architecture of systems, and we
don't force companies to pay much more attention to the security of our data,
we have no one else to blame when it is abused.
Posted By Worldmeets.US
The
opposition party in The Hague now wants to invite whistleblower Snowden to
explain how eavesdropping on such a large scale is possible - and what to do
about it. However, we don't need Snowden to tell us. We do, however, need
politicians, lawmakers, and political parties, who understand how security
works, who are interested in the rights and personal safety of citizens, and
who are brave enough to protect them.
*Guido van 't Noordendeis a
privacy and security researcher at the University of Amsterdam
