Trouble in the Cloud: Lessons from AP and Bloomberg

Its been a bad week for the cloud. Businesses of all sizes are under a lot of pressure to save money by moving IT operations into the cloud. for many companies, it can be a lot cheaper and more efficient to pay someone else to manage your email, storage, and servers  and provide other IT services than to do it yourself. But the disclosure of of phone surveillance of the Associated Press by the U.S. Justice Dept. and snooping on customer activities by Bloomberg News reporters, neither of which has anything obvious to do with cloud computing, might give you some pause about trusting your data to a third party.

The issue isn’t security, and least not in the conventional sense of protecting your data and operations from malicious hackers and other no-goodniks. In truth, most service providers are better at that sort of security than businesses from whom IT and IT security are not core competencies. The problem is the amount of control you surrender when a third party hold your information.

In the AP case, the government subpoenaed call records for 20 phone lines used by AP reporters and editors, apparently as part of an investigation of leaks about the disruption of a terrorist plot in Yemen. I’ll leave it to others to discuss the legality and the First Amendment implications of DOJ’s actions. But the implications for privacy are disturbing.

The government was able to obtain the phone records by issuing subpoenas to carriers–and neither the government nor the carriers bothered to inform the AP of the request. The news service found out only because regulations require eventual, after-the-fact notification–but only for news organizations. If you are any other sort of business, you might never find out about the surveillance.[pullquote]If you control the data, you can make your own choices, including going to jail to protect it. If a third party has it, the choice is theirs, not yours.[/pullquote]

Phone records are always highly vulnerable. You don’t have the options of operating your own telephone system. And telephone carriers have a history of giving up call records, and sometimes a lot more, to the government on the slightest provocation. But what about e-mail? Here things get murky. The Electronic Communications Privacy Act which covers email, was written in 1986, in the MCI Mail era. Under the government’s interpretation of it, mail stored on third-party servers that is more than 180 days old or that has been opened can be obtained without a subpoena. That interpretation is currently tied up in several law suits. But the government could also subpoena current mail records and there is no requirement that you be notified.

AP was lucky. It apparently hosts its own email, so there is no way the government could read it without a direct request to AP, which it then could have fought. There’s hardly a guarantee of success, but at least it would have known what was going on. If you control the data, you can make your own choices, including going to jail to protect it. If a third party has it, the choice is theirs, not yours. (Twitter has an admirable policy of notifying users of government data requests; most other service providers do not.)

You have equally little control over data stored on third-party servers. And the Obama Administration is pushing for new rules requiring internet service providers to retain more data on customer activities and to keep it for longer. The more you outsource, the more data you have out there under third-party control.

I’m not arguing against cloud computing or outsourcing of services. The benefits may very well outweigh the risks. But businesses (and individuals, for that matter) should be aware of just what those risks are.

The Bloomberg case exposes a completely different risk. Using third-party services necessarily exposes a lot of your information to the service provider. Even if you use the best security practices and encrypt all of your data both in flight and at rest, you traffic is moving over their networks and, as any good intelligence analyst will tell you, you can learn a great deal just from traffic analysis.

The standard Bloomberg contract, like the one obtained by Quartz, contained language allowing Bloomberg to monitor customer use of the system “solely for operational reasons.” Such language is typical in service provider contracts and is usually interpreted to mean that monitoring is allowed to the extent technically necessary to provide the service. But whether it is a rogue employee or, as appears to be the case with Bloomberg, a matter of policy, it is all but impossible to prevent the misuse of customer data. All you can do in the end is choose your vendors carefully and trust them.