By Chris Lee
Following former US intelligence specialist Edward Snowden’s whistleblowing on the US Government’s PRISM programme, the companies involved, including Google, Facebook and other major internet players, have denied providing the NSA “direct access” to their servers.
Despite brand denials, the episode has prompted a re-evaluation of online personal and business data. NMK caught up with technical and legal experts to learn what the potential repercussions of PRISM could be and what steps corporations should take to keep their data safe.
Calling governments to account
Tim Summers, a partner at technology law firm Temple Bright, believes that the PRISM saga proves that those who have fears about personal freedoms and the right to privacy have every right to be concerned, and must accept that their online data and communication may not be truly private.
“For businesses large and small, this also has repercussions. Firms have grown accustomed to conducting business and storing confidential information online, but this is something that many companies will be minded to revisit if the world’s leading tech companies are colluding with the state,” Summers told NMK. “Businesses need to be transparent, but they are also obliged by law (and entitled to expect) that private or commercially sensitive dealings remain private and aren’t vulnerable to covert state intrusion. As such, we must have mechanisms to ensure that governments can be called to account, to ensure that their legal powers are used only for their proper purposes – such as counter-terrorism – and do not extend into other areas.”
For Michael Sutton of Web security firm Zscaler, the issue is not so much whether tech firms complied with Foreign Intelligence Surveillance Act (FISA) requests – they would have no choice in the matter anyway – but whether those companies voluntarily went beyond what is legally required.
Implications for the Cloud
The PRISM scandal could have big implications for cloud computing, where trust is key, according to David Sturges, chief operating officer of WorkPlaceLive, a UK hosted desktop company. Researchers at Gartner estimate that 70 per cent of businesses are already using some form of cloud computing.
“Opting for cloud computing services means ‘trusting’ in an external company to manage, protect and look after data, to keep it secure and – most importantly – private,” Sturges said. “However, one of the big issues with cloud-based services is that organisations and their employees store data on the internet without understanding where it is, what that means for the relevant legislation or who is controlling it.”
Microsoft, for example, holds its European data in Ireland and the Netherlands but still operates under US law as a US company, so its customers’ data may also be subject to US law.
“Companies need to know where their data is held not only for their own peace of mind but also to reassure their customers and suppliers that their data will be secure too,” Sturges warned. “Cloud computing can be completely secure, however, if businesses opt for a private and managed cloud computing service. Companies migrating to the cloud must make the distinction between public cloud services like Gmail, iCloud and Dropbox and a private managed service.”
Sturges concluded that now is the time for companies to check where their data is being held and ensure that it is indeed secure and private.