Will PRISM Impact Data Protection Strategies?
As details of the National Security Agency's PRISM program continue to emerge, how concerned should enterprises be about government requests for data?
It's 9 o'clock on a Monday morning, and half a dozen law enforcement officers are banging on the door of your data center. They're waving official-looking documents and demanding access to your data. What do you do?
Thanks to PRISM and the news that the National Security Agency (NSA) may or may not be tapping it to obtain data from the likes of Google and Facebook, it may seem like your data is no longer safe. And if you get a national security letter demanding access, along with your silence on the matter, then maybe it isn't.
The fact is, though, most businesses won't receive a letter from the spooks. If law enforcement officials come knocking at your door, they'll likely be waving one of two much more common documents, a subpoena or a warrant.
What's the difference? A subpoena can be issued by an attorney or a court, usually in connection with civil litigation, but sometimes by federal and state governmental agencies. If you get one of those, you have a defined period of time in which to respond and provide requested data.
A search warrant is issued by a magistrate or judge, and it authorizes law enforcement officers to enter your data center and search for specific data or types of data. Search warrants are used only as part of criminal investigations, and are usually granted to government agents only if they can show "probable cause" to believe there are valid reasons to support a search.
Responding to Requests for Data
So back to the original question. What should you do when law enforcement officers come knocking?
The first action you should take is to review the subpoena or warrant to see if its scope exceeds the statutory authority that allows law enforcement to access your data, according to David Snead, a Washington, D.C.-based attorney and Internet law counsel.
"You need to read and understand the statute behind the request. It will be in the subpoena or warrant (explaining) what authority is allowing them to request the information," he says.
"Then you need to read what data is requested, and whether it meets the statute. You need to understand what law enforcement is entitled to, and only give them what they are entitled to," he adds. "Sometimes I will say 'I think you are asking for access to emails, and I think that you are not entitled to it.'"
If that sounds daunting, it may be wise to consult an attorney to help you decide what law enforcement is entitled to, and what it isn't.
It's also important to remember that there is usually no rush to respond. "You will almost always have a long time, probably 10 to 15 days, to comply," he says.
To avoid problems with subpoenas or warrants for data that you don't have access to or can't provide, Snead advises taking a pre-emptive approach. "I would suggest going down to your local FBI office and arranging a meeting with them. Get them to take a tour of your data center so that they know exactly what you do there, and what you can provide."
If your data is stored in a public cloud, the requirements for accessing your data are broadly the same. Nonetheless, many companies fear that if their data is on the same server as that of another cloud customer who is under investigation, their data may be seized along with that customer's.
That fear is probably unfounded, says Snead. "Most warrants would say to a provider 'Please inform us if you are unable to provide us with only the data that is in the warrant,' and in my experience every cloud provider is very scrupulous about only providing the data that has been requested."
If you are trying to make the argument against storing data in the cloud, you should make the same argument against hosting centers and other environments where your data is not physically in your own data center, Snead says. "From a legal perspective, the cloud is not significantly different to shared hosting or other computing environments - it doesn't require a separate analysis," he points out.
But what about the Megaupload case, in which servers were seized or taken offline and customers had their files inspected or were unable to retrieve them? "I would caution against using the Mega case as an example of anything you can use to extrapolate how data will be handled," says Snead. "That case was exceptional."
When it comes to the types of national security investigations under the purview of the NSA, however, investigatory powers may be more widespread, and therefore your data in the cloud may be at risk if another cloud user is under suspicion, according to Miguel San Jose, an attorney at North Carolina-based Corporate Security Law.
"In practice the authorities are going to get access to all your data when they are looking at one specific person's data. Their search won't be so fine-tuned that they will only see that person's data. It's definitely an issue and one reason why using the cloud is so dangerous in that regard," he says. "They could tap into all your information in the cloud, and you wouldn't even know."
This view is shared by Robert Ballecer, a technology commentator and podcaster. He believes that the publicity around PRISM and National Security Letters will rightly put many companies off the use of cloud storage.
"If you allow governments to take shortcuts in due process, then it kills the multi-trillion dollar (cloud storage) industry in its infancy," he said on his This Week In Enterprise Tech podcast recently. "It drives enterprises away from the cloud and into putting everything back on premise where they can control it."
Can Encryption Help?
What about encryption as a way of securing your data? That could be effective, but does anyone know for sure what the NSA can decrypt when it puts its mind to it?
(As an interesting side note, you can be compelled to produce the encryption key if law enforcement agencies need it - but not, apparently, if you keep the key in your head. Then you could use the Fifth Amendment to avoid revealing it on the grounds that it could incriminate you.)
It would seem that in normal circumstances the law will safeguard your data, whether it's in a public cloud or in your own data center. But when it comes to the NSA and matters of national security, all bets may be off.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.