The New Cloud and Big Data Privacy Agenda

Evidence is growing that the recent NSA disclosures will be the most consequential revelations about the federal government of our lifetimes, including not just WikiLeaks and the Pentagon Papers but Watergate. How can I say that when, in all likelihood, no crimes were committed by the government, and no presidency will fall? I say it because those disclosures and the ones that will probably follow are likely to drive significant changes in the internet economy, either toward new standards for openness, accountability and transparency or toward private cloud, national internets and at worst mutually assured destruction in cyberwar…

Before backing up those outlandish claims, let me make an equally strong statement in the much more pedestrian world in which our clients and I generally live, where a frequently asked question is where and how to store, process, safeguard and/or make sense of data. Great progress has been made over the years by the cloud computing industry, with leadership from the Cloud Security Alliance and others, to improve the technical security of public cloud and our understanding of that security. At a global level, the NSA disclosures make the issue of cloud security much more of a policy and privacy issue. Questions about trustworthy and accountable controls/decisions/decisionmakers on data access and use, the jurisdictions of storage, segmentation between infrastructure in those jurisdictions, and policies and practices for responding to government data requests are ascending in importance now that many of the technical security issues of public cloud have been addressed.

The controls, decisions and decisionmakers associated with the Verizon Order, Prism and the access to data of NSA contractors are currently taking a beating. At this writing the arguments about strong checks and balances from the FISA courts and Congress are under very heavy and effective fire from the Woodward/Bernstein of this time, who is as good a constitutional lawyer as he is an investigative journalist (and acting as which, here?). The President has been forced to play what seems like a losing hand against Charlie Rose (where he couldn’t cite any request that was turned down by the FISA court) and Germany (identified by Boundless Informant as subject to more surveillance than the rest of Europe). And the NSA is considering requiring partnered employee concurrence before giving contractors access to certain sensitive documents and changing its collection practices under the Verizon Order. Most significant for the global impact of the NSA disclosures is the simple fact that, unlike minimization in privacy, minimization under FISA protects at most “US persons.”

Many individuals, businesses and governments around the rest of the world of course find in this drama confirmation of the claims that the internet cannot be entrusted to US-based companies, or even that the data and information they need to protect has to remain in their own exclusive physical custody, like hiding money in mattresses during a financial crisis. The balkanization of the internet is accelerating, and may even be overtaken in some cases by those running back into their own data centers (like the CIA’s new private cloud, the first to be built by Amazon).

There are of course limits to what US-based internet companies can do to fix these issues without changes in US laws, but the adoption of very clear principles for transparency and safeguards in connection with government surveillance could serve as a rallying cry that would harness the inherent idealism of many of those companies to improve the world’s trust in company decisions as well as to change laws. For now, one simple principle might start that rallying cry: “We hear you. When we get a government request for data or information, we resist it as much as we reasonably can.”