The PRISM scandal
Last week whistle-blower Edward Snowden revealed in the Guardian and the Washington Post that the US National Security Agency captures and catalogues enormous amounts of data from computer and telephone networks like Microsoft, Google, Yahoo, Facebook, Skype, Verizon and Apple. This information caused a lot of reactions in the USA and Europe since monitoring citizens without a warrant is illegal in most countries. Questions have been asked in the parliaments of the United Kingdom, Germany and the Netherlands. Several ministers and Barack Obama gave their view and many discussions started about privacy, intelligence and safety.
I discovered three categories of opinions and arguments:
- People who do the right things have nothing to hide. Loss of privacy is inevitable because we want to be safe. It is the price we have to pay when we want to fight crime and want to defend ourselves against external threats.
- The right to have secrets and stay unknown is an essential part of a free society and democracy. A country with a government knowing everything about everybody will turn into a police state. History teaches that what is accepted and legal today can become unacceptable and even illegal tomorrow (for example smoking in public). We all have the right to be forgotten.
- This is much ado about nothing. Some information is exchanged and some communications may be monitored, but we shouldn’t bother.
From an information architecture perspective the PRISM scandal can have a major impact on the way we implement IT services.
We’ve seen a strong movement from “on premise” computer capacity and storage towards cloud services. The fact that, although the underlying hardware is shared, we virtually have our own environments hasn’t been a problem, especially because the virtual environments are strictly separated. Exclusiveness of access seemed to be guaranteed. But now it seems that using these environments automatically implies giving governmental and semi-governmental organizations access to all information.
The PRISM scandal will certainly influence the propagation of SaaS solutions like “Office 365”, “Google Apps”, Gmail and the use of social networking platforms for business purposes. The fact that information entrusted to large service providers like Microsoft, Verizon, Apple and Google is accessible by (semi-)governmental organizations in foreign countries, in disregard of the privacy legislation in the users’ own country, will almost certainly slow down their wider use.
European privacy guidelines
According to European privacy guidelines, the holder of privacy-sensitive data is responsible for the exclusiveness of access. The guidelines urge organizations like insurance companies, hospitals, on-line shops and the government itself to:
- take precautions in order to prevent the spread of privacy-sensitive information;
- give every registered person insight into his personal information when requested;
- alter that information or delete it when requested;
- ask for consent from the registered person when the information is to be exchanged with others or to be used for other purposes;
- destroy the personal information after a reasonable time (5 years in many cases).
If an organization contravenes these regulations it can be fined a significant amount.
Citizens who are damaged by the loss or wider spread of their personal information can hold the holder of that information liable and demand compensation. This can be the case when the holder has left a USB stick in a taxi or an airplane, when a hard disk is stolen from the data centre and the contents are published, but probably also when some foreign country accessed that information without legal permission of the owner of the information. According to European laws the “holder” of the information will be held responsible for this.
Private use versus business use
Business purposes differ of course from individuals privately using social media or “free” SaaS solutions. When you’re using Facebook or LinkedIn you know that you’re a member of a social network and that the owner of this network will use the information you provide to “enhance his services”. In these situations it is still a surprise that foreign countries are using this kind of information for their intelligence, but you could have known that you cannot exactly oversee where your data is going and with whom it is shared.
The big difference between “private use” and “business use” is in the choices you can make. You don’t have to be on Facebook, you don’t have to use Twitter or Google+. It is your decision to join or not. But when your insurance company uses some public cloud storage, Office 365 or Google Apps, you as the customer don’t have that choice. In these cases a major difference between “on premise” IT and Cloud/SaaS solutions has now become evident.
Depending on the outcome of the many discussions triggered by Snowden’s revelations I expect a further subdivision in cloud solutions:
- many of the current solutions will remain, maybe with somewhat more openness about the institutions given access to the information and somewhat stricter regulations, but without fundamental changes. I would expect this to be the case for “social networks” like Facebook, Google+ etc.;
- cloud solutions for business services will have to guarantee the exclusivity of data access in some way. These solutions will have to align more with “local” legislation. They will either have to provide facilities to safeguard that information can only be accessed by the “holder” of the information (probably some kind of encryption), or provide proof, through checks done by independent third parties (accountants for instance), that the information is not accessed by others;
- there will be more demand for solutions in which cloud technology is used, but access to datacenters and connections to networks are completely governed by the companies using the facilities (“private, local cloud”);
- I would also expect that the demand for “blended” solutions (for example “on premise” infrastructure with cloud backup) drops because of the impossibility to guarantee exclusiveness of access to the data in the Cloud.
It was foreseeable that organizations and people would be attracted to use the accumulation of large amounts of data in the Cloud for their own purposes. Maybe it was naive to think that this would be restricted to “public data” and to expect that private data would be left untouched.
It is sad that what has happened with PRISM will cause restraint in sharing facilities and information between people and organizations, and will probably bring us back to more local solutions and more privately owned networks and data centers.
By ing Bob Schat
Principal Solution Architect