Monday, February 04, 2013

Governments should not use the cloud

The cloud is a wonderful thing. It lets you store you data securely and access it from anywhere. Its easy, its convenient, and its cheap. The latter has led governments to look at moving their data there. But there's a problem: while all cloud providers promise security and privacy, they are lying to their customers. The US government can access your cloud data without a warrant. Which isn't much of a problem if you're, say, using Google Drive to write a larp - but one hell of one when governments are storing their citizens' private records. And that problem has led UK MPs to call for their government to stop using US-based cloud services:

The Government should consider stopping sharing intelligence services with the US and end the use of Cloud computing due to concerns that sensitive personal information about British citizens can be spied upon by US authorities, MPs said today.

The warning comes during a Whitehall drive for government departments to store their electronic information externally with private companies, meaning taxpayers’ private data could be left vulnerable to large-scale surveillance.

US law allows American agencies to access all private information stored by foreign nationals with firms falling within Washington’s jurisdiction, if the information concerns US interests, without a warrant. Four suppliers of the UK Government’s G-Cloud system are located in the US, leading to questions over the security of information is being stored overseas.

Those calls are justified. Citizens have to be able to trust governments to actively protect their privacy. If they're just going to effectively hand their data over to a foreign power to be used for Cthulhu-knows-what, then that trust disappears. The need to maintain public trust means that governments simply should not use the cloud.

And now I'm curious: do any NZ government agencies use cloud storage? Do they use US-based services? If so, what information have they effectively handed to the US government's spies?

Update: A couple of people on Twitter have pointed me at the NZ's government's All-of-government cloud computing approach. The important bit:
Ministers have given issues of government data security a great deal of consideration, and have decided to take a conservative approach to data hosting; cloud-based office productivity services onshore, in New Zealand, for the time being, until the risks and mitigations of off-shore hosting are better understood and able to be managed.

So, if the government is giving your data to the Americans, its doing it deliberately, rather than simply by being dumbarses about the cloud. Good to know.