Aug 29, 2013

A PRISM into your company’s data?

The initial reports regarding the National Security Agency's Internet data-collection program entitled PRISM stated that the government was "tapping directly into the central servers[1]" of Google, Facebook, and other massive Internet companies to gather information and spy on users. This claim turned out to be false and the companies involved immediately issued carefully worded denials as well as insight into how the data was shared with the government, which mostly involved FTP or good old printed data sent over to Government offices in boxes.

Of course, this still does not mean that it is inconceivable that the US government, or for that matter, any other government, has illegally hacked into these companies’ systems and is stealing user data.

With these revelations in mind, what kind of risk does usage of products aimed at companies, products such as Google Apps or Office 365, constitute to companies who have adopted these products?

Given that Microsoft is a U.S. corporation, it should come as no surprise that its operations – even those conducted far afield – fall under the aegis and jurisdiction of U.S. law, including the Patriot Act. Soon after the launch of Office 365 in June 2011, the Managing Director of Microsoft in the U.K. confirmed that data stored in Office 365 could be made available to U.S. authorities[2]. Only time will tell whether such access continues today.

Microsoft has claimed that messages sit in an unencrypted state on its servers, making said emails and SkyDrive files as vulnerable to government intrusion as Google’s Drive offering is.

General Counsel for Microsoft Brad Smith published a statement[3] on July 16 in which he describes how Microsoft interacts with the U.S. government to respond to their requests for information and which included the following quote - “Microsoft is obligated to comply with the applicable laws that governments around the world – not just the United States – pass, and this includes responding to legal demands for customer data.”

Meanwhile, in Silicon Valley, Google is still attempting to shed some light on its role in the PRISM program and has asked the Foreign Intelligence Surveillance Court for permission to describe the information it is compelled to provide to the U.S. government. That permission was denied. However, Google’s own bi-annual Transparency Report stated that, “In the first half of 2012, there were 20,938 inquiries from government entities around the world. Those requests were for information about 34,614 accounts.”

On the European continent, an interesting development comes in the form of a Swedish government body which has prohibited government offices from using Google Apps[4], a decision that is binding on all municipal bodies and federal agencies.

There was already a protracted movement against reliance on shared infrastructure provided by a number of US companies, a movement with a number of sound arguments. The PRISM revelations have only fanned the flames further, and any further news of this kind arguably continues to contribute to that sentiment.

In truth, concerns over privacy issues may very well prompt a backlash against global operators in favour of a new generation of regional players.

The current situation has brought about a very interesting opportunity for local hosting providers outside the U.S. Local hosting providers of good repute can provide an assurance that their customers’ data will remain in-country and will thus not come under the purview and jurisdiction of the U.S. Patriot Act. Additionally, a well-equipped, highly reputed local hosting company will most likely provide better and more personal support than is available in Office 365 today.

European law already mandates that companies ought not to store their citizens' data outside the EU if they cannot guarantee the security of this data. How this law, in tandem with increased customer sensitivity to privacy, will play out is anyone’s guess. Ray Valdes, an analyst at Gartner, said, "For users, it is a case of pick your poison. It is deal with the devil you know or deal with the devil you sort of know."

Realistically, however, there is only one way to know where your data is, and that is to host it in house or at least in tandem with your trusted, local hosting provider, and to have a solid corporate IT policy backed by firewalls with a data loss prevention mechanism. At BMIT we can offer you all this, together with personalised attention to your specific requirements. Talk to us, for a flexible and highly competitive price offering.
