Cloud Data: Secure but not Private

I’ve been revisiting how secure my data is in the cloud. Mainly because I want to know if personal and sensitive data is private in the cloud. This has highlighted that although my data may be secure in a cloud service, it may not be private.

There is an interesting article on noybe.com about a ruling from the Court of Justice of the European Union (CJEU). The article states:

“The Court was clear that the far-reaching US surveillance laws are in conflict with EU fundamental rights. The US limits most protections to “US persons”, but does not protect the data of foreign customers of US companies from the NSA. As there is no way of finding out if you or your business are under surveillance, people also have no option to go to the courts. The CJEU found that this violates the ‘essence’ of certain EU fundamental rights.”

Now, I’m in the UK so this ruling doesn’t affect me per se, but its content does. I may be using GDPR compliant online cloud services, but if they store my data on US servers, my data may be secure, but it is no longer private. I’m not sure what the implications are for organisation in GDPR jurisdictions, but am sure that people using an EU or UK service would be none too happy to find their data is no longer private because it is stored on a US server. Would that mean that US surveillance needs to be added as a possible data controller in GDPR policies? Another concern is with services such as password managers storing your data on US servers. Imagine the NSA having access to all your passwords?

It seems to highlight again the old adage, “If it’s online it’s not private”.

Am I the only one heading more in the direction of data being offline or in zero knowledge encryption systems? This knowledge makes me very uncomfortable indeed and highlights needing to know exactly where a service is storing my data.

1 Like

No, you are not alone. I consider anything I store online (unencrypted) as information that someday could be made public. Sensitive data stays on my local drives. Some files, like tax records, are stored in encrypted sparsebundles and/or in 1password. My backups are pre-encrypted by Arq before upload to the cloud.

But the sad fact is, regardless of the steps we take to keep our information safe, much of what we would consider private information is legally available to anyone willing to pay for it. And nothing is beyond the reach of our governments, either through our legal systems or other arrangements.

2 Likes

Certainly not the only one.

The most important factor for me in considering this issue is my risk profile.

Is the data I’m storing state secrets? The recipe for Mary Brown’s secret chicken spice? Hot goss?

Or am I trying to work with my personal recipe collection or my indecipherable research notes?

Most of the time, the stuff I’m saving is effectively worthless to other people. I suspect the same thing is true for most people. Being sincere about that to yourself is very freeing and will save you some unnecessary paranoia.

Sure, it’s always possible that some government will suddenly become totalitarian and adopt the belief that being a Mac Powe User is implicitly evil… so be conscious of what you’re saving where. But don’t stress about it any more than necessary.

That’s why I use the term “my risk profile.” Everyone has a different tolerance and different privacy preferences and needs. It’s okay to hesitate to upload stuff to The Cloud. But it’s also okay to be a bit more relaxed.

1 Like

An argument might be made that having more useless (to other people) data on cloud services increases the security of everyone’s data (bigger haystack, harder to find the needles).

1 Like

This doesn’t really mitigate how surveillance has got out of hand. It’s one thing coming to your door with a warrant and asking you to hand over stuff, but quite another to secretly vacuum up my data. There should be more accountability forcing governments to access data openly.

Dragnets used to be unconstitutional, but terror.

Since the 1950s, such “dragnets” have generally been held to be unconstitutional as unreasonable search and seizure actions.

…And the fact the the consitution only protects US citizens. I have no rights to how my data is used in America as I’m not American.

1 Like

Maybe it’s time for widespread adoption of the UN Universal Declaration of Human Rights.

Article 12

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

3 Likes

No, it’s not. If you want change, talk to your elected representatives. Don’t turn to an un-elected international body with no accountability to us. And no way to enforce their declarations.

1 Like

Doesn’t the GDPR address the transfer of personal data outside the EU and EEA areas?

It does, but doesn’t make it illegal. If you agree to the transfer of your data, that’s all that is required (I’m doing this from memory, so someone correct me if I’m wrong). These details are usually hidden in Privacy Policies that noone seems to read.

2 Likes

I’ve been a Data Protection Officer (see the EU GDPR definition) for years now, and my firm belief is that not many people really care. You just have to look at the nr of people that use facebook or the A-lady. They do not really care they get fed what they want to see, and not what’s really happening.

All of us know once your data is in the cloud none of it is in your control anymore, and we make the risk assessment.
For some this means using protonmail for email and just use iCloud for shared items. I would be in that category.
Others use what is free, and go where the rest of the world is. The rest of my family is in that category.

So based on that statistic I’d say around 10% of people would care, and the rest would give their first-born for a free service.

note: might be I’m a bit cynical after 25 years in Privacy and security

The ruling you reference by the way actually does not prohibit transfer of data to the US, it just requires that for EU citizens security and legal protection should be essentially equivalent to in the EU. It does not even say there is a problem with US spying on our data, it merely points out the option the US security services have to get there without you knowing. That’s what the EU is now discussing with the US administration: a way for EU citizens to exercise their rights in US courts, like US citizens would be able to. (currently US law does not provide that option in all cases)

With consent cloud providers can still to whatever they want (because your consent is always the best way out, does not need additional safeguards). And your data is as safe as it will ever be outside of your control…

It’s all a matter of trust.

2 Likes

Everything works the day before it is broken. From hardware to policy. Treat anything you put online as hackable forever, leakable forever, doxxable forever, corruptible forever, severable from access by you at any time forever, but never actually deletable.

3 Likes

This throws up some questions with all-in-one buckets. There are now lots of all-in-one buckets. Obviously all in one buckets have a mix of data from benign to private to sensitive. It is a pain having more than one bucket. Examples of these style apps are popular apps like Workflowy, Notion, Roam and the like.

Incidentally, I highlighted this on Workflowy’s community and after 24 days they have still not approved my post! This does not bode well for Workflowy and looks like I won’t be renewing my subscription. I at least expect openness and honesty.

Now I really like all-in-one buckets, Workflowy has been pleasant to use, but data being in the US and with no zero knowledge encryption makes me extremely nervous. I’m slowly migrating to Obsidian simply because it is zero knowledge encrypted.

What are the apps or services out there that are truly private and not just secure? It might be good to have a list of apps and services that are not only secure, but also private. Privacy seems to be where the weakness lies.

That’s a very cynical view of things. Absolutely true, but cynical. :grinning:

IMO, his 10% figure of people who care about privacy might be high. I’ve seen unsolicited credit card numbers emailed to the customer service reps at my former employer. And I have been asked if our email server was secure because information sent by email had “gotten out”. And each time I reminded them that you cannot control email any more than an author can control who reads his book.

Rather than not care, I believe most people never think about data privacy. I consider everything I store on line (unencrypted) as public.

In my experience people greatly overestimate their own ability to keep information confidential on their own devices, especially in light of the ways in which exploitation of threats against endpoints is coming up to scale. People also generally underestimate the importance of the other two components of security: integrity and availability, which can be greatly enhanced by the use of cloud services.

My view on this that if you want to keep something private, encrypt it end-to-end (you and only you have the keys), make sure that your endpoint devices are meticulously kept up to date, and accept that it it’s worth it for someone to gain access to your data that they will no matter where or how it’s stored.

If you’re going to do it yourself then you should also have a good plan for management of your data over its lifetime, which includes (but is not limited to) adapting to changing encryption and storage standards over the years.

Keeping things on your own devices provides an illusion of control, but very little else.

I’ve heard this argument a lot in the last couple of years, but think it is fatally flawed. There is an assumption that because tech companies have the finance, the experts and the knowledge they’re best left to handle this. However, this does not ensure that they care about your data. People do a job, and that’s all it is except for the company owner. Most aren’t well paid enough to care about your data. If your data hacked or lost, they’re not going to lose sleep over it. But you yourself care deeply about your data and will ensure it is protected at all costs. For all the policies nearly every business has about GDPR and data security, the number of emails sent out asking people to email in plaintext proof of identity is astounding. These corporations may have policies and procedures on paper, but does every employee follow all these requirements? I seriously doubt it. It’s only addressed when it’s too late.

Having your personal information accessible on business servers is a recipe for disaster.

Keeping things on your own devices is not an illusion of control. An encrypted phone with an encrypted vault holding data is way more secure than a company having that same data on their servers where employees can access it or where it’s accessible to online hacking tools.

I do agree that availability is an issue, but security comes at a cost, as does privacy.

This may be true, I consider my iPad much more secure than my Mac. However, with the exception of data that I created that is unknown to anyone else, most of what I might desire to keep private is already on some organization’s servers.

I suppose we’ll have to agree to disagree and hope to discuss it over beers some time :slight_smile:

Edited to add: I meet regularly with other CISOs in my sector, and my position on this is by no means uncontested. I would say we’re about evenly split on the matter of the relative security of on-prem vs in-cloud. On the other hand, there is nearly unanious agreement that having data residing on end user systems is generally the worst case scenario for all three aspects of information security.

I’ll add one caveat to my position as well. For my own personal data I side much more closely with your point of view if the cloud provider has access to my unencrypted data. In those cases (such as with iCloud Drive), I use the services with the understanding that anything that I put there could be made public at some point. If confidentiality is important, my data is encrypted in such a way that only I hold the keys.

1 Like