66 Maine Law Review 488 (2014)
This Article considers the organizational and technical responses of cloud computing companies in response to the Snowden leaks, which revealed the extent of NSA surveillance of foreign citizens whose data was held by U.S. based cloud services. The industry has sought to restore trust in their services by stepping up their efforts to protect the privacy and confidentiality interests of their customers against what we call “transnational surveillance.” While the legal debate about the proper legal standards for such surveillance is ongoing, the article focuses on two broad classes of technical and organizational responses and their interaction with the law. First, leading cloud firms like Google and Microsoft have implemented long-established cryptographic protocols that secure both communications with their customers and information flows among their own company data centers. In particular, these solutions help ensure that access takes place only through the “front door” of a valid legal process involving the service providers. Second, the article explores the availability of more far-reaching security innovations based on Privacy Enhancing Technologies (PETs). These increasingly popular solutions would limit the ability of service providers to comply with government orders, notwithstanding the technical assistance provisions in existing domestic and foreign surveillance laws.
The solutions discussed raise a number of legal issues. For example, do investigative agencies have sufficient legal authority to seek court orders compelling U.S. firms to modify their services in order to facilitate surveillance? More broadly, do U.S. firms (other than telephone carriers subject to a 1994 law requiring them to design wiretap-ready equipment) have a free hand in modifying existing services, or designing new services, to make them more resistant to transnational surveillance? Or may the U.S. government rely on existing surveillance laws to oversee the design of cloud services to ensure that court-ordered access remains achievable when duly authorized by judges or magistrates?
In analyzing these issues, the article draws upon an earlier debate about encryption export controls in the 1990s (the so-called “crypto wars”). It concludes that new laws may be necessary for the U.S. government to maintain its current levels of access and that Congress may be reluctant to enact such laws in the current climate. More generally, it concludes that many of the technical and organizational measures under discussion are likely to fall short of providing the kind of absolute protection sought by certain cloud customers, especially those located abroad. At the same time, under the right conditions, these measures can help to lower some of the risks of transnational surveillance and work to restore the balance in favor of privacy, information security, and confidentiality interests in the context of cloud data.
Date of Authorship for this Version
NSA, Snowden, surveillance, cryptography, privacy, security, cloud services, Privacy Enhancing Technologies
van Hoboken, Joris and Rubinstein, Ira S., "Privacy and Security in the Cloud: Some Realism About Technical Solutions to Transnational Surveillance in the Post-Snowden Era" (2014). New York University Public Law and Legal Theory Working Papers. 483.