The Cloud Conspiracy

Former Microsoft Security Advisor Caspar Bowden gave a presentation at 31C3, the hacker conference in Hamburg last month, that gave the conspiracy theorists some more ammunition. An article on his presentation appears here, his slides are here, and a video of the talk is on YouTube here.

A quote from the article gives you a taste for where he is going:

Bowden served as Chief Privacy Officer at Microsoft for nine years, responsible for advising 40 National Technology Officers from different countries. During an internal strategy conference in 2011, with Microsoft deputy general counsel, cloud management personnel and the NTOs in attendance, Bowden warned, “If you sell Microsoft cloud computing to your own governments then this [FISA] law means that the NSA can conduct unlimited mass surveillance on that data.”
After that, Bowden said the deputy general counsel “turned green” and the room was dead silent. During the coffee break, Bowden was threatened with being fired. Two months later, Microsoft decided Bowden was redundant and fired him.

His basic premise is that the FISA Act and its amendments give the government the right to surveil foreigners outside the U.S. and then minimize (but not eliminate) access to data on U.S. persons after collection. A clause was added to the 2008 FISA reauthorization that extended coverage to remote computing services, i.e. cloud computing. Since the FISA court operates in complete secrecy and a provider would be in contempt if it even talked about things it has done in support of FISA warrants, we don’t really know the extent of this.

Just to be clear, I am less concerned about what the NSA is doing. There are likely abuses and hopefully the political processes will deal with that – eventually. What I am more concerned about is that we should not think that what the NSA can do is unique. If we think that China, Russia and a handful of other countries don’t have hackers just as good as the ones we hire, then we are fooling ourselves.

But even if you are not ready to join the tin foil hat crowd, you might want to consider this. If companies like Microsoft, Amazon and Google have added back doors to their cloud computing capabilities to support FISA warrants, do you really think that other state-sponsored actors or even ordinary hackers will never discover these back doors? That seems unlikely.

And, as I have said for years, the good hackers – state-sponsored or otherwise – are never discovered. Until they want to be. The hackers inside Sony were likely there for many months before they went nuclear. If they had just wanted to steal information and use it for their own purposes, they likely would never have been discovered.

So the question becomes this: does having this ability to spy on the people we want to spy on ultimately work for or against us? Is it really possible to control this “spy genie” and keep it in the bottle? My opinion – we cannot keep it in the bottle and it will likely come back to bite us. Just my two cents.