Privacy and Security in the Cloud: Some Realism About Technical Solutions to Transnational Surveillance in the Post-Snowden Era

48 Pages Posted: 1 Jun 2014 Last revised: 23 Jan 2023

See all articles by Ira Rubinstein

Ira Rubinstein

New York University (NYU) - Information Law Institute

Joris van Hoboken

University of Amsterdam

Date Written: September 2014

Abstract

This Article considers the organizational and technical responses of cloud computing companies in response to the Snowden leaks, which revealed the extent of NSA surveillance of foreign citizens whose data was held by U.S. based cloud services. The industry has sought to restore trust in their services by stepping up their efforts to protect the privacy and confidentiality interests of their customers against what we call “transnational surveillance.” While the legal debate about the proper legal standards for such surveillance is ongoing, the article focuses on two broad classes of technical and organizational responses and their interaction with the law. First, leading cloud firms like Google and Microsoft have implemented long-established cryptographic protocols that secure both communications with their customers and information flows among their own company data centers. In particular, these solutions help ensure that access takes place only through the “front door” of a valid legal process involving the service providers. Second, the article explores the availability of more far-reaching security innovations based on Privacy Enhancing Technologies (PETs). These increasingly popular solutions would limit the ability of service providers to comply with government orders, notwithstanding the technical assistance provisions in existing domestic and foreign surveillance laws.

The solutions discussed raise a number of legal issues. For example, do investigative agencies have sufficient legal authority to seek court orders compelling U.S. firms to modify their services in order to facilitate surveillance? More broadly, do U.S. firms (other than telephone carriers subject to a 1994 law requiring them to design wiretap-ready equipment) have a free hand in modifying existing services, or designing new services, to make them more resistant to transnational surveillance? Or may the U.S. government rely on existing surveillance laws to oversee the design of cloud services to ensure that court-ordered access remains achievable when duly authorized by judges or magistrates?

In analyzing these issues, the article draws upon an earlier debate about encryption export controls in the 1990s (the so-called “crypto wars”). It concludes that new laws may be necessary for the U.S. government to maintain its current levels of access and that Congress may be reluctant to enact such laws in the current climate. More generally, it concludes that many of the technical and organizational measures under discussion are likely to fall short of providing the kind of absolute protection sought by certain cloud customers, especially those located abroad. At the same time, under the right conditions, these measures can help to lower some of the risks of transnational surveillance and work to restore the balance in favor of privacy, information security, and confidentiality interests in the context of cloud data.

Keywords: NSA, Snowden, surveillance, cryptography, privacy, security, cloud services, Privacy Enhancing Technologies

Suggested Citation

Rubinstein, Ira and van Hoboken, Joris V. J., Privacy and Security in the Cloud: Some Realism About Technical Solutions to Transnational Surveillance in the Post-Snowden Era (September 2014). 66 Maine Law Review 488 (2014), NYU School of Law, Public Law Research Paper No. 14-46, Available at SSRN: https://ssrn.com/abstract=2443604

Ira Rubinstein (Contact Author)

New York University (NYU) - Information Law Institute ( email )

40 Washington Square South
New York, NY 10012-1301
United States

Joris V. J. Van Hoboken

University of Amsterdam ( email )

Spui 21
Amsterdam, 1018 WB
Netherlands

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
761
Abstract Views
5,999
Rank
61,163
PlumX Metrics