1 is there privacy in the cloud? the snowden effect kp chow dept of computer science university of...
TRANSCRIPT
1
Is there privacy in the cloud?
The Snowden Effect
KP ChowDept of Computer ScienceUniversity of Hong Kong
July 2013
Something you should know• Cloud computing has significant
implications for the privacy of personal information
• A user’s privacy and confidentiality risks vary significantly with the terms of service and privacy policy established by the cloud provider
• Law could oblige a cloud provider to examine user records for evidence of criminal activities
CISC 2
Something you should know
• The legal status of some types of information may change when stored in the cloud
• The location of the information in the cloud may affect the privacy and confidentiality protections of the information
• Information in the cloud may have more than 1 legal location at the same time, with different legal consequence
CISC 3
Something I didn’t know until June 2013, how about you?
• FISA and FISC• The PRISM• The MTI• …
CISC 4
“I don’t want to live in a society that does these sort of things… I do not want to live in a world where everything I do and say is recorded.” by Snowden (The Guardian, June 2013)
I learnt it from Snowden
Who is Snowden?• American former CIA employee
• A former contractor for the NSA
• Leaked details of NSA mass surveillance programs to the
press• 2004: US Army Special Forces
• 2007: CIA computer technician, stationed with diplomatic
cover in Geneva, Switzerland, responsible for maintaining
computer network security
• 2009: left CIA and joined a private contractor inside an NSA
facility on a US military base in Japan
• 2013 (< 3 months): consultant with Booz Allen Hamilton as
a system administrator inside the NSA at the Kunia Regional
SIGINT Operations Center in Hawaii
Disclosures Stories 5 June - a top secret order of Foreign Intelligence Surveillance Court (FISC)
Ordered a business division to provide metadata for all telephone calls “wholly within the United States, including local telephone calls” and all calls “between the United States and abroad.”
6 June – PRISM (begin from 2007)
A clandestine electronic surveillance program that allegedly allows the NSA to access e-mail, web searches, and other Internet traffic in real-time.
9 June – Boundless Informant
A system "details and even maps by country the voluminous amount of information [the NSA] collects from computer and telephone networks."
15 June - Government Communications Headquarters (GCHQ)
A British intelligence agency, worked jointly with the NSA to eavesdrop on a meeting of industrialized nations in London in 2009.
21 June -- GCHQ has secretly gained access to the network of cables and has started to process vast streams (The MTI Project)
Major Programs/Events
• FISC (Foreign Intelligence Surveillance Court)
• PRISM Program and Boundless Informant• China and Hong Kong Hacking• GCHQ (Government Communication
Headquarters) & British eavesdropping• MTI (Master The Internet)
CISC 7
8
FISC
CISC
FISC
• Foreign Intelligence Surveillance Court (FISC) ordered a business division of Verizon Communications to provide “on an ongoing daily basis” metadata for all telephone calls “wholly within the United States, including local telephone calls” and all calls made “between the United States and abroad”
• NO CONTENT
CISC 9
CISC 10
What are the metadata?• Caller and receiver• Caller and receiver current location• Length of call• …
11
How the data was used?
CISC
Boundless Informant
Boundless Informant• The NSA's powerful tool for cataloguing global
surveillance data – including figures on US collection
CISC 12
The color scheme ranges from green (least subjected to surveillance) through yellow and orange to red (most surveillance). Note the '2007' date in the image relates to the document from which the interactive map derives its top secret classification, not to the map itself.
Boundless Informant• Recording and analysing where its intelligence
comes from• Use advanced data mining techniques: details and
maps by country the voluminous amount of information it collects from computer and telephone networks
• Focus on counting and categorizing the records of communications, known as metadata, rather than the content of an email or instant message
• The agency collecting almost 3 billion pieces of intelligence from US computer networks over a 30-day period ending in March 2013 13
14
The Prism
CISC
Besides Verizon Communication, who else?
The PRISM Program
The seal ofSpecial Source Operations, the NSA term for alliances with trusted U.S. companies.
The program is called
PRISM, after the prisms
used to split light, which
is used to carry
information on fiber-optic
cables.
This note indicates that the
program is the number one
source of raw intelligence used for NSA analytic
reports.
NSA slides explain the PRISM data-collection programhttp://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/
Monitoring a target's communication
NSA slides explain the PRISM data-collection programhttp://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/
Providers and data
NSA slides explain the PRISM data-collection programhttp://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/
Why the companies willing to participate?
Companies Participation
• Through a top-secret program authorized by federal judges working under the Foreign Intelligence Surveillance Act (FISA), the U.S. intelligence community can gain access to the servers of nine Internet companies for a wide range of digital data. (Washington Post 6 Jun 2013)
CISC 18
Participating providers
NSA slides explain the PRISM data-collection programhttp://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/
The PRISM
• Data collected– Search history– Contents of emails– File transfers– Live chats
• NOT METADATA anymore, it includes contents
CISC 20
Where is the law?
• Allows NSA to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders
• In the past, NSA needed individual authorization, and confirmation that all parties were outside USA, they now need only reasonable suspicion that one of the parties was outside the country at the time of the records were collected by the NSA
CISC 21
What the PRISM found
• The number of obtained communications increased in 2012 by 248% for Skype
• 131% increase in requests for Facebook data
• 63% increase in requests for Google data• Plan to add Dropbox as a PRISM provider
CISC 22
If you are using the cloud and you don’t know where the data is,
CISC 23
It is very likely that NSA is watching you.
If you are using the cloud and the data is moving around the world,
CISC 24
According to FISA, it is likely that NSA is gaining access to the servers that store the data.
25
MTIMastering the Internet
CISC
The web is for everyone and so is surveillance.(The Guardian, 21 Jun 2013)
MTI• Under GCHQ (Government
Communications Headquarters)• Mastering the Internet, started in 2007• Capture and analyse a large quantity of
international traffic consisting of– emails, texts, phone calls, internet searches,
chat, photographs, blogposts, videos and many uses of Google
• Collecting signals from up to 200 fiber-optic cables at the physical points of entry into the country, each with 10 gigabits per second, approx. 21.6 petabytes in a day
CISC 26
Internet Buffer• Internet traffics into and out of UK are intercepted
and collected, then filtered to get rid of uninteresting content
• The filtered traffics are then stored: 3 days for content and 30 days for metadata
• Some degree of co-operation from companies operating either the cables or the stations which they came into the country: referred to as the “special source” provider
CISC 27
Project Tempora• Core programme in MTI• The evolution of a secret programme to capture
vast amounts of web and phone data
CISC 28
The “Real” Big Data
• MTI produces larger amounts of metadata collection than the NSA
• NSA analysts effectively exploit GCHQ metadata for intelligence production, target development/discovery purposes
• With Tempora's "buffering capability", and Britain's access to the cables that carry internet traffic in and out of the country, GCHQ has been able to collect and store a huge amount of information
• Every area of ops can get real benefit from this capability, especially for target discovery and target development
CISC 29
Where is the law?
• The 2000 Regulation of Investigatory Powers Act (Ripa) requires the tapping of defined targets to be authorised by a warrant signed by the home secretary or foreign secretary.
• A clause allows the foreign secretary to sign a certificate for the interception of broad categories of material, as long as one end of the monitored communications is abroad
CISC 30
TINT
• By March 2010, analysts from the NSA had been allowed some preliminary access to the project MTI
• Refer to as "joint GCHQ/NSA research initiative“• TINT: "uniquely allows retrospective analysis for
attribution" – a storage system of sorts, which allowed analysts to capture traffic on the internet and then review it
CISC 31
If you are using the cloud and the data in located in Europe
CISC 32
It is likely that the data will travel through the fiber in UK, and got buffered by GCHQ.
Conclusion
• Data privacy protection: laws exist to protect data in a particular country
• Unfortunately, laws cannot protect data resided in another country where the intelligent agencies do not observed, or laws exist allow unlimited access of data that are potential dangerous in the oversea
CISC 33
34
Thank You