Turning the Sow's Ear of Surveillance into a Silk Purse

On Wednesday I wrote about the Houses of Parliament deciding to use cloud computing solutions, despite the fact that we now know – not just surmise – that this is like handing your documents to the NSA. As I noted, that may not be problematic if your documents were going to be in the public domain anyway. But of course, that's only the case for a tiny fraction of most companies' documents. And for those, it is clearly the height of irresponsibility to place them with cloud-based systems that are wide open to demands from the US government for any and all data to be handed over, decrypted where possible.

On the other hand, the basic idea of clouds – centralised computing solutions offered on a kind of utility basis – is pretty compelling for companies looking to cut costs and to outsource functions where appropriate. So that leaves us with the rather unhelpful situation that companies would be mad to use cloud computing services that might be subject to US law, and mad not to make the most of their potential to save money. The key question then becomes: so what should people do?

That is actually part of a larger question: what should we as a nation do about the fact that UK companies, government departments and citizens can be spied upon by US agencies thanks to PRISM et al., and that pretty much all communications coming in and going out of the UK on fibre optic cables are being captured and analysed by GCHQ on the flimsiest of pretexts?

That was the central issue at a packed meeting that was held yesterday afternoon in the Houses of Parliament, organised by the Open Rights Group. The Guardian has a useful summary of what happened. Here's the line-up of speakers and their topics:

Hosted by Tom Watson MP, the event is bringing together experts on UK and US surveillance law to help inform the debate on PRISM and surveillance.

Caspar Bowden will be talking about the American law which allowed the PRISM programme and how PRISM can be used by the US to access the data of non-US citizens and businesses.

Simon McKay will be speaking on the UK laws governing surveillance and how they interact with the PRISM programme.

David Davis MP will also be speaking to give his views on PRISM and its relevance to the UK.

And in case you're not familiar with everyone there:

Tom Watson MP is the Labour MP for West Bromwich East and Deputy Chair of the Labour Party.

Caspar Bowden is an expert on FISAAA, the law underpinning PRISM. He was previously Chief Privacy [Adviser] at Microsoft for nine years.

Simon McKay is a solicitor advocate specialising in intelligence and covert policing. He is a former adviser to the UK Government on terrorism and covert policing.

David Davis MP is the Conservative MP for Haltemprice and Howden, and a former Shadow Home Secretary.

As you can see, there were representatives from both sides of the House, which is indicative of the breadth of concern on this topic. Caspar Bowden gave an updated account of the bad news he presented about cloud computing at the end of last year, and reported here in January. Simon McKay gave a quick rundown on the law in this area, or rather, as he put it, on the fact that the main legislation here – the Regulation of Investigatory Powers Act (RIPA) – is in practice pretty much voluntary. Interestingly, the total inadequacy of RIPA was something that David Davis also stressed, calling for RIPA to be "ripped up" (there's a nice slogan in there, I think....).

This suggests that one fruitful avenue to explore is not just to rip up RIPA, but to replace it with a regulatory mechanism fit for the digital age – which RIPA most certainly is not. In particular, it needs to take into account the kind of things that we've learned about in the last few weeks, and be flexible enough to accommodate whatever changes come through in the next few years, notably in terms of scaling and the use of automated systems alongside human judgment.

The other idea that clearly emerged during the discussions at yesterday's meeting was moving to clouds that are entirely subject to European law. This is something that I've been advocating for a while. Back in January I wrote:

Fortunately, setting up cloud computing infrastructure isn't hard, not least because a wide range of open source software is available in this area to ease the task. This should lead to a burgeoning of European cloud computing services once companies start realising the dangers of using US-controlled systems.

I also advocated that people should explore using private clouds:

Companies for whom data security and privacy are absolutely crucial need to think about bringing the clouds in house. Again, the availability of low-cost open source solutions that scale effortlessly is hugely helpful here, especially if an enterprise already has experience of implementing free software solutions.

Not surprisingly, I suggested building both using open source software. Fortunately, that's hardly a radical move, since open source code is the only kind that scales in economic terms (and probably technically, too). But we need to move beyond just random calls for EU clouds to a concerted effort at both a European and national level.

The great thing is that this would not only give companies more control over their data, and citizens more privacy (because protected by relatively strong EU norms), but that it would also benefit the European computer industry at every level. We would need engineers to build massive cloud computing infrastructure; programmers to write the code; and people to keep things humming along. Indeed, arguably this kind of move should have been made years back for precisely that reason.

In terms of making it happen, an easy way would be for all European Commission computing to move to these new cloud providers (unless there are very good reasons not to), and for financial incentives to be offered to companies that do the same. That money would be recouped by virtue of the fact that most of it would be spent in Europe (provided, of course, open source code were used, rather than proprietary programs whose licensing fees would flow straight out of the EU.)

There would also be the significant, if harder to quantify, benefit that European companies and governments would be less vulnerable to the kind of industrial espionage that is almost certainly going on currently as information is passed by the NSA and others to US competitors of European firms.

Really, the EU and European nations would be crazy not to see the current revelations about massive US spying on non-US citizens and companies as a huge opportunity as well as being a serious problem. It could well help Europe to kick-start a 21st century computing industry in a way that wouldn't otherwise have been possible. Thanks, Mr Obama....

Follow me @glynmoody on Twitter or identi.ca, and on Google+
