26.1 Cloud Privacy

20210507 In general, unless you ensure your data is encrypted in the cloud, your data is accessible by the cloud host, government, and criminal entities. We should store our data encrypted at all times. Unfortunately, there appear to be legislative attempts to access our data at the point where it is not encrypted (when we use or view the data) which can then also be compromised by criminal entities. Be vigilant.

For a while US cloud compute companies fought in the US courts against action by the US government to access data held within data centres overseas. Whilst this was underway the US government introduced the CLOUD Act (2018) to clarify that the US has the right to request this data where ever it is. The cloud compute companies accepted this, despite the risk it posed to their business model.

The Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) is a United States federal law enacted in 2018 by the passing of the Consolidated Appropriations Act, 2018, PL 115-141, Division V. The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil. (Wikipedia 20210507)

Ensuring that all of your data in the cloud is encrypted is important.

However, this is not enough. At some stage you need to decrypt your data to make use of it. This is where the Australian Government stepped in to force technology companies to hand over data once it is decrypted by the user. This came into effect in 2018 with the Assistance and Access Act 2018. Apparently, the Government can demand a tech company include a mechanism for access to decrypted data in their otherwise encrypted apps, in secret. Whilst the encryption itself is not interfered with, once decrypted on the user’s device, a backdoor can provide access to the otherwise private data. Today, any number of apps in Australia may have such a backdoor and we may be unaware of it. It is also likely that if there are backdoors then they will be exploitable, eventually, by criminals too. The Act explicitly prohibits a backdoor to the encrypted data itself, but not, apparently, a backdoor to access the data once it is decrypted.

Under the bill, designated communications providers (which include … anyone who develops software likely to be used by a carriage service or an electronic service with end-users in Australia …) can be ordered to assist in intercepting information relevant to a case, either by means of an existing capability if possible (Technical Assistance Order, TAO), or being ordered to develop, test, add, or remove equipment for a new interception capability (Technical Capability Order, TCO). (Wikipedia, 20210507)



Your donation will support ongoing availability and give you access to the PDF version of this book. Desktop Survival Guides include Data Science, GNU/Linux, and MLHub. Books available on Amazon include Data Mining with Rattle and Essentials of Data Science. Popular open source software includes rattle, wajig, and mlhub. Hosted by Togaware, a pioneer of free and open source software since 1984. Copyright © 1995-2022 Graham.Williams@togaware.com Creative Commons Attribution-ShareAlike 4.0