June 12, 2013

Privacy Roundup: PRISM Special Edition


May has rolled into June and summer is fast approaching. Originally I had planned for this privacy update to be another collection of somewhat random links regarding the world of security and privacy. And then… We had Thursday. And then PRISM. And it seemed only right to gather as much information, opinion and material as possible around PRISM and make it available to our readers.

But what is PRISM?

Thus far, all anyone can tell for sure is that PRISM is the name of a data collection model and technology solution that improves speed and simplicity in allowing the NSA, and possibly other US agencies, to access user data from a large number of the world’s most popular online services (including Google, Skype, Microsoft, Facebook, etc.).

It seems the program in itself does not actually introduce any new laws, or even break any current ones. What it does, however, is enable a more effective way for the NSA to request and receive private user data. And of course, this makes it ripe for speculation as to what this ‘new’ streamlined procurement process is being used for and how.

One of the most informative posts as to the model, use, and participants, ironically enough, comes from the NSA themselves (via the Washington Post) and can be found here:

NSA slides explain the PRISM data-collection program

If you desire to dig a bit deeper into PRISM, what people are saying and thinking, and what companies may or may not have been directly involved, here is a collection of what we found to be the most informative links on the subject from the last several days:

Though we will be elaborating on the PRISM program in relation to SpiderOak in a separate blog post, I can say definitively that our users’ data is encrypted client-side, uploaded, and stored in its fully encrypted state, which means we are never able to view plaintext user content under any circumstances. In short, PRISM would be wholly and entirely useless in the SpiderOak context.

To Note: We also have yet to even be contacted by any agency regarding the program – surely a result of our ‘Zero-Knowledge’ privacy environment. After all, encrypted data is rather useless for conducting data mining activity.

In light of recent news and the topic for this special roundup I think it’s only fitting we sign off with this quote of the week:

“He who controls the past controls the future. He who controls the present controls the past.” – George Orwell in 1984

 

Comments
  1. The FBI has recently been pushing for laws forcing tech companies to build back doors into their products in order to facilitate so-called “lawful interception”.

    It seems unlikely at the moment, but if such a law were to come to pass, would you be affected by this and what would or could you do to avoid being affected by it? From what I understand of the product, a back door would be unfeasible as it would break the whole purpose of the product. Would it effectively mean you could not operate within the US and have you thought about contingencies?

    • @ mengoni: As it turns out, I was set to testify in opposition to this bill had that very language survived. Thankfully it was removed but – as you point out – that doesn’t mean it will forever. In the event that a law is passed and there was an ‘FBI’ encryption standard that all US companies had to comply with, I can outwardly say that we would not abide. Of course I don’t say this to stir up the hornet’s nest or cause a stir but rather that this runs in clear contradiction to what SpiderOak believes in. We have talked about moving the company outside of the US to avoid jurisdictional issues should it come to that and even have a few places in mind; all that said, I think this is a long way off and I feel as though PRISM pushed it even further into the future (if it ever had a chance to begin with).

      Please let me know if that accurately answered your questions and/or you have additional thoughts on the topic. Thank you for writing in.

  2. I am curious where you were thinking of going?

    If the US did enact a law requiring certain encryption, or back doors, wouldn’t that apply to companies doing business in the US, not just ones headquartered here? I doubt SpiderOak would give up all its US business in that case.

    Thanks.

  3. I can’t speak for SpiderOak, but I don’t see how the US judicial system can hope to impose its laws on every nation in the entire world.

    For example, drinking alcohol is illegal under Islamic law. Does that mean Islamic nations can drag US citizens in front of an Islamic judge for violating their laws? Of course not.

    The DOJ is currently trying to drag Kim Dotcom in front of a US judge for violating US copyright laws. The DOJ’s excuse is that MegaUpload was leasing servers on US soil, so MegaUpload falls under US jurisdiction. Notice that the newly relaunched Mega has no servers on US soil.

    Arguing that any country should be able to impose their nation’s laws on every nation in the entire world is dangerous thinking. That would mean US citizens must follow not only US law, but Islamic, Chinese, Russian and every other country’s laws, or face prosecution under those countries’ judicial systems. A scary thought!

    • Peter, was your post intended as a reply to my post? If so, I have to say your post does not really make sense to me.

      I am imagining a situation where SpiderOak moves to a different country with strong privacy laws. However they still have customers and a business presence in the US. If US law enforcement with a warrant demands user information or data, how does being headquartered in the other country help?

      I am still curious about where they were thinking of moving. I hope someone from SpiderOak will answer.


      Matt