Microsoft tells US lawmakers cloud has changed the game on data privacy, gets 10 info demands a day from cops

The US House Committee on the Judiciary met on Wednesday to hear testimony on the government's practice of secretly subpoenaing cloud service providers, and Microsoft was happy to oblige. Tom Burt, Microsoft's veep of customer security & trust, testified as a representative of cloud service providers. He revealed that …

  1. DonL

    So how exactly could this be surprising? If you choose to place your data somewhere out of your control because you can't be bothered to care, obviously people can (and in some cases will) be digging into it.

    Vendors like IBM know and get out of their cloud once they sold it and it's no longer under their control.

    Would anyone store their most private letters at some stranger's house just because they offer it? It's exactly the same thing.

    The cloud has its uses, but the trust some people have in it for anything important is misplaced.

    1. Anonymous Coward

      It's not at all surprising, especially after they passed a law (the CLOUD Act) specifically to get around that pesky problem of having to ask a foreigner for assistance if the information is stored abroad. The fact that any data stored anywhere where it is accessible to someone based in (or with links to) the USA is "fair game" to any Tom, Dick, or Donald with an official ID to go rummaging through it at will is why Safe Harbour got canned, why Privacy ~~Shield~~ Figleaf got canned, and why any similar replacement will get canned just as soon as the process can drag itself through the courts in the EU.

      Yet, I know for a fact that despite MS USA proving that it could reach out and grab data held in a data centre in Ireland, the cloud providers are still selling a false tale of security. And people who really ought to know better are busy selling services like Office 365 4 3 (or whatever they've gone down to so far this year) as secure and "there's no problem with GDPR as the data is held in an EU data centre" to small businesses who don't have the knowledge to query these blanket statements of "fact". Oh how I wanted (at my last place) to tell some of our clients the truth - there was a reason I was kept away from clients!

    2. MacroRodent Silver badge

      > Would anyone store their most private letters at some stranger's house just because they offer it?

      Actually, that happens all the time. Ever heard of safe deposit boxes at banks?

      1. DJO Silver badge

        With safe deposit boxes you have the only key, the bank cannot open your box without the assistance of a locksmith. That does not stop a third party bank-robber from breaking in but that's what insurance is for.

        With cloud services you do not have ownership of the key. Yes you can (and should) encrypt content but metadata is always available and as any spook will tell you, metadata is where the most useful information is found.

        1. MacroRodent Silver badge

          True, but the bank will nevertheless forcibly open the box in certain circumstances. For example, if the police turns up with a warrant for a particular box, the bank has reason to believe the box contains something hazardous, or the customer stops paying rent and cannot be contacted (the terms of my bank say they will wait for a year in that case, but then they will open it).

  2. HAL-9000
    Big Brother

    Fishing anyone?

    Not even slightly predictable, moving emails and data to cloud based 3rd parties was sure to attract some unwanted attention. Hosting locally complicates matters for law enforcement, but the big question remains: what is the general nature of the justifications for these subpoenas, I'd be interested to know.

  3. HildyJ Silver badge
    Big Brother

    It's not just the cloud

    It's also your phone company, your internet provider, your bank, your suppliers, your customers, et effing cetera.

    As Microsoft is pointing out, it has become absurdly easy for the government, at all levels, to get a warrant to see your data and to slap on a secrecy provision. And Turley points out that there is even less oversight with a subpoena.

    Big Brother can watch whatever it wants whenever it wants to.

  4. Pascal Monett Silver badge
    Facepalm

    "7–10 secrecy orders per day"

    And yet Huawei is still the big bad problem, right?

    1. Anonymous Coward

      Re: "7–10 secrecy orders per day"

      Only 10 requests a day? I find that hard to believe.

  5. Bartholomew
    Big Brother

    In many ways the metadata is more telling than the actual data

    An account comes online every day from 9am and offline at 6pm, five days a week: that tells one story.

    Two phones travelling in opposite directions towards a hotel every Friday afternoon and powering off shortly before reaching the destination, and then powering back about an hour later when the phones are heading away from the hotel tells another story. Almost every application installed on a mobile phone these days has the potential to capture and upload that kind of metadata. Historically (pre-smartphone apps) only the mobile telephone operators could track your cell location, and they did that and still do record that information and more to monitor the existing, and improve the future, picocell/nanocell/microcell/base stations coverage. Historically they would throw it away after use, now it is stored permanently because it is so cheap. Now this metadata is available to the telco provider, the operating system provider, the phone hardware manufacturer and all the individual application developers.

    Long term metadata collection can leak far more information than data normally does.

    Cloud providers with the amount of metadata that they are harvesting can tell when you are eating, using the toilet, or when your normal routine has changed even by the slightest amount.

    1. Robert Grant Silver badge

      Re: In many ways the metadata is more telling than the actual data

      I would argue that while this may be metadata as far as the phone provider is concerned, it's data as far as the person being scrutinised is concerned.

    2. LovesTha

      Re: In many ways the metadata is more telling than the actual data

      The smart criminal lets the phone battery run out at home or just leaves the phone at home.

      It gets complicated if you try to figure out the right frequency for exactly one of the conspirators to bring their phone, just so the times the phones are 'left' at home aren't a pattern.

  6. Eclectic Man Silver badge
    Joke

    It couldn't be ...

    that IBM's recent e-mail 'problems' are actually a ruse to avoid a subpoena, could it?

    https://www.theregister.com/2021/07/01/ibm_email_disruption_sales/

    (Sorry, it is late and I've already waited over an hour to have the chance for my application to buy tickets for Wimbledon to time out after entering my credit card data, and still have about 45 minutes left, if the little green bar is anything to go by.

    Cynical, moi?)

  7. Anonymous Coward

    Microsoft and every company with the means to slurp your private data speak with forked tongue:

    * Data mining as much as possible from private individuals and selling it is good.

    * Having to turn it over to law enforcement for free is bad.

  8. FozzyBear
    Unhappy

    technology is a double edged sword

    It delivers on almost all things promised, convenience, speed, accessibility, etc. The problem is almost no one asks and then answers the one important question.

    "Am I willing to hand over (credit card information, banking details, medical history, personal details, etc) to a random stranger for safe keeping?"

    If not, then why are you willing to upload this information onto a storage platform, simply for convenience's sake?

  9. adam 40 Silver badge
    Unhappy

    Commercial and not in Confidence

    If micro$haft can read all this data in the clear, what's stopping them from reading commercial data also stored in their cloud infrastructure, for example sensitive technical data, computer programs etc etc?

  10. sreynolds

    They can't take what they don't have

    Why is this server based email a thing? Think about it.
