Posts by p.houppermans

17 publicly visible posts • joined 15 Jan 2013

Has President Trump’s executive order on 'Public Safety' killed off Privacy Shield?

p.houppermans

Both Safe Harbour and Privacy Shield don't fix anything

US service providers have known for years that they were incapable of delivering privacy from well before Edward Snowden and Max Schrems vs Facebook (on reflection, make that decades, not years). You may recall I talked about this quite a while back - there are profound differences in law that make the ability to offer privacy at best a myth.

There are constructs possible to improve on this situation, but I fear that if you're a service provider with a HQ in the US, life is about to become even more difficult - not just because of former President Obama's departing tweaks to Executive Order 12333 but also because of the very stance the Trump Troupe has with respect to any rights that the population may dare to assert.

Entertainingly, though, Privacy Shield has a review condition and that date is coming up.

Tick, tock, tick, tock..

Redmond resists order to hand over overseas email

p.houppermans

Re: Not in America

On the rare occasions I use a web browser without AdBlock plus, I often see adverts for a hosting company proudly saying they aren't in the US. I can only see this growing: "We have nothing in America. No servers and no offices."

OTOH, for company use you also want to avoid businesses that you have no legal grip on, like in, say, Panama. Having said that, as BOFH I would not jump to conclusions and insist on a thorough 3 week on-site review :)

p.houppermans

Re: Interesting?

the whole future of the Cloud, or at least an international cloud with any presence in the USA is in the balance here.

If the US Government prevails in this case, it will be the death knell for the US Cloud industry, although it will possibly spur on national cloud services.

Yup, you heard it here first...

MS' "success" in fighting a previous order was different, that was about an NSL which was withdrawn - it didn't actually win, the case disappeared because the FBI apparently found another way to get what it wanted.

That is also the way in which I can see MS win this: it can argue that the US government has alternative ways to access that information by using the standard international agreements on collaboration (translated: it could play nice instead of just grabbing what it wants).

"If the US government prevails in reaching into other countries' data centers, other governments are sure to follow," Microsoft general counsel Brad Smith wrote in an editorial in the Wall Street Journal on Tuesday. (MS lawyer)

Err, no. Only the UK has recently seen the need to hand itself some more means to force UK companies to break the law abroad (because that's what is really happening by demanding data from another jurisdiction) - other nations still have this quaint idea that they can use their international agreements to politely ask for collaboration in case of a criminal investigation. Personally, I wonder why the UK followed the US approach on international access because it amounts to creating a privacy "don't go there" island for multinationals with UK headquarters, right in the middle of the EU..

Never mind the jetpack, where's my 21st-century Psion?

p.houppermans

Data entry on the Psion Organiser

In those days I was writing quite a lot of code on the Organiser II, so I wrote a replacement for FIND, SAVE and INFO that made proper capitalisation easier.

I was astonished to actually receive an enquiry about this freeware last year, asking for an updated version (never got round to making it work on the LZ screen :). It turns out that not only is the file still available, some of those Organisers are still in active use.

I sent most of my Org II kit to the Computer Museum in Swindon (even an Organiser I).

As for diaries, I found the one on the Psion S3 actually the easiest (but the PC sync software was gruesome - there is no nicer word for it), later followed by a separate program you had to install on the Sony Clie NX70 that approached its usability, with the Sony Clie being the most interesting form factor.

The next one that was usable I encountered in the Sony Ericsson P1, where you could schedule calls. Compared to that, the current iPhone calendar sucks, but it does at least synchronise if you use a groupware account (not a fan of iCloud, and Apple stupidly took away the ability to sync via iTunes in iOS 7). Of course, all of that is personal opinion - it depends a bit on how you work.

El Reg Contraption Confessional No.1: The Dragon 32 micro

p.houppermans

Re: classic computing

I'm currently restoring my 1979 Apple II

Wow - trip down memory lane :). I built one (you could buy the bare motherboards), and it was quite a soldering job...

p.houppermans

Sent some to the Swindon Computer Museum

I sent some of my Psion Organiser II kit to the Swindon Computer Museum. I know the people who dreamt up the museum idea, and that way it benefits more people, as I still have plenty of other things to collect dust with :)

I must ask them if they're interested in a pretty much new top-of-the-line Roland A3 flatbed plotter ("new" as in "printed maybe 20 A4 sheets in its life" new). This sort of tech is now only found in 3D printers, but I don't have the time for a hardware project, and retiring kit to a place where others can learn from it is IMHO much better than eBaying it...

Right, that's IT: We'll encrypt INTERNAL traffic to thwart NSA - Yahoo

p.houppermans

Re: The point is?

The point is?

Marketing, and there is a LOT more coming - I predicted as much quite a while back.

As others in the comments here have already pointed out, such statements can be comfortably made without any risk of retribution even though they are a tad creative with reality - after all, they are a US company. When (not if, IMHO) they are required to cough up user data they are bound to keep it secret, so if it ever leaks they have done so, they can blame the government for forcing them to keep it quiet.

Switzerland to set up 'Swiss cloud' free of NSA, GCHQ snooping (it hopes)

p.houppermans

Re: but...

surely you are still stuffed in the UK even if the data is in Switzerland? Can they not compel you to turn over the keys, login etc....?

You're correct. The issue that is being addressed is the risk of outsourcing. If you're a bank or a law firm in the UK, your core competency is probably not in running an IT shop or keeping security up to date, so you buy in that service from somewhere else (also has a neat side effect that you can blame someone else if you get hacked).

The problem is that the combination of the Regulation of Investigative Powers Act and enhanced powers when you bandy the word "terrorist" around allow a bypass of due process when it comes to intercept, so your provider could be ordered to hand over your data without you ever finding out .. or so you'd think.

The second problem is that the rules surrounding such an investigation do not really do much for your privacy either, so even the most junior policeman fresh out of school could see really confidential data - once that data has been obtained, it's a big question if it remains protected as well as you would need it to be. This is why I said "or so you'd think" - when some of that data leaks you may not have an idea how this has happened, and with all the secrecy it will be hard to discover, less prove it was actually law enforcement who caused this to happen. Either way, you will end up shouldering the blame and liability as the "National security" meme will get very much in your way.

Last but not least, the UK also has a problem with the disposal process after an investigation has been closed down. For example, until recently, DNA taken during an arrest would remain on file in contradiction with EU law and it took a court case to change that. It is now slowly being addressed.

Your next question will be "what if the UK simply asks Switzerland for the data?" and the answer to that is the next reason why you'd want your data in Switzerland: a cross-judicial request for assistance has to fulfil the conditions of the target country. In other words, if the request does not satisfy Swiss law, it will be rejected.

BTW, it's not enough to just decamp to Switzerland and then declare yourself the defender of privacy (as I see with many Swiss email providers). There is a lot more work to do before you have closed all the backdoors. I've been through that exercise and it's hard work, but you may recall I saw this trend well before Snowden came onto the scene.

The above also indicates how I knew that not all was well with US "secure email" providers even before they started up. Having your HQ in the US makes it pretty much irrelevant where you host your data as the decision power (and thus the leverage for law enforcement) is subject to US law. The latter should also give you a hint as to (a) what a massive problem Silicon Valley is presently trying to hide from you and (b) just how little value the Safe Harbour scheme has, even if you ignore the inherent conflict of interest in a self certification scheme in the first place.

The US is now in a situation where all chickens come to roost at once, and -pardon me for butchering the expression- many feathers are flying. There was a reason why we have due process: handing powers to the state is perfectly OK if it can be checked they are used for the purpose for which they were given (pretty much in the same way you don't give everyone in your company the right to sign corporate cheques). Take transparency and supervision away and it becomes a mess. The bad guys have a party, and the good guys (because they exist too) no longer have a way to prove they still follow the rules. If you do this in law it takes a LONG time to sort it out. I reckon it'll be close to a decade, and that's IMHO a conservative estimate.

Some final remarks: this is not just a UK issue. A number of EU countries have implemented anti-terror measures in ways that do not exactly inspire trust, the Swedish FRA is but one example. Also, the fact that the Swiss are careful about intercept does not mean they don't have the capability, it's just that they go about it a bit more carefully.

World+Dog hates PRISM: Cloud Security Alliance

p.houppermans

Re: US cloud suppliers "Foreigners are dumb and can't read."

As I have previously remarked if you don’t want your data seen by anybody else then don’t either put it on the web or in the cloud

Agree on the Web thing, less so on the Cloud, plus you're ignoring the fact that data is sometimes shared between parties, which makes the whole jurisdiction thing a heck of a lot more complex.

I honestly wasn't expecting a Snowden style disclosure when I wrote the Swiss private clouds article, but it appears eerily prescient now. The Op is actually right: you need to lawyer up if you want to do it right. I spend most of my time now helping larger organisations develop global privacy strategies which MUST start with the legal picture (otherwise you're frankly wasting your time).

There are a number of ways in which you restructure an organisation to shield corporate information from uncontrolled government snooping (to call warrant free intercept by its proper name), but you must start with making sure your HQ is not in a nation which has such legalised or you're wasting your time. If you can meet that basic first requirement, then there are a number of ways in which you can make a presence in multiple jurisdictions actually work FOR you.

Only once you fixed those fundamentals can you develop global privacy policies, and then acquire or organise the required technology to implement them. Notice that I use the word "privacy" instead of "security" - policies too must address laws, rights, compliance obligations - the hard work is usually bringing some structure into what is a complex mix of aspects that had a firm stirring since the intercept disclosures.

That doesn't mean those issues didn't exist before, but the awareness thereof has now finally entered the boardroom. I see that as a positive development.

Privacy winds blow through Clouds towards Switzerland

p.houppermans

Re: au contraire

Any sizeable company has to handle multiple jurisdictions. The intelligent approach is to make that work for you.

Incidentally, there is no trademark on "The Cloud" - the US PTO decided in 2008 after a Dell trademark application for "Cloud computing" that it was a generic term, seen as merely descriptive.

(see http://www.informationweek.com/cloud-computing/infrastructure/no-one-owns-the-cloud/229100115).

p.houppermans

Re: This article is not really very detailed or factuelle

You've touched on the major issue here:

"One of the other problems with the "Cloud" providers is that their terms and conditions often include clauses whereby other succursals in other countries also have access to the servers. The hell desks/service desks can actually be found in some strange places outside of the hosting country. It's not easy for Data centers to pay onsite 24 hour staff...."

Personally I'm uncomfortable with the term "Private Cloud" because the "private" means you should be very clear about what works where and with who, whereas the "cloud" part is too vague.

I spent quite a lot of time with various lawyers looking at the same issue - you *can* do this if you have a 100% Swiss company and know what the complete picture looks like. There are also plenty of call services in the country itself and almost all of them are multilingual as the nation itself is, so you can contain that aspect too.

As for service access: choose a provider who hosts banks. Their admin interfaces are not allowed to be reachable from outside Switzerland. This is why, for instance, Postini had to get themselves an office in Zürich when it was filtering email for Swiss companies (with a Swiss data centre). When Google bought them this service was terminated.

As I observed somewhere else before, the picture is a tad more complex than I can drop into a short article - it needs a strategic view. In the end it remains a risk assessment, just with more variables. You look at the law and how it is applied, the politics, national attitude in general, availability of talent and during company evaluation you also look at the other work they do, how they go about it, how staff is screened - the full picture. The technology and security elements are pretty much the more standard elements of the mix. This leaves a few providers that are capable of making it happen as described, and I suspect that number will grow.

p.houppermans

Re: So, who are these Swiss Cloud providers?

he surely can help

Sure, but it's a "piece of string" question - without knowing requirements it's hard to point you at the right people (each have their own focus). A useful trick is to see if they carry banks, because that means the provider has to conform with FINMA standards and you just enjoy the benefits of annual audits without having to do them yourself.

p.houppermans

I was expecting this argument to come up, and there are a couple of answers to that. I'm going to keep away from the political dimensions, because that's a whole story in itself.

First of all, if you do something illegal, Switzerland is no help to you either because agreements for international collaboration are in place. Privacy is a right, but you also have an obligation to behave lawfully or the state can use its privilege to lift your privacy and check what you're up to.

Secondly, Switzerland is a democracy, and what the US did to gain that bank data was blackmail (a fishing expedition instead of normal due process). This story is long from over, because what happened broke Swiss law and not all of it has been dealt with. You can see that, for instance, with what is now happening with the collaboration with Germany where the government have (a) written out arrest warrants for the German officials involved (see http://www.spiegel.de/international/europe/germany-and-switzerland-wrange-over-tax-offical-arrest-warrants-a-825443.html) and have (b) told Germany that investigations based on illegally obtained information are out of the question. The net result is what I alluded to in the article: the Swiss stance to privacy violations is hardening, with positive consequences for the legal framework protecting your information. In Europe, the EU Justice Article 29 Working party is looking at improving privacy, but as long as the use of the backdoors to this law is not controlled and audited you retain IMHO the problem.

Thirdly, get the corporate lawyer to compare privacy laws. Switzerland is the only nation which has no uncontrolled backdoors in its privacy laws. When I help corporations with client privacy, I don't need to say much on this topic - I just ask the corporate lawyer to investigate and point him or her where to look. That way, the corporation has its own independent confirmation.

p.houppermans

Re: This article is not really very detailed or factuelle

The article would be 3x as long and no longer fit if I had to fill in all the detail :).

The exceptions you quote only come into play *after due process*, and that is by default quite rigorous in Switzerland..

p.houppermans

That is my understanding of this (rather recent) change in approach, which makes sense IMHO (although I'm not a lawyer). If the Swiss would help, they themselves would start an investigation on the basis of illegally obtained information..

p.houppermans

Re: isn't "Crypto AG" Swiss?

The Crypto AG story is probably the best known story of communication subversion by the US. In that context it is indeed worth examining US law, and the sum total of the US PATRIOT Act and FISAAA seems to suggest that planning to procure any secure private cloud services requires a check that the organisation in question is free of any US connections, or you have a legal problem from the start.

This is what I tend to find with a lot of private clouds: technically from OK to very well designed, but holed under the waterline by applicable laws..