Hrm I wonder what are the chances that someone at the NSA or doing contract work for the NSA has a buddy at a company and that person decides to use their NSA powers to get their buddy's competitor's emails from Google Apps and send those emails to their friend. If there are safeguards in place to keep this from happening, how was Snowden able to take so many documents with him when he went to Hong Kong? Ok so maybe he didn't take any of that kind of data, maybe I'm reaching. If this kind of thing did happen would they let the affected company know? Would anyone know?
This is getting overlooked, but a 2009 NYT article claimed an NSA analyst looked through Bill Clinton's email out of curiosity (he was caught). I think this is very revealing.
The safeguards for actual analysts who use the data "officially" are probably a lot stronger than for sysadmins (like Snowden) who have access through side channels. They probably log access through the front door of the webapp and would question someone doing queries on blatantly non-work related things -- this has caught people in healthcare looking up the medical records of famous people, in the past.
They could probably still get access to a very limited number through some pretext, or with cooperation from other staff (like sysadmins or the reviewers), but it's less of a risk with NSA I think than it is with other agencies.
According to Google "NSA powers" in their case are restricted to FISA orders, so I'm not sure how a random worker at a government contractor can produce these. Snowden was a sysadmin for a contractor and that is how he got his hands on their internal documents.
Is no one else paying attention to anything beyond the "slides" in this story?!
Seems odd that someone wouldn't have understood that even 10-15 years ago. Outsourced means being exposed to risk from your supplier -- by the company itself, by its employees, or by governments. Gmail has somewhat better technical security to protect from outside non-state hackers than your average self-hosted Exchange server, and from insiders (the IT guy, like Snowden, may not have the same goals as the organization...), but that may or may not make up for the ease of serving a third-party communications service provider.
I still prefer well-run self-hosted mail unless:
* You have a <6 month retention policy (i.e. so ECPA's weaker protections are a non issue) (which can be specified in Google Apps for Your Domain)
* You don't have the technical competence to run your own mail server (which gets complicated in a larger organization due to HR risk), or don't have the business competence to hire a contractor to run it in-house in such a way that their staff don't become a huge risk.
There's a third way which would be a lot better for everyone, but it's not technically feasible yet -- a way to outsource some aspects of the server without giving up control.
I think he understood the risks, but basically took it as fact that the US was beholden to decent privacy laws restricting access to private (and encrypted) communications like email.
One of the main arguments for using Google Apps in the past is the technical level of Google's security, and protection from being hacked. But the NSA/PRISM leaks have raised a new question in people's minds, in favour of keeping things in-house or at least in your own country.
It would be great to have a service that could manage your mailserver configuration, tracking reputation & avoiding spam, while not having any access at all to the data itself.
While OP's apology is appreciable, there was more than enough information available in 2008 to understand that his Czech colleagues were right.
The Prism scandal may have come as a surprise to US citizens, but the US has been spying on foreign nationals and companies for years, and we've long known about it - haven't you heard of Echelon? It was also well known that these systems were used for industrial espionage.
(...) the document lists several examples in which intelligence officers are believed to have interfered in a commercial contract. The report claims that European aircraft maker Airbus Industrie had its lines tapped in 1994 while negotiating a $6 billion contract with the Saudi Arabian government and national airline.
Exactly, AFAIR it's always been sorta known that US intelligence agencies can spy on non-US citizen data held on US servers without a warrant. The PRISM lark is mostly big because it's spying on US citizens.
Agreed - that was the exact reason that I was apologizing to the guys in CZ. I simply had no idea. Once we talked through the issue, I trusted their judgment (just like they've trusted ours on the areas we know better).
It was simply an area I'd never done any work in - that's the benefit of a global, diverse (and still very small) organization.
Sadly the NSA programs are strongly anti-business as they are based on 'trust in me'.
American businesses could and should lobby Congress to fight this and to find ways to protect US stored data, I know I wouldn't trust a Chinese cloud company not to snoop or steal business/corporate ideas and trade secrets.
But if there were assurances for US cloud businesses that this doesn't affect their business ideas accidentally or deliberately then we could set a global example on how to run cloud data storage that is safe and business friendly. There is an opportunity here for Google, Amazon, Apple etc for cloud data.
Lots of damage control to be done here for international clients. As an American I would always trust our systems more but international companies may have a very hard time trusting without the US being a shining example of how to correctly protect business data in clouds here, especially encrypted data that is automatically subject to storage/filtering if international.
But what protection of stored data do you mean should Congress find, by introducing some laws? Because, well, if the data are not encrypted on the server, then someone could still take them... that's how the Internet works. For now, the only solution I can think of is that you encrypt the data locally, and upload only the encrypted data - but this way, the cloud provider will not be able to provide any additional value. Or are there some other possibilities?
I love how business-friendliness is your top concern here.
How about this: only businesses (like Facebook, Google et al.) should be able to say 'trust in me' - to their customers. Privacy regulation is only for the government, this will ensure that the surveillance state is built by corporations, as God intended.
It's obviously a huge risk and embarrassment if the US government looks at data from Europeans. But if American companies sell each other that data, that should be of no concern to Europeans, because private companies are all inherently trustworthy without external oversight.
Historically, similar systems have been quite pro-business (or pro-American-business); ECHELON sigint data was used in the 90s to help Boeing win a large contract over Airbus, for instance.
It doesn't take much reading of the literature to understand industrial espionage or any of the other substantive risks of outsourcing. Prism or not, when you put your intellectual property on someone else's networks you are taking a risk.
Yet most of the managers I see who make this decision just don't care. They ignore the advice of their systems admins and follow the old adage "you can't get fired for buying IBM" like sheep to a slaughter. It's typical of the short-term mindset that drives so many business decisions.
I chalk this up to a lack of education, both in business and IT. While CS professors obsess over data structures and algorithms, and non-IT departments preach about the relevance of the next quarter's results, "Rome is burning".
We'd brought up a wafer fab in the Hsinchu Scientific Park in Taiwan before - so we weren't strangers to the concerns about industrial espionage. Several of us have done a lot of work with the government and we'd manufactured some very sensitive products (as does the current business).
My apology is really around the fact that at the time we were trusting that such programs would not exist here (this was before explained Echelon to us), and that the US didn't work that way. I was naive and I was wrong.
I just wonder why telcos I've been dealing with have always required to encrypt all information which is not classified as public information. All customer, project, system, configuration, documentation, contracts etc. must be encrypted before transit. - Surely they must have known about this. So if telcos won't trust privacy of telecommunication, why should anyone else think that telcos are trustworthy?
(A) Yes, they probably knew about this, at least as a potential risk; while the media has gotten very excited about PRISM, it isn't really that different to ECHELON, which has been effectively public knowledge since the late 90s.
(B) Governments aren't the only ones potentially spying on people's unencrypted comms.
The author is overlooking one major flaw in his discussion: security (and possibly also reliability). His implication is that they can run internal servers more securely than Google and Salesforce. While government collection of encrypted emails is problematic, securing your own server and making it reliable is an entirely different issue. Unless they have an absolutely top notch security team they'd be better off on someone else's servers.
This is perhaps true where budget is severely constrained, or where Windows servers are spec'd, or where developers do systems administration, or where the corporate culture won't pay for capable IT.
Experienced IT staff can typically exceed the uptime of Google and Salesforce on a standard budget with no special accommodation. Perhaps the organization's IP (intellectual property) wasn't really worth that much, or upper management forced their hand? Sounds like that wasn't the case but you never really know.
Our IT team, though small, is very good at what they do and extremely focused on security. We install machines on customer floors that run 24.7.365, which themselves are remotely monitored and serviced. Security is important to us from a manufacturing standpoint as well as from an operational standpoint.
Hosting the email on a server in your office is no protection if the data is being captured at your ISP unless all email is transmitted using SSL, and even then govt probably has that cracked long ago.
[+] [-] btipling|12 years ago|reply
[+] [-] uvdiv|12 years ago|reply
http://www.guardian.co.uk/world/2013/jun/17/edward-snowden-n... and
http://www.guardian.co.uk/world/2013/jun/17/edward-snowden-n...
http://www.nytimes.com/2009/06/17/us/17nsa.html?pagewanted=a...
[+] [-] alrs|12 years ago|reply
Economic espionage is a big part of what intelligence agencies are doing all day.
http://www.commondreams.org/headlines/070200-02.htm
[+] [-] rdl|12 years ago|reply
[+] [-] rasterizer|12 years ago|reply
[+] [-] rdl|12 years ago|reply
[+] [-] damian2000|12 years ago|reply
[+] [-] ricardobeat|12 years ago|reply
[+] [-] dfc|12 years ago|reply
http://support.google.com/a/bin/answer.py?hl=en&answer=15112...
Spoiler Alert: Apps for Business/Education only
[+] [-] Camillo|12 years ago|reply
[+] [-] icebraining|12 years ago|reply
European Parliament adopts 'Echelon' report
http://archives.cnn.com/2001/TECH/internet/09/07/echelon.rep...
[+] [-] skrebbel|12 years ago|reply
[+] [-] rmc|12 years ago|reply
[+] [-] flybrand|12 years ago|reply
[+] [-] alan_cx|12 years ago|reply
Nothing was "known" until these leaks. It was the conspiracy theory of nut jobs. Now and only now is it "known".
[+] [-] drawkbox|12 years ago|reply
[+] [-] greyman|12 years ago|reply
[+] [-] pekk|12 years ago|reply
[+] [-] rsynnott|12 years ago|reply
[+] [-] pconf|12 years ago|reply
[+] [-] flybrand|12 years ago|reply
[+] [-] Sami_Lehtinen|12 years ago|reply
[+] [-] rsynnott|12 years ago|reply
[+] [-] driverdan|12 years ago|reply
[+] [-] pconf|12 years ago|reply
[+] [-] honzzz|12 years ago|reply
[+] [-] flybrand|12 years ago|reply
[+] [-] mironathetin|12 years ago|reply
It's so obvious.
[+] [-] jojobe|12 years ago|reply
[+] [-] comrade1|12 years ago|reply
[deleted]
[+] [-] frozenport|12 years ago|reply
[+] [-] betterunix|12 years ago|reply
https://en.wikipedia.org/wiki/FinFisher
[+] [-] readme|12 years ago|reply