By James Green ~ February 13th, 2014 12:33 PM MST
The cloud can be utterly convenient, allowing us to seamlessly access all of our music, photos, and work files from anywhere in the world, even while on vacation (if you’re into that sort of thing). But there are those who scrutinize the cloud for its lack of privacy. Cloud skeptics criticize the security of cloud servers, question the fail-safes in place to prevent unauthorized access to data, and condemn companies that collect and trade customer data like currency.
So, can data stored on the cloud ever be truly private? I asked that very question to a champion of data privacy and the CEO of cloud service SpiderOak, Ethan Oberman. His response was a resounding “Yes, and there are a lot of reasons why!” Then again, you would expect the CEO of a cloud company to say the cloud can be private, so what’s the catch? Truthfully, after my own independent research and my conversation with Mr. Oberman, who speaks objectively and in depth about cloud and data privacy, the only catch is that some cloud services only consider privacy as an afterthought. Since you don’t want to be caught with your data exposed, we’re here to help you understand how to find privacy in the cloud.
Algorithm! Algorhyme! Get on up, it’s Cryptography time!
Online data privacy relies on the complex math of cryptography. The following is an elementary version of the cryptographic process. We will encrypt our input “topsecretmessage” and receive a ciphertext output. For the sake of brevity our example completes the process only once; real cryptography cycles through this process numerous times.
- A plaintext input (your data) is taken and divided into two-dimensional data blocks. (imagine a spreadsheet with rows and columns)
- Each data character is then replaced with a corresponding crypto character according to a lookup table.
- The data is then shifted vertically by row, and then horizontally by column.
As you can see, our input of “topsecretmessage” was encrypted and the ciphertext output we received, “#@&j@wr$##fu@w%#”, is unrecognizable. This is a simplistic example of an encryption process. The standard encryption processes used today contain longer and more complex transformation methods. Encrypting data is a complex process, and the art of cryptography relies on a community to test and audit cryptographic code.
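An added worked example of the three steps above, written for this article rather than taken from it or from SpiderOak’s code: the lookup table and the per-row and per-column shift amounts are constructed assumptions (the article gives neither), so the output will not match “#@&j@wr$##fu@w%#”, and step 3 is read as rotating each row and then each column. A decrypt function reverses the process, and frequency_profile shows why one pass of table substitution plus shifting is far weaker than the real algorithms the article goes on to discuss.

```python
from collections import Counter
import string

# Constructed lookup table (step 2): each lowercase letter is replaced by a
# distinct symbol. The article's own table is not given, so this one is invented.
SYMBOLS = "#@&$%!?*+=~^<>/\\|:;{}[]()_-"
SUB = dict(zip(string.ascii_lowercase, SYMBOLS))
UNSUB = {v: k for k, v in SUB.items()}

SIZE = 4  # "topsecretmessage" is 16 characters: one 4x4 block (step 1)

def to_block(text):
    """Step 1: lay the text out as a SIZE x SIZE grid of rows."""
    if len(text) != SIZE * SIZE:
        raise ValueError("this toy handles exactly one %d-character block" % (SIZE * SIZE))
    return [list(text[i:i + SIZE]) for i in range(0, len(text), SIZE)]

def rotate(seq, k):
    """Rotate a list left by k positions; a negative k rotates right."""
    k %= len(seq)
    return seq[k:] + seq[:k]

def shift_rows(block, direction):
    """Step 3a: row r is rotated by r positions (direction=+1 encrypt, -1 undo)."""
    return [rotate(row, direction * r) for r, row in enumerate(block)]

def shift_cols(block, direction):
    """Step 3b: column c is rotated by c positions (transpose, rotate, transpose back)."""
    cols = [rotate(list(col), direction * c) for c, col in enumerate(zip(*block))]
    return [list(row) for row in zip(*cols)]

def encrypt(plaintext):
    block = [[SUB[ch] for ch in row] for row in to_block(plaintext)]  # step 2
    block = shift_cols(shift_rows(block, +1), +1)                     # step 3
    return "".join(ch for row in block for ch in row)

def decrypt(ciphertext):
    # Undo the steps in reverse order: columns, rows, then the substitution.
    block = shift_rows(shift_cols(to_block(ciphertext), -1), -1)
    return "".join(UNSUB[ch] for row in block for ch in row)

def frequency_profile(text):
    """Sorted character counts. A fixed table plus shifting never changes this
    profile, so plaintext and ciphertext share it: the toy's classic weakness."""
    return sorted(Counter(text).values())
```

Running encrypt("topsecretmessage") and then decrypt on the result returns the original message; comparing frequency_profile of both strings shows they are identical.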
According to Oberman, the reason cryptography isn’t standard practice is that “cryptography is really hard math”; it’s not something that every developer has in their toolbox. There are currently no out-of-the-box tools for developers to create cryptographically sound applications. Each developer must work out for themselves how to use and implement data encryption, which is no small feat.
Oberman and the boffins at SpiderOak are working on one of the first open-source, cryptographic application frameworks called Crypton. The goal for Crypton, or another crypto application framework like it, is to become a standardized tool for developers. Oberman envisions privacy as the platform on which all cloud services are built, and cloud companies competing to provide the most innovative services such as the SpiderOak private chat application rumored to be in the works.
Privacy > Data Encryption
Two algorithms, DES (Data Encryption Standard) and SHA (Secure Hash Algorithm), are dinosaurs in terms of technology and have not been suitable for security purposes for some time. All too often, following a data breach, we have seen companies using these algorithms to store consumer data. Or, worse yet, we find that companies have been storing data in plaintext. Before committing your data to any cloud service, find out if stored data is encrypted and using which encryption algorithm.
Encrypt Data at Rest with AES – Using the world’s most powerful supercomputer, it would take 319 quadrillion years to crack data encrypted with AES-128. Data encrypted using AES will be secure beyond the end of time as we know it.
Cybercriminals prefer to monitor insecure internet connections and steal unencrypted data in transit rather than spend time hacking individual devices and servers only to steal unusable, encrypted data. Data being transferred between your device and cloud servers requires its own type of encryption.
Data in Transit Requires an SSL – An SSL certificate encrypts data transferred between your computer and the cloud server. HTTPS in the address bar indicates a secure SSL connection.
Data encrypted with an SSL connection is decrypted once it arrives at the cloud server and exists briefly in plaintext before it is encrypted for storage. Client-side encryption prevents rogue employees from accessing your cloud data, prevents a cloud service provider (such as Microsoft) from scanning the content of your data, and secures your data from the spy programs of government overreach.
Client-Side Encryption – Client-side encryption means that data is encrypted locally on your device before it is uploaded. This style of data encryption ensures the utmost privacy: no one can access your data without your password, not even the cloud service provider.
Your Password Is Key
Cracking encrypted data is like trying to break into a lead vault with a plastic fork; it would be much easier to steal the key and open the door. Passwords are often the weakest link. A strong password does not contain real words, uses both upper and lower case letters, and contains both symbols and numbers. Create an acronym from an easy-to-remember phrase (example: “we’re gonna need a bigger boat”), then give it some pizzazz with special characters (example: WgNaBb_/\_\0/_).
The Illusion of Free: Data Collection & Data Sharing
Among the most commonly collected data are browser cookies, which are used to track web activity. To prevent advertisers from monitoring your web activity you can:
- Disable cookies in your browser. Keep in mind that some services rely heavily on browser cookies and “(i)f you do not accept cookies… you may not be able to use all aspects of the service.”
- Install a browser add-on such as DoNotTrackMe to monitor and block tracking cookies for individual websites.
- Opt-out of cookie advertising from nearly 100 companies by following this link: NetworkAdvertising.org.
Data Privacy Laws
In the US the Electronic Communications Privacy Act is the most recent federal regulation regarding the privacy of electronic consumer data. The ECPA was passed in 1986, before the internet had even been invented. Over 27 years later, the ECPA is still the only federal legislation protecting consumer privacy online.
Under the ECPA a warrant is required to access electronic communications (emails, text messages, shared data, etc.) that are less than 180 days old. However, a warrant is not required for electronic communications more than 181 days old. This information is considered to be in “storage” and can be obtained with a subpoena. The ECPA protects electronic communications only and does not protect the privacy of data stored online such as “photos or Google docs.”
In November of 2013 the UN passed a resolution entitled “The right to privacy in the digital age.” In this resolution the UN “(a)ffirms that the same rights that people have offline must also be protected online, including the right to privacy.” As pioneers of the digital age we have the unique opportunity to shape the kind of legislation that will protect the public for generations to come. The ACLU and many other organizations are fighting for our digital rights, so take a moment and join the movement for digital privacy. If you feel strongly about your digital privacy (and I hope you do), send an email in support of digital privacy legislation to your state Congressman or Senator.
James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA