
Encryption and the law
June 25, 2008
The rise of cloud computing raises a lot of legal issues, and one of the thorniest involves the variations in national laws governing the storage and use of personal and other information. Controls on data threaten, for instance, to prevent certain information from being stored in data centers outside a user's home country, hence eroding some of the efficiencies promised by a global cloud.
And yet does the location of the data center really matter? I was listening recently to comments by an executive from Mozy, the online backup service. Noting that Mozy allows its customers to use a personal encryption key to encrypt the data that they store with the company (making it impossible for Mozy or anyone other than the owner to decipher it), he asked whether such encrypted information resides legally where the data is stored or where the encryption key is held. It's an interesting and important question, as encryption promises to separate "information" from the bits of data that carry it.
Comments
Sounds like my thesis from 10 years ago: "Encryption and Public Policy". Of course that was during the Clipper Chip era.
I believe that all information on any public network that may be personal, private or IP related must be encrypted. Certainly this will make things more difficult for law enforcement, but when did anyone say law enforcement was supposed to be easy?
Encrypting more information will provide law abiding people and enterprises with a level of protection they do not currently enjoy. Government entities will be put to task to crack this encryption, as they feel it is their mandate to do so, but isn't that how technological innovation comes about?
Posted by: Eoghan
at June 25, 2008 09:28 AM
If encryption were perfect and guaranteeable, then perhaps, but it ain't. Sure, we can get practical protection in most circumstances, but particularly in the case of governments we don't know what their capabilities are. For example, if you were a company like Intel, and your IP was worth billions, would you hold it on a server in China and hope the encryption held and your key remained secret? Anyway, I'm not sure that it matters. Under EU law you can only pass to a 'safe harbour', and security is but one of the requirements. I'm not sure that encryption negates the other requirements. I can't imagine a Judge buying the idea that encrypted personal data is not personal data. I certainly don't!
Posted by: David Evans
at June 25, 2008 11:40 AM
Interestingly, I've just started re-reading Neal Stephenson's Cryptonomicon, which has a very similar topic as a main sub-plot line: establishment of a "neutral" data-haven that is free from any and all government intrusion. Encryption is, of course, a key part of the plan. (Although the actual main plot of the book remains a mystery to me, establishment of the data-haven was but a step on the way to creating a hard "virtual-currency".)
A bit dated maybe (published in '99), but still an entertaining read.
Posted by: Brett
at June 25, 2008 01:05 PM
Throw another wrinkle in there - imagine that Mozy was outside of the US.
Encryption then becomes a US Trade Law issue.
Posted by: ERoss
at June 25, 2008 03:13 PM
You might want to check with Mike Godman, he was at EFF during Clipper, and did a lot of work in this area.
While Dave Evans is technically correct, that even strong crypto can be broken, in practice it is not possible. See Bruce Schneier's Applied Cryptography for calculations. With sufficiently strong keys, it would take as many computers as there are molecules in the Universe.
But, Mr Evans is correct in that the only secure computer is turned off, disconnected from all wires, inside a SCIF and protected by a squad of US Marines. If it's on the 'net, there are easier ways to get the data than breaking RSA. Nearly all access is done with social engineering. It's a lot easier.
Posted by: Patrick Farrell
at June 25, 2008 08:36 PM
Nick, according to Gartner, locality (geographical) is the least popular feature of cloud for corporate respondents. This raises a legitimate question of why a cloud provider would want to move your data to, say, China or Russia (besides economic reasons).
In my practice, geotargeting is used mostly for high availability solutions or content delivery networks like Akamai (obviously not used to make your SSN or health records available globally).
I see a very loose logical relation between cloud computing, different countries' legislation and various data attributes/lifecycle like encryption, privacy, retention, locality etc. It might work in pairs (encryption - legislation, cloud computing - encryption and so on), but not always altogether.
cheers,
Khazret Sapenov
Posted by: Khazret Sapenov
at June 26, 2008 12:17 AM
Nick:
"Mozy allows its customers to use a personal encryption key to encrypt the data that they store with the company (making it impossible for Mozy or anyone other than the owner to decipher it)..." (emph. added)
Boy, that branches on a big assumption.
The integrity of encryption is a classic Popperian black swan problem. We have no idea whether encryption is broken. We can only know whether someone has publicly shown it to be broken. Given the incentives to keep such information private, that's of little comfort.
Patrick:
"You might want to check with Mike Godman..."
I suspect you mean Mike Godwin.
Posted by: Hal O'Brien
at June 27, 2008 12:36 AM
I suspect the answer to that question is similar to the question of whether your stuff, lying in a Swiss bank locker, is in fact in Switzerland if you hold the key in the US, and nobody can open your locker without that key.
Posted by: parijat
at June 27, 2008 04:54 AM
Never forget that Philip Zimmermann, when he released the source code for PGP, was investigated and almost charged for "munitions export without a license." This was because the US government classified any encryption algorithm that used keys of greater than 40 bits as explosives. Bet you never knew that computer code printed in a book could explode! No smoking in the CS section of your library, please! Your tax dollar at work! Don't you just feel safer already!
Posted by: Linuxguru1968
at June 30, 2008 03:45 PM