How secure is the cloud?

This is my editorial for the Spring 2017 issue of HardCopy magazine:

Image by HypnoArt via Pixbay

Security and privacy are two aspects of an issue that has long bugged our society. On the one hand most of us consider that we have a right to a private life, and indeed Article 12 of the Universal Declaration of Human Rights explicitly states that “No-one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation.” The right is implicit in the American Constitution, while Article 8 of the European Convention on Human Rights is more pragmatic in that, though explicitly stated, the right is moderated by the needs of a “democratic society” with regards to national security and crime prevention.

Perhaps unsurprisingly, the situation in the UK is less clear, particularly since the fiasco that is the Investigatory Powers Act 2016 (aka the ‘Snooper’s Charter’).

In practice there has always been some give-and-take. We have accepted since the 1920s that our security services can intercept private telephone conversations once they have obtained a warrant, while the police have been able to search private property on production of a warrant for several centuries now. However, modern technology has upset the apple cart. These days most of us happily sign away our privacy with a single click and a resigned acceptance of the terms and conditions.

Some take the attitude that privacy is only of concern if you have something to hide, or go along with Scott McNealy of Sun Microsystems when he said: “You have zero privacy anyway – get over it.” However even they would be reluctant to hand out their credit card details, or their passwords, to all and sundry.

The problem for security services is that accessing the information they are convinced they need is becoming increasingly difficult, which has resulted in ever more persistent calls to legislate for our data to be stored in an accessible form. The problem for us – even for those of us who have nothing to hide – is that such moves can only make our data more vulnerable, and our privacy harder to protect.

Such considerations are particularly relevant to data that is stored in the cloud. If your provider is an American company and your data is stored in a server-farm located in the UK but might be backed-up or routed through another in Singapore or Sydney, then access could be subject to the laws of four different countries. And if the ‘Snooper’s Charter’ continues unchanged, then the UK could become the weakest link.

Ultimately the cloud is an international resource, and such matters can only be resolved through international discussion and agreement. Only once that happens can we start thinking about taking back control of our online privacy and identity.