Cloud Extraction Technologies Pose Privacy Threats
A recent article by Privacy International nicely summarises one of the biggest looming threats posed by the cloud. Entitled Cloud extraction technology: the secret tech that lets government agencies collect masses of data from your apps, the piece contends that, for purposes of law enforcement, government agencies and investigative bodies have moved from searching just the physical mobile device to searching data stored in the cloud.
In short, the article concludes that there is an absence of information on the use of cloud extraction technologies – thus making it unclear to the public whether the usage (of cloud extraction technologies) is even lawful; and equally so, how users can safeguard themselves against the abuse and misuse of their data.
It is suggested that law enforcement agencies themselves might be setting a dangerous precedent by using cloud extraction technologies to ‘do their job’ while not doing enough to explain and justify their actions; this runs against the principle of transparency and accountability in the use of new technologies that affect society.
Cloud extraction technologies have advanced by leaps and bounds in allowing forensic analysis of users’ data stored on third-party servers used for backup by device manufacturers and app providers.
Highlighted in particular are ‘forensics tools’, a type of cloud extraction technology that is rather easy to get hold of today. These tools enable practically anyone to obtain privately stored, cloud-based user data, and also to carry out surveillance of user activity, such as deleted messages from chat groups, profile pictures and status messages relating to all of the users’ contacts.
Although security has improved across the board, with more secure phones, encrypted files and improved cloud-based security, the promise of all the private user data that is increasingly hoarded on the cloud is a great lure. This becomes a continual motivation for the government (even with ‘legit’ reasons) and hackers (even those with limited forensic skills) to seek to extract the data they want with the help of cloud extraction technologies.
Today, with the explosion of cloud-based storage, reports say that in just 5 years, by 2025, almost half of all data will be stored on 3rd party public cloud environments hosted on remote servers. For public users like all of us, this refers to our private data that are already stored on Google Drive, Dropbox, Instagram, Twitter, Facebook, email accounts, cab-hailing and food-ordering apps; the list goes on.
The most valuable takeaway from the article is its list of recommendations, which is re-listed below:
- An immediate independent review be initiated into the use by law enforcement of cloud-analytics by relevant policing bodies and border control with consultations taken from the public, civil society and industry as well as government authorities.
- The police must have a warrant issued on the basis of reasonable suspicion by a judge before forensically examining any cloud-based data, or otherwise accessing any content or communications data stored therein.
- A clear legal basis must be in place to inspect, collect, store and analyse data from cloud-based services which provides for adequate safeguards to ensure intrusive powers are only used when necessary and proportionate. It must be considered whether such intrusive technology should only be used in serious crimes.
- Guidance aimed at the public regarding their rights and what such extractions involve must be published and provided to persons whose devices are to be analysed.
- Individuals be informed that their cloud-based data has been extracted, analysed and retained.
- Anyone who has their cloud-based data examined should have access to an effective remedy where any concerns regarding lawfulness can be raised.
- There must be independent oversight of the compliance by law enforcement of the lawful use of these powers.
- Cyber security standards should be agreed and circulated, specifying how data must be stored, how long it is to be retained, when it must be deleted and who can access it.
- All authorities who use these powers must purchase relevant tools through procurement channels in the public domain and regularly update a register of what tools they have purchased, including details on what tools they have, the commercial manufacturer and expenditure amounts.
- Technical standards be created and followed to ensure there is a particular way of obtaining data that is repeatable and reproducible, to ensure verification and validation. This should be accompanied, for example, by a clearly documented process.
- Technical skill is required as with this unprecedented amount of data comes the need for highly skilled forensic investigators. Consideration must be given to the risk of miscarriage of justice if raw data is misinterpreted or individuals cannot afford experts to review the data.
- Testing, trialling and deployment of cloud extraction technologies must be accompanied by impact assessments, adequate safeguards and engagement with the public and civil society.
IT BYTES BACK Says: When it comes to Cloud, Security and Privacy will always continue to be issues that are floating and ‘thrown up in the air’. In all seriousness, these issues can only be countered to some degree if action is taken by users and authorities on some of the listed recommendations.