FTC Worries About Consumers, Cloud Data, and Privacy 175
pcause writes "Ars Techina has a nice article about the FTC's concern that consumers don't understand the implications of storing their data in the cloud. From the article: 'Data is now sitting on servers outside of your control, where it can be accessed far more easily by Google itself, hackers, and law enforcement than it ever could if kept within the device. Once data passes over the network, it gets much easier to access in realtime; once it is stored on a remote server, it gets much easier to access at any time. And those are just the phone settings. Google also has access to search history data, anything stored in Google Docs or Spreadsheets, complete schedules stored in Google Calendar, and recent Maps searches. Combine them all, and companies like Google become one-stop shops for authorities looking for personal information.' Do you think the average consumer even has a clue about this issue?"
They can know about you, do you know about them? (Score:4, Interesting)
Re:I was just thinking about this today (Score:3, Interesting)
Yep. Anything that connects to any phone network must allow dialing of 911 even when no service is being paid for. In fact, most modern cell phones make it easier to dial 911 when there's no paid service.
Would somebody think of the future of our data? (Score:4, Interesting)
All hard drives will fail eventually. Flash memory drives are starting to outlast them, but those will fail someday too. CD/DVDs age poorly. Nothing is safe in your house anyway.
So, a cloud with a big RAID where dead drives are replaced with no loss in a nice safe datacenter sounds like a nice option. The problem with that is that clouds are run by companies, and no company lasts forever either. Look at what happened to drive.com.... they were bought by AOL, and then thrown out. Users were given a couple of months to retrieve their data, after which everything was deleted.
Is there any way to write data and then 10 years later get that same data back?
A public well is easily poisoned (Score:5, Interesting)
so the net change is that you'll have a harder time telling you've been snooped on
It's also easier to hide things you don't want to be seen. GMail can turn over your emails, but if they're encrypted, even with something simple [fourmilab.ch], it will be harder to make it useful. How many secret messages I have hidden in the pictures I email around or post online? Who has the resources to check every one?
Searches can be masked using TOR and private browsing. Again, not bullet proof, but it doesn't have to be. Just enough to poison the data and make it unreliable. Go buy a pre-paid phone with cash and take the battery out of your regular cell phone at random intervals. You're not trying to create a smoke screen, just sow doubt.
That's if you're worried about it.
Law enforcement may think search data and social media information is some kind of lucky charm, but it's pretty easy to spoil that data, leave false trails and really easy to hide things. If they gain confidence catching stupid people, all the better for those with a little clue.
I'm starting to feel old. (Score:5, Interesting)
With our lives stored on Facebook, MySpace, Twitter, etc. does today's younger generation even appreciate/want privacy?
Everyone knows who your friends are, what movies you like, that your cereal this morning looked like a smiley-face until your dog knocked it over.
Is our view of privacy outdated?
Two rules (Score:4, Interesting)
Backup your important data.
Encrypt your sensitive data.
These two steps are as important and effective with the cloud as they are with any other form of storage.
Re:Google's domination makes this much worse. (Score:4, Interesting)
I would loved to see some documented sources on this. What google service were you suspended from? The only two services I am aware of them ever suspending anyone from are Adsense and Adwords and they usually have pretty good reasons. I suppose if you were using their mail servers to pump out spam they might shutdown your gmail account.
Re:A public well is easily poisoned (Score:1, Interesting)
PS: more and more I read your posts, I am beginning to doubt your motives for posting in almost every story on slashdot. Frankly do you get paid to do this? By any chance, do you own frustrationtrivia.com or are employed by it to do this?
I doubt it (Score:3, Interesting)
Re:I'm starting to feel old. (Score:3, Interesting)
Vernor Vinge's Rainbows End [wikipedia.org] is the only case I've ever seen made for the "new" notion of privacy. Sounds like a pretty cool world in which to live, but I'm not convinced the real post-privacy world will end up anywhere near as cool.
Re:Would somebody think of the future of our data? (Score:3, Interesting)
My metric is WSJ's Walt Mossberg (Score:3, Interesting)
He has reviewed cloud backup and other services, yet never mentioned the legal differences between cloud based service storage and storage on your own in-house machine. That indicates that it's not interesting to his audience, which is telling. NPR recently did an article [publicradio.org] on how the domain holder of your email service is noticed by your potential job interviewer. Their comparison was between Yahoo! and of course AOL on one side (you're a LUser), and GMail on the other. Guess whose privacy actually suffers the most. This is definitely not understood.
Comment removed (Score:3, Interesting)
Re:Two rules (Score:4, Interesting)
I would add some more rules onto that after backups and encryption because cloud computing also covers networking, communications, and even virtual machines:
1: Don't create VM instances with sensitive data on machines you don't control. Yes, cloud functionality is awesome because you can create a VM you can ssh or RDP in that has a lot of CPU cycles. However, said VM is sitting on someone else's hardware, and has the possibility be shut down and imaged at any time, and the data given away. Even if one enables full disk encryption, the cloud computing provider has full access to the VM's RAM.
2: Use gpg or PGP, and consider a keysigning party or two [1]. gpg has the advantage of being able to be used as part of a MUA as an add-on, or used completely separate as a manual decryption mechanism. To a lesser extent S/MIME is good too, but it requires a dedicated MUA, and only Blackberries and Windows Mobile devices support it. Tell people to send confidential information encrypted. This way, should the mail spool get compromised, the blackhats won't be able to get any further than headers.
3: Offsite backup services like Mozy or others have the ability for the client to encrypt with a keyfile. For me, this is "good enough". For others with REALLY sensitive stuff, this is not acceptable at all, because one is letting someone else "pack your parachute" for you, with their encryption standard. Know your security needs. For me, this is an acceptable risk. If you are leery of this, put Mozy in a VM and share the directory with the TrueCrypt volume [2] that has the data you want backed up. This way, Mozy only sees the encrypted volume, no matter what it did inside the virtual machine.
4: If you use offsite storage, periodically log on to check your files still exist. I personally recommend gpg signing all files before you upload them just in case of corruption (or just sign/encrypt.) Don't forget to keep your gpg keys in a safe place [3].
5: Always remember if backing up to a cloud provider, cloud storage requires a good network connection. Backups are easy, but if you have a ton of data to recover, a restore may be a headache, or may require asking the cloud provider for media to be shipped via FedEx. Make sure to do backups to a local drive too. With utilities like Time Machine for the Mac, Acronis TrueImage or Retrospect for Windows, or bru for UNIX, this is an absolute no brainer to do.
[1]: I've made sure people's PGP/gpg keys were from whom they were by a number of means. If you can't do a keysigning party, sometimes you can ask the other person and set up a mutual passphrase where they can send you their public key, and you can send them your key. This way, the passphrase is only used for that exchange, and both parties can sign off on the keys as trusted.
[2]: On a Mac, you can get decent security through using the Disk Utility, and sparse bundles because the backup program would only have to copy the bands that were changed.
[3]: If you use the commercially licensed version of PGP, one idea is to generate multiple keys on a few smart cards, then have them all be ADKs and revocation agents for the cards. This way, if one card dies, you still have access to your protected stuff, as well can put out a revocation cert for the dead private key. To a lesser extent, you can copy the same keyfile to multiple cards in TrueCrypt, and store your private keys in a protected TrueCrypt volume that is only accessible by the keyfile on the smart cards.
Re:They can know about you, do you know about them (Score:3, Interesting)
It's the reverse for me and I live in a safe neighbourhood with few visitors. If google have that much access to your personal data/effects in your house then you are responsible. The same as I am responsible for locking my own door, I am responsible for securing my own data. I don't subscribe to the theory that Google is watching my every move, I'm willing to bet Google doesn't even know who I am and that Eric, Larry and Sergei don't give a shit about what I search for. If you want your personal data to be secure then don't put it on line, don't sign up to Facebook with your real name and DOB, don't give your mobile phone number to a marketing site asking for it.
Your security is your responsibility. If you're that paranoid about Google, use a proxy or just don't use google and by some tin foil as Googles satellite can read your mind right through the roof (what, you didn't know the GeoEye launch was a cover up for Googles Gspy mind reading satellite).
Re:Cloud data already used against me... (Score:5, Interesting)
I assume the attorney lost his bar?
If your story is true, there is just no way that any attorney could survive this.