Forgot your password?
typodupeerror
Security Your Rights Online

FTC Worries About Consumers, Cloud Data, and Privacy 175

Posted by samzenpus
from the what-worries-the-worriers dept.
pcause writes "Ars Techina has a nice article about the FTC's concern that consumers don't understand the implications of storing their data in the cloud. From the article: 'Data is now sitting on servers outside of your control, where it can be accessed far more easily by Google itself, hackers, and law enforcement than it ever could if kept within the device. Once data passes over the network, it gets much easier to access in realtime; once it is stored on a remote server, it gets much easier to access at any time. And those are just the phone settings. Google also has access to search history data, anything stored in Google Docs or Spreadsheets, complete schedules stored in Google Calendar, and recent Maps searches. Combine them all, and companies like Google become one-stop shops for authorities looking for personal information.' Do you think the average consumer even has a clue about this issue?"
This discussion has been archived. No new comments can be posted.

FTC Worries About Consumers, Cloud Data, and Privacy

Comments Filter:
  • by LostCluster (625375) * on Wednesday January 06, 2010 @09:25PM (#30677726)
    A hard drive in your house is just as accessible as data in the cloud, they just need a warrant. However, they have a hard time hiding the fact they took your computer, it's somewhat questionable whether you can detect they got a wiretap, and outright impossible to tell what they copied out of a cloud... so the net change is that you'll have a harder time telling you've been snooped on, but that won't make it any easier to do the snooping. If you have info, they can make you turn it over whether you want to or not. What's at stake here is whether you know.
    • by Nursie (632944)

      Won't make it easier? When companies can just roll over and hand over data without a warrant?

      Yeah. Great.

      • And so can turn over anybody who has physical access to your house. No safety in that.

        • by truthsearch (249536) on Wednesday January 06, 2010 @09:49PM (#30677940) Homepage Journal

          A lot less people have (legal) access to my house than Google's servers. Maybe you live in a commune, but I don't!

          • No parents? No kids? No significant other? Oh yeah, I understand, You're on Slashdot.
            • Re: (Score:2, Insightful)

              by Anonymous Coward

              If I have 10 kids and an SO, that's 11 people. Still fewer than the number of Google employees running around their data centers.

            • by hallux.sinister (1633067) on Wednesday January 06, 2010 @11:12PM (#30678500)
              Ouch!

              Actually, even if they have access to the terminal, they may not have access to the data if you have separate logins... of course, I tried something like this with my ex, once; it didn't work out real well. Separate computers turned out to be easier.

              Of course, this only works if you're running a real OS. If you use Misro$oft Win/DOS, well, best of luck.

              Even if your SO insists on having access to your user account and password, unless she's *NIX savvy you can always bury stuff in /usr/local/bin/whatever_arcane_sounding_subdirectory, make root the owner, and set permissions to rwx------.

              If you're really worried, put the data on a separate partition, and use /etc/fstab to keep it from mounting, make an alias from the mount command to a shellscript that quietly wipes that partition, and overwrites it with garbage, unless you mount it with the correct alternate command...

              Yeah, guess I'm a little paranoid.

              ~Hal

              If you're worried about your privacy, don't forget to rm -rf /home/[username]/.macromedia everytime you logout.

          • Re: (Score:2, Insightful)

            by minderaser (28934)

            That is exactly right.

            I'm astonished how many people just don't realize this.

          • Re: (Score:3, Interesting)

            by mjwx (966435)

            A lot less people have (legal) access to my house than Google's servers.

            It's the reverse for me and I live in a safe neighbourhood with few visitors. If google have that much access to your personal data/effects in your house then you are responsible. The same as I am responsible for locking my own door, I am responsible for securing my own data. I don't subscribe to the theory that Google is watching my every move, I'm willing to bet Google doesn't even know who I am and that Eric, Larry and Sergei don't

            • Re: (Score:3, Insightful)

              Your security is your responsibility. If you're that paranoid about Google, use a proxy or just don't use google

              I have a problem with this kind of approach to privacy. It creates an issue in that there is no basic set of standards. A person should at least have the knowledge that if they give X data to a company, that the company may only use it in a predetermined manner UNLESS the company specifically asks for your permission to use it in other ways.

              With our current approach, you literally have each ent

      • Re: (Score:3, Insightful)

        Especially when they don't have to worry about any backlash from their customers as the government will just give them immunity from any suits after the fact.

    • by MojoRilla (591502)
      Its much easier for them to fabricate evidence on a hard drive from your home. At least the cloud keeps them honest about the contents.
    • Data on a hard drive in your house can be as accessible over the Internet as data in the cloud, assuming that the hard drive is hooked up to a computer that's connected to the Internet. The only difference is, "'Data is now sitting on servers outside of your control". That has nothing to do with "the cloud". Any hosted service has the same weakness.

      Yes, sure, if you store all your data on a single company's server, then that means people only need to get access to that company's servers in order to get

      • Simple: Don't keep anything important anywhere you can't control 100%.

      • by number11 (129686)

        Finally, yes, Google is in a scary position right now. Not only might they have access to your search results, but if you use Gmail then they have your email and if you use Google Docs then they have your documents. Right now, Google has a lot of access to a lot of data, which is exactly why people think their "don't be evil" mantra is so important. If Google chooses to abuse their position, they could cause a lot of problems.

        Which is why running programs like TrackMeNot and SquiggleSR (Firefox extensions)

    • Re: (Score:3, Informative)

      by neorush (1103917)
      Only a subpoena is needed to get a company to hand over data its called "subpoena duces tecum" basically it orders a person give physical evidence to the ordering court or face punishment. Subpoena's are not the same as warrants, and because they are akin to a testimony they are very easy to have issued, and you do not need to be notified because they are often related to the authorities building a case against you, as opposed to something like a warrant, where YOUR physical property is searched. Read the
    • A hard drive in your house is just as accessible as data in the cloud

      Last I checked, a hard drive in my house is controlled by me and I decide on what security I put around it. If I stuff up, it's my stuff up. I have no such control over anything in "the cloud".

      The whole buzz phrase just needs to die. "The cloud" is nothing other than short term rental and loan space on 3rd party machines.

    • by PopeRatzo (965947) *

      A hard drive in your house is just as accessible as data in the cloud, they just need a warrant.

      That part about the "warrant" makes all the difference in the world.

      • Slashdotters! The parent post marks a monumental event! PopeRatzo has successfully passed data through a temporal-tunneling HTTP proxy from pre-9/11 America! Congratulations PopeRatzo, and WELCOME TO THE WEB OF TOMORROW!
  • by LostCluster (625375) * on Wednesday January 06, 2010 @09:27PM (#30677746)
    Most cloud services these days are funded by companies who have ad interests too. Google has the web's largest ad network, Amazon loves to sell things, Microsoft has an ad platform too. Will what you post on MySpace suddenly influence which ad you see when you're watching Fox? Should it?
    • Re: (Score:2, Funny)

      by CyDharttha (939997)
      It would be great if I saw ads on TV pertaining to my interests, instead of constant drug commercials pertaining to urinating problems or lose weight fast schemes.
      • Yeah, but they've got to sell those weight loss schemes somehow. Would you please link your Google Health weight statistic to your TV ad interest form?
  • No. (Score:5, Informative)

    by Rossman (593924) on Wednesday January 06, 2010 @09:28PM (#30677748) Homepage
    "Do you think the average consumer even has a clue about this issue?" No. And they don't care, and can't be made to care.
    • Re:No. (Score:4, Insightful)

      by causality (777677) on Thursday January 07, 2010 @12:47AM (#30679110)

      "Do you think the average consumer even has a clue about this issue?" No. And they don't care, and can't be made to care.

      ... until something happens to them, personally. They just don't believe in prevention, that's all.

    • This is really the biggest problem with the whole system right now. An active citizenry is required to make any democratic or pseudo-democratic system function properly, and a consumer is the precise opposite of an active citizen.
    • relax. as long as you're not a marijuana-smoking jihadist, you have nothing to worry about. good people never go to prison!

  • by t0qer (230538) on Wednesday January 06, 2010 @09:31PM (#30677766) Homepage Journal

    My friend that works as google gave me a droid G3 phone for christmas. I guess they all got the nexus this year so he was giving me last years present. It doesn't have a SIM card in it, and I don't have it activated on a cell network. I don't really have any intentions on doing so either.

    I let my 4 year old daughter play with it. There's a coloring book application called Zebra Paint. Today though I hear the phone talking.

    "Hello? Heloo? Emergency 911"

    I guess even without a phone plan, you can still use these things for 911?

    I politely told the 911 operator what happened. He told me to be careful letting my girl play with it and that was that.

    Scary thing though, this thing has GPS. If someone really wanted to track me down they could. Even without a cell phone plan or sim card in the device.

    • Re: (Score:3, Interesting)

      by LostCluster (625375) *

      Yep. Anything that connects to any phone network must allow dialing of 911 even when no service is being paid for. In fact, most modern cell phones make it easier to dial 911 when there's no paid service.

    • How could they find that particular device? If you don't have it associated with a cell provider account then it's not associated with your name in any way. It's just a MAC address connected to a wifi network behind a NAT.

      You're right to worry about 911 though. When you're connected to E911, all security bets are off. Manufacturers of phones for the US are required by law to make sure that a connected E911 operator has access to the cell phone's location, either by some weird cell triangulation or by GPS. I

    • by iammani (1392285)
      Yes, FCC mandates it actually.
    • by Shadow-isoHunt (1014539) on Wednesday January 06, 2010 @11:00PM (#30678430) Homepage
      No, they cannot. GPS is one way, receiving timestamps via radio transmitted via multiple transmitters, then it does some fun maths involving the speed of light, and relativity. It requires the cellular link to transmit it's location to 911 via E911 services, but with the default firmware of your phone they can't remotely turn this on directly as it's not part of the E911 functionality. In order for them to turn it on remotely, they need to push a firmware patch to the handset which disables any GPS icon indications, and enables the vendor-specific command set. On top of that they have to figure out which handset is yours, which is going to be hard without an associated account with a valid GSM provider in your area. However, if they had previous knowledge of your IMEI/ESN, they could use that to locate you as IMEI/ESNs are globally unique to each GSM handset.

      Also, the GPS is overkill since they can passively monitor your location via triangulation of your cellular link. This is the most likely method of monitoring, as it won't kill your battery life(tipping you off), it's passive requiring no interaction with the handset, it doesn't require the GPS chip to initialize and possibly download the GPS ephemeris if it's a cold start(which will take 40s minimum due to the 50bits/s).

      Also, they could theoretically do it without a warrant if they used their _own_ equipment and knew your CDMA code - anyone can listen in to any radio transmission in the US, though decrypting a GSM/CDMA signal may be illegal. No decryption is necessary though, as long as they know your timeslot(GSM's tdm)/code(cdma).
      • by Gerzel (240421) *

        More likely won't kill your battery life, allowing you to stay on the line longer, and increasing your chances of survival.

        If you are really being hunted you throw the cell away. If someone is hunting you and you don't know about it well it is much easier to nab someone going about their normal routine and that doesn't require cellphone tracking just some observations.

    • Even without a cell phone plan or sim card in the device.

      But not without a battery, or a functional radio. If you just want the device sans cell coverage and are really concerned about someone tracking you, disable the radio.

  • Woah (Score:3, Funny)

    by dissy (172727) on Wednesday January 06, 2010 @09:32PM (#30677780)

    I'm just shocked the FTC is seemingly saying that easy access for law enforcement is a good thing.

    Sanity in a government agency?! Cats and dogs living together? Mass hysteria?

    • by dissy (172727)

      Grr, I meant:

      I'm just shocked the FTC is seemingly saying that easy access for law enforcement is a bad thing.

      • FTC is just doing its job... government access isn't a bad thing to them, but people afraid of government snooping is bad for business.

  • by LostCluster (625375) * on Wednesday January 06, 2010 @09:35PM (#30677806)

    All hard drives will fail eventually. Flash memory drives are starting to outlast them, but those will fail someday too. CD/DVDs age poorly. Nothing is safe in your house anyway.

    So, a cloud with a big RAID where dead drives are replaced with no loss in a nice safe datacenter sounds like a nice option. The problem with that is that clouds are run by companies, and no company lasts forever either. Look at what happened to drive.com.... they were bought by AOL, and then thrown out. Users were given a couple of months to retrieve their data, after which everything was deleted.

    Is there any way to write data and then 10 years later get that same data back?

    • Is there any way to write data and then 10 years later get that same data back?

      Yup, it's called putting it on optical discs, then putting them in a safe, dry location. I use many cd's that are over 10 years old and I've never had a problem.

    • by Brian Gordon (987471) on Wednesday January 06, 2010 @10:24PM (#30678172)

      Is there any way to write data and then 10 years later get that same data back?

      /me glances over at the bookshelf.

      Yep, still there.

      • /me glances over at the bookshelf.

        Yep, still there.

        I backed up the videos from my vacation that way. I hope you weren't using the Amazon for anything, cause I kind of used it all.

    • The problem with that is that clouds are run by companies, and no company lasts forever either.

      That is not even remotely the biggest problem. The biggest problem is that clouds are run by corporations, and corporations last forever. Someone else can actually win the right of stewardship over your data as part of a bankruptcy settlement.

      Is there any way to write data and then 10 years later get that same data back?

      Sure, it's called DVDs from Verbatim, stored in a cool dark place. If you mean "on the internet" then the answer is to get web hosting, and move data from host to host as necessary (e.g. when they go out of business.) But of course, you've got to have some excellent encryption. Luckily that will cost you $0.

    • Re: (Score:3, Interesting)

      by bky1701 (979071)
      I have CDs almost 20 years old that still run just fine, and these weren't exactly sealed in a moisture controlled vault; more like a cardboard box in a closet. With proper upkeep and some redundancy, MOST mediums will probably last much longer than 10 years.
    • Re: (Score:3, Interesting)

      by hairyfeet (841228)

      Allow me to correct a few points there. Shitty consumer hard drives wear out quickly. Good quality business class drives can last a scary amount of time, as the 200Mb WD I have sitting in a drawer will attest to. As for CD/DVD? Don't buy Best Buy or Staples brand and keep them in a cool dry place. I have 15 year old CDs and nearly decade old DVDs and they read quite well, thanks.

      While I do agree in off-site backups, a couple of cheap 200Gb drives and USB enclosures equal a hell of a lot of data you can take

    • Re: (Score:3, Informative)

      by syousef (465911)

      Is there any way to write data and then 10 years later get that same data back?

      Yes. I call it MRBAM. Multiple Redundant Backup At Mother's.

      For important data, photos etc, I keep a copy locally. Periodically I dump the data to another hard drive. One goes at my mother's house. One stays local. Every few years I buy more disks and copy drive to drive off a backup. I don't erase the old ones.

      Co-incidentally I have exactly 10 years worth of photos. Haven't lost one yet. Latest drives are Terabyte size and are h

  • use encryption (Score:4, Insightful)

    by timmarhy (659436) on Wednesday January 06, 2010 @09:39PM (#30677846)
    strong encryption means they can't access it no matter where the data is. why are we even talking about this?
    • Because they can force you to give up your crypto key or go to jail infinitely, which is a worse punishment than anything short of death.
      • by QuantumG (50515) *

        They really can't ya know.. just remember these three words: "I don't recall". End of story.

        • Re:use encryption (Score:4, Informative)

          by MichaelSmith (789609) on Wednesday January 06, 2010 @10:08PM (#30678076) Homepage Journal

          They really can't ya know.. just remember these three words: "I don't recall". End of story.

          Not in the UK [theregister.co.uk].

          • by winwar (114053)

            Unless the UK has invented/discovered telepathy, they still cannot FORCE you to divulge the key against your will.

            Although in the real world, I would agree prison time and violence work pretty well most of the time .

          • by enoz (1181117)

            Surprisingly you appear to be quite Safe in OZ [news.com.au]

            • Dunno about that [74.125.95.132].

              * While being interrogated, a detainee has to
              o Answer all questions
              o Provide all information or material requested of them
              o Prove that they do not have the material requested—if they are unable to do so and do not provide the material they can be imprisoned for up to 5 years

          • by QuantumG (50515) *

            At the local Fareham police station he was served with the section 49 notice. Signed by CTC's Superintendent Bell, it said: "I hereby require you to disclose a key or any supporting evidence to make the information intelligible."

            JFL maintained his silence throughout the one hour time limit imposed by the notice. He was charged with ten offences under section 53 of RIPA Part III, reflecting the multiple passphrases needed to decrypt his various implementations of PGP Whole Disk Encryption and PGP containers.

            Reading comprehension, you failed it.

            Just say the words "I don't recall" and there is nothing they can do. Refusing to give them the keys is exactly what the law requires to incarcerate you, so don't do that!

            • The cop said I hereby require you to disclose a key or any supporting evidence to make the information intelligible.

              From that standpoint silence and "I don't recall" are exactly the same. Do you have more information about "section 53 of RIPA Part III" than me?

              • Re: (Score:2, Flamebait)

                by QuantumG (50515) *

                Mike, why are you being a dick?

                Silence and "I don't recall" are not the same.. not even slightly.. not only that, the guy had refused to answer other questions already.

                If the police come to you and want to ask some questions, ask for your lawyer.. if they suggest you hand over some encryption keys, immediately ask "to what?" and when they point out your encrypted drive/files immediately say "oh, I have no idea, that was a long time ago". If they seek a warrant to force you to produce the keys you simply ha

      • by Z00L00K (682162)

        In the US there is always the fifth amendment.

    • by JoshuaZ (1134087)
      Because the vast majority of data that is in the cloud isn't encrypted at all. The concern here isn't what the paranoid crypto geeks like you or me are doing (and even then there's always the truth about that http://xkcd.com/538/ [xkcd.com]). The concern from the FTC is that people don't realize that their unencrypted data is easily accessible to large companies. The FTC's job isn't to be worried about the nerds but to be worried about what the general population knows about. Whether a tiny fraction of the population
    • If I own a hard disk the contents might appear random. This random data might be encrypted content or the disk may have come like that. If I upload a file to a cloud service every byte in that file is assumed to mean something, so otherwise why did I upload it?

      There is less plausible deniability with cloud storage.

  • by HangingChad (677530) on Wednesday January 06, 2010 @09:47PM (#30677916) Homepage

    so the net change is that you'll have a harder time telling you've been snooped on

    It's also easier to hide things you don't want to be seen. GMail can turn over your emails, but if they're encrypted, even with something simple [fourmilab.ch], it will be harder to make it useful. How many secret messages I have hidden in the pictures I email around or post online? Who has the resources to check every one?

    Searches can be masked using TOR and private browsing. Again, not bullet proof, but it doesn't have to be. Just enough to poison the data and make it unreliable. Go buy a pre-paid phone with cash and take the battery out of your regular cell phone at random intervals. You're not trying to create a smoke screen, just sow doubt.

    That's if you're worried about it.

    Law enforcement may think search data and social media information is some kind of lucky charm, but it's pretty easy to spoil that data, leave false trails and really easy to hide things. If they gain confidence catching stupid people, all the better for those with a little clue.

    • Go buy a pre-paid phone with cash and take the battery out of your regular cell phone at random intervals.

      How quickly we forget... If you pay for a phone with cash, you've consented to a wiretap. They want to know who you are. If you fail to identify yourself by recharging with a credit card, they keep wondering. If too many minutes are bought by cash, they start raising the price for everybody in the region. Okay, so the investigation on this was done by an organization that also employs Ryan Seacrest. Still, it's true.

  • by bezenek (958723) on Wednesday January 06, 2010 @09:51PM (#30677962) Journal
    Side note: The article should have mentioned gmail.

    Companies change. Look at Sun Microsystems. Suppose Google ends up needing money. What is going to stop them from allowing me / your mother in law / the king of Sweden from paying to dig through all of the data they have related to you? This might not be done directly through Google, but through a "nice, responsible company" which has paid for access to Google's data. If Google makes the data available to other companies, who knows what those entities might do with it?

    We need legislation and a way to verify compliance!

    Of course, it would be good if the legislation also protected our data from the Department of Homeland Security, but I do not expect lawmakers to be able to do the right thing there anytime soon.

    -Todd
    • Re: (Score:3, Insightful)

      by nine-times (778537)

      Of course, it would be good if the legislation also protected our data from the Department of Homeland Security

      Of course, the real question with the government is, what happens when they don't follow the law? If all they have to do is say, "... but we're protecting you from terrorists," and people accept that as an excuse for the government breaking its own laws, then now law can protect us.

  • by starbugs (1670420) on Wednesday January 06, 2010 @10:00PM (#30678016)

    With our lives stored on Facebook, MySpace, Twitter, etc. does today's younger generation even appreciate/want privacy?

    Everyone knows who your friends are, what movies you like, that your cereal this morning looked like a smiley-face until your dog knocked it over.

    Is our view of privacy outdated?

    • Re: (Score:3, Insightful)

      by hedwards (940851)
      Not really, just because a large number of people are idiots, doesn't mean that privacy is outdated. What it means is that many people lack judgment and are willing to expose themselves to people that may or may not be psychopathic killers in order to fulfill some sort of narcissistic tendency. Really, the solution is either education or making it legal to kill people that have such serious lack of judgment.
      • by winwar (114053)

        "Not really, just because a large number of people are idiots, doesn't mean that privacy is outdated. "

        I think privacy as we knew it is outdated due to our technology. We are essentially living in a small town where everybody knows all about everybody else. Except that most people think they are anonymous to those outside of their circle.

        • Re: (Score:3, Insightful)

          by causality (777677)

          "Not really, just because a large number of people are idiots, doesn't mean that privacy is outdated. "

          I think privacy as we knew it is outdated due to our technology. We are essentially living in a small town where everybody knows all about everybody else. Except that most people think they are anonymous to those outside of their circle.

          It's not because of our technology. It's because of how carelessly many people use it without a full understanding of its implications. If they really wanted to, they could demand stringent privacy safeguards, both legal and technical. We often lack those things because the demand is so low.

    • Re: (Score:3, Interesting)

      by Anonymous Coward
      I'm old too.

      Vernor Vinge's Rainbows End [wikipedia.org] is the only case I've ever seen made for the "new" notion of privacy. Sounds like a pretty cool world in which to live, but I'm not convinced the real post-privacy world will end up anywhere near as cool.

    • by winwar (114053)

      "Is our view of privacy outdated?"

      Probably.

      We had the luxury of having that privacy because it was difficult to have that level of knowledge about most people. That level of knowledge or lack of privacy tended to be limited to people living in small towns or people who came to the attention of large organizations/governments. Thanks to the wonders of technology it has come to the masses.

    • by sznupi (719324)

      As is usual, as you get older, you start to have romanticized outlook at the past, seeing it through rose colored glasses. There was never much privacy to speak of against some slice of society if you wanted to live in it.

      Now the notions of what makes societal groups are simply changing; they broadened quite a bit.

      Actually those "youngsters" have a much more control over what, in relation to what's possible, they reveal than most people in history of mankind. And much greater freedom in pursuing what activi

  • by doug20r (1436837) on Wednesday January 06, 2010 @10:06PM (#30678066)
    Google reserves their right to suspend services for any reason in most of their terms and they do exercise this right by suspending people for life from the use of their services. Becoming dependant on Google's services, or being dependant on a market they dominate, leads to a large penalty and damage when services are suspended. Google will suspend services based on their suspicion alone, and clearly use data collected to make decisions. Their investigations are held in secret, based on secret information, giving the victim no chance to defend it, and this is not fair treatment. It has become so bad that employers are asking job applicants if they have ever been suspended from Google services to avoid the risk that Google will suspend the employers services. Clearly something needs to be done, but what can they really do?
  • No. (Score:5, Insightful)

    by JustShootMe (122551) * <rmiller@duskglow.com> on Wednesday January 06, 2010 @10:11PM (#30678098) Homepage Journal

    The average consumer cares about nothing more than having their immediate wants gratified. Notice I didn't say *needs*. And they are not willing to put in the effort to understand the consequences of their actions, either due to unintentional or willful ignorance.

    This is not every consumer, but the average one.

    There is no other possible way that I can explain American Idol. ;)

  • Two rules (Score:4, Interesting)

    by Jenming (37265) on Wednesday January 06, 2010 @10:28PM (#30678194)

    Backup your important data.
    Encrypt your sensitive data.

    These two steps are as important and effective with the cloud as they are with any other form of storage.

    • Re:Two rules (Score:4, Interesting)

      by mlts (1038732) * on Thursday January 07, 2010 @02:45AM (#30679670)

      I would add some more rules onto that after backups and encryption because cloud computing also covers networking, communications, and even virtual machines:

      1: Don't create VM instances with sensitive data on machines you don't control. Yes, cloud functionality is awesome because you can create a VM you can ssh or RDP in that has a lot of CPU cycles. However, said VM is sitting on someone else's hardware, and has the possibility be shut down and imaged at any time, and the data given away. Even if one enables full disk encryption, the cloud computing provider has full access to the VM's RAM.

      2: Use gpg or PGP, and consider a keysigning party or two [1]. gpg has the advantage of being able to be used as part of a MUA as an add-on, or used completely separate as a manual decryption mechanism. To a lesser extent S/MIME is good too, but it requires a dedicated MUA, and only Blackberries and Windows Mobile devices support it. Tell people to send confidential information encrypted. This way, should the mail spool get compromised, the blackhats won't be able to get any further than headers.

      3: Offsite backup services like Mozy or others have the ability for the client to encrypt with a keyfile. For me, this is "good enough". For others with REALLY sensitive stuff, this is not acceptable at all, because one is letting someone else "pack your parachute" for you, with their encryption standard. Know your security needs. For me, this is an acceptable risk. If you are leery of this, put Mozy in a VM and share the directory with the TrueCrypt volume [2] that has the data you want backed up. This way, Mozy only sees the encrypted volume, no matter what it did inside the virtual machine.

      4: If you use offsite storage, periodically log on to check your files still exist. I personally recommend gpg signing all files before you upload them just in case of corruption (or just sign/encrypt.) Don't forget to keep your gpg keys in a safe place [3].

      5: Always remember if backing up to a cloud provider, cloud storage requires a good network connection. Backups are easy, but if you have a ton of data to recover, a restore may be a headache, or may require asking the cloud provider for media to be shipped via FedEx. Make sure to do backups to a local drive too. With utilities like Time Machine for the Mac, Acronis TrueImage or Retrospect for Windows, or bru for UNIX, this is an absolute no brainer to do.

      [1]: I've made sure people's PGP/gpg keys were from whom they were by a number of means. If you can't do a keysigning party, sometimes you can ask the other person and set up a mutual passphrase where they can send you their public key, and you can send them your key. This way, the passphrase is only used for that exchange, and both parties can sign off on the keys as trusted.

      [2]: On a Mac, you can get decent security through using the Disk Utility, and sparse bundles because the backup program would only have to copy the bands that were changed.

      [3]: If you use the commercially licensed version of PGP, one idea is to generate multiple keys on a few smart cards, then have them all be ADKs and revocation agents for the cards. This way, if one card dies, you still have access to your protected stuff, as well can put out a revocation cert for the dead private key. To a lesser extent, you can copy the same keyfile to multiple cards in TrueCrypt, and store your private keys in a protected TrueCrypt volume that is only accessible by the keyfile on the smart cards.

  • Its soooo damn easy, to google,gmail, voice, maps, phone, etc... who cares? Until you have to pay for access to your own info-sets, you won't know how much you value your privacy.

    We are so screwed Google surpassed 1984 in a blink of an eye. Only google's data can protect us from ourselves!

    • Re: (Score:3, Insightful)

      by mlts (1038732) *

      What puts this in perspective is being asked by other people why I use a commercial E-mail service when Gmail/Hotmail/Yahoo/whatever is free. My response, of course, is "TANSTAAFL". What I pay for when I use a commercial provider is not just a TOS with solid privacy features (stored data being delivered on lawful court order as opposed to request), but the fact that the data stored is my data. It isn't going to be handed over to be sifted through for marketing or advertising, nor will it be used to sling

  • I doubt it (Score:3, Interesting)

    by Rehnberg (1618505) on Wednesday January 06, 2010 @11:24PM (#30678592)
    Really, most people don't realize how much information is IN the cloud. For example, my mom was very surprised to discover that her email redownloaded after she deleted it from her computer.
  • by Flexagon (740643) on Thursday January 07, 2010 @01:21AM (#30679290)

    He has reviewed cloud backup and other services, yet never mentioned the legal differences between cloud based service storage and storage on your own in-house machine. That indicates that it's not interesting to his audience, which is telling. NPR recently did an article [publicradio.org] on how the domain holder of your email service is noticed by your potential job interviewer. Their comparison was between Yahoo! and of course AOL on one side (you're a LUser), and GMail on the other. Guess whose privacy actually suffers the most. This is definitely not understood.

  • Storing your data in the, "Cloud", is the IT equivalent to putting your most prized valuables in the local Greyhound bus locker. I also don't see much difference in using a Cloud service and folks who create, send, and store sensitive email via hotmail or gmail and then act surprised or upset when there is breach.

    IMHO

  • by i58 (886024)
    To put sensitive data in something as nebulous as a cloud, you deserve whatever you get. I wouldn't put financial or other personal data in there willingly. Once you open Pandora's box by giving away your data you can't close it. Public is public. Private is private. The chance of a hacker targeting joe cable modem vs "the cloud" is so tiny I'll take my chances protecting my data myself any day. Besides, once your data is there, you have no guarantees whatsoever. You're at their mercy because they already h
  • A company that has it's data "in the cloud" is quite likelly exposed to the laws in other jurisditions/countries. Wherever the data is hosted, the local law enforcement authorities, based on the local laws can get a warrant to get that data out. This even if said company does not do business there.

    Plenty of opportunities for the competition to file a lawsuit in the appropriate place and get valuable trade information during the "discovery process".

    Bigger companies even have to worry about foreign intelligen

I bet the human brain is a kludge. -- Marvin Minsky

Working...