In a double-blow to freedom this week in Australia, the Free Press and the Internet take a huge hit with laws passed that restrict media reporting of specific issues and allow for a single country-wide warrant that will allow all mass surveillance of all Internet traffic. Australia now joins some of the vast nation states like China, Russia, North Korea, and the United States passing laws that reduce citizen freedoms under the auspices of “terrorism”.
Here’s how it works in a nutshell. If someone releases information that compromises “special intelligence operations” then they can be thrown in jail for ten years. Examples of this would be similar to what Snowden did, however, the Australian Security Intelligence Organisation (ASIO) can define “special intelligence operations” to be pretty much whatever they like. This means that in terms of over site and accountability, of which the free press is critical, ASIO can effectively gag or jail reporters, bloggers, or whistle blowers at will.
I suppose, cynically, you could say that free press in Australia has already been eroded by a certain large and powerful media organisation run by a ruthless dinosaur.
The second bill allows for spooks to request a single warrant to monitor the Internet. I.e. Legal mass surveillance of the population. Rather than New Zealand where we don’t do this, and require a warrant for each setup of monitoring, now a single warrant covers every citizen of Australia and all Internet traffic that traverses her borders. Even the United States NSA has not been so bald-faced about this kind of setup.
Now, we know that everyone is spying on everyone else, however there are countries where if you have sensitive data, because of those mass surveillance laws and legal overreach, you need to consider whether or not you should store your data there.
Let me tell you what I think sensitive data is.
First, any kind of economic or competitive material about your company. We know beyond a shadow of a doubt, that the Five Eyes has used material that has been collected to their individual economic advantage. Dr Paul Buchanan (as signals specialist) is quoted as saying “Terrorism is the fig-leaf on surveillance.” In other words, the vast majority of surveillance is not to do with terrorism, but other things, such as economic advantage. So if you have competitive intellectual property, then you would want to consider where that was stored.
Second, any kind of complete citizen picture data with sensitive information should be considered at risk. That is, aggregated data about an individual as opposed to dispersed, raw data. For example, online health records versus dispersed databases of information across multiple companies and government agencies. Aggregated data sets, like Facebook, provide extremely rich information on an individual and a population.
But should we care about Australia? There is an emotional reaction and a more measured reaction to there legal moves this week.
The emotional reaction is that we should probably send quite a strong message to Australia, as we have to other nations, saying that mass surveillance of citizens is not acceptable. Our cable connects to both the U.S. and the Australia. Australia’s new laws allow for them to now monitor any traffic on that and of the loop. We can now assume that all traffic that leaves our borders is subject to being collected by both parties and we will never know the extent of it’s use.
It is my personal opinion that Australia is heading down a very slippery slope and when you combine this latest law, with the gagging of the press law, and the control of the media in general, you have to wonder what happened to our happy go lucky, big brother (in the kinder sense of the term), over the other side of the Tasman.
And no, I do not agree that mass surveillance is necessary to protect against terrorism. Dozens of major terrorists incidents have not been picked up by the Five Eyes disproving the theory that the system actually works as we are publicly told. As we know, a great deal of spying is about anything but terrorism.
On the measured side, we could argue that it really doesn’t matter, unless it is very sensitive data. That’s an ok statement, if you know that your customers are happy with that. How do Health Insurance customers feel about their health declarations being open to international data surveillance? Or their medical records? So I think we can throw that particularly argument out.
Is it safer to keep the data on your own premise then? No, again, you can’t afford the levels of security that a Cloud provider can. So that means that despite the surveillance issues, there is still has more security in the Cloud, particularly within New Zealand itself.
Is any location safe? Yes. Some countries afford great protection for companies that choose to house their Cloud services there. Switzerland for example. There are others around the world. However, your data is going to transit unfriendly countries.
So what to do?
I think there are different approaches:
You can store it in local New Zealand Cloud providers. We do not come under surveillance into either a) we leave our border or b) the Prime Minister signs a warrant.
Second, you can choose a very large offshore Cloud provider like Microsoft, Amazon, or the like trusting that due to their anger over the NSA revelations means that security is high. However, you would want to be very careful choosing providers such as Telstra, for example. These are national companies that could face significant pressure from security agencies to tow the line. The fact that the US Government is angry with Apple this week for introducing encryption, shows that the large providers moving to introduce extra security features is working.
Third, separate your data. For your most sensitive data, encrypt it, and ensure that your company is the only key holder. For software as a service Cloud, pick services that either support, or have on their road-map to support, homomorphic encryption. Realise that this process will increase your overheads by around fifteen percent.
Fourth, just ignore it.
Fifth, you can choose a country like Switzerland and utilise there local Cloud services.
Finally, you can disperse your data across multiple providers in order to make it harder to put it back together in a central way.
The last is interesting because it is generally what happens anyway. Hybrid Cloud is default Cloud in reality. Customers move their workloads into various Cloud providers depending on the service levels and characteristics that they need. By splitting loads across your own platform, New Zealand providers, large offshore providers, and niche workload providers you end up with a best of breed platform for your services while making it very very difficult for someone to gain access to the same services. This, coupled with the use of encryption, provides a strong, secure, method of using Cloud.
So, should we trust Australian Cloud based services? My opinion is yes, though I would steer away from any services that are directly owned or managed by the government as theoretically they will come under more pressure than private offshore companies.
This move by Australia increases the risk of Internet balkanization, in fact its another step down that path, which is a very dangerous thing.
“All governments will feel as if they’re fighting a losing battle against an endlessly replicating and changing Internet, and balkanization will emerge as a popular mechanism to address this challenge.” – Eric Schmidt, Executive Chairman, Google
Recent U.S. legal challenges are demanding that large Cloud providers give up their data regardless of the country they are based in. What this means is that Cloud providers will seek to base their services in countries that are not legally touchable by the Five Eyes, or, create an Internet Nation State if you will, which could be based in International waters. We know that some of the uber-tech giants are looking at exactly how they can do that, including the use of massive offshore floating data centres.
In Australia, it will also drive the use of personal security products, as people start to take their privacy seriously.
It’s a weird feeling, writing this blog from Melbourne, with my VPN and other security services set to stun, wondering how it is that Australia has ended up in this strange and paranoid state. The ICT people I have talked too this week think that this is a major backward step for the country and are already investing in more secure systems to protect their Intellectual Property.
As sign of the times or further steps down the road to mass surveillance and balkanization?