Nextgov/FCW - Authors - Paul Rosenzweig

Time Has Come to Reform Laws Governing Law Enforcement Access to Data

Paul Rosenzweig — Fri, 18 Sep 2015 10:22:15 -0400

Paul Rosenzweig is a senior adviser to The Chertoff Group, a global security and risk management advisory, and former deputy assistant secretary for Policy at the Department of Homeland Security.

Some of the laws governing the process by which the federal government gains access to electronic data are nearly 30 years old. As a result, electronic evidence today is, effectively, accessible to the government by fiat at a time and place of its choosing, often without regard for who is holding the evidence or even where, on the vast globe of a connected Internet, the evidence is being stored.

Rules written for a time when smartphones and tablets didn’t even exist are hopelessly out of date in today’s world. It is time, and well past time, for Congress to begin the process of bringing federal electronic evidence-gathering law into the 21^st century.

But at a hearing recently before the Senate Judiciary Committee, representatives of the federal government demurred. Their rhetoric was supportive in theory, but their testimony was laden with exceptions, caveats and concerns. Their basic message, if one may paraphrase it, was “go slow, we need to consider this carefully, we like the idea in general but...”

Otto von Bismarck is famously (though perhaps apocryphally) reported to have said, “When you say you agree to a thing in principle, you mean that you have not the slightest intention of carrying it out in practice.” The modern-day equivalent, observable regularly in congressional hearings is often more in the vein of, “we agree with this idea in principle, but we have concerns about how it will be implemented.” What you really mean is, “I oppose this legislative proposal completely.”

That is the only way to interpret the testimony of federal law enforcement officials the other day. And were I in their shoes (as I have been in the past), that is no doubt the argument I would have made. After all, why would members of the law enforcement community ever want to acquiesce in a law change that diminishes their own authority and discretion?

But there is more to the issue of lawful access to electronic evidence than the question of law enforcement efficacy. Much more. Information and communications technology represent something on the order of 10-20 percent of recent economic growth in America and around the globe. That record of economic dynamism is being threatened by the continuation of antiquated laws and policies.

Because our laws are out of date, and because they seem to give American law enforcement unilateral and unfettered access to electronic data, American information and communication technology companies are increasingly becoming pariahs, especially in foreign markets. Estimates vary, but it is clear customers are turning to non-U.S. based companies to provide cloud services, with losses perhaps as much as $35 billion annually.

If Congress does not act soon, the trend lines are unmistakable. American companies will face ever-growing challenges to the competitiveness, especially overseas. Perhaps even more problematic, we will also see greater confrontation between the tech sector and the federal government over basic rules of product development. For if the laws aren’t modernized to keep up with technology, the technology will change to make the law irrelevant or unnecessary. The growing encryption debate is just one harbinger of things to come as this trend toward confrontation accelerates.

In the end, balancing legitimate law enforcement concerns with equally legitimate economic concerns about competitiveness and citizen’s privacy is more a matter of judgment and politics than it is of law. And that sort of judgment is precisely what we want Congress to do, rather than the executive branch acting unilaterally.

While it is appropriate to hear out the federal government’s concerns, the pace of technological change is too great to warrant further delay. The time for reform of the laws governing law enforcement access to electronic data is now.

(Image via agsandrew/ Shutterstock.com)

]]>

American privacy values vs. European perceptions

Paul Rosenzweig, FCW — Fri, 08 Aug 2014 07:28:00 -0400

Th Chertoff Group's Paul Rosenzweig argues that Americans' dedication to privacy rights is often greater than the rest of the world is willing to admit.

Several years ago, a European Parliamentarian rather famously caricatured American law enforcement as epitomized by Dirty Harry (the famous Clint Eastwood character), and compared U.S. conduct (unfavorably, of course) to the more sensitive European style, embodied in Agatha Christie’s hero, Hercule Poirot.

How times have changed.

In late June, the U.S. Supreme Court decided Riley v. California -- a case that created a zone of digital privacy for the data stored on cellphones, smart phones and tablets. According to the court, before American law enforcement officers may search a device for digital content, they must first secure a warrant – that is, an authorization for the search, issued by a neutral judicial officer, upon proof of probable cause to believe that a crime has been committed and that evidence of the crime can be found on the device. In unanimously ruling thus, the Supreme Court reminded us that American fidelity to values of privacy and civil liberty is quite high – often higher than we are given credit for by the rest of the world.

The Riley decision, after all, is just one small piece of a series of steps that have increasingly made clear the U.S. commitment to privacy. Consider:

-- In the past six months, the Privacy and Civil Liberties Oversight Board (PCLOB) has issued two detailed reports on NSA activities – reports that provide far more transparency into American intelligence activities than has ever been provided by any country in the world.

-- Though an initial ruling went against the firm, Microsoft has brought legal action to limit the extraterritorial effect of .U.S. law enforcement requests for cloud-based data.

-- Microsoft, Google, and other tech giants have driven a lobbying campaign to update the Electronic Communications Privacy Act to extend warrant protection to stored communications and a majority of the House of Representatives has co-sponsored a bill to that effect [full disclosure: I have personally participated in that effort].

-- President Obama has taken executive action to give Europeans privacy rights equivalent to Americans with respect to data held by the federal government, and has indicated that he plans to ask Congress to revise the Privacy Act to create legislative protections that are beyond his executive power.

All of these developments reflect favorably on American efforts to protect privacy and civil liberties. They come at a time when American fidelity to those values is open to some question. Lately, it seems, Americans have been lectured by Europeans on the “right” way to do privacy. And revelations about NSA activities have proven both diplomatically and economically problematic.

It really shouldn’t be that way.

The truth is that European attitudes to government surveillance are not very different from those in the United States. Indeed, by some measures, it is easier for European law enforcement and intelligence agencies to gain access to the personal information of its citizens than in the United States.

For one thing, there is (apparently) no equivalent to Riley in European law. For example, Britain's electronic intelligence agency, GCHQ, has disclosed that it intercepts communications outside the country without the necessity of a warrant. And, under British law, Facebook and Twitter posts or searches on Google or YouTube that went to data centers (say in the United States) outside the British Isles would fall under the external category.

Likewise, consider the ease and frequency with which European law enforcement agencies get access to conversations in real time through wiretapping. If anything, real-time access ought to be more tightly controlled than access to stored data, on tablets and other devices, yet it is surprisingly more frequent and often easier in Europe than in the United States.

In most European countries, to be sure, judicial approval for an interception is necessary. But judges in Europe are "investigative" jurists -- meaning they function more like American prosecutors than judges. So there is, effectively, no check on law enforcement's ability to eavesdrop.

And in the United Kingdom, wiretaps are approved by the Home Secretary -- an executive official. It would be as if our own attorney general could approve the FBI’s wiretap requests. Perhaps even more notably, the Netherlands has the highest rate of wiretapping of any European country -- Dutch police can tap any phone they like, so long as the crime under investigation carries at least a three-year jail term.

More to the point, according to a report from the international law firm Hogan Lovells, the informal nature of cooperation between European law enforcement and service providers is quite significant. In virtually every European country, service providers may “voluntarily” provide data to law enforcement in response to an informal request. That kind of ease of examination is the sort that the Supreme Court was rejecting.

Thus, as we have noted, foreign views of American attitudes toward privacy and civil liberties have long been a bit of a caricature. Perhaps it’s time to re-examine that perspective -- now that Dirty Harry seems to have more legal constraints on his activities than does Hercule.

]]>

Where does privacy figure into FTC data discussions?

Paul Rosenzweig, FCW — Tue, 04 Dec 2012 12:34:15 -0500

When the Federal Trade Commission (FTC) hosts a workshop, titled "The Big Picture: Comprehensive Data Collection," on December 6, 2012, to explore the practices and privacy implications of the comprehensive collection of data about consumers' online activities, it should expand the scope of its examination. One topic germane to the workshop's consideration but seemingly not on the agenda is the adequacy of privacy protections for public sector consumers (including students and staff in educational institutions and employees of federal, state or local governments) who use cloud-based systems. It behooves the FTC to also include these consumers in its examination of the privacy implications of cloud services.

There are, of course, sound business reasons why cloud service providers aggregate data across multiple accounts and services: the results are extremely valuable. Seemingly unrelated personal data, when aggregated and mined at large scale, can provide immense value to advertisers, marketers, corporate sales forces, and others. The revenue generated by combining and monetizing such data -- by mining the mosaic -- is the reason "free" cloud services can afford to be free. But that, in turn, means that cloud services come with a hidden cost - because there really is no such thing as a free lunch. That hidden cost is the loss of privacy (and even, in extreme cases, the loss of security) that comes with a pervasive data aggregation and analysis regime.

The FTC is appropriately concerned with threats to individual privacy inherent in data-mining business models for the average private consumer. Less noticed but of equal concern, is the potential use of these same tools and techniques to aggregate and analyze information concerning public sector employees (who, after all, are also consumers) and, potentially, public sector institutions themselves such as government agencies. The privacy interests of public sector employees are no less important than those of private citizens and, to the extent that they are doing the public's business, they may perhaps be of even more importance to the commonwealth. For beyond the risks to individual privacy, regulators and government consumers also need to be aware of the risks to national security, government integrity, confidentiality of student information, and even personal safety that might result from the data mining of public sector data.

In general (and at the risk of oversimplifying), the current rule is that the use of data collected from public sector organizations by cloud service providers is governed by contract. If the contract does not prohibit data aggregation of user content, then the cloud provider is legally free to use the data in conformance with generally applicable privacy policies. Those policies, in turn, generally provide for the confidentiality of user data with respect to third parties, but often permit the cloud service provider to aggregate and analyze a users' data for its own purposes. These purposes can range from improvement of products and services to the marketing of consumer information. And that means that, in the absence of a contractual prohibition public sector consumers cannot be assured that aggregation of their data is not occurring. In many ways, the issues for public sector users replicate those under consideration by the FTC in the context of private sector consumers - both types of consumers are looking for greater transparency, the availability of opt-out provisions rules, and default settings that empower choice.

Likewise, public sector users are consumers of web-based information services. Here, too, their concerns mirror those of the private sector. Their search histories and patterns tell much about what they are interested in. And that, in turn, may reveal much about what the interests of the government are - a SEC employee's search history may identify the next regulatory initiative and a local county research history may presage a tax hike. To be sure, web sites often seek to avoid regulatory limitations by treating privacy regulations as restricting only certain uses of collected personal information, rather than as a limitation on collection itself. But that, too, is a fit subject for the FTC to examine.

Finally, data aggregation of government-originated data may pose governance problems for the public sector consumer. In the absence of a strong encryption policy or a confirmation that only US citizens are responsible for the security of government data, the move to cloud services raises distinct possibilities that governments may lose control of their information (and that of their employees as well as its citizens).

For these reasons the FTC's inquiry into privacy issues at their December 6 workshop should be undertaken while cognizant of the reality that much of its work on private consumer protection will have direct and indirect consequences for public sector consumers and, in the end, all public sector institutions, including government agencies, schools, and universities. Inasmuch as this particular perspective has often been absent from the current set of discussions, the Commission should seek to expand its consideration to include these concerns.

]]>

Op-ed: Encryption, not restriction, is the key to safe cloud computing

Richard Falkenrath and Paul Rosenzweig — Fri, 05 Oct 2012 09:41:01 -0400

It’s 11 p.m. Do you know where your data is? If your enterprise has transitioned to the cloud for data storage the answer almost certainly is “no.” Portions of it might be in Malaysia; other bits in Antigua.

Today, governments across the globe are deeply uncomfortable with that answer -- but they don’t need to be. Just a small application of technological magic through encryption at rest can dispel concerns about data’s location.

The underlying problem is familiar to most cloud-sophisticates. Cloud architecture is a distributed network. Optimizing efficiency means locating server farms wherever energy and labor costs are cheapest. And, given the speed with which information transits the network, there is no need to build data centers close to where the data users reside -- data can be almost anywhere in the world in milliseconds.

But the widely-distributed nature of cloud storage systems poses a problem for government users. There is something fundamentally problematic for them with the notion that Federal government data -- IRS records, for example -- might be stored on servers in, say, India. The specter of non-U.S. citizens having physical control over and access to U.S. data understandably gives the government pause. The same is true of almost every other country in the world.

As a result, many federal, state and local governments and agencies are starting to require that their data remain within geographic control.

Taking this school of thought further, the U.S. government is engaged in an opaque rule-making process that is poised to create a requirement that federal data be stored at a U.S. location and handled only by U.S. citizens. These restrictive rules will doubtlessly increase the cost of cloud services used by all levels of the U.S. government -- perhaps by as much as 50 percent to 100 percent over standard public cloud rates. After all, almost by definition, the distributed cloud network is the most efficient (read: cheapest) and any limitations on that distributed architecture will cost money.

The domestic location requirements are almost certainly a mistake. Insisting on geographical boundaries creates a false sense of security that nothing detrimental can happen to sensitive data as long as it resides within U.S. borders; this simply isn’t true. More importantly, the requirement is technologically difficult to implement and throws overboard the very efficiencies that motivate transition to the cloud in the first place.

There is an easier solution -- encryption at rest. A system of encryption where the customer controls the encryption keys solves many of the security problems that have bedeviled public clouds for the government. It would eliminate the need to insist on U.S.-only location for government cloud data centers and support personnel. All that is required is to implement an architecture that enables customers to apply encryption to data at rest before that data is transitioned to the cloud and for their customers to be the sole holders of their own encryption keys. This sort of architecture is not technically difficult; many cloud service providers do it now.

Encryption-based technology already provides a measure of protection for most Internet financial transactions. The encryption of cloud data protects critical information without becoming an onerous burden to users seeking to capitalize on the efficiencies of cloud computing. What’s critical is how the encryption system is structured. If a customer relies solely on vendor-provided encryption (and a vendor promise of confidentiality) that places too much trust in the cloud service provider. The better solution from a security standpoint is to locally encrypt data prior to transfer, and then use the provider’s encryption, if possible, as a second level of security.

Onsite encryption at rest allows a cloud user to effectively replicate existing onsite control over data. There is no reason a customer should have to give up that same degree of control when transitioning to the cloud. Consumers should be in the position of not having to worry that their cloud vendor will use the data or user information from the cloud for the vendor’s own purposes (for example, data mining for ads). With the customer in charge of the encryption keys, users can maintain exclusive control of their data and the cloud provider will have no access to it.

If the at-rest encryption solution is implemented then it just doesn’t matter who works at the server farm or where the data is located, since no one can see the data except the customer. And that means that we can dispense, for example, with the location and citizenship requirements and store U.S. government data at the cheapest and most efficient cloud data center available -- even if it’s in Canada instead of America.

Another advantage of at-rest encryption is it negates some of the legal obstacles that could arise from a globally distributed network, both for governments and for private citizens. One concern has been that government data overseas might be subject to foreign law (and, reciprocally, some overseas are concerned about the application of U.S. law to their data held in America). But encryption answers much of that problem. The cloud service provider can’t be compelled to provide data to which it has no access. In effect, Google can’t give up encryption keys it doesn’t have.

In short, at-rest encryption helps customers preserve some of the benefits of maintaining data on the premises. To be sure, encryption comes with its own security problems -- most notably key management -- but those pale in comparison to the challenges associated with the geographic mandate.

Challenging Old Business Models

So what’s the problem? Why do some in the industry resist this solution?

In part it is because encryption with customer controlled keys is inconsistent with portions of their business model. This architecture limits a cloud provider’s ability to data mine or otherwise exploit the users’ data. If a provider does not have access to the keys, they lose access to the data for their own use. While a cloud provider may agree to keep the data confidential (i.e., they won’t show it to anyone else) that promise does not prevent their own use of the data to improve search results or deliver ads. Of course, this kind of access to the data has huge value to some cloud providers and they believe that data access in exchange for providing below-cost cloud services is a fair trade.

Also, providing onsite encryption at rest options might require some providers to significantly modify their existing software systems, which could require a substantial capital investment. Nor have any major customers, like the U.S. government, seen fit to demand onsite encryption as a service. Instead, federal customers have been content to find other solutions (like the geographic/citizenship rule) as preferred options. So in some ways, there is a disconnect between what the vendors can provide and what the customers think they need.

Finally beyond industry resistance, there is another unintended consequence of these geographic limitation rules. They will destroy the ability of U.S. cloud vendors (such as Microsoft and Google) to sell government cloud services in most overseas markets. Other countries are concerned about the risks of offshore data location and that is the number one obstacle to greater adoption of U.S.-provided cloud services by foreign governments.

For example, in Australia the government recently decided to ban outright the use of foreign-based cloud services by Australian government agencies (even for email or storage). Thus, the current U.S. rule-making is effectively destroying the ability of American cloud vendors to access the world market. And this at a time when these vendors have a huge advance in the scale, scope and technical maturity of their cloud service offerings. But we should be under no illusion: if the U.S. government refuses to allow foreign-data center location for cloud services, foreign governments will be certain to follow the U.S. example.

It’s 11 p.m. You don’t really need to know where your data is. As long as you know it is safely wrapped in an at-rest encryption cocoon, you should feel secure.

Richard Falkenrath was the Deputy Homeland Security Advisor to the President from 2002 to 2004. He is currently a principal at The Chertoff Group, a global security advisory firm. Paul Rosenzweig formerly served as Deputy Assistant Secretary for Policy at the Homeland Security Department. He is currently a senior advisor to The Chertoff Group. They are contributors to SafeGov.org, a forum for IT providers and experts dedicated to promoting responsible cloud computing solutions for the public sector.

]]>