Why Using the ‘Cloud’ Can Undermine Data Protections

By Jack Nicas

While the increasing use of encryption helps smartphone users protect their data, another, sometimes related technology, cloud computing, can undermine those protections.

The reason: encryption can keep certain smartphone data outside the reach of law enforcement. But once the data is uploaded to companies’ computers connected to the Internet–referred to as “the cloud”–it may be available to authorities with court orders.

“The safest place to keep your data is on a device that you have next to you,” said Marc Rotenberg, head of the Electronic Privacy Information Center. “You take a bit of a risk when you back up your device. Once you do that it’s on another server.”

Encryption and cloud computing “are two competing trends,” Mr. Rotenberg said. “The movement to the cloud has created new privacy risks for users and businesses. Encryption does offer the possibility of restoring those safeguards, but it has to be very strong and it has to be under the control of the user.”

Apple is fighting a government request that it help the Federal Bureau of Investigation unlock the iPhone of Syed Rizwan Farook, the shooter in the December terrorist attack in San Bernardino, Calif.

The FBI believes the phone could contain photos, videos and records of text messages that Mr. Farook generated in the final weeks of his life.

The data produced before then? Apple already provided it to investigators, under a court search warrant. Mr. Farook last backed up his phone to Apple’s cloud service, iCloud, on Oct. 19.

Encryption scrambles data to make it unreadable until accessed with the help of a unique key. The most recent iPhones and Android phones come encrypted by default, with a user’s passcode activating the unique encryption key stored on the device itself. That means a user’s contacts, photos, videos, calendars, notes and, in some cases, text messages are protected from anyone who doesn’t have the phone’s passcode. The list includes hackers, law enforcement and even the companies that make the phones’ software: Apple and Google.

However, Apple and Google software prompt users to back up their devices on the cloud. Doing so puts that data on the companies’ servers, where it is more accessible to law enforcement with court orders.

Apple says it encrypts data stored on its servers, though it holds the encryption key. The exception is so-called iCloud Keychain data that stores users’ passwords and credit-card information; Apple says it can’t access or read that data.

Officials appear to be asking for user data more often. Google said that it received nearly 35,000 government requests for data in 2014 and that it complies with the requests in about 65% of cases. Apple’s data doesn’t allow for a similar comparison since the company reported the number of requests from U.S. authorities in ranges in 2013.

Whether or not they back up their smartphones to the cloud, most users generate an enormous amount of data that is stored outside their devices, and is thus more accessible to law enforcement.

“Your phone is an incredibly intricate surveillance device. It knows everyone you talk to, where you are, where you live and where you work,” said Bruce Schneier, chief technology officer at cybersecurity firm Resilient Systems Inc. “If you were required to carry one by law, you would rebel.”

Google, Yahoo Inc. and others store users’ emails on their servers. Telecom companies keep records of calls and some standard text messages.
Inc. and Twitter Inc. store users’ posts, tweets and connections.

Even Snapchat Inc., the messaging service known for photo and video messages that quickly disappear, stores some messages. The company says in its privacy policy that “in many cases” it automatically deletes messages after they are viewed or expire. But it also says that “we may also retain certain information in backup for a limited period or as required by law” and that law enforcement sometimes requires it “to suspend our ordinary server-deletion practices for specific information.”

Snapchat didn’t respond to a request for comment.

Write to Jack Nicas at jack.nicas@wsj.com
(END) Dow Jones Newswires
Copyright (c) 2016 Dow Jones & Company, Inc.
