After the Snowden leaks, why trust a U.S. cloud?

by John Naughton

The Observer

“It’s an ill bird,” runs the adage, “that fouls its own nest.” Cue the U.S. National Security Agency (NSA), which, we now know, has been busily doing this for quite a while. As the revelations by Edward Snowden tumbled out, the scale of the fouling slowly began to dawn on us.

Outside of the United States, for example, people suddenly began to have doubts about the wisdom of entrusting their confidential data to cloud services operated by American companies on American soil. As Neelie Kroes, European Commission vice president responsible for digital affairs, put it in a speech on 4 July: “If businesses or governments think they might be spied on, they will have less reason to trust the cloud and it will be cloud providers who ultimately miss out. Why would you pay someone else to hold your commercial or other secrets if you suspect or know they are being shared against your wishes? Front or back door — it doesn’t matter — any smart person doesn’t want the information shared at all. Customers will act rationally and providers will miss out on a great opportunity.”

Which providers? Why, the big U.S. Internet companies that have hitherto dominated the market for cloud services — a market set to double in size to $200 billion over the next three years. So the first own goal scored by the NSA was to undermine an industry that many people had regarded as the next big thing in corporate computing.

The second own goal (or unintended consequence, to give it its technical name) came from the revelation that the NSA had cracked or circumvented the encryption systems used by Internet companies, banks and other organizations to persuade consumers that online transactions could be confidential and secure. Given that one of the great triumphs of the industry had been to persuade initially skeptical users that it was safe to conduct transactions online, this was a staggering revelation, the implications of which will be very far-reaching. And it brought to mind a conversation I had last year with a fairly senior executive of a major Internet company, who casually mentioned that his organization’s head of security “wouldn’t dream of using online banking.” I thought it was amusing at the time and filed it away as a curiosity: Geeks, after all, are notoriously paranoid about these things. Now I wish I had been more perceptive.

But, in a way, even more disturbing was the realization that the NSA seems to have covertly suborned the process by which encryption standards are set by the supposedly independent U.S. National Institute of Standards and Technology (NIST). In 2006, NIST published the standard (i.e., technical protocol) for encryption on the Web that was subsequently adopted by the International Organization for Standardization (ISO), which has 163 countries as members. What nobody knew until Edward Snowden revealed it was that the 2006 standard was effectively written by the NSA and that it had inserted a secret back door into the encryption system for its own use. “The road to developing this standard was smooth once the journey began,” an NSA memo noted. “However, beginning the journey was a challenge in finesse.”

I’ll bet it was. Technical standards are to networking as oxygen is to life. And, broadly speaking, the way they are shaped has always been cooperative and open. In the Internet world, for example, it’s done by groups of engineers with specialist expertise in a particular area who gather to hammer out, by a process of open discussion, successive versions of a protocol until they converge on something that is agreed to be workable. “We believe,” one of the pioneers of the process wrote, “in rough consensus and running code.” But at the heart of the process is the assumption that everyone participating — whether from companies or academia — is working in the public interest rather than trying to advance the narrower interests of their organization.

That’s why the discovery that the NSA abused that kind of trust is so depressing. And, in a way, it represents the biggest own goal of all, because it fatally undermines one of the fundamental tenets of U.S. foreign policy, namely that governance of the Internet is best left in American hands. As the Net became increasingly global, this was already looking like a threadbare proposition. The NSA has ensured that it is now untenable.

Which brings us back to birds and their nests. I forgot to mention that of course the official seal of the U.S. president is … an eagle.