Monday, August 19, 2013

Buying British: Data security in the Cloud and the effect of PRISM

Daniel Hoy
UK Marketing Manager
Egress Software Technologies Ltd.
The recent revelations leaked to the international press by whistle-blower Edward Snowden regarding the scale of the US Government’s data surveillance programme have raised major concerns about the security of information stored in the Cloud, causing some to question where this leaves our basic human rights to privacy (a subject Egress CEO Tony Pepper has previously discussed).

The latest reaction has been the closure of two high-profile secure email services, Lavabit (a former favourite of Snowden’s for sharing information securely) and Silent Circle. Their reasoning? To avoid becoming ‘complicit in crimes against the American people’. In fact, Ladar Levison, Owner and Operator of Lavabit, has declared that:
‘This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.’ (

What does this mean for the future of Cloud-based data security?

It remains to be seen whether these latest developments have any lasting impact on Cloud security; however they do raise questions over data residency and the laws that companies and their data  fall under.

Levison’s caution to avoid companies with physical ties to the US is a thinly veiled remark about the Patriot Act. Formed in the immediate wake of 9/11, the act enables the US Government to gather information on US and non-US citizens, granting them access to all data within the country and that of sister companies based outside the States or those using US subsidiaries for data processing. Fortunately in the UK, however, the Data Protection Act comes with various caveats that offer citizens greater protection and assurance over when and why their personal information might be accessed. Of course, there is no guarantee that these laws won’t change over time, which is something that we should all remain aware of.

It’s my opinion that Snowden’s revelations will have a positive effect on Cloud security in the long term. Individuals and businesses have had their eyes opened, and arguably will proceed with much more caution in the future when choosing where to store their data, and with whom. Simply put, they need to be aware what laws can, and will, be applied to their data (including any backed up versions, which may reside in a different country), and whether these will safeguard their right to privacy.

This increased awareness can only be a good thing for UK-based companies, and specifically Egress, who offer a combination of cloud-based, hybrid and on-premise data storage solutions. Crucially, this type of flexible hosting platform gives customers choice over how and where their data is stored. Depending on their appetite for risk, and the confidentiality of the information they manage, they remain in control and have the assurance of end-to-end information security throughout the lifecycle of their data.

Governments will always need to intercept communications and access data in the interest of national security, a fact that most people can accept as long as the necessary legal and constitutional steps have been taken. 


  1. The Patriot Act is always going to be a concern for anyone dealing with a US based company. However, this article skims the question of similar and, in some cases such as in the UK, even more draconian and legally dubious measures that already exist for the same purpose. There is nothing to stop most countries in Europe requesting information from an organisation in another, and that organisation in question being forced to hand it over via a convenient MLAT (Mutual Legal Assistance Treaty), established between the two countries. These have existed for decades so whilst the US may not be able to obtain information directly under the PA, there are always ways and means. 'Special relationship' anyone?

  2. Yes, this is a complex and not easily solved issue. You're right that the US Government isn't the only one accessing data in the name of 'national security'. The recent revelations from Snowden also link the British Government and specifically GCHQ. I would argue that the current UK laws and proposed EU data regulation updates do offer an additional layer of transparency and protection. There is no perfect solution here and as mentioned in the article, I think most people can accept that on occasion governments will need to access personal data. When it is done on the scale of the current NSA data surveillance programme it does raise a concern that the balance between national security and the basic human right to privacy has been lost.