Privacy Working Group


Archive for the ‘Cloud Computing’


LA Apps

Posted on August 05, 2009 by Dave Williams - CAGW

No, that isn’t the name of a new grunge rock band.  It refers to the City of Los Angeles trying to decide whether or not to use Google Apps as a replacement for the Novell GroupWise e-mail and Microsoft Office Applications.

There are huge taxpayer and privacy concerns with such a move.  In a press release and letter to members of the Information Technology and General Services Committee, we expressed our concerns:

On behalf of the 193,000 members and supporters of Citizens Against Government Waste in the state of California I would like to express our concerns with this proposed contract.  As the nation’s premier taxpayer watchdog, we applaud your desire to evaluate technology use and the potential to save taxpayer money.  However, there are cost and privacy issues associated with Google Apps that could negatively impact taxpayers and put critical information at risk.

Even though some news reports have claimed that there will be cost savings from the switch, a July 10, 2009 report from the Office of the City Administrative Officer to the Information Technology Agency (ITA) contradicts those assertions.  According to the ITA report, “In the City’s experience with other systems replacement projects, contractors that supported implementation of the new system have often remained involved with the project for a longer period of time than originally anticipated. … That no such costs are anticipated here is inconsistent with this experience. … GroupWise licensing savings totalling $269,700 will only be achieved if the City can fully implement Google’s system by December 31, 2009. … For this date to be met, ITA must submit a notice to proceed to CSC no later than August 1, 2009.”

In addition to cost, privacy should also be a key component in the decision-making process.  In a July 16, 2009 letter to Los Angeles Mayor Antonio Villaraigosa, the World Policy Forum (WPF) concluded that, “…the City should conduct a formal independent risk assessment of the privacy, security, and confidentiality issues the contract raises….  A risk assessment focused on this issue will assist the City in clarifying the problems before harm occurs.”

The savings estimates for Los Angeles are based on fully implementing Google Apps by December 31, 2009.  That means all employees must be utilizing the new system by that date.

In addition, a July 17, 2009 Los Angeles Times article said that “City Administrative Officer Ray Ciranna, the city’s top financial advisor, said the LAPD has raised questions about Google’s ability to shield sensitive arrest information.”

We urge you to conduct more research on cost, security and risk, starting with learning more about the D.C. experience and why so few are using Google Apps.

It’s fun to have shiny new toys, but when it comes to taxpayers paying for those new toys, there needs to be a serious discussion about cost and, in the case of software or computing, privacy.

Governments at all levels have a duty to ensure that privacy is guaranteed.

Forbes, Why Cloud Computing Needs More Chaos

Posted on August 03, 2009 by PWG

Cloud computing, that much-hyped trend toward storing information in off-site data centers, in some ways breaks the long-held order of data privacy. Some CIOs hesitate to blur the line that separates closely-guarded data from information that’s shared with partners.

But one group of researchers has brought to light a stranger problem that could undermine cloud computing’s cybersecurity: It’s not chaotic enough.

In a presentation Thursday at the Black Hat cybersecurity conference in Las Vegas, iSec Partners researcher Alex Stamos pointed to what he described as a fundamental problem with cloud computing setups that use virtualization software to partition servers into “images,” which are then rented out to customers. Although packing those virtual machines into cloud providers’ data centers provides a more flexible and efficient setup than traditional servers, Stamos, along with fellow presenters Andrew Becherer and Nathan Wilcox, argued that virtual machines suffer from a rarely discussed flaw: They don’t always have enough access to the random numbers needed to properly encrypt data.

That unlikely problem hits at one of the fundamental problems of cryptography: How do computers produce truly random numbers that can’t be guessed or replicated? In PCs, Stamos explained, operating system software typically monitors users’ mouse movements and key strokes to glean random bits of data that are collected in a so-called “entropy pool,” a set of unpredictable numbers that encryption software automatically pulls from to generate random encryption passkeys. In servers, which don’t have access to a keyboard or mouse, random numbers are also pulled from the unpredictable movements of the computer’s hard drive.

Virtual machines, which perform like physical machines but are simulated with software, have fewer sources of entropy: Linux-based virtual machines, for instance, gather random numbers only from the exact millisecond time on their internal clocks. And that source isn’t enough to generate strong keys for encryption, Stamos argues. “Normally there’s enough variation that after a while your operating system can gather up the entropy it needs to provide you with secure random numbers,” he says. “The fundamental issue is that with virtualized hardware, many of those random variations don’t exist.”

The problem is compounded by the fact that virtual machines are often created for short periods to serve a single function–not long enough to develop a sufficiently unique entropy pool, Stamos says.

If a malicious hacker were to set up his or her own Linux virtual machine in Amazon’s EC2 cloud service, for example, he or she could use that machine’s entropy pool to better guess at the entropy pools of other recently created Linux-based virtual servers in Amazon’s cloud, Stamos posits.

That advantage would allow the hacker to crack the machines’ encryption many millions of millions of times faster than in a non-cloud setup, potentially breaking the safeguards that prevent attackers from accessing the server’s data or snooping on Web browsing sessions hosted on that machine. “It doesn’t matter how strong the encryption is if the bad guy can guess at the numbers used to generate the key,” he says.

Still, access to entropy pools doesn’t necessarily mean a system’s encryption can be broken, given that encryption using keys that are thousands of bits long would theoretically take enormous amounts of time to crack–in some cases, longer than the lifetime of the universe.

Read More
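The weakness described in the excerpt above can be made concrete with a toy model. This is an added example, not code from the Forbes article or the iSec Partners presentation; it assumes a key derived from nothing but a boot-time millisecond clock, and every name and value in it is hypothetical or constructed. It shows a nominal 128-bit key carrying under 16 bits of real uncertainty, and a defender's check that flags such a key.

```python
import hashlib
import math
import secrets

KEY_BYTES = 16  # nominal 128-bit key


def clock_only_key(boot_ms: int) -> bytes:
    """Toy model (assumption): the 'entropy pool' holds only the boot-time clock."""
    return hashlib.sha256(boot_ms.to_bytes(8, "big")).digest()[:KEY_BYTES]


def effective_bits(window_ms: int) -> float:
    """Uncertainty, in bits, when the only unknown is one millisecond in the window."""
    return math.log2(window_ms)


def find_clock_seed(key: bytes, window_start_ms: int, window_ms: int):
    """Audit check: return the clock value that reproduces `key`, or None.

    A non-None result means the key is reproducible from public timing
    information alone and should be regenerated from a properly seeded source.
    """
    for ms in range(window_start_ms, window_start_ms + window_ms):
        if clock_only_key(ms) == key:
            return ms
    return None


# Constructed sample values: a one-minute launch window and a boot instant in it.
LAUNCH_WINDOW_START_MS = 1_249_000_000_000
LAUNCH_WINDOW_MS = 60_000
TRUE_BOOT_MS = LAUNCH_WINDOW_START_MS + 41_337


def demo() -> dict:
    weak = clock_only_key(TRUE_BOOT_MS)       # key from the starved pool
    strong = secrets.token_bytes(KEY_BYTES)   # key from the OS CSPRNG
    return {
        "nominal_bits": KEY_BYTES * 8,
        "effective_bits": round(effective_bits(LAUNCH_WINDOW_MS), 1),
        "weak_key_seed": find_clock_seed(weak, LAUNCH_WINDOW_START_MS, LAUNCH_WINDOW_MS),
        "strong_key_seed": find_clock_seed(strong, LAUNCH_WINDOW_START_MS, LAUNCH_WINDOW_MS),
    }


if __name__ == "__main__":
    print(demo())
```

The key length never changes between the two cases; only the number of inputs that could have produced the key does, which is the point of the "it doesn’t matter how strong the encryption is" quote.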

CongressDaily, Leahy Brings Back Identity Theft Measure For A Third Time

Posted on July 28, 2009 by PWG

Senate Judiciary Chairman Patrick Leahy hopes the third time will be a charm for his legislation intended to better protect citizens’ personal information.

The bill, which he reintroduced Wednesday and in two previous Congresses, would increase criminal penalties for identity theft involving electronic data and criminalize intentional or willful concealment of a security breach. Leahy said passage of the measure, which would pre-empt a patchwork of state data breach laws, is among his top legislative priorities.

The bill requires entities that maintain personal data to establish policies to protect that material and give notice to individuals and law enforcement when they experience a breach. Failure to do so could result in penalties of up to $500,000 per violation and potentially doubled fines if the activity was deliberate. The bill would let individuals correct personal records held by commercial brokers. Additionally, states would be able to bring lawsuits on behalf of residents, but the bill would not give consumers a private right of action.

Under the measure, federal agencies would be required to set privacy and security rules for use of commercial data broker information. They would have to perform audits of contracts with brokers worth more than $500,000 and would be required to impose penalties on those that fail to meet the requirements. A GAO report this week found that almost all major federal agencies have weaknesses in their information security controls.

Leahy’s cybersecurity bill is one of many expected in the House and Senate. Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, were first with legislation in April, which could see committee action before the August recess. Rockefeller issued a statement saying he and Snowe are working hard on the measure and hope to mark it up soon.

Read More

NY Times, New Technology to Make Digital Data Self-Destruct

Posted on July 21, 2009 by PWG

A group of computer scientists at the University of Washington has developed a way to make electronic messages “self destruct” after a certain period of time, like messages in sand lost to the surf. The researchers said they think the new software, called Vanish, which requires encrypting messages, will be needed more and more as personal and business information is stored not on personal computers, but on centralized machines, or servers. In the term of the moment this is called cloud computing, and the cloud consists of the data — including e-mail and Web-based documents and calendars — stored on numerous servers.

The idea of developing technology to make digital data disappear after a specified period of time is not new. A number of services that perform this function exist on the World Wide Web, and some electronic devices like FLASH memory chips have added this capability for protecting stored data by automatically erasing it after a specified period of time.

But the researchers said they had struck upon a unique approach that relies on “shattering” an encryption key that is held by neither party in an e-mail exchange but is widely scattered across a peer-to-peer file sharing system.

Public key cryptography makes it possible for two parties who have never physically met to share a digital secret and as a result engage in a secure electronic conversation sheltered from potential eavesdroppers. The technology is at the heart of most modern electronic commerce systems.

Read More

NY Times, Twitter Hack Raises Flags on Security

Posted on July 20, 2009 by PWG

SAN FRANCISCO — You might think your password protects the confidential information stored on Web sites. But as Twitter executives discovered, that is a dangerous assumption.

The Web was abuzz Wednesday after it was revealed that a hacker had exposed corporate information about Twitter after breaking into an employee’s e-mail account. The breach raised red flags for individuals as well as businesses about the passwords used to secure information they store on the Web.

On Web sites containing personal information like e-mail, financial data or documents, there is usually just a user name and password for protection. More individuals are storing information on Web servers, where it is accessible from any online computer through services offered by Google, Amazon, Microsoft, social networks like Facebook or back-up services like Mozy.

But password-protected sites are growing more vulnerable because to keep up with the growing number of passwords, people use the same simple ones on numerous sites across the Web. In a study last year, Sophos, a security firm, found that 40 percent of Internet users use the same password for every Web site they access.

The attack on Twitter highlights the problem. For its internal documents, the company uses the business version of Google Apps, a service that Google offers to individuals free. Google Apps provides e-mail, word processing, spreadsheets and calendars over the Web.

The content is stored on Google’s servers, which can save time and money and enable employees to work together on documents at the same time. But it also means that the security is only as good as the password. A hacker who breaks into one person’s account can access information shared by friends, family members or colleagues, which is what happened at Twitter.

Read More

NYT Op-ed, Jonathan Zittrain, Lost in the Cloud

Posted on July 19, 2009 by PWG

EARLIER this month Google announced a new operating system called Chrome. It’s meant to transform personal computers and handheld devices into single-purpose windows to the Web. This is part of a larger trend: Chrome moves us further away from running code and storing our information on our own PCs toward doing everything online — also known as in “the cloud” — using whatever device is at hand.

Many people consider this development to be as sensible and inevitable as the move from answering machines to voicemail. With your stuff in the cloud, it’s not a catastrophe to lose your laptop, any more than losing your glasses would permanently destroy your vision. In addition, as more and more of our information is gathered from and shared with others — through Facebook, MySpace or Twitter — having it all online can make a lot of sense.

The cloud, however, comes with real dangers.

Some are in plain view. If you entrust your data to others, they can let you down or outright betray you. For example, if your favorite music is rented or authorized from an online subscription service rather than freely in your custody as a compact disc or an MP3 file on your hard drive, you can lose your music if you fall behind on your payments — or if the vendor goes bankrupt or loses interest in the service. Last week Amazon apparently conveyed a publisher’s change-of-heart to owners of its Kindle e-book reader: some purchasers of Orwell’s “1984” found it removed from their devices, with nothing to show for their purchase other than a refund. (Orwell would be amused.)

Worse, data stored online has less privacy protection both in practice and under the law. A hacker recently guessed the password to the personal e-mail account of a Twitter employee, and was thus able to extract the employee’s Google password. That in turn compromised a trove of Twitter’s corporate documents stored too conveniently in the cloud. Before, the bad guys usually needed to get their hands on people’s computers to see their secrets; in today’s cloud all you need is a password.

Thanks in part to the Patriot Act, the federal government has been able to demand some details of your online activities from service providers — and not to tell you about it. There have been thousands of such requests lodged since the law was passed, and the F.B.I.’s own audits have shown that there can be plenty of overreach — perhaps wholly inadvertent — in requests like these.

The cloud can be even more dangerous abroad, as it makes it much easier for authoritarian regimes to spy on their citizens. The Chinese government has used the Chinese version of Skype instant messaging software to monitor text conversations and block undesirable words and phrases. It and other authoritarian regimes routinely monitor all Internet traffic — which, except for e-commerce and banking transactions, is rarely encrypted against prying eyes.

Read further for Jonathan’s suggestions

Law.com, Cloud Computing Brings New Legal Challenges

Posted on July 08, 2009 by PWG

[...] Given the explosive growth of cloud computing, it should be no surprise that it presents numerous legal issues for businesses. Two of the most significant are privacy concerns and the implications of cloud computing for pretrial discovery.

As with other forms of “outsourcing,” businesses’ duties to protect private or confidential data do not end with their transfer of the data to third-party vendors for storage or processing. A recent report from the World Privacy Forum, “Cloud Computing and Privacy,” highlights a number of important privacy issues raised by cloud computing that corporate users of cloud computing should keep in mind.

Read the full article here

CNET, Open source to shape cloud computing, but not dominate it

Posted on July 03, 2009 by PWG

Redmonk analyst Stephen O’Grady writes a bleak, but likely accurate, eulogy for open source’s relevance to cloud computing. In a world where horsepower matters more than the software feeding those “horses,” in terms of the entry cost to compete, and where big vendors like Amazon and Google are already divvying up the market, the odds of a small-fry, open-source start-up challenging “Goliath” are slim.

It’s not a new argument: Nick Carr has been suggesting for some time that only a few, big companies can afford relevance in this hardware-intensive business.

Given this fact, O’Grady thinks the best we can hope for (and he thinks it’s pretty important) is “a loose coalition or confederation of [open-source] projects and vendors that will together comprise an increasingly viable top to bottom alternative to some of the cloud providers today.” He includes projects like Puppet (Reductive Labs) and Hadoop in this mix, but is careful to point out that he doesn’t see a full-fledged, open-source alternative seriously challenging the closed platforms of Google, Amazon, Salesforce, and the other mega-clouds.

Read More

PC World, RSA’s Coviello: Cloud Computing Not Secure Enough

Posted on July 03, 2009 by PWG

Cloud-based services are being rolled out without enough attention being paid to securing these services and the information they handle. That was the finding of a recent study commissioned by RSA Security.

While the report’s findings are alarming, there is still time for providers of these services to address the problem, said Art Coviello, executive vice president at EMC and president of RSA Security. The key is to look at security as an integral part of the service and not as an add-on feature, he said.

Read More

Forbes, Bridging The Clouds

Posted on June 30, 2008 by PWG

The “cloud,” despite its name, isn’t quite the open, limitless place it seems.

“Cloud computing” or “utility computing” offerings like Google’s (nasdaq: GOOG) App Engine or Amazon’s (nasdaq: AMZN) Web Services, which pipe applications, processing and storage over the Internet, may eventually let companies escape the confines of their data centers and pay for cheap, scalable processing and storage as easily as they pay for water or electricity.

But for now, if a company hands its information technology infrastructure to a vendor like Amazon, it’s largely locked in Amazon’s proprietary cloud, with no easy way to move its virtual IT infrastructure to another company’s service or back into its data center.

Read More…
