A brief Twitter conversation with Phil Cox (@sec_prof) and Dave Piscitello (@securityskeptic) and the latest PRISM / NSA news got me thinking about trust. Phil suggested that the time is ripe for some sort of Internet “Switzerland” where a U.S. Citizen could (presumably) store your data unfettered by FISA and the long-arm of the US legal system. He argued that “it’s been done with finances” and there is “no reason tech couldn’t do it” and further suggested that “an already ‘trusted’ entity would need to do it.”
I am not so sure. (And, to be fair, I am not clear how strong Phil’s opinion is on this.)
The idea of some sort of “cyberSwitzerland” sounds like a direction we could head in, but we immediately run into questions of trust, oversight, and technical capability.
- Trust – The first step is to identify an entity (presumably in the cloud service-providing business) that we trust more than the U.S. Government (since they are the bad guys with this NSA spying scenario). This doesn’t seem particularly onerous – any of the big players might do – Amazon, Google, etc… Some privacy-supporting org like the Electronic Frontier Foundation might also consider getting into the business or endorsing some service. (Come to think of it, maybe we just need James Earl Jones to or Martin Sheen to endorse a no-name. William Shatner, too ). But the problem really comes with oversight.
- Oversight – Any entity we decide to trust more than the U.S. Government would also have to be willing to snub the U.S. legal system. This is the problem area, because no large entity with U.S. operations would snub the U.S. legal system – heck, that’s probably part of the reason you trust them – they follow rules. So the linchpin problem is that any trustworthy entity also will (ultimately) obey the law and so we are right back where we started from. Like they say, there is no honor among thieves.
- Technical Skill – The final nail in the coffin is that, even if you found an entity you trust who is willing to snub the U.S. legal system, they need to be able to protect you from the NSA. Any successful entity in this endeavor would obviously become a prime target for them. It is unclear whether this is possible in the long run, especially given the many ways to compromise systems. At the very least, it would be quite expensive.
Ultimately, I believe anyone going through this analysis will come to the conclusion that a “CyberSwitzerland” cloud service provider is highly unlikely to be able to address the needs of those concerned enough to make a change (who aren’t breaking the law in some way). That is, for the average U.S. citizen, a “CyberSwitzerland” is not a way out.
There are ways, however, that could significantly help the average citizen concerned about privacy. The real answer here has got to be some form of obfuscation – at the very least encrypted data, perhaps augmented by more unique schemes of data dispersal and split-key techniques. And the super-paranoid might even throw in some “chaff” generation along the way to add noise to whatever analysis is putting you in the ‘results’ list to begin with. Heck, you could even hire 20 people around the world to impersonate you and encrypt random data uploaded to random sites with a “firewall” between you and each of them (sort of joking here).