Technology, Thoughts & Trinkets

Touring the digital through type

Tag: microsoft (page 1 of 2)

Microsoft’s OneDrive Storage Expands NSA Surveillance

spigget_dispersive_prism_illustration

Earlier this month Microsoft announced that its Office 365 subscribers would be able to upload an unlimited amount of data into Microsoft’s cloud-based infrastructure. Microsoft notes that the unlimited data storage capacity is:

just one small part of our broader promise to deliver a single experience across work and life that helps people store, sync, share, and collaborate on all the files that are important to them, all while meeting the security and compliance needs of even the most stringent organizations.

Previously, subscribers could store up to 1TB of data in OneDrive. The new, unlimited storage model, creates new potential uses of the Microsoft cloud including even “wholesale backup of their computer hard drives, or even of their local backup drives”. And, given OneDrive’s integration with contemporary Windows operating systems there is the opportunity for individuals to expand what they store to the Cloud so it can be accessed on other devices.

While the expanded storage space may be useful to some individuals and organizations, it’s important to question Microsoft’s assertion that OneDrive meets the most stringent organization’s security and compliance needs. One reason to question these assertions arise out of a memo that was disclosed by National Security Agency (NSA) whistleblower Edward Snowden. The memo revealed that:

NSA Memo on Microsoft enabling SIGINT Access to SkyDrive

As summarized by the Electronic Frontier Foundation, Section 702 of the FISA Amendments Act which is mentioned in the NSA memo is extremely permissive. The section has been used to authorize:

  • collection of Americans’ phone records without a warrant;
  • access to large portions of Internet traffic that moves through American servers;
  • disclosure of collected information to other parties (e.g. the Drug Enforcement Agency);

European policy analysts agree that Section 702 is overly permissive(.pdf) and argue that the definitions used in the section are so general that “any data of assistance to US foreign policy is eligible, including expressly political surveillance over ordinary lawful democratic activities.” The scope of surveillance was made worse as a result of the FISA Amendments Act 2008. While the FAA 2008 is perhaps best known for providing legal immunity to companies which participated in the warrantless wiretapping scandal, it also expanded the scope of NSA surveillance. Specifically:

[b]y introducing “remote computing services” (a term defined in ECPA 1986 dealing with law enforcement access to stored communications), the scope was dramatically widened communications and telephony to include Cloud computing (.pdf source).

Microsoft’s expansion of OneDrive storage limits is meant to enhance its existing consumer cloud offerings. And such cloud storage can produce workplace efficiencies by simplifying access to documents, protecting against device loss, and externalizing some security-related challenges.

However, if subscribers take advantage of the new unlimited storage and send ever-increasing amounts of data into Microsoft’s cloud, then there will be a much greater amount of information that is readily available to the NSA (and other allied SIGINT agencies). And given that Section 702 authorizes surveillance of foreign political activities there is a real likelihood that data content which was previously more challenging for NSA to access will now be more readily available to interception and analysis.

Signals intelligence agencies, such as the NSA, are likely not top of mind threats to individuals around the world. However, Microsoft’s willingness to manufacture government access to personal and business data should give people pause before they generate sensitive documents, share or store intimate photos, or otherwise place important data in Microsoft’s cloud infrastructure. Any company so willing to engineer its users’ privacy out of personal and enterprise services alike must be treated with a degree of suspicion and its product announcement and security assurances with extremely high levels of skepticism.

Digital Crises and Internet Identity Cards

Something that you learn if you (a) read agenda-setting and policy laundering books; (b) have ever worked in a bureacratic environment, is that it’s practically criminal to waste a good crisis. When a crisis comes along various policy windows tend to open up unexpectedly, and if you have the right policies waiting in the wings you can ram through proposals that would otherwise be rejected out of hand. An example: the Patriot Act wasn’t written in just a few days; it was presumably resting in someone’s desk, just waiting to be dusted off and implemented. 9/11 was the crisis that opened the policy windows required to ram that particular policy through the American legislative system. Moreover, the ‘iPatriot’ Act, it’s digital equivalent, is already written and just waiting in a drawer for a similar crisis. With the rhetoric ramping up about Google’s recent proclamations that they were hacked by the Chinese government (or agents of that government), we’re seeing bad old ideas surfacing once again: advocates of ‘Internet Identity Cards’ (IICs) are checking if these cards’ requisite policy window is opening.

The concept of IICs is not new: in 2001 (!) the Institute of Public Policy Research suggested that children should take ‘proficiency tests’ at age 11 to let them ‘ride freer’ on the ‘net. Prior to passing this ‘test’ children would have restrictions on their browsing abilities, based (presumably) on some sort of identification system. The IIC, obviously, didn’t take off – children aren’t required to ‘license up’ – but the recession of the IIC into the background of the Western cyberenvironment hasn’t meant that either research and design or infrastructure deployment for these cards has gone away. Who might we identify as a national leader of the IIC movement, and why are such surveillance mechanisms likely incapable of meeting stated national policy objectives but nevertheless inevitable?

Continue reading

Thoughts: P2P and Complicity in Filesharing

200901021422.jpgI think about peer to peer (P2P) filesharing on a reasonably regular basis, for a variety of reasons (digital surveillance, copyright analysis and infringement, legal cases, value in efficiently mobilizing data, etc.). Something that always nags at me is the defense that P2P websites offer when they are sued by groups like the Recording Industry Association of America (RIAA). The defense goes something like this:

“We, the torrent website, are just an search engine. We don’t actually host the infringing files, we are just responsible for directing people to them. We’re no more guilty of copyright infringement than Google, Yahoo!, or Microsoft are.”

Let’s set aside the fact that Google has been sued for infringing on copyright on the basis that it scrapes information from other websites, and instead turn our attention to the difference between what are termed ‘public’ and ‘private’ trackers. ‘Public’ trackers are available to anyone with a web connection and a torrent program. These sites do not require users to upload a certain amount of data to access the website – they are public, insofar as there are few/no requirements placed on users to access the torrent search engine and associated index. Registration is rarely required. Good examples at thepiratebay.org, and mininova.org. ‘Private’ trackers require users to sign up and log into the website before they can access the search engine and associated index of .torrent files. Moreover, private trackers usually require users to maintain a particular sharing ration – they must upload a certain amount of data that equals or exceeds the amount of data that they download. Failure to maintain the correct share ratio results in users being kicked off the site – they can no longer log into it and access the engine and index.

Continue reading

Reading, Reviewing, and Recording

readingrecordI want to toss up a few links that I’ve found particularly interesting/helpful over the past couple of months. I’ll begin with a way to read, move to a review of the newest tool for electronic education, and conclude with an article concerning the commercialization of the core platforms electronic resources are accessed from.

Reading 102

We’ve all heard of data-mining; the FBI has been doing it, the NSA has been caught doing it, and corporations are well known for it. Citizens are getting increasingly upset that their personal information is scaped together without their consent, and for good reasons.

What if those citizens used data-mining principles to prepare and filter their reading? Donal Latumahina has eight processes that you can use to get the most out of the books that you’re reading, processes that are guided by the objective to get the greatest possible amount of useful information from the text. It’s amazing what happens when you objectively structure your reading, rather than just letting yourself be carried along by it.

Continue reading

« Older posts