Snowden calls on businesses to encrypt data, shun Dropbox
UK cyber experts side with NSA whistle-blower who urges companies to adopt encryption and to shun Dropbox because the cloud storage company is 'hostile to privacy'.
US cyber spying whistle-blower Edward Snowden has stirred up debate by insisting that professionals such as accountants, doctors, lawyers and journalists should routinely encrypt their data - while branding open cloud storage services like Dropbox as ‘hostile to privacy’.
Although a controversial figure, Snowden's stance has met widespread approval among many cyber industry experts, who say professional bodies are already pushing for wide-scale encryption – but admit take-up and knowledge among individual practitioners is still lacking.
Earlier this week, Snowden told The Guardian newspaper that what his revelations of mass electronic spying by the US NSA intelligence agency “showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default.”
Snowden also shared the insight that analysts at the NSA, from where he defected, routinely passed round nude photos of people in sexually compromising situations that they found during their espionage work.
In addition, he poured scorn on Dropbox, the open cloud system for storing and sharing data, which he called ‘hostile to privacy’ partly because ex-US secretary of state Condoleezza Rice is on its board. He said professionals and others should use services like Spideroak, which encrypts users' data on their device before it reaches Spideroak's servers, so the supplier cannot decode it.
Commenting on his call for routine encryption, UK data security expert Alan Woodward, a visiting professor at the Department of Computing, Surrey University, said that regardless of the NSA and GCHQ's spying, Snowden was right.
Woodward told SCMagazineUK.com: “Encrypting data really should be a default. It's nothing to do with government interception or anything like that.
“I think it is good practice for people who are handling sensitive data, and often that includes lawyers, doctors – really anybody should be thinking about encrypting their communication and indeed the data they hold on their computers.”
But Woodward added: “There's surprisingly little adoption of it, particularly encryption of laptops. Encryption of devices that can be stolen unfortunately is still relatively low.”
He said the way to get the message across was through the different professional bodies and the UK's Information Commissioner's Office (ICO), who have issued advice on encryption.
“This is nothing to do with anti-government surveillance, this is to do with giving you the defence in depth that you need,” Woodward said.
Asked if he agreed with Snowden about Dropbox and similar services, he told SC: “I think anybody that uses any cloud service - of course there's nothing to stop you encrypting your data before you put it into the cloud. So why would you not encrypt a file and then store it in the cloud? Why should you rely upon the cloud provider? Take your own steps.”
Stewart Room, a leading data protection expert lawyer and president of the UK's National Association of Data Protection Officers (NDPO), also sided with Snowden and predicted that his statement will galvanise professions like the law into stronger action.
“The legal profession would struggle to challenge many of the ideas expressed by Edward Snowden around encryption,” he told SC.
He too pointed out that the ICAEW accountancy professional body, the Law Society, the ICO and other governing bodies have issued advice promoting encryption. And many law firms have encryption platforms in place for email and other electronic communications.
“There is no universality, there's no unified approach in the profession around this encryption issue. My view is that solicitors' firms and managing partners will now be putting electronic communications encryption right at the very top of their operational risk agendas today - or they should do,” said Room.
He added: “Of course not all information requires encryption but if the information is qualitatively confidential and/or sensitive, the need for encryption has to be identified within risk assessments.”
Room also cautioned: “In terms of what this looks like, we have to be realistic as to the law's expectations concerning the timeframes for tackling the encryption issue.”
Concerning Dropbox and the issue of secure data sharing, he said: “Many firms are looking at alternatives to email and there is significant interest in secure file share platforms whereby information is sent in an encrypted tunnel to a file share and people then pull information off via another encrypted tunnel. The problem is there are still question marks about the quality of the security of a lot of these platforms.”
A spokesperson for the ICO pointed out it issued advice promoting encryption in a blog back in August 2013, which said: “Given that a large amount of data can now be stored on something as small as a smartphone or tablet PC, there is a real danger that personal information could be compromised should such a device end up being lost or stolen.
“Using appropriate encryption can be a simple and effective means to protect personal data in these circumstances, and one which we advise all organisations to take if the loss of the data could cause damage and distress to the individuals affected.”
But the ICO also noted at the time: “Evidence shows that data controllers are still not addressing the problem.”
Dropbox could not be contacted for comment at the time of writing.