Patriot Act May Hamper Cloud Computing Adoption

Michael Vizard

The common wisdom concerning e-mail these days is that it's all heading into the cloud. After all, it's difficult to manage and, as a basic utility of computing, in and of itself it doesn't provide a lot of strategic value.

But Sendmail CEO Don Massaro would beg to differ with conventional cloud computing wisdom when it comes to e-mail in large enterprises. While Massaro concedes that e-mail delivered via the cloud will be a fairly common approach for small-to-medium businesses (SMBs), larger corporations are going to think long and hard about the legal and regulatory implications of such a move.

The issue that Massaro says will result in most large corporations refraining from putting too much data in the cloud is the existence of "Federal Letters," otherwise known as National Security Letters. Under the provisions of the Patriot Act, these can be used to require carriers to turn over records and data concerning individual customers if asked to do so by the Federal government.

The letters do not require the government to get a court order, so in effect the regulation allows the government to access that information on demand. The law itself is a little vague when it comes to the definition of a "carrier," but Massaro says that it has enough of a chilling effect to make corporations that might be involved in any type of lawsuit involving the Federal government steer clear of cloud computing when it comes to sensitive data, which in all probability is going to be found in e-mail. Congress is working on refining how this provision of the Patriot Act can be applied, but the Federal government's ability to execute these letters is enough to get most corporate lawyers to err on the side of extreme caution, especially if the company does business in countries where the Patriot Act does not apply and it may be accused of violating local privacy laws.

This doesn't mean that large corporations will eschew cloud computing altogether. Massaro thinks the cloud will be used to augment e-mail services by delivering anti-virus, anti-spam and data loss prevention (DLP) services via the cloud.

But when it comes to actual corporate data, Massaro is betting that no matter what the economics are, corporate legal departments are going to direct their corporate officers to steer clear of any service that eliminates their ability to keep potentially damaging information out of the hands of Federal prosecutors without so much as the nicety of being told what the government might actually be looking for.

Dec 31, 2009 10:49 AM Dietrich T. Schmitz says:

PGP or GnuPG make your concerns a non-issue.

Here's the silly part:

ALL email sent is by default in clear-text as it moves through MTAs, ISPs.

When you write a letter, do you not place it in a nice 'envelope'?: Yes.

Why?: Privacy.

That practice needs to be extended to email and nothing short of a Federal Mandate and global treaties for uniform PGP will get that to happen.

In the meantime, Corporate CIOs doing due diligence, risk analysis for when and how to best use the Cloud should avail themselves of all 'best of breed' technologies, including PGP or GnuPG for any sensitive email transmissions.

Dietrich T. Schmitz

Dietrich T. Schmitz & Associates

Cloud Computing Services

Jan 5, 2010 8:17 AM Gregory Shapiro says: in response to Dietrich T. Schmitz

To some extent, use of e-mail encryption such as PGP/GnuPG or S/MIME would protect the content of individual messages stored on a service provider.  However, as you note, ubiquitous encryption use doesn't exist today.  There is a high barrier to entry in terms of key exchange, especially between parties with no previous introduction, and end-user experience (e.g., reading PGP encrypted e-mail on the Google Apps for your Domain Gmail web interface or on a mobile device such as the iPhone).  Don't get me wrong, I hope we get there someday but the reality is we aren't there today.

However, even if that were in place, there is still information available to the service providers that can be quite useful to investigators.  First, these encryption techniques will only encrypt the body of the message and attachments.  Headers (such as sender, recipient(s), subject and date) are still exposed and, along with mail stream traffic analysis, can contain valuable information.

Additionally, by having the data in the cloud, even if encrypted, corporations lose the ability to control that data in terms of retention, backup, and auditing.  For example, corporations could no longer guarantee a 90-day retention policy as they may not be able to mandate the same policy at a cloud provider, nor validate that it is actually being done properly (i.e., a message may disappear from view after 90 days but may not be deleted from the cloud provider's storage or backups).  Likewise, there is usually no information audit as to where the message has been stored or which machines it has transited.  You may not only be trusting your cloud provider, but the offsite backup service that provider uses or a chain of other providers (e.g., compute farms, storage services, etc).

The combination of traffic and header analysis and the ability to silently collect (potentially encrypted) messages over time beyond any corporate retention policy still leaves a corporation exposed to later subpoenas for the encryption keys to decrypt all content.

By the way, you state, "ALL email sent is by default in clear-text as it moves through MTAs, ISPs."  That isn't completely accurate.  The SMTP protocol includes support for STARTTLS encryption so the entire session is encrypted.  Looking at statistics from our servers, close to 25% of the traffic from remote machines uses STARTTLS.  In many cloud service offerings, STARTTLS is used to protect contents between the customer and service provider.  However, this only protects the communication channel, not the data, which is typically stored in queues and stores unencrypted (or with an encryption key known to the service provider and therefore available to the investigators).  Also, STARTTLS is hop-to-hop, not end-to-end.

Gregory Shapiro

VP, Engineering & CTO

Sendmail, Inc.
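The two comments above make complementary points: PGP/GnuPG protects the message body, but the headers stay in the clear, and STARTTLS protects a single SMTP hop rather than the whole path. The script below is an added example (not code from the original post, from either commenter, or from Sendmail) that makes both points concrete. It parses a constructed PGP/MIME message (invented hosts, addresses and Received lines; the ciphertext is a placeholder, not a real PGP blob), reports which metadata a provider or investigator can still read, and classifies each relay hop as TLS-protected or clear-text from the "with ESMTPS" / "with ESMTP" keyword that MTAs record in Received headers (RFC 3848).

```python
"""Added example: what stays visible when an end-to-end encrypted e-mail
transits several MTAs, and which hops negotiated STARTTLS.

Everything in SAMPLE_MESSAGE is constructed for this example."""
import email
import re
from email import policy

# Constructed PGP/MIME (RFC 3156) message: encrypted body, plaintext headers.
# The "ciphertext" is a placeholder string, not a real PGP packet.
SAMPLE_MESSAGE = """\
Received: from mx.cloud-provider.example (mx.cloud-provider.example [203.0.113.7])
\tby mail.corp.example (Postfix) with ESMTPS id 9A1B2C3D
\tfor <bob@corp.example>; Tue, 05 Jan 2010 08:17:00 -0800 (PST)
Received: from relay.isp.example (relay.isp.example [198.51.100.20])
\tby mx.cloud-provider.example with ESMTP id 4E5F6A7B;
\tTue, 05 Jan 2010 08:16:58 -0800 (PST)
Received: from laptop.example (laptop.example [192.0.2.55])
\tby relay.isp.example with ESMTPSA id 1C2D3E4F;
\tTue, 05 Jan 2010 08:16:55 -0800 (PST)
From: Alice <alice@example.org>
To: Bob <bob@corp.example>
Subject: Q4 litigation hold - draft settlement terms
Date: Tue, 05 Jan 2010 08:16:55 -0800
Message-ID: <20100105161655.constructed@laptop.example>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="pgp-boundary"

--pgp-boundary
Content-Type: application/pgp-encrypted

Version: 1

--pgp-boundary
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0placeholderCiphertextNotARealPGPBlob=
-----END PGP MESSAGE-----

--pgp-boundary--
"""

# Headers that remain readable by every relay regardless of body encryption.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

# "with" keywords (RFC 3848) that indicate the hop used STARTTLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}

_HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.IGNORECASE)


def parse_message(raw: str):
    """Parse an RFC 5322 message with the modern email policy."""
    return email.message_from_string(raw, policy=policy.default)


def body_is_end_to_end_encrypted(msg) -> bool:
    """True for PGP/MIME (RFC 3156) or S/MIME enveloped-data bodies."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return msg.get_param("smime-type") == "enveloped-data"
    return False


def visible_metadata(msg) -> dict:
    """Metadata any MTA, provider or investigator reads even when the body is encrypted."""
    return {h: str(msg[h]) for h in METADATA_HEADERS if msg[h] is not None}


def transport_hops(msg) -> list:
    """Walk Received: headers (newest first on the wire, reversed here to sender order)
    and mark each hop as TLS-protected or clear-text from its 'with' keyword."""
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(received))  # unfold and normalise whitespace
        match = _HOP_RE.search(text)
        if not match:
            continue
        src, dst, proto = match.groups()
        hops.append({"from": src, "by": dst, "protocol": proto.upper(),
                     "tls": proto.upper() in TLS_PROTOCOLS})
    return hops


def exposure_report(msg) -> dict:
    """Summarise what a provider or a later subpoena could obtain without the PGP key."""
    hops = transport_hops(msg)
    return {
        "body_encrypted_end_to_end": body_is_end_to_end_encrypted(msg),
        "metadata_in_clear": visible_metadata(msg),
        "hop_count": len(hops),
        "cleartext_hops": [f"{h['from']} -> {h['by']}" for h in hops if not h["tls"]],
    }


if __name__ == "__main__":
    for key, value in exposure_report(parse_message(SAMPLE_MESSAGE)).items():
        print(f"{key}: {value}")
```

On the sample, the body is end-to-end encrypted, yet sender, recipient, subject and date are fully readable, and the middle hop (ISP relay to cloud provider) ran plain ESMTP, so that leg carried the whole message, headers included, without transport protection. Real Received headers vary widely in format, so the regex is deliberately loose; treat a hop that does not match as unknown rather than as safe.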

