Losing Control Of Almost Everything In The Cloud

Written by Mark Rasch
February 1st, 2012

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

As retailers embrace the cloud for its flexibility and convenience, they might want to also consider a very serious potential for loss of control. Legally, we’re talking three different types of control loss: Your loss of access to the data; your customers’ loss of the ability to access your services; and the potential for your confidential data to become government public records and to then find its way to your competitors.

Paranoid? Not any more. Recently, the U.S. Government, in cooperation with the Government of New Zealand, took down the copyright pirate site “MegaUpload” and had its founder arrested and detained awaiting extradition. Irrespective of the merits of the copyright infringement lawsuit, the government is now seeking to seize and possibly destroy all of the site’s content, including non-infringing content shared on the P2P site. Family photographs, video, documents or other records that merely reside on the site have already been subject to U.S. and N.Z. inspection, seizure and copying. Now it may be destroyed.

Add to this the fact that the U.S. Government may be introducing legislation allowing the government to “take over” companies’ IT infrastructure if it believes the company is not doing an adequate job of security, and we create just what merchants seeking to jump into the cloud don’t want—fear and uncertainty.

The MegaUpload case points out one of the problems with outsourcing, generally, and the cloud, in particular. As more content and activity migrates to the cloud, more unlawful activity will also migrate to the cloud. This is not just copyright infringement or botnets, but garden variety frauds, swindles and thefts.

In addition to illegal activity, other activities that governments may want to limit or suppress, such as online demonstrations, protests or political activity, will occur on cloud providers. A government may seek evidence from cloud providers, may seek to stifle or prevent activity or may seek to shut down or seize cloud providers or their customers’ data. If the government believes that the activity is systematic or, worse, that the cloud provider itself is engaged in unlawful conduct, the government may seek to seize all of the operations of the cloud provider.

The nature of cloud is such that it is likely to be subject to legal process and demand virtually (pun intended) anywhere. Thus, a U.S.-based entity, storing information or documents on a “cloud” provider with facilities in Denmark, Peoples Republic of China and South Africa may find its documents or records seized by law enforcement or other agents in any of these countries. With Mutual Assistance in Legal Affairs Treaties (MLATs), any country could ask the assistance of any other country to take down an offending cloud provider, seize the records and send them to the other country.

The problem is not always solved by geography. A U.S. customer of a U.S.-only cloud provider still runs the risk of either that provider or a user of that cloud running afoul of the laws in Bulgaria or Singapore, or that the U.S. Government on behalf of those requesting nations may take down that cloud provider and seize its “information assets.” Remember that the user may not have done anything wrong and may not be the subject or target of the seizure.

Years ago, I was involved in a case where a client wire-transferred funds from one bank to another, and the money travelled through the Bank of Credit and Commerce International (BCCI). Because BCCI was suspected of criminal activity, its assets were seized—and those assets included my client’s funds. The client lost their money, because the bank had committed an unrelated crime and the U.S. Government seized the bank’s funds. The same is true of the cloud.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.