Why NSA surveillance is a threat to British doctors and lawyers – Ross Anderson
Professionals using cloud services will have to guard against the danger of patients and clients being snooped on
So now the penny drops, and we all know why GCHQ has long refused to allow government departments to store information classified at “Restricted” or above in US cloud computing services. But what about the private sector? Well, Edward Snowden’s revelations are now causing something of a crisis in the IT industry as its international customers start thinking through the implications. In the past week I’ve heard of big firms reconsidering plans to spend hundreds of millions on services that would have been hosted in the US, as they start to realise that US agencies might snoop on their data and use it to tip off their competitors. US service firms now fear this will harm their growth, and it’s not just Microsoft and Google; many other companies such as Amazon, Salesforce and Rackspace could lose out.
But how will the Prism affair affect ordinary middle-class people in Britain, like doctors, lawyers, accountants and engineers? Surely we’re of no interest to the analysts at the NSA?
Where can I find a service that will guarantee to keep my confidential data in the UK? The information commissioner can’t help: data-protection law has “safe harbour” loopholes designed to allow US service companies to pretend that they follow European law, even when their own government won’t let them.
The third problem is that, even if a client is completely innocent of any wrongdoing, machine-learning algorithms can tar him with guilt by association. If a system just uses Bayesian probability, without paying attention to social context or legal rights, then it may well stigmatise any service that’s had anything to do with terrorists in the past. The implications for NGOs like Liberty or law firms like Bindmans are clear. If we don’t want to risk innocent clients ending up on no-fly lists and watch lists (or ending up on a list ourselves) then we shouldn’t use communications that the NSA’s search engines can devour. Bang goes your beloved BlackBerry, Shami Chakrabarti!
The fourth problem is that many people will fear they’re at risk from the US intelligence community even if they’re not. Last week I heard from a Greek colleague that a friend of his in Athens was raided by a local security agency, who told him that the Americans had tipped them off after reading his Gmail. That was surely nonsense. But if you’re a Greek secret policeman, and a suspect’s ex has tipped you off, then blaming the NSA is the perfect cover story. The world’s spies and secret policemen treasure their aura of mysterious power, and the paranoia this generates; it helps them to get information out of suspects, and money out of treasuries. Expect this meme to run and run.
Web services are leading us to put all our eggs in one basket, and governments everywhere are grabbing for the basket. Visitors to Russia can be forced to disclose laptop passwords at customs; while even less competent governments (like Syria’s) simply beat citizens’ Facebook and Gmail passwords out of them. And dear Theresa May wants to revive her communications data bill, to grant MI5 and the police the same access we now know GCHQ has via the NSA. (She doesn’t explain why the Americans won’t just share what they have with MI5 too, or whether they’ll really let Google and Facebook give foreign governments direct access to systems that can be used to spy on Americans.)
What next? It’s time for the British Medical Association, Law Society, Bar Council and other professional bodies to start thinking about the ethics of using cloud-based services for confidential client information. If Europe’s professions draw the line at making our client or patient data available freely to the US intelligence community, perhaps that might help create a market for online services that operate under European laws, that enable us to work ethically, and that serve small firms and individuals rather than just big firms and governments.