1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

Penetrating the cloud

Ben KnightNovember 1, 2013

The fury of the Internet giants over the latest NSA revelations is understandable, given that data security is fundamental to their business models. However, cloud networks are prone to attack by their very nature.

https://p.dw.com/p/1AA5P
GettyImages 171973706 Telecom network cables are pictured in Paris, on June 30, 2013. The European Union angrily demanded answers from the United States over allegations Washington had bugged its offices, the latest spying claim attributed to fugitive leaker Edward Snowden. German weekly Der Spiegel said its report, which detailed covert surveillance by the US National Security Agency (NSA) on EU diplomatic missions, was based on confidential documents, some of which it had been able to consult via Snowden. AFP PHOTO THOMAS COEX (Photo credit should read THOMAS COEX/AFP/Getty Images)
Image: AFP/Getty Images

The US giants that rule the Internet were enraged by the latest revelations about the National Security Agency's activities. "We do not provide any government, including the US government, with access to our systems," Google's chief legal officer, David Drummond, responded to the Washington Post story, before assuring the world's Gmail users, "We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."

Google and Yahoo have a good reason to be furious - the thought among users that private data could be compromised represents a direct threat to their business models. "There are a lot of security concerns about cloud computing anyway, and companies, like Google and Yahoo, have spent lots of money trying to reassure people that it is secure," said Carl Miller, research director of the Center for the Analysis of Social Media (CASM) in the UK. "And there's a burgeoning industry of cloud encryption that is trying to monetize all those concerns."

David Drummond, Senior Vice President and Chief Legal officer of Google, addresses the 62nd World Newspaper Congress in Hyderabad, India. Three Google executives, including David Drummond, were convicted of privacy violations by a judge in Milan, Italy, Wednesday, Feb. 24, 2010, in allowing a video of an autistic boy being abused to be posted online, a case that has been closely watched in Italy for its implications on Internet freedom. Judge Oscar Magi sentenced the three to a six-month suspended sentence and absolved them of defamation charges. The trial had been closely watched since it could help define whether the Internet in Italy is an open, self-regulating platform or if content must be better monitored for abusive material. (AP Photo/Mahesh Kumar A., file)
Drummond expressed Google's outrage over the revelationsImage: AP

Bypassing encryption

As if to address that threat, Google's Drummond also said in his statement, "We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links."

But encryption may not be the weak point. By their very nature, networks like the one that Google relies on have to trade off security for smooth service. "They build these huge 'cloud' networks," Falk Garbsch, spokesman for German digital rights group Chaos Computer Club, explained. "The trick is that you have to hold the data wherever the user is - if I have an email account in Germany I also want to access it in the US, but if every data retrieval happens via the transatlantic underwater cables, then it slows down the network connection. So Google and Yahoo exchange data between the data centers."

In other words, Google keeps a number of data centers - often big enough to occupy an entire building - all around the world. When data is transported, it is encrypted before it leaves and then unencrypted inside another data center. To hack that data, Garbsch thinks it is likely that the NSA would try to attack the point where the encryption happens.

"One problem with cloud systems is that you need one point within the data center with unencrypted data - the data center needs to be able to read the data in order to organize it and show it," he said.

This undated photo provided by Google shows a Google data center in Hamina, Finland. The Washington Post is reporting Wednesday, Oct. 30, 2013, that the National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world. The Post cites documents obtained from former NSA contractor Edward Snowden and interviews with officials. (AP Photo/Google)
Google keeps a network of vast data centers around the worldImage: picture-alliance/AP/Google

Prisms and court orders

It is not (yet) publicly known how the NSA was able to attack this network. "There are several possibilities," said Garbsch. "Either I get access to the actual building somehow - either via laws that allow me do it as a secret service, or I break in, or I have employees inside to install some kind of hardware that provide a connection to the outside."

The most likely scenario is that the NSA gets a court order on the company which provides Google with its fiber-optic cables - Level 3 Communications - which would then be forced to install special devices that contain prisms to divert the cables light signals - without Google's knowledge.

The NSA can also use the structure of the cloud network to circumvent the law. "The NSA is not allowed to investigate domestically, just as we in Germany have intelligence agencies that aren't allowed to investigate domestically," said Garbsch. "So in this case it appeared that the NSA worked together with the British agency GCHQ to access British data centers and then sent back information to the US - so technically this was data not sent within the US."

A new National Security Agency (NSA) data center is seen June 10, 2013 in Bluffdale, Utah. The center, a large data farm that is set to open in the fall of 2013, will be the largest of several interconnected NSA data centers spread throughout the country. The NSA has come under scutiny after two large scale data survalliance programs were leaked to the press. (Photo by George Frey/Getty Images)
The NSA likely targets the points where data is unencryptedImage: Getty Images

The end of state paternalism

CASM's Carl Miller thinks this latest story is another illustration of a much wider change in perceptions about government. "This is all ending the idea of security paternalism," he said. "In the last couple of decades we've undergone a radical shift in our expectations of government. The boundaries between government and people have got a lot more porous - in whatever policy area. People want to have more of a stake in how policy is made."

Edward Snowden's leaks about the NSA, Miller argues, represent an attack on the highest taboo of government control - national security. "What Snowden has done is drag the last bastion of this paternalistic model of policy-making into the light," he said.

But Miller also warned that it may take a while before the public debate on surveillance is truly open. "What is happening at the moment is that the security community is digging in under the bombardment of all these revelations," he said. "We haven't had any kind of balance. Security officials feel too legally and morally constrained to be able to talk openly about why they're doing the things they're doing, which means that the civil liberties groups are getting more frustrated and exasperated - it's so radically polarized that there doesn't seem to be any way we can maturely move forward at all."