A cloud for grown ups?
Other human rights organisations often ask us what they should do when it comes to their infosec needs. Should they run their own mail server, or trust Gmail? Should they merge their calendars by email (!), via a local server, or by using some cloud solution?
We honestly don't know what to tell them. In fact, we are unsure of what we ourselves should be doing. We know that there are risks of keeping things local (e.g. lack of redundancy), and there are risks of data being stored beyond your control. At least with an outsourcing contract you can review the security and privacy issues, but with cloud services, you're stuck with boilerplate.
For years we've hoped for two developments to solve these problems:
- the spread of local server techniques (and we are excited by the Freedom Box idea!)
- the use of cryptography
In light of this, here's what we found to be so odd about Apple's most recent announcements at WWDC.
- They (again) announced that the next version of the operating system would include server capabilities (so people could administer their own calendar management for an organisation). But disappointingly, it is now separate from the version of the operating system that you'll get by default.
- They announced new disk encryption and communications encryption capabilities within both their desktop and mobile operating systems.
Why is this odd? Well, there's a bit of both solutions to the cloud problem, but so much is still missing. Consider a small human rights group and its potential use of these techniques:
- Devices can be encrypted so data is secured from seizure and theft
- Syncing of basic data can be done on a local server if properly administered
This is great for calendar and email. But what about a properly secure set of business processes? There is so much more to be done than just syncing mail and calendars.
We would have liked to hear that iCloud could also be run as a service on a local server. That is, we could set up our computer in an office to run the server version of OS X and we could then get all of our files/docs synchronised through this server. So in a sense, you could avoid having to send your data to Apple and instead do everything yourself. And if anyone could make this work, and make it work easily, it would be Apple.
But this was not mentioned in the Keynote or in any Apple announcements.
So, what about option 2: cryptography? What happens to your calendars on Apple's or Google's servers? They reside there in an unencrypted state. This is not ideal from a security perspective (depending on the threat modelling of course). There is a good reason for it to be unencrypted -- it allows access across multiple devices and services. You can access the calendar from your computer, your phone, and any other device without having to worry about compatibility and the complexities of key sharing.
If you are a journalist, a human rights campaigner, or even a lawyer, this setup is a terrible idea. If you are a privacy advocate who runs campaigns against Google and Apple, this is a ridiculous idea. If you run campaigns against the Chinese government, this is a dangerous idea.
But this is the great opportunity that Apple missed out on: it runs the devices, the operating systems, and the applications. It could design its word processing application to encrypt the data before uploading it to iCloud and then enable the downloading to the next device. It could do this with all its apps, services, and devices.
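To make the missing design concrete, here is an added example (not code from Apple or from this post) of what "encrypt before uploading, then enable the download on the next device" looks like. It assumes AES-256-GCM for the document and a per-device key under which the document key is wrapped; the provider stores only the sealed document and the wrapped keys, so it can neither read nor silently alter them. The sample document, labels and the "laptop/phone" scenario are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Blob is the only thing the cloud provider ever stores for a document:
// a random nonce plus AES-GCM ciphertext (which carries its own auth tag).
// No key is ever uploaded.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD wraps a 32-byte key in AES-256-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext on the device before upload. The label (for example
// the document's path) is bound in as associated data, so a blob stored under
// one name cannot be served back under another without detection.
func Seal(key, plaintext, label []byte) (Blob, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, label)}, nil
}

// Open decrypts a downloaded blob on the next device. It fails on a wrong key,
// a wrong label, or any modification of the stored bytes.
func Open(key []byte, b Blob, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, label)
}

// WrapKey is the "key sharing" step the post mentions: the document key is
// itself encrypted under a per-device key, and the cloud stores one wrapped
// copy per device. A device holding its own key recovers the document key;
// the provider, holding only wrapped copies, cannot. (Hypothetical scheme.)
func WrapKey(deviceKey, contentKey []byte) (Blob, error) {
	return Seal(deviceKey, contentKey, []byte("wrapped-content-key"))
}

// UnwrapKey recovers the document key on a device that holds deviceKey.
func UnwrapKey(deviceKey []byte, wrapped Blob) ([]byte, error) {
	return Open(deviceKey, wrapped, []byte("wrapped-content-key"))
}

func main() {
	// Constructed scenario: a laptop writes a document, a phone reads it back.
	contentKey, _ := NewKey()
	phoneKey, _ := NewKey()
	label := []byte("docs/board-minutes.txt")

	// On the laptop: seal the document, and wrap the document key for the phone.
	blob, _ := Seal(contentKey, []byte("Minutes: funding decisions for next quarter."), label)
	forPhone, _ := WrapKey(phoneKey, contentKey)

	// The provider stores blob and forPhone. Without a key it gets only an error.
	if _, err := Open(make([]byte, 32), blob, label); err != nil {
		fmt.Println("provider without key:", err)
	}

	// On the phone: unwrap the document key with the device key, then read.
	k, _ := UnwrapKey(phoneKey, forPhone)
	pt, _ := Open(k, blob, label)
	fmt.Println("phone reads:", string(pt))
}
```

The design choice worth noting is that the authentication tag does double duty: it stops the provider (or anyone who obtains its storage) from reading the data, and it also stops a modified or mis-filed blob from being accepted by the next device, which is the kind of guarantee a username and password on the server side never give you.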
Sure, there are inefficiencies in encryption, but wouldn't it be great to be given the option at least? A truly useful cloud would be one designed for grownups who have to consider information security risks. Instead, all we have is Apple copying Google and other cloud providers by just storing the bits, guarded only by something as banal as a username and password.
Can we start a conversation about a more useful cloud made for grownups?