Cloud hate: why Ottawa keeps losing our data

What’s the difference between the federal government and Facebook?


Part 2 of a four-part “Privacy Reality Check” series.  Click here for part one.

When it comes to privacy, what’s the difference between Facebook and the federal government?

Thumb drives.

Facebook wouldn’t dream of letting its employees use one.  Facebook’s massive library of personal data on its vast user base is its greatest asset.  It’s worth billions.  If Facebook employees could simply copy this information, or part of it, onto USB keys in order to take their work home, then it would only be a matter of time before Facebook’s biggest asset was leaked to the world.  Someone would sell or lose a memory stick, laptop, phone or hard drive.  It would show up online, we would all be exposed, and that would be it for Facebook.

Canada’s federal government has no such aversion to portable memory devices.  Canadian spy Jeffrey Delisle filled up his memory stick again and again with classified  military intelligence that he then shipped off to the Russians.  It took more than four years for these constant breaches to get detected.  A careless employee of Human Resources and Skills Development Canada lost a USB key with data on 5,000 other Canadians.  Even this failed to bring about a change in data-handling policy.  Soon a hard drive containing the sensitive personal information of 583,000 student loan borrowers went missing.  Nothing has changed.  The same thing could happen again today in dozens of federal government offices.

“It’s shameful and shocking,” says David Fraser, a privacy lawyer with the firm McInnes Cooper in Halifax.  Ottawa’s sloppy data hygiene, he believes, stems from a wrongheaded aversion to cloud computing:

“The government talks about ‘data sovereignty’ — the idea that data must stay in Canada. It’s a made-up concept. It’s a fiction that it matters where data is located. Then there’s a real phenomenon of ‘server-hugging,’ the erroneous belief that if you can go down into the basement of your building in Gatineau and see a server blink, you know where your data is. The truth is, you have no idea where copies are.”

The security benefits to cloud computing, says Fraser, are many.  There’s no need for employees to copy information on to local drives of any kind.  Any lost device, says Fraser, “would be stupid. They’re only a portal to the data.”  As for inside spies and internal threats, a centralized cloud service knows what’s going on — it knows who is looking at what and when.  It can automatically detect suspicious behaviour, and it can be audited when problems arise.  Neither Jeffrey Delisle’s spying or the HRSDC leaks could have occurred had cloud security been in place.

Perhaps an anti-cloud argument could be made regarding protection from malicious external threats.  But hackers were still able to compromise Finance Canada and the Treasury Board in January of 2011.  We never learned what the attackers got (more on this disclosure problem later) but the compromise was bad enough to force the government to completely shut off Internet access in some departments for months (which in turn forced federal employees on to Starbucks’ open WiFi connections with their work laptops!).

Whatever theoretical arguments you might lay out, there’s no getting around the superior track records of secure, private sector cloud data facilities over whatever rubber-band and chewing-gum solutions Ottawa’s disparate IT managers have cobble together.  Therein lies a clue to the true motivations for Ottawa’s provincial (sorry) aversion to the cloud.  Again, David Fraser:

“We have also seen privacy insecurity being used as a way to prevent outsourcing. Privacy becomes a prop to be used — a fear to pull on to advance a political position.”

It’s understandable that certain security workers in our government would say whatever they feel they must in order to protect their jobs.  But there’s no need for us to heed these arguments.  The money Ottawa would save taxpayers by using centralized cloud security are considerable.  But the most compelling reason for the public to demand this is of course because it’s our information they are putting at risk

I’ll leave you with another difference between Facebook and our government. We choose to give our information to Facebook.

We have no such option when it comes to government data collection.

NEXT: The leaks you never knew.  Why government doesn’t have to disclose privacy violations.

Follow Jesse on Twitter @JesseBrown




Browse

Cloud hate: why Ottawa keeps losing our data

  1. One problem with cloud storage is the Patriot Act.

    If the data is stored on any US server, it becomes allowable for them to take it, break any encryption, and use it as they see fit. Writing an article critical of the US gov’t here in Canada can land you on a no-fly list if that gets stored on a US server.. even if it’s never published.

    • This is certainly true, but there is no reason why the federal government couldn’t build an all-Canadian cloud for its own services. That is, other than cost. The truth is, privacy is held up as all-important, but it is actually less important than cost.

      • Certainly to this government. They might have to cut back on gazebos or S&R helicopter taxis to be able to afford good tech.

    • but (a) Canadian spies can look too, and (b) Canada shares lots of information with the US, and (c) the US shares lots of information with Canada. Privacy Commissioners across Canada have concluded that the Patriot Act worry is largely bogus.

      • Could you please point me in the right direction of where to find conclusions of Privacy Commissioners across Canada that the Patriot Act worry is largely bogus? Thank you.

    • The truth is that all the agreements are in place today so that even if the data is stored in a Canadian data center, the US authorities have the ability to access it given the appropriate conditions.

  2. It’s cultural all right, in healthcare privacy guidelines require the use of faxes instead of email for transmitting personal health information because technically an email transmission can be hacked while a fax transmission is supposedly secure. In practice though, emails don’t go to wrong addresses, they bounce back, whereas a slip of the keyboard sends a fax to the wrong number. Frequently faxes are sent to the wrong person because someone on a long list of numbers has moved and Dr. so and so’s number is now being used by Joe’s Duct Cleaning. Even when faxes go to the right places, they are typically shared machines in open office areas and easily misplaced among the clutter of junk faxes, faxes that got left behind, and so on.

  3. The minute you have anything online, so be sure, it is already somehow public. Even typing this comment is already known by the government. Any website you visit, including those such as of Nazi in Germany, or Radical Zionism Israeli, a Leftist Occupy Movement, or even the iranian Press TV is already known by the Government. There is no privacy what so ever. It is over with online privacy (Unfortunately).

  4. The Cloud offers security only if it’s your Cloud. If it’s Big Business’
    Cloud, especially a foreign Big Business Cloud, or you are not permitted access to that Cloud your information is not secure at all.

  5. Cloud services would store your sensitive data on a private-sector computer. Who will ensure that employees who come and go at that company are any more careful than government employees? What measures does a private-sector company take over what the government does that will make the data more secure than it is in government? The problem is still humans.

    New security measures are being taken in government all the time. New software prevents people from using thumb drives on their computers. Newer software will even erase the data on any unauthorized thumb drive inserted into government computers. Thumb drives given to employees are encrypted. Hard drives are encrypted. Access to databases is restricted. Access to networks is restricted. But many, many people work for the government and people will always be your variable.

    You might say that the same security measures could be done for the private-sector company who the government now will have to PAY to house the data on their servers. But, nevertheless, these measures may or may not stop a spy who is determined to get around the security.

    (Your argument is flawed from many angles, these are just a few comments.)

    • I completely agree with you. This article is more of a marketing campaign type. Especially, considering this quote from David Frasier’s profile on McInners Cooper website: “David advises and has represented Google Inc. before the Privacy Commissioner of Canada in connection with a range of matters “. Let’s move everything to the Cloud – more work for David.

    • Do you know that it was considered to be a “crazy” idea 150 years ago when smart people from all over the world started to pool their assets in a centralized repository and then monitor and protect those assets in a more secure and effective way then they were able to do on their own? The idea caught on because people started to realize that it was less secure to try and protect their assets with only their own limited resources and by pooling them it created more value for them.

      It was called a bank and unless you are currently stuffing cash in your mattress at night when you get home instead of saving for retirement with RRSP’s you will likely come around to this idea some day as well. There may even come a day when our kids may look back at this time and laugh about how the “crazy” people with tinfoil hats didn’t get it…

  6. “It’s a fiction that it matters where data is located.” I find it hard to believe that you of all people, Jesse, can have taken this claim seriously.

Sign in to comment.