26.1 Cloud Privacy

20210507 In general, unless you ensure your data is encrypted in the cloud, your data is accessible by the cloud host, government, and criminal entities. We should store our data encrypted at all times. Unfortunately, there appear to be legislative attempts to access our data at the point where it is not encrypted (when we use or view the data), and that access point can then also be compromised by criminal entities. Be vigilant.

For a while, US cloud compute companies fought in the US courts against action by the US government to access data held within data centres overseas. Whilst this was underway, the US government introduced the CLOUD Act (2018) to clarify that the US has the right to request this data wherever it is. The cloud compute companies accepted this, despite the risk it posed to their business model.

The Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) is a United States federal law enacted in 2018 by the passing of the Consolidated Appropriations Act, 2018, PL 115-141, Division V. The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil. (Wikipedia 20210507)

Ensuring that all of your data in the cloud is encrypted is important.

However, this is not enough. At some stage you need to decrypt your data to make use of it. This is where the Australian Government stepped in to require technology companies to hand over data once it is decrypted by the user. This came into effect in 2018 with the Assistance and Access Act 2018.

Under the bill, designated communications providers (which include … anyone who develops software likely to be used by a carriage service or an electronic service with end-users in Australia …) can be ordered to assist in intercepting information relevant to a case, either by means of an existing capability if possible (Technical Assistance Order, TAO), or being ordered to develop, test, add, or remove equipment for a new interception capability (Technical Capability Order, TCO). (Wikipedia, 20210507)

This suggests that the Government can demand, in secret, that a tech company include a mechanism for access to decrypted data in their otherwise encrypted apps, something that we call a backdoor. Whilst the encryption itself is not interfered with, once decrypted on the user’s device, a backdoor can provide access to the otherwise private data.

At a National Press Club talk in 2024, ASIO and the Australian Federal Police noted that this part of the Act has only been used once. Perhaps that means there is one encryption-based app in Australia that may have such a backdoor, though we cannot be aware of it.

Unfortunately, it is also likely that if there are backdoors in apps then they will be exploitable, eventually, by criminals too. The Act explicitly prohibits a backdoor to the encrypted data, but not, apparently, a backdoor to access the data once it is decrypted.

It is quite a dilemma we face with today’s digital world. Law enforcement must be able to do its job in protecting our society, doing the will of the people, and ensuring our freedoms. Yet, we also require it to be done in such a way that it does not enable criminals to act against our society and our freedoms through the same mechanism.



Copyright © 1995-2022 Graham.Williams@togaware.com Creative Commons Attribution-ShareAlike 4.0