Prison or “Prism”? Your data in custody

“Send your data into the cloud and make it... vaporize” was the title of one of our Bulletin articles in 2011. We were not precise enough. We should have entitled it “Send your data into the cloud and make it… available to a national security agency”.
What has long been feared has just been confirmed by whistleblower Edward Snowden: with ties into Microsoft, Google, Facebook, Apple, Skype, AOL and Yahoo, the NSA (U.S. National Security Agency) “Prism” surveillance programme has been monitoring e-mails, chats, videos, photos, stored or transmitted data and video conferences, primarily those made by foreigners using those services. So our data is trapped there now… and analysed.

But it is not only trapped with the NSA. If you've synchronized your files, music and photos with Apple’s iCloud, Microsoft’s SkyDrive or Dropbox; received phone calls or messages via Skype*; managed your e-mails with Gmail or Hotmail; or installed third-party apps on your smartphone; be assured that your data has already been analysed. This is the primary business model of Google, Facebook or Dropbox: they take apart your private data in order to profile you and your interests, identify your consumer preferences, and strip your digital being into a statistical pattern of zeros and ones. Scientia potentia est (“knowledge is power”) – but only for those companies.

So let us encourage you once more to review the implications of using cloud services for work purposes and in your private life. Data privacy is our own responsibility – particularly when dealing with data in the possession of the Organization. Make sure that you do not leak sensitive documents or personal files to those services. This includes data provided to convenience applications such as URL-shortening services (e.g. TinyURL.com) or online questionnaire tools (e.g. SurveyMonkey). Avoid installing programs on your PC that synchronize with cloud storage (like the “Dropbox” plugin), and do not use peer-to-peer applications that export the contents of certain local folders onto the Internet. “Don't let your mail leak”, especially when automatically forwarding e-mails from your CERN address to an external mail provider like Hotmail or Gmail.

Instead, remember that CERN provides similar services too (admittedly, not always with the same level of convenience, but in return much better controlled). Your CERN mailbox is also available from the Internet, as are your files stored on DFS or AFS. The CERN GO and Sharepoint services provide URL-shortening tools and tools to create questionnaires, respectively. Remote log-in is possible through the LXPLUS cluster or the CERN Windows terminal service. So why not use a service you can trust and which complies with CERN's rules (such as the CERN Security Baselines and the upcoming CERN Data Protection Policy)? Check the different ways of connecting to CERN from the Internet here.

Finally, be aware that browsing the Internet is not an anonymous activity. Depending on which browser you use, it already exposes lots of information: the local language, time zone, screen size, installed plugins, available system fonts, etc. As these settings can vary significantly, the probability of you and me having exactly the same combination of settings is very low. Ergo, this information can be used to pinpoint your browser and uniquely identify you when browsing the web… If you don’t believe it, check out Panopticlick, and note that some browser plug-ins (e.g. “Stealther”) or security settings (e.g. “In Private” browsing) might change the odds in your favour. Also note that, if you are logged in with your Google or Facebook account, they can profile your activity even outside their domains. This is mainly due to the wide use of Google Ads/Analytics and Facebook’s “Like”-button: the embedded code directly feeds back into your Google and Facebook profile… For a bit more privacy here, log out whenever you don’t need to be logged in and consider installing something like the “Ghostery” plug-in in your browser.
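To see why the combination of settings is what identifies you, here is an added example (not code from this article or from CERN) that scores a browser's settings in bits of identifying information the way Panopticlick does, over a constructed sample population; the attribute names and values are assumptions for illustration.

```javascript
// Constructed sample population (assumed values, not real measurements): what a
// page can read via navigator.language, Intl.DateTimeFormat().resolvedOptions()
// .timeZone, screen.width/height, navigator.plugins and font probing.
const POPULATION = [
  { language: "en-US", timezone: "Europe/Zurich",    screen: "1920x1080", plugins: "pdf",       fonts: "arial,verdana" },
  { language: "en-US", timezone: "Europe/Zurich",    screen: "1920x1080", plugins: "pdf",       fonts: "arial,verdana" },
  { language: "fr-FR", timezone: "Europe/Zurich",    screen: "1920x1080", plugins: "pdf",       fonts: "arial,verdana" },
  { language: "en-US", timezone: "Europe/Zurich",    screen: "1366x768",  plugins: "pdf,java",  fonts: "arial" },
  { language: "fr-FR", timezone: "Europe/Paris",     screen: "1366x768",  plugins: "pdf",       fonts: "arial,verdana" },
  { language: "en-US", timezone: "America/New_York", screen: "1920x1080", plugins: "pdf,flash", fonts: "arial,verdana,calibri" },
  { language: "de-DE", timezone: "Europe/Zurich",    screen: "2560x1440", plugins: "pdf",       fonts: "arial,verdana" },
  { language: "en-US", timezone: "Europe/Zurich",    screen: "1920x1080", plugins: "pdf,java",  fonts: "arial,verdana" },
];

// Canonical fingerprint key: attributes sorted by name and joined, so the same
// settings always give the same key. Trackers usually hash this string, but
// hashing changes nothing about how identifying it is.
function fingerprint(attrs) {
  return Object.keys(attrs).sort().map((k) => `${k}=${attrs[k]}`).join("|");
}

// Bits of identifying information in one value: -log2 of the fraction of the
// population sharing it (the per-attribute number Panopticlick reports).
function surprisalBits(population, key, value) {
  const sharing = population.filter((b) => b[key] === value).length;
  return -Math.log2(sharing / population.length);
}

// Per-attribute breakdown plus the combined score: -log2 of the fraction of
// browsers sharing the exact same key. Unique means nobody else in N shares it.
function report(population, attrs) {
  const perAttribute = {};
  for (const key of Object.keys(attrs)) perAttribute[key] = surprisalBits(population, key, attrs[key]);
  const fp = fingerprint(attrs);
  const sharing = population.filter((b) => fingerprint(b) === fp).length;
  return { perAttribute, combined: -Math.log2(sharing / population.length), unique: sharing <= 1 };
}

// A common configuration (shared with one other browser) versus one that differs
// from it only by an extra plugin: that single extra detail makes it unique.
console.log(report(POPULATION, POPULATION[0])); // combined: 2 bits, unique: false
console.log(report(POPULATION, POPULATION[7])); // combined: 3 bits, unique: true
```

Each attribute of the last browser carries under one bit on its own (most of the sample shares its language, time zone, screen and fonts), yet the combination carries the full log2(8) = 3 bits that single it out; the per-attribute bits do not simply add up because the settings are correlated.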

For further information, please contact the Computer Security Team or check our website.


* Microsoft, the new owner of Skype, was recently caught out: when users are “sending HTTPS URLs over the instant messaging service, those URLs receive an unannounced visit from Microsoft HQ in Redmond”. Microsoft claimed that this is to filter out spam and phishing websites, but this argument has not convinced security experts.


by Computer Security Team