Tuesday, June 25, 2013

Why NSA surveillance is a threat to British doctors and lawyers

Professionals using cloud services will have to guard against the danger of patients and clients being snooped on

Illustration: Satoshi Kambayashi. Photograph: Guardian

So now the penny drops, and we all know why GCHQ has long refused to allow government departments to store information classified at "Restricted" or above in US cloud computing services. But what about the private sector? Well, Edward Snowden's revelations are now causing something of a crisis in the IT industry as its international customers start thinking through the implications. In the past week I've heard of big firms reconsidering plans to spend hundreds of millions on services that would have been hosted in the US, as they start to realise that US agencies might snoop on their data and use it to tip off their competitors. US service firms now fear this will harm their growth, and it's not just Microsoft and Google; many other companies such as Amazon, Salesforce and Rackspace could lose out.

But how will the Prism affair affect ordinary middle-class people in Britain, like doctors, lawyers, accountants and engineers? Surely we're of no interest to the analysts at the NSA?

Yet some of our patients and clients surely will be. As well as being an academic, I also do occasional expert-witness work, mostly in computer forensics. A few years ago I had a defendant in a terrorism trial as a client. I cannot use a US webmail service if it will leak attorney-client conversations straight to the prosecution. Perhaps for such cases I'd better get on a train to London for a conference at the defence barrister's chambers, as we all did years ago. But as the Legal Services Commission is reluctant to pay for that any more, perhaps I'll have to have a separate email service for sensitive cases.

But you can't always tell in advance which cases might be sensitive. A client I recently helped to get acquitted of a rather dubious fraud charge turned out to be a refugee from a South Asian country whose secret police work closely with the Americans. This emerged only after I'd accepted instructions. So I'd better have a non-US service for all client work. But how can I tell which service to use? For years, BTinternet was outsourced to Yahoo. Where can I find a service that will guarantee to keep my confidential data in the UK? The information commissioner can't help: data-protection law has "safe harbour" loopholes designed to allow US service companies to pretend that they follow European law, even when their own government won't let them.

The third problem is that, even if a client is completely innocent of any wrongdoing, machine-learning algorithms can tar him with guilt by association. If a system just uses Bayesian probability, without paying attention to social context or legal rights, then it may well stigmatise any service that's had anything to do with terrorists in the past. The implications for NGOs like Liberty or law firms like Bindmans are clear. If we don't want to risk innocent clients ending up on no-fly lists and watch lists (or ending up on a list ourselves) then we shouldn't use communications that the NSA's search engines can devour. Bang goes your beloved BlackBerry, Shami Chakrabarti!

The fourth problem is that many people will fear they're at risk from the US intelligence community even if they're not. Last week I heard from a Greek colleague that a friend of his in Athens was raided by a local security agency, who told him that the Americans had tipped them off after reading his Gmail. That was surely nonsense. But if you're a Greek secret policeman, and a suspect's ex has tipped you off, then blaming the NSA is the perfect cover story. The world's spies and secret policemen treasure their aura of mysterious power, and the paranoia this generates; it helps them to get information out of suspects, and money out of treasuries. Expect this meme to run and run.

Web services are leading us to put all our eggs in one basket, and governments everywhere are grabbing for the basket. Visitors to Russia can be forced to disclose laptop passwords at customs; while even less competent governments (like Syria's) simply beat citizens' Facebook and Gmail passwords out of them. And dear Theresa May wants to revive her communications data bill, to grant MI5 and the police the same access we now know GCHQ has via the NSA. (She doesn't explain why the Americans won't just share what they have with MI5 too, or whether they'll really let Google and Facebook give foreign governments direct access to systems that can be used to spy on Americans.)

What next? It's time for the British Medical Association, Law Society, Bar Council and other professional bodies to start thinking about the ethics of using cloud-based services for confidential client information. If Europe's professions draw the line at making our client or patient data available freely to the US intelligence community, perhaps that might help create a market for online services that operate under European laws, that enable us to work ethically, and that serve small firms and individuals rather than just big firms and governments.

Guardian