While SpiderOak canary defies NSA, CIOs ponder their privacy bind

CIOs battle their own privacy demons as SpiderOak and other vendors attempt to protect customer data from NSA snooping. Also in Searchlight: Cisco cuts 6,000 jobs and the Internet could grow too large for its gear.

Edward Snowden's lengthy interview in Wired's September issue has been making the rounds online this week, in no small part thanks to his revelations about the National Security Agency's MonsterMind program and his provocative statements ("I'd volunteer for prison, as long as it served the right purpose."). The feature's not-so-subtle flag-nuzzling cover photo didn't hurt, either.

It's not just the famed whistleblower lashing out: The list of vendors making a stand against the NSA's backdoor probing grew this week to include SpiderOak. The Dropbox competitor put a "warrant canary" -- an allusion to the infamous "canary in the coalmine" -- into action to alert users when the government is looking at the company's customer data.

SpiderOak's focus on privacy, particularly its "zero knowledge" service, has been lauded by Snowden. The client-side service encrypts user data before storing it on its servers, meaning that no one on SpiderOak can access it -- nor can the government without a warrant for users' unique encryption keys. Unfortunately, once presented with a gag order to access user data, SpiderOak can't inform its customers, which is where SpiderOak's warrant canary comes in:

  • Its canary takes the form of a specific plain text, authenticated by three GPG keys.
  • The GPG signatures belong to three different remote signers, selected based on geolocation.
  • If everything is running smoothly, SpiderOak will republish the page every six months. If it doesn't republish, it means the government or other entity has viewed the user's data.
  • If any entity tries to force a backdoor in SpiderOak, it will also have to force all three signers to sign a message on the page at a specific moment in time.

Six months might seem like a long timeframe to republish a canary, the company says, but it takes a while to contest legal cases such as a National Security Letter, or to verify potentially bogus claims.

Snowden's piling disclosures, coupled with the rallying of SpiderOak and companies of its ilk, signal growing privacy concerns among technology service providers and vendors, but there is an equally disturbing privacy dilemma faced by CIOs and CISOs, particularly in this age of big data.

CIOs are frequently charged with developing services that turn their company's customer data into new revenue streams. Sure, the NSA values customer data for starkly different reasons than, say, a clothing retailer, but it comes down to data, in some cases, being viewed and used without the knowledge or permission of said customer. SearchCIO expert contributor and CTO Niel Nickolaisen tackled the issue in his recent piece on the line between the economic value and privacy risks of digital tracking, in which he asks, "How do we each manage the two sides of digital tracking? Do we prefer privacy over the clear economic value of customer intimacy?"

searchcio, searchlight, news, roundup, logo

SpiderOak's canary tactic helps it protect customer privacy within the confines of a government gag order, but how will CIOs and CISOs secure client data when profit is a focus? What can CIOs do to safeguard customer privacy when CEOs are telling them that part of their job is to make money through data mining? As Nickolaisen points out, customers can opt out and regulations may force privacy to take precedence over profit, but "it is certainly time to start experimenting with potential solutions."

CIO news roundup for week of Aug. 11

Security standards aren't the only tech news on CIOs' radars this week:

  • Networking giant Cisco announced plans to slash 6,000 jobs from its workforce amid sluggish sales of its high-end routers and switches. What could this market shift toward less expensive hardware mean for enterprises?
  • Apple released a diversity report on its workforce this week, which revealed -- like its counterparts Google, Facebook and LinkedIn -- that the company, particularly its tech sector, is predominantly white and male.
  • Could the next Y2K be nigh? Internet specialists speculate that the Internet will soon outgrow its trappings. Technicians are reporting that the total number of worldwide Internet routes is nearing or has already reached 512,000.
  • Listening to your elders is wise -- except perhaps on certain matters of technology. For that, we can turn to a 6-year-old. At least that's what a U.K. study on tech savvy revealed.
  • Most know that cigarettes are bad for our health and the environment, but did you know that their filters make pretty great supercapacitors? "Think of it like static electricity from wearing wool socks on carpet," says Popular Science's Kelsey D. Atherton.

Check out our previous Searchlight roundups: Use Russian hackers to demand better security and Are CIOs standing in the way of a proactive security strategy? on SearchCIO.

Next Steps

EMC's Coviello takes on NSA-RSA allegations at RSA 2014

FAQ: How businesses can combat data surveillance requests

The Data Mill on metadata's role in NSA surveillance

Dig deeper on Enterprise data security and privacy

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Related Discussions

Francesca Sales asks:

How do you balance customer trust with the value of customer data?

0  Responses So Far

Join the Discussion

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCompliance

SearchHealthIT

SearchCloudComputing

SearchMobileComputing

SearchDataCenter

Close