Internet Privacy and the Free Lunch

Posted on

As technology evolves more and more enterprises are adopting online collaboration applications within the workplace. Not so long ago, such a practice was considered only for home users and technology geeks. Security was the main concern back then, and vendors such as RIM and its blackberry service did a magnificent job of providing an email and messaging service, which is considered secure.

In fact, the platform is so secure that service providers carrying the service have no visibility of the messaging platform whatsoever. Corporations suddenly had a secure mobile messaging platform which ticked all the right security boxes. Yes, life was simple back then. We got up and went to work, logged onto our computers, opened the locally installed applications and accessed the data stored on the server in the back office, and got on with our day.

However, something started to change, the mobile workforce. The notebook computer of the 2000’s was the last generation of portable computers to be called a laptop. It weighed about the same as a pile of bricks and the battery would only last for a hour, and if you could tolerate the heat it emitted while resting on your lap, you could also become sterile! The cost of a laptop computer was nearly three times that of a comparable desktop computer.

Therefore, only the top executives or elite got one, and they were seen as a fashion accessory, since everyone at the CxO level had a PA or secretary to answer or write correspondence. Once laptops became smaller, more portable and cheaper, the VPN came along to tether them back to the office, and provided secure access to email, files and applications. The concept of mobile workforce is nothing new, insurance companies, banks and sales organisations have been doing it for decades.

What has changed is the efficiency with which these organisations operate. The efficiency has been enabled with technology. Today, every mobile sales person uses a notebook computer, and this has meant the demise of the branch office as the hub of collaboration. Today, entire global organisations have slashed costs and increased productivity and efficiency by having their staff operate from home, the airport, on the road, wherever.

Gone are the days where you clocked out at 5pm and forgot about work until the next day. Technology has meant that we never really stop working, or thinking about it, even on vacation. Fast forward to 2012, the corporate data centre is being replaced by cloud computing. Entire data centres are being virtualized and the mobile workforce is connected to shared resources hosted on the Internet, rather than the corporate HQ.

It would seem today many multinationals have thrown caution to the wind, by embracing cloud computing and the third parties, which host their sensitive corporate data. Organisations are supporting BYOD from employees, relaxing the security protocols, which were once in place and basically trading security for operational efficiency and ease.

What has fascinated me about this transition is witnessing the changing mindset of corporations. Going back some ten years, multinationals would not even entertain the thought of a third party managing its data, let alone, the concept of keeping it all in the cloud. Like everything, cloud computing has its merits and demerits. This article is about technological revolution and how much we are willing to compromise.

Let us look at four scenarios where cloud computing can be compromised, impacting enterprises.

1. Corporate Espionage

Today, Skype and other online calling services are being used more and more for business purposes. The convenience and costs are incredible, a video or audio conference can be setup in seconds and the quality is pretty good as well. However, even though Microsoft, which owns Skype, doesn’t record conversations, the vendor keeps all session information for quality purposes. The vendor may share this information with a third party to improve the quality of the service.

There will be a wealth of information reported such as the IP address, user name, computer equipment type, number of calls, duration and location. So, now an unknown third party knows your IP address schema, internal and public, the types of computer on your network, which parts of the world you call and how often. If you are using instant messaging services, then the chat conversations are also available in an unknown public arena. Do you care? IBM recently stopped its employees from using Apple’s SIRI voice application on its iPhone smartphone, since Apple would not conform to anonymizing the user session information.

In a cloud environment this is no different. Even if your workforce connects to a dedicated virtual server appliance using encryption, the source and destination IP addresses are still available, and the volume of traffic per session are still available from firewall logs operated by a third party. From a forensics point of view, I know where your sales force are located on the globe, and if an increase of data activity in a specific region occurs, could also provide a valuable indicator for a compeditor

2. Loss of Data (Intellectual Property)

Let us say you move your entire CRM operations into the cloud. You can decrease your operational costs by not having to maintain IT staff and data centres. For your sales force, this is the goldmine, which keeps your business running. Something happens to your cloud provider, a new unknown virus sweeps through all the hosted virtual servers wiping out your data in its path. In the old days, a backup tape could get you up and running after some outage.

But, let us say the provider’s automatic backup and the snapshot you made in the cloud are both dead. What then? Amazon EC2 experienced an outage in one of its data centers, admittedly it managed to restore service quite rapidly. However, ultimately you are at the mercy of the provider, if you don’t have a solid local backup solution. How quickly can you restore a local backup, do you have a disaster recovery solution which is tried and tested?

3. Criminal Prosecution

In the good old days if your organisation was suspected of any unfavorable activities, authorities needed to secure a search warrant, seize computers and you generally got the impression that something was going down. Today, under the United States’ wide-ranging search and seizure terrorism laws, a third party hosting your data is obligated to open the back door into your operations, and most likely without your knowledge.

What happens to your sensitive data once, it has been thoroughly reviewed and found to have no impact on the investigation? Data is promptly deleted erased and forgotten about, obviously! This is the major reason why European companies are so slow on cloud computing adoption. The European privacy laws just don’t translate internationally.

4. Privacy

As the cost of Megabyte of storage becomes less and less, your browsing history, online documents and social networking connections, both personal and professional are interconnected, working in tandem to construct a profile of who you are. From the online holiday tickets you buy each year to the fishing tackle box you paid for using paypal, all the descriptions and details of your online activity is recorded and stored, forever. Cross referenced against your business connections and activity these third parties can calculate how much you earn and even when you are paid.

The free lunch!

Is there such a thing as a free lunch, when it comes to the Internet? You can be forgiven for thinking there is. Free 5Gb of disk storage, free Internet calling, free email account, free instant messaging, all these things come at a cost, your privacy. Who would have believed twenty years ago that something as trivial as your email address would be worth something to someone.

Targeted advertising, based on your buying habits are designed to channel as much of your spare change in the direction of the advertisers who collect, store and correlate your online activity. With a billboard on the side of the road, the advertiser doesn’t know how effective the advertisement is, how many people called as a result of seeing it. With online advertising, confirmation of success is based on a mouse click, so the campaign can be tuned instantly to be more effective. Do you care?