Unless you have been under a rock for the last week it was impossible not to notice the uproar regarding the Guardian’s story on alleged information collection , allegedly called PRISM that –again allegedly- involved several major cloud service providers. The most detailed and nuanced piece so far – but it is only Sunday when I am writing this – is this one from the Washington Post.
As at this stage many things are unclear and some reports may be incorrect, I – for one – have not decided whether I will move my personal information from the many US based providers that I use in my personal live to local alternatives. But in this blog I do want to share my (strictly personal) views and thinking on the topic and explore potential alternatives. As usual I will stay far away from any politics in my blogs (something that must be doable given that the public reactions from different political sides are so varied and diverse).
Till today , individuals – like myself – often took a relaxed view towards protection of their privacy, using phrases like: “Well, nothing I do here is secret or illegal, so if they wanna peak, no problem”. But illegal in an international context is a relative term. Think of copyright law, where what is legal in one country (for example downloading copyrighted materials for personal use), leads to several year of incarceration in other countries, or think of controversies around travel of people carrying a certain disease or -maybe in the future – a certain gen, or of people of a certain origin. Currently the – already controversial – access to this data is only permitted for anti-terrorism and not for fraud-related or other criminal investigations. But we need to take into account that regimes may change and that as a result also this applicability can change (for example the detailed and accurate paper-based administration systems of local government entities in my country lead to significant, unforeseen and unintended harm following the regime change during WWII).
The increase of control that comes with massive centralized data-processing always carries some drawbacks (as Nicholas Carr – again with remarkable timing – republished just prior to all this hitting the press) and use of alternatives may to some extend be similar to the now famous statement about Democracy: Democracy is far from ideal, but it sure is better than any of the alternatives tried so far. For those individuals who want to try an alternative, here are some thoughts on cloud services to replace the ones currently under scrutiny or discussion.
- Email: Most of the providers listed as part of the program deliver (free) email services. Many European individuals started using these because they delivered convenient webmail that did not tie email addresses to a particular ISP (and thus allowed changing internet provider without being locked in to their proprietary email domain name). Maybe it is time to reconsider ISP-provided email, but at the same time investigate the use of your own domain name (which makes your email a lot more portable). Make however sure that the mail provider your choose is not just owned by a European company , but that it runs under European jurisdiction (for example a European owned mail alternative I looked at turned out to be “a corporation organized and existing under the laws of the State of Delaware”).
- VoIP Calls: Although leading consumer VoIP provider Skype started from Luxembourg, it is now part of a US headquartered corporation. Also most alternative voice and video calling solutions come from US based companies (with some even limiting their services to US based consumers only). Although European Telco’s have been talking about offering VoiP based alternatives to their regular mobile and fixed voice services, only very few have gone to market yet (check you local providers for possibilities) and even fewer offer it as a cost effective alternative for international calling.
- Social Networks: Up to a few years ago most leading social networks in Europe were national providers, but today Facebook is very much the name of the game. If it was not for editorial independence a media corporation like the Telegraaf group might consider leveraging the current media driven FUD to drive local consumers back to the recently acquired (and formerly leading) social network Hyves. However, moving to a new social network all by yourself is not a very social thing to do (and kind of defeats the purpose of a social network) so some group orchestration may be required.
- Short Message Services: So far the reporting did not mention any short message services , such as WhatsApp, Instamessage, Viber etc. Nor did it include other new web destinations becoming popular with the under 20ties (as their parents took over on Facebook) . Many of those however, such as Instagram and Tumbler have been recently acquired by the named providers. Twitter is a chapter by itself as most activities on Twitter are public by nature (and unlike some other providers they have put up a brave fight to keep their private services private).
- Professional Networks: Also professional networks, like LinkedIn have not been explicitly mentioned so far (likely because the job market for the type of activities under investigation does not rely on these types of services ), but here some local alternatives do still exist. Unfortunately the alternatives are often very local (limited to one language area) and do not help much in an increasingly pan-European or inter-continental job market.
- Dropbox: I could have used the more neutral term file replication here, but DropBox has – in a remarkably short time – pulled a Xerox on the market and made its brand name the generic name for these types of service. Alternatives do exist – from independent European companies as well as from Telco’s and ISPs and even from providers of networked hard disks. Maybe this is a good time for companies – who so far largely turned a blind eye towards the (shadow) use of such services, to offer internal – but just as convenient – alternatives to their employees.
- Cloud IaaS/PaaS Providers: Also these have not yet explicitly been mentioned. Maybe because the typical consumer does not use these providers to build their own personal photo of file storage and sharing facility (mainly because higher level alternatives like Flicker and DropBox are so much more convenient to achieve the same result). Also these lower level services offer a lot more options for the user to protect his own data (like using encryption). Regardless of these consideration, this area is a domain where several local alternatives do exist, both at a national and a pan-European level. Some of these providers are even global offering services from facilities they run in “neutral” – but latency-wise quit closeby – locations like Canada or Switzerland.
So far most of the discussion has been about individuals and their data. The interesting thing is that the European Data Protection Directive has implemented the roles of Data Subject, Data Controller and Data Processor. For individuals (Data Subjects) the cloud service providers mentioned in the current media hype are in many cases both the Data Controller and Data Processor. For companies using these same cloud service provider firms, they themselves remain the Data Controller, while their customers and employees are the Data Subjects and the Cloud Service Providers are the Data Processors (which – according to my limited legal knowledge – can significantly change the applicable law and the entity held eventually responsible).