Feeds

Don't be evil

Third party data dangers

Seven Steps to Software Security

A series of developments raise the specter that remotely stored or created documents may be subject to subpoena or discovery all without the knowledge or consent of the document's creators (pdf).

I have been playing around recently with Google's Documents and Spreadsheets. What Google documents and spreadsheets allows you to do is to create documents or spreadsheets (and soon probably presentations) completely online using no software other than a browser and an internet connection. No Microsoft Word, no WordPerfect, no Excel, nothing. All well and good. AFTER you create the document, however, you are supposed to store it on a Google server. Indeed, with virtually unlimited storage, a company could theoretically store all of its documents on Google's servers - all with nothing more than a GMail user ID and password for security. What is even better, all of your documents and spreadsheets would be automatically indexed using Google's software, making it easy for you to locate your documents no matter where you are - as long as you have an Internet connection and can remember your GMail password. Very convenient, but would you do it?

Put aside the security aspects of remote storage of documents. Remember, irrespective of the amount of physical and logical security on the Google servers, ultimately your documents are going to be only as secure as your GMail password - and if you store your password somewhere, maybe not even that secure. I am not even sure that you can encrypt the documents you create on Google documents and spreadsheets - at least not with the software provided by Google - and encryption kind of defeats the purpose of indexing and quickly finding relevant documents.

Add to the security issues the host of legal issues raised by remote storage generally. Whenever records or other evidence is housed with a third party, you have not only increased the likelihood of data access, you have created a new entity with physical or logical possession of your records. Who "owns" your records? Who has a right to access them? Who has "possession" of them? Who has "control" over them? Who must produce them if there is a subpoena, search warrant or other court order? Suffice it to say, when you lose "possession" of the documents, you lose control over what happens to them.

Possession, Custody and Control

One of the biggest problems in the area of computer security is the fact that the law doesn't really distinguish between physical property and intellectual property. The same law which relates to, for example the possession of the murder weapon, also relates to the possession of information about the murderer. Intellectual property is just property. If you "have" it, you can be compelled - through various legal processes - to give it up, both in civil litigation, criminal investigations, administrative hearings, internal reviews, etc. Thus, the same law that allows law enforcement agents to get information about you with a court order or subpoena would allow a husband or wife to get the same information in divorce litigation. Unless the information is privileged (and in many cases even if it is) the entity that "holds" the information must pony it up. The law recognizes that an entity has a legal obligation to produce any materials within its "possession, custody or control." Such possession, custody or control can be physical possession (the gun in the footlocker), legal authority to produce, or in this case, "virtual" possession.

So whenever you entrust your information to some third party, you give up control over the information, and give up to some extent "possession" of that information. For some kinds of records this loss of control is inevitable. When you surf the web, you must transmit information about yourself through your browser to the web. When you send or receive e-mail, the information necessarily travels through some Internet Service Provider somewhere. Sure you can encrypt some information - you can use anonymizers to try to hide what you are doing, but in any event the information necessarily travels outside of your control. The anonymizer or "holder" of the information can be compelled to give up the information in the face of a subpoena or court order.

There is nothing fundamentally new about any of this. What is new is the fact that there is so much information about us held in the hands of third parties which never existed before. I am not talking about weblogs or Myspace postings that I voluntarily put out. Every book I read online, every song I download, every video or radio show I stream, every article I peruse creates a third party record which can be discovered.

Mobile application security vulnerability report

Next page: Physical Location

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.