Feeds

Don't be evil

Third party data dangers

Choosing a cloud hosting partner with confidence

A series of developments raise the specter that remotely stored or created documents may be subject to subpoena or discovery all without the knowledge or consent of the document's creators (pdf).

I have been playing around recently with Google's Documents and Spreadsheets. What Google documents and spreadsheets allows you to do is to create documents or spreadsheets (and soon probably presentations) completely online using no software other than a browser and an internet connection. No Microsoft Word, no WordPerfect, no Excel, nothing. All well and good. AFTER you create the document, however, you are supposed to store it on a Google server. Indeed, with virtually unlimited storage, a company could theoretically store all of its documents on Google's servers - all with nothing more than a GMail user ID and password for security. What is even better, all of your documents and spreadsheets would be automatically indexed using Google's software, making it easy for you to locate your documents no matter where you are - as long as you have an Internet connection and can remember your GMail password. Very convenient, but would you do it?

Put aside the security aspects of remote storage of documents. Remember, irrespective of the amount of physical and logical security on the Google servers, ultimately your documents are going to be only as secure as your GMail password - and if you store your password somewhere, maybe not even that secure. I am not even sure that you can encrypt the documents you create on Google documents and spreadsheets - at least not with the software provided by Google - and encryption kind of defeats the purpose of indexing and quickly finding relevant documents.

Add to the security issues the host of legal issues raised by remote storage generally. Whenever records or other evidence is housed with a third party, you have not only increased the likelihood of data access, you have created a new entity with physical or logical possession of your records. Who "owns" your records? Who has a right to access them? Who has "possession" of them? Who has "control" over them? Who must produce them if there is a subpoena, search warrant or other court order? Suffice it to say, when you lose "possession" of the documents, you lose control over what happens to them.

Possession, Custody and Control

One of the biggest problems in the area of computer security is the fact that the law doesn't really distinguish between physical property and intellectual property. The same law which relates to, for example the possession of the murder weapon, also relates to the possession of information about the murderer. Intellectual property is just property. If you "have" it, you can be compelled - through various legal processes - to give it up, both in civil litigation, criminal investigations, administrative hearings, internal reviews, etc. Thus, the same law that allows law enforcement agents to get information about you with a court order or subpoena would allow a husband or wife to get the same information in divorce litigation. Unless the information is privileged (and in many cases even if it is) the entity that "holds" the information must pony it up. The law recognizes that an entity has a legal obligation to produce any materials within its "possession, custody or control." Such possession, custody or control can be physical possession (the gun in the footlocker), legal authority to produce, or in this case, "virtual" possession.

So whenever you entrust your information to some third party, you give up control over the information, and give up to some extent "possession" of that information. For some kinds of records this loss of control is inevitable. When you surf the web, you must transmit information about yourself through your browser to the web. When you send or receive e-mail, the information necessarily travels through some Internet Service Provider somewhere. Sure you can encrypt some information - you can use anonymizers to try to hide what you are doing, but in any event the information necessarily travels outside of your control. The anonymizer or "holder" of the information can be compelled to give up the information in the face of a subpoena or court order.

There is nothing fundamentally new about any of this. What is new is the fact that there is so much information about us held in the hands of third parties which never existed before. I am not talking about weblogs or Myspace postings that I voluntarily put out. Every book I read online, every song I download, every video or radio show I stream, every article I peruse creates a third party record which can be discovered.

Beginner's guide to SSL certificates

Next page: Physical Location

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.