On 06/05/14 13:37, Fabian Keil wrote:
> "Caspar Bowden (lists)" <[email protected]> wrote:
>
>> I downloaded Ponemon/Thales new survey of n=4275 IT managers (United
>> States, the United Kingdom, Germany, France, Australia, Japan, Brazil,
>> and Russia) a couple of days ago by registering here
>> <https://t.co/8rI2Z8vy1j>, but they appear to have now pulled the report.
>>
>> It is remarkable that one third of IT managers not only think that it is
>> possible to compute with encrypted data, but that they are doing so already.
>>
>> Here's the relevant text (red is my emphasis) and screenshot with graphs.
>>
>> [If they don't understand this, what else don't they understand about
>> their organization's security?]
>>
>> CB
>>
>> *Who controls the encryption keys*
>
> I don't doubt that (at least) one third of the questioned "IT managers"
> don't understand their organisation's security, but without a definition
> of "control" I'd assume that "Ponemon/Thales" were merely asking who
> legally controls the encryption keys.

That is the root of the trouble: the pre-crypto legal concept of
"processing" (e.g. in EU and CoE108) subsumes storage+computing, and
legal control doesn't pass to a mere "data processor" even if it has the
capability to read and disclose data to a foreign jurisdiction.

> Otherwise one would also have to mention the people who wrote
> the OS, the firmware, the application, people who provide software
> and hardware updates, cleaning personnel, successful attackers etc.,
> even when not looking at "cloud" environments.

The power of compulsion in e.g. FISA 702 is over a service provider to
(effectively) backdoor their running stack. Authors of the OS or lower
in the stack are not in that "service provider" firing line (and an
unremarked amendment in FISA 702 in 2008 extended the scope beyond
telcos/ISPs to Cloud providers).

@CasparBowden
--
Liberationtech is public & archives are searchable on Google. Violations of
list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change
to digest, or change password by emailing moderator at [email protected].