Prism-hosting-security

Security, Privacy, PRISM and Hosting


Since Edward Snowden leaked information about the US government’s mass digital surveillance program, the media and industry have been very focussed on digital security and privacy.

We live in a digital age, with much of our lives either in “the cloud” or connected to it in some way.

But what if you can’t trust the cloud?

Or, more correctly, what if you can’t trust the companies running the cloud not to hand over your data to government?

And should we even trust the governments themselves?

We’ve all seen the movies like “Echelon Conspiracy” and “Enemy of the State”. In 2013 fiction was confirmed as being very close to reality.

Working in the internet industry, we have seen these and other topics come up a lot in conversations over the last couple of months. And of course our customers and partners have become increasingly concerned with this as well. So it’s not surprising that we’ve been asked by several people how we are impacted by PRISM and similar programs.

We’ve also been asked if we have a disclosure policy similar to that of some other internet companies.

Rather than addressing people’s queries on an individual basis I thought I’d cover some of the salient points.

So let’s address a few things, both at a general level and at a Blacknight specific level.

First off, Blacknight is a 100% Irish-owned company. As such, we are subject to Irish law.

Whose servers do you use?

We own all our own servers and, apart from one or two, all our servers are based in Ireland on a 100% Blacknight controlled network. We are also building our own data centre here in Carlow to give us even more autonomy. (Update: We opened our own data centre in early 2014)

How many law enforcement and / or government requests have you received?

Over the past 10 years we have received fewer than half a dozen requests from law enforcement agencies.

Of the requests received, most were informal requests for information that was either already in the public domain (i.e. if you knew where to look you’d have found the information) or that we did not hold.

Only two or three requests resulted in us providing access to log files, and these were for specific websites, i.e. we were asked for the logs for a specific domain / site.

Which law enforcement agencies do you respond to?

As an Irish company, we will only respond to requests we receive from An Garda Síochána. (Overseas law enforcement agencies would normally route their queries via Irish law enforcement.)

If the volume of law enforcement and / or government requests were to rise, we’d consider a disclosure policy, but the volume is far too low at the moment to merit the attention.

So to address a few other common questions:

Is Blacknight impacted by PRISM or similar?

No.

Are all Irish hosting companies immune from PRISM?

No.

If servers are physically based in Ireland AND owned AND controlled by an Irish company then they are subject to Irish law.

BUT

If the servers are physically located outside Ireland they do not have the benefits of Irish law regardless of who owns them. A server physically located in the US is subject to US law, a server physically located in the UK is subject to UK law etc., etc.

Servers (or services) running off servers physically based in Ireland (or other parts of the EU) should be covered by EU law, but if the hosting provider is US owned then you have no guarantees.

What about FISA?

FISA is a US legal device. As an Irish company we are not subject to it. If you use a US provider you should be careful: due to the way FISA works, US providers are unable to inform users if they have received a request for information.

So which cloud services are “safe”?

That depends on your definition of “safe”.

Only those that are 100% based in Ireland and controlled by Irish companies can be 100% sure of being compliant with Irish law only. Unfortunately in the wake of Snowden’s revelations it has come to light that several European governments were involved in similar digital surveillance programs.

What about the Irish arm of X?

If the parent company is a US company then you have no guarantees.

Has the Irish government got a PRISM-style program?

We aren’t aware of any such program existing.

Is your network PRISM and NSA free?

The internet is a global network.

While we control our own portion of it we cannot claim to know what is happening outside our own part of it. Our physical network is NSA and PRISM-free, but we have no way of knowing what is happening elsewhere.

Is the NSA (and others) snooping at peering points?

Blacknight are a member of INEX and peer with other providers at their Dublin exchange points. The guys at AMS-IX have provided an explanation as to how peering points work with respect to digital wiretapping (hint – they don’t!).

What about DMCA?

DMCA (Digital Millennium Copyright Act) is a US legal instrument for dealing with copyright. It hasn’t got anything to do with PRISM. As we are an Irish company, we are not bound by DMCA. (We’ll revisit the topic of copyright and takedown notices again.)

If anyone has any other queries or feedback please let us know via the comments.