[liberationtech] One third IT managers think can Cloud compute with encrypted data
Caspar Bowden (lists)
lists at casparbowden.net
Tue May 6 13:30:26 PDT 2014
On 06/05/14 13:37, Fabian Keil wrote:
> "Caspar Bowden (lists)" <lists at casparbowden.net> wrote:
>
>> I downloaded Ponemon/Thales new survey of n=4275 IT managers (United
>> States, the United Kingdom, Germany, France, Australia, Japan, Brazil,
>> and Russia) a couple of days ago by registering here
>> <https://t.co/8rI2Z8vy1j>, but they appear to have now pulled the report.
>>
>> It is remarkable that one third of IT managers not only think that it is
>> possible to compute with encrypted data, but that they are doing so already.
>>
>> Here's the relevant text (red is my emphasis) and screenshot with graphs
>>
>> [If they don't understand this, what else don't they understand about
>> their organization's security?]
>>
>> CB
>>
>> *Who controls the encryption keys*
> I don't doubt that (at least) one third of the questioned "IT managers"
> don't understand their organisation's security, but without a definition
> of "control" I'd assume that "Ponemon/Thales" were merely asking who
> legally controls the encryption keys.
That is the root of the trouble: the pre-crypto legal concept of
"processing" (e.g. in EU and CoE108) subsumes storage+computing, and
legal control doesn't pass to a mere "data processor" even if it has the
capability to read and disclose data to a foreign jurisdiction.
> Otherwise one would also have to mention the people who wrote
> the OS, the firmware, the application, people who provide software
> and hardware updates, cleaning personnel, successful attackers etc.,
> even when not looking at "cloud" environments.
The power of compulsion in e.g. FISA 702 is over a service provider to
(effectively) backdoor their running stack. Authors of the OS or lower
in the stack are not in that "service provider" firing line (and an
unremarked amendment in FISA 702 in 2008 extended the scope beyond
telcos/ISPs to Cloud providers).
@CasparBowden