Snooping by US raises interesting questions for Irish businesses
SIX weeks ago, Edward Snowden blew the whistle on the biggest snooping program in history. But is there any reason for Irish businesses to care? If so, what can be done to limit the risk of snoopers scooping up our data?
Entrepreneurs are worried. Not because they have something to hide from US authorities, but for fear of breaking contractual liability. "I'm currently setting up two businesses here," said Jude Braden, who employs 12 people in Dublin-based data-related businesses. "My problem is that under Irish and EU law, I have a duty to protect the data of my clients. I can potentially be sued if my clients' data gets out into the public domain. But the events of recent weeks and months put me in a position where I may not be able to fulfill the terms of that obligation."
One early casualty of the Prism scandal is the sanctity of 'cloud computing'. Whether it's Google Apps, Microsoft Office 365 or Dropbox, your documents are up for review if you put them online.
"Never host any of your sensitive documents in the cloud," said Conor Flynn, founder of Isas, a Dublin-based IT security firm. "Some cloud providers now admit handing over customer cloud data to US security groups."
Espionage and industrial skullduggery have long been connected, said Flynn. "There have always been suspicions among American industrialists when they travel to China that they would be monitored for espionage purposes.
"So there is definitely a reason for businesses to be concerned with data interception and decryption."
Dublin-based IT security expert Brian Honan agrees. "You don't bug German embassy offices if you're looking for Al-Qa'ida," said Honan. "When the US plants bugs in EU embassies it is clearly targeted at trade talks and industrial interests."
Ireland's newly-appointed Government chief information officer (CIO), Bill McCluggage, said that Snowden was a cautionary tale.
"Admittedly, these are Irish interests being compromised," he said. "They are the interests of all of us. But I'd be more interested in how people exit organisations with vast amounts of data.
"People in corporates will be looking at the Snowden incident and wondering how on earth that could be allowed to happen, how information could be taken out in that way. They will also look at the international ramifications."
The evidence backs McCluggage up. A recent survey of Irish companies showed that 43pc had experienced at least one data breach in the last 12 months with over four-fifths caused by staff.
The survey, conducted by Fresh Perspectives for The Irish Computer Society, also revealed that over half of Irish businesses said negligent employees represented "the greatest threat" to their organisation's data privacy.
The same survey showed that just 21pc said external hackers were among the top three concerns.
Almost a third of Irish companies indicated that their staff lacked a clear understanding of their data breach policy, while 35pc said their staff had not been adequately trained on data breaches.
Isas founder Conor Flynn said that few Irish companies rated US espionage as their primary concern.
"I have not run into too many businesses that say they're worried about the NSA listening in on them," he said. "In fact, for 95pc of companies, it's safe to say that it's not an issue."
And for the 5pc? What about Irish companies who are large enough – or who are part of an industry bloc – to have their interests represented in trade talks and other similarly high-level discussions? Large agriculture, pharmaceutical or IT firms? The tourism or entertainment sectors?
Flynn said that there was little alternative to basic due process. For companies worried about being spied on, this means encryption, virtual private networks and other security measures.
"The capability for interception is far, far more limited if you set up your encryption and virtual private network properly," he said. "It's a little cumbersome, but there are plenty of good services about."
Other solutions include some retrograde measures.
"I know some people who have taken to using their old Nokia 6310 mobile," said Brian Honan. "While you still have a threat of call interception, at least you don't have the cloud data monitoring."
However, some security measures are often less dependable than might be imagined.
"There's a version of Android out there called SE Android," said Brian Honan. "But it's the NSA that has contributed to that platform. Can you really trust it?"
Similarly, Tor is a network system often recommended for communications privacy as it anonymises users' web addresses. However, its so-called 'exit nodes' – where communications re-enter normal online networks – can be set up by anyone, including national security agencies.
Tor is also regarded as a distribution method for illegal or copyrighted material, leading to potential reputational issues for companies that use it.
Government CIO McCluggage said that spying was part of international relations and, as such, was difficult to focus on in isolation from an Irish point of view.
"My main worry is not so much about Snowden or about James Bond spook areas of spy organisations," said McCluggage.
"It's more about being able to understand how data sharing and people's records are maintained from a privacy perspective and how they can then be shared responsibly and appropriately."