
Microsoft adopts first international cloud privacy standard - varunagrawal
http://blogs.microsoft.com/on-the-issues/2015/02/16/microsoft-adopts-first-international-cloud-privacy-standard/
======
ewzimm
This is a great move. Of course, there's the massive loophole on the last
point that they really can't do anything about:

>The standard requires that law enforcement requests for disclosure of
personally identifiable data must be disclosed to you as an enterprise
customer, unless this disclosure is prohibited by law.

Since the policy of several governments seems to be "collect everyone's data
and don't inform anyone about it under penalty of law," it's a pretty weak
protection. Seems like the only way around it is removing centralized keys.
Even if you trust your own government with the data, there are probably other
ones you don't trust and you have no control over that will collect your data
if they have any opportunity to do it.

~~~
lmkg
Yeah, it's not like Microsoft could write a privacy policy that lets them not
follow the law, and expect that to matter to law enforcement. Until the law
changes, there's not much that individual companies can choose to do about
that.

At least they're saying that they will be transparent whenever they
are legally allowed to do so, which is something.

~~~
acqq
Oh yes, they _can_ do something, for example store the user data in the cloud
only encrypted. It seems they don't want to do that, however.

~~~
AdeptusAquinas
Because if they did that then they would be breaking the law. 'Disclosing data
if law enforcement asks for it' isn't only if the data can be disclosed; it
means that if law enforcement asks for it you MUST be able to disclose it.

~~~
higherpurpose
No, that's not the case in all countries, and probably _shouldn't_ be the case
in any country, but UK is pretty weird like that, so I don't know about UK.

But in US, the law says companies must provide the data unencrypted ONLY IF
THEY CAN DO THAT. So if they're using strong end-to-end encryption, the law
should be on their side, since they can't decrypt the data themselves. Only
the users can.

That's why the FBI was making such a big deal about Apple encrypting the data
with the user's key _in the press_. Because they knew they can't do anything
about it, and the best they could hope for is to make it a big enough scandal
that Congress will pass a law against such encryption.

And the reason I said this is how it _should_ work in _all_ countries is
because it's common sense. If companies can't do something, then they can't be
forced to do it. But as I said, in UK you could go to prison even if you
forgot your password, and they ask you for your drive's password. That's an
illogical law, but I guess that's what UK citizens get for not having a
Constitution: illogical and abusive laws from the government that trample
people's rights.

~~~
Alphasite_
It's a little I Knox to say that when the U.S. is willing to break the laws of
other countries when it suits them. Accessing EU data from the US is certainly
illegal under that. The fact that the EU commission hasn't done anything about
it is another issue entirely.

I won't debate specifics of the letter of the law because I don't know them,
but I'm not convinced you do either.

------
zanny
> The British Standards Institute (BSI) has now independently verified

Yeah great, show your proprietary code to a third party company and everyone
is just going to immediately trust you.

Plenty of other cloud storage services offer _real_ reasons to trust the
backing store, called the code is open. I can audit it, my neighbor could
audit it, and every corporate user is liable to audit it. I have no reason to
ever trust an arbitrary third party I have never had reason to trust in the
past who is now trying to guarantee your cloud is secure, when competitive
options are letting me do my own auditing, if I wish.

Is there anything else this is comparable to - where a company has the gall
to say "another company looked at our black box and said it was good, so trust
us alright guys?". When cars or houses or roads or food get certified for
something you always have the capacity to reproduce the certification process
yourself as a verification measure. You cannot do that to proprietary
software, especially when it's on some foreign server somewhere running who
knows what version of it.

~~~
balls187
> Is there anything else this is comparable to - where a company has the gall
> to say "another company looked at our black box and said it was good, so
> trust us alright guys?"

Uh, isn't that how third party trust works?

Like how SSL cert verification goes to a trusted root CA for validation.

~~~
mherkender
Not really, the only secret the trusted root has is their private key, not an
entire stack of software/hardware/etc.

~~~
count
Your CA shows you everything they run?

------
acqq
Still, note what they don't say: that the user data will be encrypted before
being transferred to the cloud, or even more important for Europeans, that the
European data would be managed strictly in Europe. Interestingly, the money
received in Europe is without problem for all these big companies so managed
to not end in the US (avoiding the taxes), the data, it seems still not
important?

------
daliwali
Should there ever be any reason to trust your privacy to proprietary software
running on a third party's server? Or is this "privacy standard" they are
conforming to just another form of security theatre?

~~~
AaronIG
Replace "proprietary" with "open source" and the argument is virtually the
same. You still need to trust the third party running the software.

------
Aoyagi
A company that slurps all contacts and calendar entries from customers'
smartphones without their explicit consent and without a way to opt out from
it is talking about privacy.

------
Create
The IT industry clearly needs systems so that companies can work well
together, and these systems need to work well in all countries. The ISO
process for IT standards was designed to promote interoperability,
portability, and cultural and linguistic adaptability, using a consensus
process. We believe strongly in these goals, but the current process is not
designed to achieve them. The OOXML proposal has exposed serious flaws in ISO
process–especially in the fast-track process–and we believe these flaws need
to be fixed.

The credibility of ISO is at stake.

[http://magazine.redhat.com/2008/03/24/iso-approval-a-good-pr...](http://magazine.redhat.com/2008/03/24/iso-approval-a-good-process-gone-bad/)

Either way, the ISO's current state is likely to be seen as a quagmire when
viewed through history's lens.

Microsoft did not respond to several calls requesting comment.

[http://archive.wired.com/software/coolapps/news/2007/08/ooxm...](http://archive.wired.com/software/coolapps/news/2007/08/ooxml_vote)

We begin therefore where they are determined not to end, with the question
whether any form of democratic self-government, anywhere, is consistent with
the kind of massive, pervasive, surveillance into which the United States
government has led not only us but the world.

This should not actually be a complicated inquiry.

~~~
gtirloni
Has the ISO 27018 process suffered from the same issues seen in the OOXML
discussion?

~~~
Create
Ex-Microsoft privacy adviser: I don't trust company

Microsoft's former chief privacy adviser said he did not have faith in the
security of the software company's technology

[http://www.theguardian.com/world/2013/sep/30/microsoft-priva...](http://www.theguardian.com/world/2013/sep/30/microsoft-privacy-chief-nsa)

~~~
gtirloni
Has the ISO 27018 process suffered from the same issues seen in the OOXML
discussion?

Additionally, is the ISO 27018 not worth implementing because Microsoft seems
to have implemented it (allegedly)?

------
holri
"There is no cloud, just other people's computers."

FSFE Sticker: [https://blogs.fsfe.org/mk/files/2014/11/there-is-no-cloud-pa...](https://blogs.fsfe.org/mk/files/2014/11/there-is-no-cloud-pack.jpg)

------
__Joker
Can anybody clarify what privacy I as a Bing, Outlook, Windows Mobile user
get from this? It mentions enterprise customer, does this mean these
standards don't apply to users of the above-mentioned services?

~~~
morganvachon
I'm pretty sure it's a different set of rules for regular consumers vs
enterprise. It's always been that way in the past. That said, can you really
trust any "cloud storage" provider these days? I'd say the most trustworthy
would be someone like SpiderOak, as they don't have access to your private key
and therefore have had minimal requests from law enforcement which yielded no
info[1].

And I say that as someone who has settled on OneDrive for my casual cloud
storage, with more important or private files (taxes, finances) stored on a
personal server running OwnCloud from my home office. I have all of my files,
important and casual, backed up to an external drive that lives in a fire
safe. Not as secure as, say, a bank deposit box, but better than nothing.

[1] [https://blog.spideroak.com/20150212080057-increasing-transpa...](https://blog.spideroak.com/20150212080057-increasing-transparency-and-privacy-2014-report)

~~~
LLWM
Such "transparency reports" are only a lower bound. If the government requires
you to keep the request a secret, you must keep it secret.

------
eyeareque
This might actually mean something had it been a company from a country where
there weren't secret courts that can create secret subpoenas.

------
yummybear
Microsoft a forerunner on global privacy. .NET open sourced and (soon) running
on Linux and Mac. Things certainly do change.

~~~
itsbits
how are privacy and opensource related??

~~~
fysac
You can't have a reasonable assurance of privacy unless your software is open
source.

~~~
gizmogwai
Going that direction, one could argue that what you open source might not be
what you are running in production.

~~~
fysac
Right, you can never be 100% certain it's the same code. But it's a valuable
"good faith" step that sets a level of trust between the users and developers.

------
kelv
Is there any way I can legally read the standards document without paying the
prohibitive fee?

------
higherpurpose
How "real" is this standard? I mean it seems to be set by the GCHQ motherland.

~~~
wongarsu
The standard was created by the ISO JTC1/SC 27 Working Group 5 (Privacy and
Identity Management). It seems like mostly a European effort, which certainly
isn't limited to Great Britain. Europeans usually take privacy very seriously.

~~~
peawee
Except the European data privacy regulations don't seem to be too restrictive
of law enforcement.

