When is your data not your data? When it's in the cloud

With Verizon's aid, police arrest a man for storing illegal porn in the cloud, which raises questions about how much privacy cloud users can expect

Page 2 of 2

Turning those files over to NCMEC wasn't just a public-spirited action on Verizon's part; service providers who spot child pornography are required by the federal PROTECT Our Children Act of 2008 to send those files to NCMEC. On the other hand, service providers are not required to proactively search for pornography, but about a dozen do so anyway, said John Shehan, executive director NCMEC's exploited child division.

He said "about a dozen" because like much of the information about this program, it is kept quiet and he won't name the companies that signed a 2009 agreement to use PhotoDNA and notify NCMEC of the results. (Microsoft and Facebook have said publicly that they are using the application to hunt for child pornography.) Verizon won't even confirm that its storage partner is Digi-Data, but that information is contained in the terms of service.

Verizon spokeswoman Linda Laughlin told me that Verizon "never looks at customer's data or opens those files." She does, though, confirm that its storage partner scans uploaded files and passes on suspicious files to NCMEC. "We do exactly what the law requires," she said.

According to Shehan, some providers actually open the files manually after the software scores a hit; others don't. To date, more than 8 million images of suspected child pornography have been uploaded to NCMEC's tip line. When they get there, images are reviewed by NCMEC staffers.

Before turning photos over to the authorities, the staffers must determine that the files contain images of prepubescent children or infants and depict actual sexual abuse, he said. A shot of your infant in the bathtub wouldn't qualify.

How Microsoft software fingerprints photos
PhotoDNA, which Microsoft donates to law enforcement agencies, uses technology that's somewhat similar to facial recognition. It examines the digital information comprising a photo and creates a "hash," essentially a fingerprint of the photo. It can then match the hash to other copies of the same image.

Older technologies used hashing to identify photos, but they were not very robust. Even after a relatively small alteration, such as resizing or saving the image in a different format, the photo would be impossible to match. PhotoDNA does not have that limitation. The newer technology is called "robust hashing."

Because the hashes are relatively small, NCMEC doesn't need to store millions of photos on its servers. When it does identify a pornographic image, its hash is then added to a database the service providers work with when they scan photos uploaded by users. There is now data identifying some 16,000 images in the database.  It's not clear to me if encrypting his files would have kept Albaugh out of trouble, but it is certain that if he had uploaded images whose hashes were not in the database, he would not have been caught.

If Albaugh has done what the police say he's done, I certainly have no sympathy. The larger question, though, is twofold: Can we be confident that what we store in the cloud is secure from prying eyes? And if providers are scanning for child pornography, are they or the government scanning our data for other forms of content someone might find objectionable?

I welcome your comments, tips, and suggestions. Post them here (Add a comment) so that all our readers can share them, or reach me at bill@billsnyder.biz. Follow me on Twitter at BSnyderSF.

This article, "When is your data not your data? When it's in the cloud," was originally published by InfoWorld.com. Read more of Bill Snyder's Tech's Bottom Line blog and follow the latest technology business developments at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

| 1 2 Page 2
From CIO: 8 Free Online Courses to Grow Your Tech Skills
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies