Photo scandal’s harsh lessons

This kind of breach has severe ramifications for the celebrities, but it also is bad news for financial advisors who store sensitive information in the cloud. If delicate files such as these can be pilfered and made public, then other sensitive information can be, too.

Last year, Edward Snowden, a rogue U.S. National Security Agency (NSA) contractor, revealed several widespread intrusions into cloud services by the NSA, proving that security can be a problem when storing sensitive information using online services. But this latest incursion should bring the danger home to people, says Larry Kearley, president of the Canadian Access and Privacy Association in Ottawa. Nothing brings privacy threats into sharp focus like a pile of leaked embarrassing pictures.

“More than the NSA intrusions,” Kearley says, “this is going to galvanize ordinary people, who can relate to this stuff.”

When you store personal information, you bound to protect it to the best of your ability under Canada’s Personal Information Protection and Electronic Documents Act. Is it possible to store information in the cloud and still protect it against threats?

Much will depend upon where it is stored and which threats we’re talking about. Section 215 of the U.S. Patriot Act, passed in 2001, expands the ways in which U.S. government officials can gain access to your information. That law also allows U.S. officials to gag any cloud service provider that has been required to release information to the government, so that you won’t find out about that transfer of information.

The Patriot Act also allows the U.S. government to access data stored on Canadian soil by companies owned by Americans.

Dianne Lapierre, vice president of information technology with Raymond James Ltd. in Vancouver, handles data requirements for both captive and independent advisors. “Our practice is to store Canadian data in Canada,” she says. “That’s what we’re worried about: the amount of private data that people have about customers.”

Aside from storing your clients’ data away from jurisdictions with prying eyes, encryption is another way to protect sensitive records. Many cloud services will encrypt data on your behalf. The danger, though, is that if the cloud service retains the encryption keys, government officials still could subpoena the service to unlock the data. Even worse, rogue employees also might gain access.

In any case, according to Apple, it wasn’t an intrusive government or an Apple insider who sought out those naked celebrity pictures on iCloud; cybercriminals hacked those individuals’ accounts in targeted attacks.

That’s why Apple’s own encryption didn’t protect the celebrities involved. If someone gains access to an account’s password, as the attackers appear to have done, then the cloud-based storage system will happily assume that the attacker is the account’s owner and decrypt the information.

Nik Cubrilovic, a security researcher in New Zealand who investigated the attack on Apple, offers some recommendations for using cloud-based services responsibly: – start with a strong password. Include a string of random numbers and letters.

– Use a single private email address for sensitive online accounts. This address should be separate from the “public” one you use for regular communication.

– Use your own encryption keys. You can do this in two ways. Some services that store documents in the cloud will encrypt them for you, but demand that you use your own keys. Northbrook, Ill.-based SpiderOak Inc. is an example of this kind of “zero knowledge” cloud service; the site has no knowledge of your encryption keys, and thus is unable to decode your information, no matter who asks for it.

Alternatively, you could use encryption software on your own computer to scramble files before sending them to the cloud. Just make sure you don’t lose your encryption keys – or your information is gone.

Finally, beware the ultimate compromise: having your machine infected with malware. If someone installs a virus on your Mac or PC, all bets are off, as that attacker probably can control your computer – and everything on it, including encryption keys.

Suitable antivirus software will go some way toward protecting you, as will the use of virtual machines for the technically savvy. But, ultimately, the sad fact is that nothing is ever 100% secure. The trick is making it difficult enough for attackers to compromise your information that it isn’t worth their while to try.

© 2014 Investment Executive. All rights reserved.