>"Amazon never participated in the NSA’s PRISM program." - Stephen Schmidt, CISO @ AWS
As true as this may be, the only acceptable form of privacy guarantee is through cryptographic algorithms and open source software. Anything else is a fantasy tale.
And I wouldn't say standard of excellence--just the possibility of excellence. With closed source you can't have even that. You pretty much have to assume the worst.
I suspect they do a good job at a technical level, but they have interests in advertising that are at odds with my privacy interests. I also have no way to know if they are doing Dark Nefarious Things.
From your initial comment, I got the impression that you were claiming that closed source software could not be excellent, meaning secure.
By the way, I'm a big GPL/free software nut. However, I understand the place of closed source software, and under the right circumstances, it can indeed be excellent.
This is where I've come around to appreciating the FSF's moral argument for Free software a bit more than the instrumental-utility argument of the Open Source movement.
Open Source can be bad, in terms of quality. Closed source can be good, in terms of quality.
Security is an interesting case where I don't believe that you can be trustworthy and closed. Could the code be good? Yes. Can I validate in any meaningful sense that it doesn't violate my expectations? No.
Of course it's possible to have obfuscated malicious behavior in Free/Open Source software. But, there is at least the possibility of discovery of such defects. With closed source, there isn't.
We'll have to diverge a little, then, but not too much.
In some cases, such as the security sensitive code written at Google, there are far more eyes on the code than there are with all too much of the critical, security sensitive open source code.
In my mind, it's a matter of alignment of interests.
For the cases of 'run of the mill' security questions, such as buffer overflows, password leaks and the like, Google, Facebook and I have fully aligned interests. None of us want those things in anybody's code.
Things get harder for other security questions, such as data collection, and cooperation with surveillance, legal and otherwise.
In the latter case, state surveillance, Google (and other like entities) have interests that are mostly aligned with mine, but not entirely. They're pushing back on warrant-less, Patriot Act type crap, while efficiently complying with traditional directed warrant disclosures. (As far as we know!)
Fully open source and free software will almost always have full alignment with my interests, and so is better in that regard.
As far as code-level bugs, I think the general rule is that closed source code is pretty poor at companies, with a few notable exceptions, where I think things are a heck of a lot better.
Finally: Wow, I just reminded myself that this thread talking about a new Amazon product. Crazy. (:
Having done a lot of work with financial firms in the past, I found that they're incredibly wary of any agency having access to any of their data.
As a consequence any telephony or messaging product we built had to have a self hosted deployment as part and parcel of our product offering. This meant we usually went for a Java backend which gave us great packaging and install tools. It also meant we had .deb and .rpm packages for all our products.
I can't tell you how much those packages helped. Once you start bundling up your software deployments as proper versioned installation packages you become quite spoilt in the DevOps department - it's hard to use Chef/Puppet or Vagrantfiles for software installations now!
Has this been substantiated? To my knowledge Amazon denies being a part of PRISM and the only thing a quick search reveals is that denial and Snowden criticizing Amazon for not being HTTPS by default on some of their endpoints.
Have you read Snowden's Leaks? All of the major tech companies have been on board for a long time (and that was years ago). How can you believe that a giant like Amazon will somehow magically not be part of it? It's time for the country to sharpen its critical thinking skills.
> All of the major tech companies have been on board for a long time (and that was years ago).
I have read the Snowden leaks.
This is one of those times when details matter, and in those details you are wrong.
I wrote this previously[1] about Apple, but it applies here too:
The problem is that PRISM has conflated two separate things, and it is unclear how much of that conflation occurred at the NSA and how much outside.
Apple was (and is) compliant in the "release customer details with a court order" thing, which it seems is part of the PRISM data.
However, there was a second part, where the NSA got bulk access to communications without a court order. It is unclear which companies were complicit in this part. We know Google wasn't (because the NSA slide decks show how they had to intercept Google's inter- and intra-data-center links, which were unencrypted at the time - and Google undertook a crash program to fix that).
Apple's statements are pretty clear: they say they only release information with a court order. That means they weren't complicit in bulk collection - but they may have been hacked at the time like Google was.
Yes, this is a crucial distinction and matches my understanding from what I've read of these public documents: PRISM is a program in which the NSA intercepted Internet and other communications, and then reconstructed the meaning of those communications at a higher level -- that is, interpreting HTTP requests to Google as searches, email views, and whatever else.
I did not see any evidence in the leaked documentation nor the reporting on those primary sources that the companies involved were complicit. If this evidence exists I would be very interested to know, but from Google's actions subsequent to the leaks it did not seem they agreed with the program or were complying with it, and instead took actions to oppose the program by encrypting their communications links internally, and indirectly by advocating encryption in public Internet protocols such as HTTP and SMTP.
I was under the impression that Google gave bulk access to the NSA, and the NSA wiretapped them regardless. I don't have a source to substantiate that claim though.
The US demands - through law - that any company, US and doing business in the US, give access to all its user data upon simple subpoena by a secret court without notification to anyone, in a situation that can last for years. They're not even allowed to let you delete your data. There is no justification needed and most users are never informed this has happened, not even in the future. If you're a US citizen the time limit is measured in years (and can be extended by said secret court); if you're not a US citizen (or merely suspected not to be one), there is no time limit.
Doing "just" this to their users is what is understood in this discussion under the misnomer "not cooperating" with US spying. One can only assume that the OP has a funny sense of humor.
Given that this is noncooperation, why are we discussing who is cooperating and who is not? This is WAY over the line, and of course means that no foreign company of any size should trust ANY US company with any amount of data.
And, frankly, it means that given the slightest disagreement in court, you should assume that all your data is public. Famously, this happens with facebook/instagram/whatsapp private messages in divorce cases, but not just that. Outlook messages of non-US citizens being picked apart by competitors because of a small non-payment vs non-delivery civil case in a non-US court has happened.
Note that the US government is famous for exploiting private sector relationships for spying and the reverse (exploiting government spying to give advantages to favored US companies).
So you should assume the worst and immediately implement basic security mechanisms (that are standard procedure at most companies now):
1) anything sent to you for any reason gets automatically deleted, especially email, unless specifically and individually prevented
2) any backup system is encrypted and the keys are subject to (1).
3) NOTHING can be put on any cloud system, for any reason, without (1) implemented, and you should refuse to cooperate with external parties that insist on such a system.
4) more strict measures are needed for director level and upward (note: legal definition of director, not just because it's used in company directories). Protocols negotiated beforehand dictate what can only be discussed over secure channels. First item on that list: anything related to any one specific employee.
But the thrust of that article is more suspicion that Amazon is not mentioned in the leaks and questioning the reliability of the company's word. It does cite one source, described in the article as non-mainstream, which asserts that Amazon was a part of PRISM, but that source fails to cite any leak.
Edit: I should mention that the first article casting doubt on Amazon's reliability is published by an independent publishing company, historically an industry that has been at odds with Amazon and harmed by its business practices.
- Amazon, PRISM partner