Should I Trust The Cloud?

I received an email recently from a colleague asking about data sovereignty, and in particular asking about how schools deal with the  need to store all personal data on Australian servers to be compliant with the law. This was my reply…

When deciding whether to do a thing – any thing – you need to assess the relative risk. There is NOTHING that can have its risk mitigated to zero. So while we can have debates about the security of the cloud, the fact is that ANY service is generally only as safe as the password that protects it. It’s far simpler to socially engineer your way into a system than to hack it, and it’s easier to follow someone through an open doorway before the door shuts than to crack the lock. There are security risks involved with every system.

What makes you think that data saved on a server that happens to be geographically located on Australian soil is any safer than data on a server located on the other side of some imaginary geographical dividing line? What policies make Australian servers impervious to security issues? What is it about Australian passwords that makes them safer than non-Australian passwords?

It’s interesting that whenever I hear the security argument from someone, I ask them whether they use 2-factor authentication on their online accounts. The answer is almost invariably never. I find it hard to take someone seriously when they bleat about security and yet do nothing to secure their own stuff using the safest and simplest technology we have available: 2-factor authentication.

I also find it amusing that these same people who bang on about not trusting the cloud also almost always have a bank account. When I ask them where their money is stored, they say “in the bank”. When I ask where it is actually stored, they have no idea. They don’t know where their money – or the digital records that define the concept of money – is actually stored. They never stop to consider that when they go to an ATM and withdraw $50, it’s not the same $50 note that they actually put into the bank. There is no magical shoebox under the bank’s bed that stores their actual money… it’s all just computer records, kept on a server, somewhere, and I guarantee that they have no idea where that somewhere is.

That’s why the debate about whether we should be allowing our data to be stored offshore is such a laughable concept. It shows a real lack of understanding about the way the Internet actually works.

The truth is, it doesn’t matter WHERE your data is stored. What matters is WHO is storing it, and whether you trust them with it. I’d rather trust my data to a major cloud provider offshore who offers privacy policies that I trust, along with strongly encrypted and sharded data storage techniques, virtual and physical security over their datacentres, and a proven track record of doing the cloud right, than to some minor player in the cloud storage space just because they happen to have servers in Australia.

I’m also not a lawyer. However, I’ve done enough research into the Australian data sovereignty laws to feel satisfied that I’m interpreting them the right way. And contrary to all the Fear, Uncertainty and Doubt being spread around regarding these laws, they do NOT say that cloud services cannot be used unless the servers are in Australia. What they say is that the cloud service USER – that’s you – needs to feel satisfied that the cloud service PROVIDER is offering a service that meets your expectations of safety, security, privacy and redundancy. If you do your due diligence, and come to the conclusion that you’re satisfied that your cloud service provider is giving you a level of service you can trust, then you are free to use it and in turn offer it to your users. If you don’t believe they are offering this level of service, then don’t use them. It’s as simple as that.

Your choice will never be able to come with a 100% guarantee. Nothing does. But if you do your research carefully and make your choices well, the chances are as good as they will ever be that you have made the right decision. The cloud offers amazing possibilities, and I’m completely convinced it IS the future of computing. I’m all in on the cloud as the platform.

To me, there is really only one obvious choice in picking a cloud provider. You want someone whose entire infrastructure is built for the cloud, whose entire business model is built on doing it right, managing data with security and integrity and maintaining the trust of their users. I’m not mentioning names because I’m sure you can make your own decisions about who you trust and how well they do this cloud thing.

What I don’t want to do is to place my data with a cloud provider who is still playing catch-up, whose cloud infrastructure runs on legacy platforms that were never built for the cloud, and whose business practices in slagging their competition I find completely distasteful.

I don’t care where their servers are located.

Header image by Dave Herholz – CC BY-SA

Calling Home

I’ve been travelling a fair bit lately. Although much of it has been within Australia, I’ve just spent the last few days in Lower Hutt, New Zealand, for the Sitech Champion Schools Conference, and I’m writing this from the hotel foyer. New Zealand is starting to feel a bit like a second home lately… this is my fourth trip here in the past 12 months. Aussies and Kiwis have a friendly relationship. Aside from the obvious opportunity to take shots at each other over the cricket and the rugby, our two countries get along amicably, and the trip across the Tasman is something that feels more like going interstate than international. It’s easy to feel at home in NZ.

About 12 months ago I was here for last year’s Champion Schools Conference and some readers of this blog may remember that I came home to a $1000 phone bill for international roaming. That was a saga in itself, and much was said about it both here on the blog and on Twitter and Facebook. While I should have known better, I was quite unprepared for such a minimal amount of data to be charged at such an exorbitant rate. I was not a happy customer and I made sure my carrier knew about it. As a result of that experience, and the subsequent whingefest I made of it, I learned two important lessons. One, unless you’re prepared for huge roaming charges, do not allow your phone to roam when overseas. In the brouhaha that followed the bill I asked my carrier to completely disable international roaming for both data and voice, and insisted they unlock my phone so I could use an overseas SIM card when I was abroad. They complied and did both these things. The second lesson was that if you make enough fuss about an outrageous bill you stand a much better chance of getting something done about it. It took me numerous phone calls to customer service and plenty of persistence to get through to someone who could do something about it, but I eventually succeeded in getting the bill reduced to a reasonable amount. Sometimes it pays to be the squeaky wheel, and to their credit, my carrier eventually just dropped the entire charge.

So, for the last few days, I’ve voluntarily chosen to cripple my iPhone by requesting my carrier not allow it to roam onto the New Zealand phone networks. The international roaming charges are hefty enough, and my need to make phone calls is not critical enough, that I figured I could live without telephony for a few days.  Besides, I figured that as long as I could get occasional access to wifi, that would be enough. Wifi would let me get to my email and other stuff, and I could make any phone calls using Skype or Fring, both of which work just fine on wifi.  Of course, I never anticipated that getting access to affordable, reliable wifi would be so ridiculously difficult in Lower Hutt, which is only 25 minutes outside Wellington, the capital of New Zealand.  The hotel advertised that it had wifi available, but despite paying for an NZ Telecom voucher it never seemed to work, and most times never even showed up in the list of available wifi access points. I went to Starbucks to pay for wifi there, but still had zero success in getting connected.  So for the past four days I’ve been mostly disconnected. There has been wifi at the conference of course, but I’ve usually been too busy to use it for my own personal needs.

But the real point of this blog post is to question why, in this day and age, it is so damn difficult to be connected while travelling. Why is 3G connectivity so expensive once you roam away from your own country? To be clear, I’m not suggesting that it should be free, but I’d love to see a bit more interoperability between networks and a few more strategic partnerships formed between the carriers so that staying connected while travelling was a bit more affordable and not so difficult.

To access the mobile web in Australia I pay $20/month for my phone to have 1GB, or just over 1000MB, of mobile data. The cost of data when I’m in some countries is charged at over $20 per Megabyte! So, the cost of accessing the mobile internet when I’m overseas can be 1000 times what I pay in Australia. I have no problem with paying a reasonable premium to access data over another carrier’s network, but 1000 times more? That’s just gouging! I’d be willing to be charged a little extra to use the local carrier’s network, but I refuse to get ripped off like that, hence I turned off the roaming completely. Sure, it was inconvenient not having access to phone and data while I was in NZ, and there was more than a couple of times when I wished I could make a quick call, but the phone companies can go and get stuffed if they think I’m willing to play their overpriced game.

Why should the cost of accessing the web cost so much just because you’re in another place? I mean, sending an email doesn’t cost you more depending on where you send it. Once the bits that contain the message content are “in the pipeline”, it costs no more to route them next door or around the world. They just become part of the flow of electrons that circle the globe. The notion that it should cost more to send them further is just a hangover from the old days of telephony, when phone companies charged “long distance” rates for calls that went a bit further. The reasoning that it costs more to push data further is completely flawed. It makes no difference how far you push binary bits through a network, the cost of doing it doesn’t really increase. You remember when you sent your first email? Remember how liberating it felt when you found out that you were sending a message to a whole other country, and it wasn’t costing you any more than sending it to your own suburb? How could they do that? How could they afford to transport messages clear across the other side of the world and charge no more? Easy. Bits are free.

That’s all well and good, but it doesn’t solve my problem. What about Plan B… get the phone unlocked and simply insert a local SIM card to access data on the local country’s network. Getting the iPhone unlocked by my carrier was not too difficult – I just asked and insisted that they do it, and told them that I was unwilling to be charged their inflated data roaming prices. Surprisingly, they complied immediately, although they now tell me that to finalise the unlocking process does require a complete system restore of my iPhone, something which is quite unreasonable. I sync my iPhone with my home iMac and I travel with my MacBook Pro, so the computer I have when travelling is not the one that contains the sync data for my iPhone. Even if it were, the notion that I need to do a complete system restore (which would involve erasing and restoring all my phone data) is plain ridiculous.

On top of all of that is the near-impossibility of buying a short-term phone plan that offers both voice and data on the guest country’s network at a reasonable price. You would think that the concept of someone wanting a temporary local SIM while travelling would be so obvious, but almost no phone companies actually offer something like that. Crazy! I can’t imagine why they are choosing to be missing out on so much potential revenue from travellers.

So I want to know why it is so difficult for phone companies to provide what seems like an obvious need in this hyperconnected world of ours… the ability to remain connected – at a reasonable price – to our telephony and data while travelling. The web is built on global standards. Data is data. Most voice calls are carried on VOIP anyway. The methods for connecting to a network node – any network node – are no different no matter where you are in the world. There has to be a better solution than the current overpriced, under-delivering method of roaming onto another network and being charged through the nose for it.

Come on phone companies! Get your act together!

Image: ‘We are spirits in the material world

Data lives Forever

It’s sometimes difficult getting kids to understand the full implications of something as seemingly harmless as putting their photo online. They often don’t realise that, just like The 500 Hats of Bartholomew Cubbins, once something goes online it is near impossible to remove it. This video makes a pretty good point of showing the effect of this behaviour…

[Embedded video]

It’s something that both children and adults need to understand well. This is a post-Google world we live in. It’s no longer unusual that an employer Googles the name of a potential hire to check their reputation and see what they have done (or equally, not done). When you go out with a new person, it’s likely that your date has Googled you, MySpaced you or FaceBooked you to get a little bit of “background” on the sort of person you are. In a digital world you leave a trail behind you, often whether you mean to or not. Forum posts, blog posts, (and the comments you make to them), online projects you’ve taken part in, occasions your name has been mentioned in various online and printed publications, photos… if it ends up online, it’s probably there and it’s probably searchable. And you’d be amazed at how you can take lots of little pieces of data to form a fairly thorough picture of someone’s activities and reputation.

This can work in your favour too of course. As I was applying for jobs recently, I was actually hoping that potential employers would Google me as there is, fortunately for me, lots of positive stuff online – lots of technology projects and events I’ve taken part in which I imagine would have been relevant and supportive to the positions I was applying for. But the point is that had there been lots of negative stuff, there would have been virtually nothing I could have done about it. Try it with your own name and see what you get… wrap your name in quote marks to get Google to search it as a single entity, and of course it helps if your name is a little bit unusual as you will probably get more relevant results.

Get your kids to try this too. I recently encouraged my students to do a vanity search on their own name and while for many it turned up nothing, others were shocked at just how easy it was for their past to be dug up. There is probably not much you can do about ending up in the Google database (or any database for that matter), and in lots of cases it could even be a positive thing, but the lesson is to be aware and be careful of what you put online about yourself.

Do this exercise with your students. It’s a lesson worth learning early because if they learn it later it may be too late.