Welcome to Ars UNITE, our week-long virtual conference on the ways that innovation brings unusual pairings together. Today, a look at how everyone involved with the modern cloud is looking to improve its security. Join us this afternoon for a live discussion on the topic with article author Sean Gallagher and his expert guests; your comments and questions are welcome.

When the technology industry embraced “cloud computing” and made it part of our daily lives, we all made a Faustian bargain. They gave us a way to break free from the expense of owning all the hardware, making computing and storage capacity dirt cheap and available on demand. On the other side, we promised not to worry too much about the fine print.

“In the 2000s we had this wild cloud party,” said Peter Eckersley, technology projects director at the Electronic Frontier Foundation. “That party ended—Edward Snowden crashed that party. And we’ve woken up with a massive privacy and security hangover that companies are now trying to shake.”

It’s not like this happened without warning. In 1999, former Sun Microsystems CEO Scott McNealy spoke in front of the US government and infamously said, “You have zero privacy anyway. Get over it.” But in the wake of the Snowden leaks, US companies that sell “cloud computing” services are now losing international customers in droves. At the same time, law enforcement and intelligence agencies are trying to keep what they have left, pushing back on attempts to make the cloud systems Americans use more secure from criminals and foreign governments because those authorities might get locked out too.

How did we get in this mess? And is there any way to have both the convenience of mobile access to nearly everything while still keeping out the prying eyes of government spies and criminal crackers?

Sticking a pin in “cloud”

When we talk about cloud computing, it can get confusing quickly. "Cloud computing" remains such a nebulous term. The essence of the term today encompasses what's been called everything from “utility computing” to “application dial-tone” by technology companies during the past three decades. However, it wasn’t until (relatively) cheap general-purpose server virtualization and storage networking came along that what we now call “the cloud” was really possible on a large scale.

The term “cloud” comes from what networking people have referred to as large, opaque networks well before there was an Internet. Very simply, cloud computing is any service that happens somewhere hidden behind the abstraction of an application programming interface in a shared data center owned by someone else providing on-demand and self-service.

Cloud started out as something big Internet companies like Google and Amazon did for themselves—a way to make their own infrastructure cheaper. Then they figured out how to turn what they did internally into a product for others. The upside to these and other “public” cloud services—the ones that can be reached over the public Internet and are available to individuals or companies other than the data center owners—is that they are relentlessly efficient and relatively cheap compared to running your own.

If you’re an application developer, depending on what kind of service you use, the large footprint of the big cloud companies also means you can reach a global audience or avoid downtime. Whether you're an organization or a smart-phone user, this means you can get to your stuff (nearly) all the time, dirt cheap and worry-free. What’s not to like?

Admiral Ackbar explains it all

Well, for one thing, it’s a trap.

Putting our data and applications on a “service” that runs on someone else’s computers, as it turns out, is not a really great idea if you like privacy. Cloud computing is a bit like a bus station locker—you may have the key, but that doesn’t mean someone else can’t pop it open and see what’s inside. That’s why so many financial service companies, healthcare providers, and government agencies would rather build their own versions of what Amazon offers (or at least hire someone to do it for them without connecting it to the Internet).

Some are more apt to pop that locker open for themselves or for inquiring governments. Remember, we chose to put data in the cloud. With how the US government interprets the law, expectations of privacy are different when using the cloud as opposed to storing data on a hard drive. Currently, the feds believe they can take a look at cloud data without serving you a warrant for it. And in many cases, due to piracy concerns, the Motion Picture Association of America and the Recording Industry Association of America also get to take a free look.

In its iCloud terms of service, for example, Apple states:

Apple reserves the right at all times to determine whether Content is appropriate and in compliance with this Agreement, and may pre-screen, move, refuse, modify and/or remove Content at any time… You acknowledge and agree that Apple may, without liability to you, access, use, preserve and/or disclose your Account information and Content to law enforcement authorities, government officials, and/or a third party, as Apple believes is reasonably necessary or appropriate.

This doesn't apply only to Apple’s iCloud, of course. All cloud providers are more or less going to cough up users’ apps and content on demand from the government when the data falls under its jurisdiction. And if they happen to be a US company, it doesn’t matter where the data is—the US government considers it under its jurisdiction. That was demonstrated by the US Justice Department's recent efforts. The feds tried to force Microsoft to turn over data from an Irish data center in response to a federal warrant—and the Justice Department won. “It is a question of control, not a question of the location of that information,” US District Judge Loretta Preska said in her ruling—affirming that, as Ars’ David Kravets wrote, the world’s servers belong to the US.

According to Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, this makes it really hard to tell other countries they can’t do the same thing to our data. “It’s been US policy,” he said. “It’s so difficult for us to pull back from it. We say that borders shouldn’t matter that much, but then the way that NSA treats US companies, and the ways Justice serves national security letters—clearly being a US company matters. When we are going out and demanding data from companies in ways that seem extraterritorial, and to me it seems enforcing this sovereignty-based notion over the cloud, it fits in with Russian and Chinese designs [on controlling their portions of the Internet]. It makes it more difficult for us to make our case that borders don’t matter very much when someone uses the cloud.”