[IP] IBM responds to Lauren Weinstein's note
Begin forwarded message:
From: George Robert Blakley III <blakley@xxxxxxxxxx>
Date: August 28, 2005 8:42:52 PM EDT
To: dave@xxxxxxxxxx, farber@xxxxxxxxxx
Cc: Michael R Nelson <mrn@xxxxxxxxxx>
Subject: IBM responds to Lauren Weinstein's note
Dave,

Mike Nelson forwarded me Lauren Weinstein's posting to your listserv;
I've attached the posting at the end of this note for ease of reference.

I very much appreciate Lauren's concern with privacy, but he appears
simply to have missed an important point about our announcement of
"IBM Tivoli Continuous Data Protection for Files".

That point is that the product is not likely to create new backups.
What it will do is enable responsible organizations, who already
routinely perform backups in an automated fashion, to add a new feature
to their backup regimes.

That feature is continuity.

Continuity is the property that data is backed up immediately rather
than, for example, every night at midnight. CDP for files provides
continuity in order to close the data-loss window that currently exists
during the intervals between periodic backups.

Adding continuity DECREASES availability risk and information asset
loss risk by insuring that a second backup copy of data always exists.

Adding continuity DOES NOT INCREASE privacy risk, because the data all
eventually gets backed up anyway with OR WITHOUT continuity - so the
only thing that changes is that the data gets exposed to the privacy
risk a few hours earlier with continuity than it would without.

Lauren makes an assumption about the deployment of this technology
which is, I think, not likely to be correct. He seems to think that the
default deployment will be some sort of huge central backup facility
which provides services directly to individual consumers acting in
their roles as private citizens. This may be possible, but it certainly
isn't the most likely configuration. If it does happen, I presume that
individuals will weigh the data loss and continuity of operation risks
against the privacy risks when they make decisions about whether or not
they want to subscribe to such a service.

The much more likely configuration is that enterprises will operate
their own backup facilities (as indeed most of them already do today)
and will provide continuous backup service to their employees for use
with company-owned desktops and laptops. These machines, and all the
data on them, are ALREADY susceptible to warrant access with the
warrant served at a single site (the employer's headquarters), in many
cases with no requirement for notification of individuals whose data is
to be accessed. I do not see how the introduction of "IBM Tivoli
Continuous Data Protection for Files" into an enterprise will change
this situation.

Finally, Lauren does not acknowledge or discuss several important
features of the product, which are enumerated in the information
accessible through the web link in the IBM press release he references,
and which address exactly the concerns he raises:

(1) The product can be configured to exclude files from being backed up
(so if you want to exclude privacy-sensitive material from backups, you
can).

(2) The product can be run in a local-only mode, in which case the only
backup copy made is stored on the local machine, and no copies are sent
to remote, centralized servers.

--bob
Bob Blakley
Chief Scientist, Security and Privacy, IBM
email: blakley@xxxxxxxxxx
phone: +1 512 286-2240 fax: +1 512 286-2057
================= Begin forwarded note ===================
---------------------- Forwarded by Michael R Nelson/Washington/IBM on 08/27/2005 04:50 PM ---------------------------
Please respond to dave@xxxxxxxxxx
To: Ip Ip <ip@xxxxxxxxxxxxxx>
cc:
Subject: Risky Business -- Re: [IP] IBM to Continuously Protect
Information Stored on Laptops and Servers ...
Begin forwarded message:
From: Lauren Weinstein <lauren@xxxxxxxxxx>
Date: August 27, 2005 10:54:54 AM EDT
To: dave@xxxxxxxxxx
Cc: lauren@xxxxxxxxxx
Subject: Risky Business -- Re: [IP] IBM to Continuously Protect
Information Stored on Laptops and Servers ...
Dave,
Hackers, law enforcement, and Homeland Security will love this one.
All that handy data from individuals' and organizations' computers,
all neatly stored in central facilities not directly under the
original users' control. I wonder how many people using this
feature will have any idea how the legal third-party access
standards differ for data that is stored remotely on other entities'
facilities? Or what the other vulnerabilities might be?
Oh sure, it will be encrypted. Trust the encryption. Trust that the
implementation isn't flawed. Trust that there are no backdoors.
Hackers will go after the system en masse. Everyone from DHS to
local police to divorce lawyers -- warrants, court orders, and
secret PATRIOT actions in hand -- will demand access to the
centrally stored data, in many cases without notification to the
persons involved.
All neat and tidy, and all legal. There are other remote backup
systems already in use, of course. Similar risk sets essentially
exist with all of them. But IBM, by making this environment much
more widely available and used, will instantly become the target of
most interest.
--Lauren--
Lauren Weinstein
lauren@xxxxxxxx or lauren@xxxxxxxxxx or lauren@xxxxxxxx
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
- People For Internet Responsibility - http://www.pfir.org
Co-Founder, EEPI
- Electronic Entertainment Policy Initiative - http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com
- - -
>
>
> Begin forwarded message:
>
> From: Monty Solomon <monty@xxxxxxxxxx>
> Date: August 27, 2005 1:39:33 AM EDT
> To: undisclosed-recipient:;
> Subject: IBM to Continuously Protect Information Stored on Laptops
> and Servers; New Technology Delivers Real-Time, On Demand Data
> Protection
>
>
>
> IBM to Continuously Protect Information Stored on Laptops and
> Servers; New Technology Delivers Real-Time, On Demand Data
> Protection
> - Aug 26, 2005 06:00 AM (BusinessWire)
>
> ARMONK, N.Y.--(BUSINESS WIRE)--Aug. 26, 2005--IBM today announced
> new software that continuously protects information -- on laptops,
> desktop PCs and file servers -- from viruses, file corruption, or
> accidental deletion. The software, IBM Tivoli Continuous Data
> Protection for Files, is a "data safety net" that provides real-time
> back up for important information such as Word documents, MP3 files,
> digital photos, presentations, and spreadsheets containing sales and
> tax records.
>
>
> With people today more likely to be connected to a network through
> high-bandwidth wireless connections in coffee shops, parks and even
> entire cities, continuous backup of data is now practical. Previously,
> users have had to back up data through a scheduled backup session.
> With IBM's new software, it happens continuously with one simple
> package that can be installed on laptops, desktop PCs or enterprise
> file servers.
>
> ...
>
> - http://finance.lycos.com/home/news/story.asp?story=51392719
>
>
>
>
-------------------------------------
You are subscribed as mrn@xxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
-------------------------------------