NSA Revelations Inciting Cloud Services Angst, Says LastPass CEO

Siegrist issued a public response this week to the concerns his firm received from users of its password management software. Both consumers and business executives, who fear their encrypted password vault could be easily decoded or bypassed by a hidden backdoor, expressed concerns. In an interview with CRN, Siegrist said he understands the growing distrust of technology firms following the U.S. National Security Agency surveillance program revelations, but he fears that the distrust can turn into cynicism.

"They're worried that there is some kind of collusion going on and a vast conspiracy that they think we're part of, and that is just not the case," Siegrist said. "We've seen these concerns shared through our support channels, and I've been trying to be up and open about it."

[Related: 10 Ways NSA Surveillance Revelations Could Impact The Channel ]

Siegrist published a post on the company blog addressing the customer concerns over the NSA surveillance program. LastPass has not introduced a backdoor into its software and would fight a request to do so, Siegrist said. LastPass also does not maintain the keys to decrypted data, making it impossible for the company to give them to authorities, he said. "We're in a better place because we don't have access to our customers' data," Siegrist told CRN. "Our services never see or touch the key in any way, shape or form, so we could never be asked to hand that key over."

Some of the latest leaks about weakened or broken encryption algorithms may be difficult for some people to understand, Siegrist said. The latest documents obtained by former NSA contractor Edward Snowden and published by The Guardian show the NSA has spent more than $250 million to decipher or bypass some Internet encryption technologies, including collaboration with technology companies and Internet service providers, to establish backdoor access to view traffic encrypted using some private encryption programs. Evidence also exists that Microsoft worked with the intelligence community on a Windows backdoor. Microsoft has said publicly that it complies with lawful demands but does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any other Microsoft product. Security experts say properly implemented strong encryption still works. They say open source encryption programs may be the answer.

"It gives me pause to think about why a business would be compelled to weaken their product and what was to be gained," Siegrist said. "I think you will see more businesses react because they want to set themselves up in a way where it isn't easy to hand over data you have sitting on your servers."

Siegrist said he commends the actions of two secure email providers that shut down their operations citing concern over government intrusion. Lavabit, which was reportedly used by NSA whistleblower Edward Snowden to leak the classified documents, ceased its operations. Silent Circle shut down the secure email component of its encrypted mobile communication platform. "The very nature of how email and those secure services work you couldn't guarantee that the provider never has access to it, so it is really based on trust," Siegrist said.

Security expert Michael Sutton, who serves as vice president of security research at cloud-based security vendor zScaler, said the leaked NSA documents have been valuable to shed light on a surveillance program that had limited oversight, but the details have resulted in a lot of speculation.

"I'm not surprised that the NSA is doing everything in their power to view and mine as much traffic as possible," Sutton said. "They've gone outside of their bounds and would have continued to do so if not called out by those leaked documents."

PUBLISHED SEPT. 13, 2013