AWS Finally Releases Data Documenting Government Surveillance Efforts

Amazon Web Services, the industry-dominating public cloud that hosts far more virtual machines than any other provider in the world, has not been in cahoots with a controversial NSA surveillance program and routinely contests the federal government's attempts to spy on its customers, according to the company's first public disclosure on the subject.

The secretive cloud provider on Monday, for the first time ever, released an Information Request Report -- a biannual document revealing how often authorities have come asking for customer data, and how frequently the company complies.

Amazon is the last of the notable Internet giants to provide the public with such statistics. Even the initially hesitant telcos have been issuing biannual reports enumerating surveillance requests.

[Related: Solution Providers: New NSA Controls Fall Short Of Restoring Trust In Cloud Services]

Steve Schmidt, Amazon's chief information security officer, presented the surveillance stats with an accompanying blog post in which he explained the cloud provider's broad policies on dealing with government requests to peak at data belonging to its customers, who "care deeply about privacy and data security."

"Amazon does not disclose customer information unless we’re required to do so to comply with a legally valid and binding order," Schmidt wrote.

Schmidt asserted AWS never participated in PRISM, the clandestine NSA program that directly culled troves of data from at least nine major Internet companies. PRISM was one of the bombshells disclosed by NSA-contractor-turned-whistleblower Edward Snowden.

From the start of this calendar year through May, AWS received 813 subpoenas from the U.S. government seeking access to customer accounts. In those five months, the Seattle-based cloud provider fully complied with 542 of those court orders, submitted partial information in response to 126 and didn't respond at all to 145.

Through the same period, Amazon received 25 search warrants from federal authorities and turned over all the data sought by about half of them, partially fulfilled eight others and withheld information requested by four of the warrants.

AWS fully responded to only four out of 13 court orders that weren't subpoenas or warrants, while refusing to turn over any data related to four of those.

Foreign governments were more successful with their solicitations to Amazon. Of the 132 non-U.S. requests fielded by the cloud provider, more than 80 percent yielded complete data disclosures, while just 13 percent hit a dead end. Amazon also complied with the only request it received during the five months under review to actually remove a user's data from its servers.

Schmidt said Amazon's policy is to notify customers before disclosing any of their information. The only time the company won't do that is when there's a legal prohibition or clear signs that the service is being used for criminal purposes.

Still, the company is no pushover and typically flexes its legal muscles to ensure governments adhere to legal boundaries, according to Schmidt.

"We have repeatedly challenged government subpoenas for customer information that we believed were overbroad," Schmidt said.

Those challenges have resulted in court rulings that "have helped to set the legal standards for protecting customer speech and privacy interests," he said.

Amazon has also lobbied Congress to modernize "outdated privacy laws." The company believes law enforcement agencies must be obligated to obtain search warrants from courts before they can go after the communications of customers.

Amazon recognizes "the legitimate needs of law enforcement agencies to investigate criminal and terrorist activity, and cooperate with them when they observe legal safeguards for conducting such investigations," Schmidt said. But the company opposes laws that either mandate or prohibit specific technologies that make customers more vulnerable to intrusion.

AWS users have the option of using security features available on the platform, including managing their own encryption keys, Schmidt noted.

While Amazon's position might represent a principled stand against government surveillance, it's also good business, according to one AWS partner.

"In our experience, one of the top questions that any corporation or individual has when moving their data to the cloud is, is my data safe?" said Aater Suleman, CEO of Flux7, an AWS partner based in Austin, Texas.

While there are many ways to define safety in the online world, the three most common concerns of his customers, Suleman said, are hackers breaking in, the cloud vendor accessing their data and the vendor sharing their data with a third party.

Vendors make tools available to secure their environments from cybercriminals, and their contracts typically stipulate that they will not access data themselves. As far as that third concern, protecting cloud customers from any third-party exposure -- and the NSA should be in this category -- should be a priority for any cloud provider.

"It will increase people's confidence in the public cloud and eliminate what can be a no-go for some customers," Suleman told CRN.

PUBLISHED JUNE 15, 2015