> "Surely Amazon has a Chinese wall" to prevent that kind of data sharing, I thought. Never underestimate the lack of morals in business is the right answer I guess.
It’s remarkable to me how many competent programmers with years or decades of experience in this industry don’t understand this: if you’re using AWS, Amazon has access to ALL of the data you put on AWS.
It's not that they 'can' or 'want to'; given the current state of technology, they absolutely have to have access to all your data for AWS to function.
There isn’t currently a feasible technical way to work around this. And to head off all the ‘but FHE’ comments, see the ‘currently feasible’ above.
I'm not talking about not having any access in the technical sense. I'm talking about a "Chinese wall" whereby people who work for AWS supporting customers should absolutely not be able to inform any of the teams that build new Amazon services. These types of Chinese walls exist in many different industries, perhaps most famously finance, and when these walls have been "breached" in the past it has resulted in huge scandals.
I think your understanding is true; unless the claimant elaborates on what that data is and how his team got it, I do not understand how it would have worked.
Access records for public services have a very detailed IAM audit trail that logs who accessed what at what time, and service teams don't get to just jump around that. Maybe they can see some metadata, but certainly not actual data in an S3 bucket somewhere.
I think enclaves are a more practical near-term solution for data privacy, but they don't prevent Amazon from identifying successful businesses based on e.g. resource usage growth.
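As an added illustration of the enclave approach mentioned above (this is not from any commenter, and not AWS's own sample): with AWS Nitro Enclaves, a KMS key policy can restrict `kms:Decrypt` to requests that carry an attestation document from a specific signed enclave image, using the real condition key `kms:RecipientAttestation:ImageSha384`. The account ID, role name and image hash below are placeholders chosen for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDecryptOnlyFromAttestedEnclaveImage",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/example-enclave-parent-role"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:RecipientAttestation:ImageSha384": "<sha384 of the signed example enclave image file>"
        }
      }
    }
  ]
}
```

With this condition in place, a plain `Decrypt` call from the parent instance (no attestation document) fails, because a missing condition key evaluates to false; only a request originating inside an enclave whose measured image hash matches is allowed, and KMS returns the plaintext encrypted to the enclave's ephemeral public key. A real policy also needs a separate statement granting key administration, or the key becomes unmanageable. The caveat that matters for this thread: the trust does not disappear, it moves to the Nitro hardware, hypervisor and attestation chain that AWS operates, and resource-usage metadata remains visible to the provider either way.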
I don’t think the ‘enclaves’ concept addresses the root of the issue I was getting at, which is for there to be useful computation done on the data it must be unencrypted.
Even with ‘enclaves’, from what admittedly little I know about them, you still have to have the key to decrypt things on the machine somewhere, which means whoever is running that machine for you has access to your unencrypted data, and we’re back where we started.