The Shadow research

Two steampunk scenes, divided by a jagged rip in reality. Left: A smiling cloud provider executive in ornate Victorian attire shakes hands with a trusting merchant client, bathed in bright, warm, promotional lighting; brochures display bold text: "SECURITY" "PROTECTION" "TRUST." Right: Through the rip, the same executive, in cold blue lighting, hands shimmering crystal balls of client data to shadowy figures bearing hidden guild insignias.

Research brief, The Morporkian Civil Liberties Union (MCLU)

A cloud provider in Ankh-Morpork is suspected of operating surveillance capabilities beyond its public mandate, using technology supplied by a third party in exchange for the data it collects. The clients have no knowledge of this arrangement.

Those clients handed their infrastructure to a provider they trusted absolutely. They got security hardening, container scanning, and incident response exercises. What they did not get was disclosure that their provider was running tools across their systems and feeding the results elsewhere.

The chem does not lie. It says “protect the city’s financial infrastructure.” It does not say whose interests are being protected when those two things diverge.

  • What is the scope of the data flowing out, and what are clients actually funding?

  • When the arrangement becomes known, who is liable: the provider that followed instructions precisely, the party that authorised nothing in writing, or the clients that accepted terms they did not read?

Preliminary findings. Further documentation in progress.

Submit Evidence (Anonymously, We Strongly Suggest)