Following a report commissioned by Microsoft that found that data security concerns are still an inhibitor to adoption for some UK-based SMEs, and last week’s Edward Snowden and PRISM controversy, Frank Jennings, the Cloud Innovation Network’s advisor and expert in cloud-related legal advice, provides useful guidance on a range of data security and data sovereignty issues.
By Frank Jennings, Cloud Lawyer, DMH Stallard LLP
According to some, the Patriot Act is a good reason to avoid cloud computing altogether. Others say that the draft EU data protection regulation is the Commission’s defence against the Patriot Act. Others say it is a good reason to avoid using a US provider. Certainly, there is a lot said about the Patriot Act but not all of it is accurate. Here is our myth buster.
1) The Patriot Act is anti European
No. The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001, to use its full title, was passed following the tragic events of 9/11. It consolidated existing anti-terrorism laws and has wide surveillance and seizure powers, some without the need for a court order. However, it applies to US cloud providers just as much as European providers. There’s also the lesser-known Foreign Intelligence Surveillance Act Amendment Act, which allows surveillance of activities which are unlawful or which are potentially against US interests, such as activist, protest or political groups.
2) If I store my data in a US data centre the FBI will access my data
Certainly the FBI could get access to your data but that doesn’t mean they will. Businesses should not worry unnecessarily. The US government is unlikely to want to get access to the data of the average business and will more likely target those engaging in activities which are unlawful or which are potentially against US interests.
3) If I store my data in the UK, the FBI can’t access it
No. In June 2011 the managing director of Microsoft UK admitted that the Patriot Act applies to them because they are a US-headquartered business. So, even if you use a UK provider and store your data in Germany, if you have a US provider anywhere in your cloud supply chain which handles your data, the Patriot Act could still affect you.
4) If I avoid US providers, no one will see my data
It’s important to remember that each government has its own anti-terrorism and surveillance legislation – the UK government is no exception with its Regulation of Investigatory Powers Act (with the appropriate acronym RIPA). Powers under RIPA have been used widely and not just for surveillance in the cloud sector. Councils have used it to tackle dog fouling and to take sound recordings of noisy children. So each government can get access to data within its jurisdiction.
5) The UK won’t hand my data over to the FBI
Yes it will. Many countries – including the US and UK – have signed treaties and have in place processes to pass data – your data – to each other upon request. To keep your data safe from the UK government or the FBI, you would probably have to store your data in Iran or North Korea. Good luck with that.
6) The draft EU Data Protection Regulation will stop the Patriot Act
It’s true the new regulation will increase the level of protection of personal data – and is intended to apply to data about EU citizens held outside the EU. This is making US companies uneasy and there is a lot of lobbying going on to water this down. Even the UK information commissioner is not happy with the regulation. But don’t forget, there are two key limitations here. First, the regulation – in whatever its final form – will protect only data about individuals, not all information. Second, it includes exemptions for national security, just as the current law does.
7) If governments can get my data wherever I am, I should stay out of cloud
While it’s true that staying out of cloud will make it more difficult for governments to get access to your data, storing it on-premise is not necessarily the answer either. If you are the kind of organisation that the UK government, the FBI and other organisations want to investigate, then maybe you should stay out of cloud. If you are unlikely to attract the attention of law enforcement agencies, then why forgo the benefits of cloud because of a misplaced fear that they will come after you? At least evaluate whether private cloud or hybrid cloud could work for you.
8) I’m not in cloud. I’m secure
Cloud providers place data security at the heart of their operation. If you stay with an on-premise solution, make sure you address data security – don’t assume that your security is adequate. Also, make sure your staff aren’t using their own devices for business purposes. Even if you don’t support BYOD, can you be sure that your staff aren’t using their own iPads or Android devices for business? And you’d better check whether they use Salesforce, Dropbox, Gmail and all those other excellent cloud tools.
What can you do to avoid scrutiny?
There are a number of steps you can take:
· Assess whether your business model or the data you collect is likely to attract the attention of UK and US governmental agencies
· Evaluate your data and identify the really important information
· Consider hybrid cloud where you keep your key data on premise and run everything else through public cloud
· Consider private cloud where your data is held by someone you can investigate and trust
· Consider encryption or tokenisation to protect your data
· Check whether staff are using their own devices or public cloud accounts
I agree that data security concerns are important: I’ve co-authored two reports on this subject and have co-authored a cloud contracts best practice whitepaper which addresses data concerns.
Please contact Diarra (Programme Manager for the Cloud Innovation Network) on 44 (0) 207 831 0076 or firstname.lastname@example.org if you wish access to the reports or whitepaper.