Musing:Cloud Data, Ownership and Government Sponsored Data Theft

I’m musing on the risk of government sponsored theft of data.

For example, Amazon is a US-registered company that is subject to, and benefits from, the laws of the US government. If a US-Company, such as Amazon, is hosting data in, say, Ireland and the US government demands access to that data via the courts following due legal process, is Amazon required to provide that data to the US Government ?

In one sense, the data is domiciled physically in the Irish jurisdiction and subject to Irish and EU law. On the other hand, Amazon is the legal owner of the systems and resources and the US courts have consistently ruled that the law allows the US government to take control of people and assets in foreign countries provided that some sort of link to ownership can be made in a court. (And candidates in the current US presidential campaign have been very robust in asserting offshore control via the Patriot and SOPA acts.)

I can’t find any freely available data on this issue, and wonder if anyone else has seen similar problems.

I’ve had discussions with a major financial company who would like to use Google to host their email using gmail, but the data location (or lack of certainty) appears to breach fiduciary guidelines for data control. Therefore Google cannot be considered. More importantly, it’s possible that because Google is subject to US laws, it might be requested to deliver information to the US government in a financial investigation, but the very act of doing so would also breach the laws of the originating jurisdiction in the European Union.

Note that this problem would equally apply to any government, or even via bilateral treaties, or by law enforcement treaties such as Interpol

Deep dark and murky waters these ones. Does anyone have answers ?

  • christalsness

    I would love to hear input on this from some law experts.  Might make a good Packet Pushers episode.

    • Anonymous

      I second that. I would love to hear a packet pushers show about this topic. It seems as though the answer would change depending on who you ask.

  • DF
  • Juan Lage

    Very good questions. I think it’s the elephant in the room when talking about cloud. And if you think about it, the concern (about one country’s legislation impacting the access of data of citizens in other countries) goes beyond the cloud, and also impacts personal computing, only in the latter it is far less obvious to the common user.

  • Romans Fomicevs

    This Q has been raised some time ago already and was even discussed at techEd 2010 in Europe. The state of business is that if the company’s origin is US, then data located in Ireland can be easily requested by US government. Reportedly EU is not happy with this state of things and is making some moves to protect EU companies. So if datacenter is within EU, then EU has to give permission to access data. there are many links on this issue online: 

  • Ryan Malayter

    If any of these issues are of real concern, you need to host your data and applications yourself, on infrastructure that you control fully, in familiar jurisdictions which meet your needs and obligations. Trying to track the ever-changing legal landscape in hundreds of countries and changing your infrastructure each time the wind blows a different direction is a losing battle, and will only make the lawyers rich.

    This is the biggest stumbling block I see with “blah blah cloud” and the enterprise,
    especially in regulated industries like finance, defense, and healthcare. I’ve seen financial services customers walk away from SaaS deals on the grounds that their data would be on servers in a third-party co-location facility, not owned by the SaaS provider. Even though that colo provider was everything you’d want: based in the same country, financially stable, reputable, SAS-70, armed guard, man-traps, razor-wire, and sharks with laser beams. Some enterprises customers simply can’t take the risk of involving a third-party that is not directly bound to *them* contractually, no matter how perfect the SaaS solution or how great the colo. 

    Can you imagine being a SaaS provider, and all you can tell prospective enterprise customers is that their data is “stored somewhere in Google’s App Engine, somewhere in the world? Oh, and *our* agreements with Google don’t have any teeth at all.”

    Even encrypted storage and pervasive use of IPsec between components on cloud infrastructure can’t solve these issues yet. There is a bootstrapping problem for key material, and data in RAM is basically exposed (at least to the cloud provider). The cloud may be good for Foursquare and Digg, and maybe even non-financial business apps like Salesforce. But it’s not yet ready for anything that involves real dollars or real security.

  • HMRCisSh*te

    Some governments already have some form in this matter:

    In the UK Tax courts follow this rule from The Tribunal Procedure (First-tier Tribunal) (Tax Chamber) Rules 2009:
    “The Tribunal may admit evidence whether or not the evidence would be admissible in a civil trial in the United Kingdom”

  • Alex White-Robinson

    I don’t host any information I consider private (personally) or private (corporately) on anything American-owned anymore. However, I don’t see why those services can’t be used if everything is encrypted before being uploaded – Cloud storage is fine if everything is uploaded as encrypted archives as an example.

    This philosophy of encrypting everything vulnerable can (and should!) be applied to everything, not just when using American services. The American ones are much less secure due to American laws that allow the government access to your data, therefore the minimum amount of caution with your data is much higher for those services.

    Note that in Norway it is now illegal for councils to use gmail and google apps because of the lack of data security.