Your cloud data was never secure, says Microsoft
August 29, 2011
Microsoft has attempted to dampen concerns about US Government access to Australian information hosted in American cloud computing facilities by claiming cooperation between governments would likely mean either country’s law enforcement branches could get access to data they wanted anyway — regardless of where it was hosted.
Over recent months, Australian cloud computing companies such as Macquarie Telecom-backed Ninefold have raised worries about legal jurisdictions with regard to cloud computing facilities. For example, in mid-July the company warned any datacentre set up by global rival Amazon Web Services in Australia would still be subject to US legislation, despite being located in a different jurisdiction. And earlier that same month, the company highlighted a case in the US which saw the FBI seize a number of servers at the US-based datacentre operated by DigitalOne, without informing customers hosted in the facility about the raid…
At the centre of the debate is the controversial Patriot Act, which was signed into law in 2001 under then-US President George W. Bush. The legislation was a response to the September 2001 terrorist attacks, and reduced restrictions on law enforcement agencies’ abilities to access information held by organisations in the US.
However, in a blog post published last week, Microsoft Australia director of legal & corporate affairs Jeff Bullwinkel appeared to attempt to clarify the debate for those not familiar with the legal niceties.
“When I’m talking to customers, they’re often concerned about the idea that the U.S. government might have the ability to gain access to data stored outside the United States when the data is held by a U.S.-headquartered provider of cloud services. For a number of reasons and for the vast majority of organisations, however, the true impact of the Patriot Act in this context is negligible,” the executive wrote.
Bullwinkel stated the Patriot Act was really a compilation of amendments to other pre-existing laws — which had often already given the US Government access to information held by organisations in the country anyway. “US courts have long held that a company with a presence in the United States is obligated to respond to a valid demand by the US government for information – regardless of the physical location of the information – so long as the company retains custody or control over the data,” wrote Bullwinkel.
The rub for Australian organisations, he added, was that our own Government — like many other Governments around the world — complied with most requests for information from external governments for law enforcement purposes anyway.
“… even when data is hosted by a major cloud services provider with absolutely zero presence in or contacts with the United States (an unlikely scenario, given the economies of scale involved in cloud computing) that information would generally still be accessible to the US government if needed in connection with a criminal case,” wrote Bullwinkel.
“That’s because Australia and the United States, like most countries around the world, cooperate closely in law enforcement matters. Under a longstanding bilateral mutual legal assistance treaty providing for law enforcement cooperation between Australia and the United States, either government can gain access to data located within the territory of the other.”
“Are there interesting and challenging policy and regulatory issues that arise in the context of cloud computing? Yes there are, and organisations transitioning to cloud-based technologies are wise to consider them. But it’s important to ensure that the discussion isn’t clouded by misunderstandings or confusion about the legal landscape.”
opinion/analysis
I’m not sure whether Bullwinkel’s comments are intended to reassure Australian organisations that it’s safe to host their data in Microsoft’s global cloud (which is served from datacentres in the US, as well as other countries such as Singapore and Hong Kong), or not.
In one sense, they would appear to be a useful, factual addition to the debate, and a useful counter to the somewhat fearful comments which Australian cloud computing providers like Ninefold have been injecting into the market. However, on the other hand, the arguments which Bullwinkel has outlined in his post, I would bet, would make many Australian organisations — particularly governments — even less likely to want to host their data in a global cloud computing facility with links to the US.
If cooperation between the Australian and US Governments on this issue is so well-established, even more reason to host your data in Australia, so the argument would go — at least you’re on your home turf and able to deal with your local law enforcement authorities, with your own local expert lawyers, if there’s a problem.
The fact remains, regardless of what the true legal situation on the ground is, that Australian organisations in a number of sensitive sectors — especially in the financial services and public sectors — remain highly reluctant to host their most sensitive data in the US, because of a perception that the country has gone too far in allowing its Government access to privately held data.
Microsoft needs to attack this perception, serve its customers’ needs and help them defend their rights if it is to make any headway in the ongoing debate on this issue. Simply pointing out that their data has always been accessible to shadowy foreign interests is not going to help its case at all.


