4 Comments

Who can legally get to your data in the cloud

Last weekend I went to a fantastic event, SharePoint Saturday, which was the first time the UK SharePoint community had gotten together on a Saturday in the UK.  It was brilliant, well organised, the speakers rocked the content rocked.  There will be more on how great the event was soon.  This post isn’t about that, not directly.  One of the presenters* said something along the lines “if you put your data in the cloud it will be subject to the Patriot Act, [which is a US law]”.  That’s not verbatim but it’s close.  I announced that he was wrong…

So which one of us right or wrong?  Neither of us.

Just like the picture, it doesn’t work well in black and white.

I took away a public action to find out what the deal was, if you use cloud services can the US government get access to it?

The frame for the picture

Most countries have wide-ranging powers for law enforcement agencies to obtain intelligence for criminal investigatory and anti-terrorist purposes. The UK certainly does. There are wide powers to obtain data for national security reasons and the prevention and detection of crime. The Regulation of Investigatory Powers Act 2000 is one such UK law. The Patriot Act is the US equivalent.

What does this Patriot Act do?

Basically, it’s intended as an anti-terror law to allow the US Federal Government to respond rapidly to a threat using legal means. The effect of it would be that in some circumstances the US authorities may be able to obtain data belonging to a UK cloud customer residing in a data center of a US cloud provider. However, the Patriot Act is neither the saviour nor demon it has been portrayed to be. Rather, it is a collection of amendments to existing laws that seek to enhance public safety. In certain instances, law enforcement’s tasks are made easier and communications data is more readily accessible.

Who can legally get to your data in the cloud

So, can the U.S. government demand access to my information hosted on a cloud provider’s servers?

Any company with a presence in the U.S. is obligated to respond to a valid demand for information from the U.S. government – regardless of the location of that information.  That is not to say that the U.S. government has unfettered access to customer information as it still must follow the tough legal standards set out in the Electronic Communications Privacy Act and others laws relating to its access to electronic information before it can gain access. This obligation to comply with subpoenas or court orders from the U.S. government applies equally to Microsoft, its competitors in the U.S. and any foreign corporation with a sufficient presence in the U.S.

Microsoft is sensitive to the fact that companies want to control the parties to whom their information is disclosed and believes that its customers should control their own information. Accordingly, if law enforcement approaches Microsoft directly for information hosted on its systems for its enterprise customers, Microsoft will unless prohibited by law redirect law enforcement to the customer.

Microsoft will only provide customer records where it is legally required to do so and will limit the production to only that information which it is required to disclose.

In the event that Microsoft received what it believed to be an unlawful or otherwise invalid request for data from the U.S. government, U.S. law provides mechanisms for a provider to challenge a subpoena, court order, or search warrant. If necessary, Microsoft’s legal compliance lawyers will directly contact the requesting law enforcement agency to explain the issue and seek a resolution that adequately addresses Microsoft’s concerns.

Obviously if law enforcement want access to your data locally they can always get it by obtaining a warrant or subpoena to legally gain access.  A fairly crude analogy to this would be that when you host your data on your own property and on your own servers the doors could be bashed in for law enforcement to access your data, if Microsoft holds your data in our data center then law enforcement have to knock on Microsoft’s door first, we then ensure that they only get access to what they have a legal right to access.

This sounds overly complicated, what’s going on to fix this situation?

Our industry as a whole recognises these challenges and is lobbying governments to deliver clarity. A balance needs to be struck between protecting users’ data whilst enabling law enforcement to have the tools they need.   One of the things I love about technology is the speed of development and in this case it totally outpaces the law which is a problem but one that will eventually be resolved – eventually we’ll get to full colour and HD, right now we have grey scale.  That leads to the idea of risk.

So what should I do and what’s the risk?

The issues should always be understood in relation to the overall business opportunity The UK data protection regulator, the Information Commissioner’s Office, has specifically referred to a customer taking the Patriot Act into account in its necessary due diligence as part of any outsourcing. Needless to say, this does not mean that a US cloud provider should not be used. In many and perhaps most circumstances, there will be no real problem. Greater care will be needed perhaps when the data is particularly sensitive.

What if I want my data back, does Microsoft own it.

You own it, it’s yours not ours, we aren’t even allowed to access it.  Your data always remains your data Microsoft absolutely don’t have any claim to it and as we say in the contract you will always have access to your data through the normal feature-set of the service.  That means you can migrate your data away from our offerings again if you wish.  (I’m pretty confident you won’t and if you do I’d love to know why).

I’m still freaked that the US Government could get to my data

Many people wonder what the U.S. government can do with data it receives through these laws and legal procedures. U.S. privacy protections ensure that evidence obtained through investigative means can only be used for official purposes and generally cannot be used for purposes beyond the scope of the investigation. So if industrial espionage is where your mind is taking you need to remember that the risks are very low for you and the price is very high for the other person.

It’s worth noting that the U.S. does not share with U.S. businesses any data it collects through investigations. In fact, there are criminal and civil penalties for such unlawful disclosures.

In truth, the U.S has a very mature and detailed legal regime for restricting government access to data. Privacy protections begin with the U.S. Constitution and extend to federal and state laws protecting health care and financial records, electronic communications, and other kinds of information. Unfortunately, such things as the debate over the Patriot Act have had a negative effect on perceptions of data privacy and data security in the U.S.

Who can legally get to your data in the cloud

Summary

To get to the full colour HD version of the truth about the issues of data security around cloud you need to understand the issues specific to your situation. Microsoft’s cloud offerings may very well provide you with far more cost effective options than you use for on premise solutions, but equally on premise solutions have their place. Change is a constant in this industry and being well armed to understand the complexity like this is now part of an IT Professionals role, you don’t always need to know the answers but you need to be able to ask the right questions, such as “what’s my data being used for and by whom” and to help make informed choices based on the answers.

As I was investigating this I came across another term that’s specific to people within the EU, “Safe Harbour”, which is actually not related to the Patriot Act but I think it’s worthy of a post in the future.

Try BPOS or Azure with a trial account to determine if it fits your business’s needs.

    • Anonymous says:

      No, but Microsoft is legally required to inform you (ie.g. t’s in the Online Services contract) as long as they have not been compelled not to by the subpeona or warrant that’s been produced.

      The law applies to any other cloud provider as it does to Microsoft. Microsofts online services contract is obviously unique to the offering…others may not provide the same comfort level.

      ….also great post Matt

      • Matt Groves says:

        All true, it isn’t just MS/MSO… And you’re spot-on there, MS do go further to protect privacy than other providers…
        I have no idea (and I doubt stats will be available) on how many subpoenas (closed or otherwise) that MS/MSO get issued with. I would imagine that they would fall into the “in the interests of national security” category, so unless your business involves the sale of depleted Uranium you’re probably not too high on the ‘feds list ;)

      • Mark Wilson says:

        Correction: The law applies to any other *US-based* cloud provider.

        Critically, as I understand it (and note I’m not a lawyer), if the Patriot Act is invoked to move data outside the EU for a customer with a presence inside the EU, that could incriminate the IT Director from that EU organisation.

        As for Safe Harbor, isn’t that just a guideline, so Patriot Act (law) trumps any safe harbor considerations?

        The real issue here is that cloud services do not live within one jurisdiction. What’s lacking right now though is some clarity as to what the legal impact is for hosting data with Microsoft (or any other cloud provider) who is legally subject to laws such as the US Patriot Act (I’m sure there are others elsewhere too).

Leave a Reply