The current headlong rush towards cloud services – outsourcing, in other words – leads to increasingly complex questions about what the service provider is doing with your data. In classical outsourcing, you’d usually be able to drive to the provider’s data centre and touch the disks and tapes holding your precious bytes (if you paid enough, anyway). In a service-oriented world, with global IT firms using data centres that follow the cheapest electricity, and sometimes themselves buying services from third parties, that becomes a much more difficult task.
A while ago, I was at a meeting where someone posed the question “What happens when the EU’s Safe Harbour Provisions meet the Patriot Act?”. The former is the loophole by which personal data (which normally cannot leave the EU) is allowed to be exported to data processors in third countries, provided they demonstrably meet standards equivalent to those imposed on data processors within the EU. The latter is a far-reaching piece of legislation granting US law enforcement agencies powers of interception and seizure of data. The consensus at the meeting was that, of course, the Patriot Act would win, and hence that Safe Harbour is of limited value. Incidentally, this neatly illustrates that information assurance is about far more than just some crypto (or even cloud) technology.
Today, ZDNet reports that the data doesn’t even have to leave the EU for it to be within the reach of the Patriot Act: Microsoft launched their ‘Office 365’ product, and admitted in answer to a question that data belonging to (relating to) someone in the EU, residing on Microsoft’s servers within the EU, would be surrendered by Microsoft – a US company – to US law enforcement upon a Patriot Act-compliant request. Surely, then, any multinational (at least, those with offices? headquarters? in the US) is in the same position. Where the subject of such a request includes personal information, that faces them with a potential tension: they either break US law or they break EU law. I suppose they just have to ask themselves which carries the stiffer penalties.
Now, is this a real problem or just a theoretical one? Is it a general problem with trusting the cloud, or a special case that need not delay us too long? On one level, it’s a fairly unique degree of legal conflict, from two pieces of legislation that were rather deliberately made to be high minded and far reaching in their own domains. But, in general, cloud-type activity is bound to raise jurisdictional conflicts: the data owner, the data processor, and the cloud service provider(s) may all be in different, or multiple, countries, and any particular legal remedy will be pursued in whichever country gives the best chance of success.
Can technology help with this? Not as much as we might wish, I think. The best we can hope for is an elaborate overlay of policy information and metadata, so that the data owner can make rational risk-based decisions about where data is held and who can reach it. But that’s a big, big piece of standards work, and making it comprehensible and usable will be challenging. And it looks like there could be at least a niche market for service providers who make a virtue of not being present in multiple jurisdictions. In terms of trusted computing, and deciding whether the service metadata is accurate, perhaps we will need a new root of trust for location…
‘…they either break US law or they break EU law.’
This needs to be more widely publicised.
In a further discussion on cloud computing security this morning, someone mentioned that if law enforcement decides to seize your provider’s servers—even for an offence perpetrated by another customer of the provider—you may lose access to YOUR data without warning and for a long time.
Replication is the solution: with $n$-seizure-tolerant fail-over, keep on computing even as law enforcement officers unrack machines in one data centre! Wonder if that business opportunity has been pitched to VCs yet.