Opinion: Data sovereignty raised in Microsoft’s selection of Revera
Microsoft’s recent selection of Revera as a cloud provider combines Revera’s private cloud and Microsoft’s public cloud offerings.
Revera general manager Robin Cockayne points out that the service is geared to organisations seeking a sovereign-safe cloud computing environment.
Data sovereignty and extraterritorial jurisdiction are important issues. All multinationals must comply with the laws of the countries in which they operate. That’s not contentious. However, some jurisdictions – notably the US – want to enforce their laws in other countries in which a company may operate; in other words, they claim extraterritorial jurisdiction.
In the past, courts around the world typically interpreted laws with the implied limitation that the law applied only within the territorial limit of the jurisdiction that passed it. There were some explicit exceptions to this, and some international treaties that provided for extraterritorial jurisdiction.
In more recent times, claims of extraterritorial jurisdiction have increasingly played a role in prosecuting alleged commercial crimes. This dates back to the “United States v Alcoa” case in 1945, where the “effects doctrine” was introduced. US courts declared that they could exercise jurisdiction over non-US nationals and their activities outside of the US if an economic effect was felt in the US.
The US Patriot Act greatly expands the ability of US courts to grant “sneak and peek” warrants, where search warrants can be granted for officials to search secretly without informing the person or organisation being searched. The Act specifically allows business records of innocent third parties to be searched to assist in investigations.
US courts are specifically enabled by the Patriot Act to issue warrants in secret and outside of their normal geographic jurisdiction. In some cases, agencies are able to “self certify” and basically rubber stamp warrants themselves.
US authorities thus have the ability to oblige US-based companies, including foreign companies with a US presence, to provide them with any business records to which they have access – including data they hold on behalf of customers – without telling the customer.
These records need not be held in the US and need not belong to a US organisation; if a US-domiciled company has access to them, it can be compelled to turn them over.
Consider a New Zealand company which has outsourced its IT functions to a US-based company. The NZ company has an employee “of interest” to the US authorities. On this basis, the US service provider might be obliged to hand over copies, say, of the NZ company’s emails without advising the NZ company.
Under the Patriot Act, data gathered for one purpose can now be handed over to other US agencies investigating other alleged offences, such as economic or commercial crimes. Audits by the US Inspector General have found that the FBI has frequently abused these powers to go on extensive “fishing trips” for purposes far removed from the original intent of the Patriot Act.
Multinational IT vendors acknowledge the issue. According to Microsoft: “Providers can be caught in the impossible position when governments impose conflicting legal obligations and assert competing claims of jurisdiction over user data held by these providers.
“Divergent rules on data privacy, data retention, law enforcement access to user data and other issues can lead to ambiguity and significant legal challenges.” (Source: Privacy in the Cloud Computing Era, a Microsoft Perspective, November 2009.)
In these circumstances, it makes sense to minimise exposure by limiting data held in offshore datacentres beyond the reach of New Zealand law.
The PATRIOT act is reasonably simple in its approach and if you read the latest press then there is a lot of FUD around storing data in the US. However, if you look at the EU alternative it is a lot more intrusive.
DIA, my understanding, is in the process of standing up their "Government Cloud" programme. It's all over town apparently.
There are a few issues they are going to have to deal with. For example, cloud comes in three flavours. Private, community, and public. Each has different pricing and service level implications, and risk.
There are a lot of questions. If they are going to build a government "app store" who will own it? Who will manage it?
Canada, US, Japan, Ireland, UK, and Australia are well down this path.
The bottom line is that the cloud is coming. This is as significant as the adoption of internet or proliferation of servers under the Windows Server 3.1 model. If the government doesn't manage it now, then it will be managed for them.
Do it to them before they do it to you.
Posted by Harold Finch at 19:07:18 on August 2, 2012
Posted by Anonymous at 14:15:38 on August 1, 2012
Comments like this do nothing but add to the confusion
Posted by Anonymous at 19:13:00 on August 1, 2012
Let me spell this out to avoid further confused and ill-conceived replies. If you are using "The Cloud" to store your personal/business data ensure that the cloud services provider you are using IS a New Zealand based company whose servers are WITHIN New Zealand boundaries. That will ensure your data is, as I stated in my initial post, under the auspices of New Zealand law.
The implication is clear - if your cloud services provider has your data on a server outside of the borders of New Zealand, you are NOT protected by New Zealand law. You may choose to ignore this; nevertheless, this is the REALITY of it.
One last thing, are you sure you understand the physical reality that exists behind the technical concept of "The cloud"?
Posted by Anonymous at 13:00:23 on August 2, 2012
If you abide by the law, there is little to worry about. And given the huge uptake in cloud services, I doubt this is a deal breaker for many companies. The people making the most noise, it seems, are those trying to protect their services in NZ, as they can no longer compete with the global players.
By the way, people have been using Gmail, Dropbox, etc etc for years with no issue.
I think you're making a much bigger issue of this than there really is.
Oh, and yes, I fully understand the physical reality of the cloud.
Posted by Anonymous at 13:20:41 on August 2, 2012
Again I ask, what are the real risks in having your data in different sovereignty as long as you understand the laws? (Any company working internationally has to deal with them all the time.)
And is data sovereignty a bigger issue than data security/integrity?
Looking forward to someone explaining the real risks (and likelihood).
Posted by John Holley at 14:49:10 on August 1, 2012
This is a classic example of not understanding business risks. Is your data more at risk from the US Govt or from hackers? There is almost a knee-jerk reaction here against the USA.
Where is the real analysis of the risks NZ businesses face in securing and protecting their data and IP?
What I am seeing is a lot of FUD by organisations with large data centres in country, which are normally at least twice to three times the cost of environments like Amazon's EC2.
If Govt legislation means you are required to keep your data in NZ then that is clear. But to use the Patriot Act as a justification for the need to pay for expensive local services is a self-serving agenda by data centre providers and is short of real analysis of the risks businesses face.
Posted by John Holley at 8:50:29 on August 1, 2012
The market will choose its uptake of each respective cloud and at an appropriate price point. EC2 delivers a less rich offering - at an appropriate price.
Randal hasn't spun any FUD here and neither any provider. I see this piece as a "state of play" piece and highlights there are still grey areas to be wary of.
Posted by Robin Cockayne at 15:50:03 on August 1, 2012
The definition of safe is moot and generally ill-founded. If an organisation has robust IPS/IDS in place along with dedicated security staff (internal or out-sourced) then it is a different conversation.
To focus on sovereignty issues, which are of very low likelihood, compared to security threats which are real and present, does a disservice to companies and gives the wrong message to boards.
If data sovereignty is a legal requirement then the discussion is quite different. But to raise the spectre of data sovereignty issues as a reason to pay a significant delta to have data in NZ is scaremongering and not backed up by any real world evidence. (Possibly the worst abuse of denial of access to data occurred under NZ law - so what protection do we have in NZ?)
Data breaches though are a real and present threat that any Internet connected organisation faces. If budgets are constrained (and whose isn't) then shouldn't security be higher on the agenda than sovereignty? If I can securely host data in the cloud along with robust IDS/IPS solutions for the same cost as *just* hosting the data in NZ, which is better from managing risk in a business?
Posted by John Holley at 19:56:33 on August 1, 2012
Posted by Anonymous at 14:35:57 on August 5, 2012