As reported by Barb Darrow, “A U.S. magistrate judge ruled that U.S. cloud vendors must fork over customer data even if that data resides in data centers outside the country.” This means more trouble for U.S. cloud providers that are eager to build businesses abroad. The ruling over search warrants does not instill trust in potential foreign customers.
“In his ruling, U.S. Magistrate Judge James Francis found that big ISPs — including name brands Microsoft and Google — must comply with valid warrants to turn over customer information, including emails, even if that material resides in data centers outside the U.S., according to several reports.”
Microsoft challenged such a warrant a few months back and this ruling was the response to that challenge. However, considering the patterns of the past decade, the ruling does not surprise me one bit.
So, here’s the deal: If your data resides with a US-based cloud provider, and somebody shows up with a court order, they will be compelled to give up your data. If you’re a company in France, let’s say, and you put your data in Google, Microsoft, AWS, or other US-based cloud providers, the same could be true for you even though your company not within US jurisdiction.
U.S vendors have tried to calm these concerns. Indeed, in January, Microsoft said customers could choose where their data is stored. The implication is that data stored in Microsoft’s offshore data centers are safe from U.S. search. In actuality, that’s not the case. Experts quickly pointed that U.S. firms can be compelled to turn over data that’s stored on U.S. soil, as well as data stored anywhere else in the world.
Many in the industry argue that if you’re not doing anything wrong, then why would you care about the remote chance that US authorities would come looking for your data? Many companies have trade secrets and other information to protect. Recent breaches of classified military information and the theft of millions of credit card holders’ identities hardly fosters a sense of security amongst the titans of industry. A warrant just opens the door to a potential breach a little wider. What’s more, I suspect that most US-based companies have something out of compliance, and would rather that information not be stumbled upon when a warrant allows an agency to search an employee’s e-mail for evidence pertaining to some other situation that may be entirely unassociated with the company.
Given that public clouds are all about sharing hardware resources, what if your customer data gets hauled off along with the data maintained by some criminal organization, just because it resides on the same physical server? I suppose you can second-guess this issue to death.
European and other offshore cloud providers already advertise that their clouds are US government-free. This arose mostly around the recent NSA data spying scandal that seems to be out of the news cycles now, but is still a concern for non-US businesses that want to leverage US-based cloud providers such as Google, AWS, and Microsoft.
I predict we’ll see the rise of something I call “safe clouds.” These will likely be offshore public clouds that are not beholden to US laws, and thus don’t have to comply with warrants to seize data. Think about a Swiss bank account for your data, where a value is placed on privacy.
While this may sound kind of shady, I don’t think it’s shady to want your data protected from searches by law enforcement that may or may not be justified. Also, if you’re a non US-based company, it’s not unreasonable to remove your data from risk of a legal breach from US agencies, especially if you’re not doing business in the US.
The reasons to use a safe cloud really depend upon your business, and the risk that data exposure could cause harm to your business in one way or another. If you are an illegal operation, then using any public cloud at all would seem stupid. So, I’m not too worried about that happening, and find arguments made by law enforcement agencies related to that scenario kind of silly. Not sure if bad guys worry about elasticity and cost efficiency when it comes to data management; they just purchase servers from Costco and call it a day.
The concept of a safe cloud is something we’ll see more of in the near future. I doubt they will be from mainstream cloud players, but they will meet a certain market need. Some companies will probably use both safe and non-safe clouds, with perhaps a 90/10 split, unsafe to safe. I won’t fault anyone for using safe clouds, and I’m not sure you should either.