Clarity in the Cloud

The adoption of Cloud services worldwide has continued to accelerate at an incredible pace, for many reasons. For almost all industries, the Cloud changes how people work, where people work, and the ways people do business. However, like any tool, technology can be abused and when that happens, trust is undermined.

In June 2013, Edward Snowden, a then 29-year-old contractor hired out to the U.S. National Security Agency (“NSA”), revealed to the world that it’s not always clear what governments are doing with our personal information. Snowden’s disclosures around a U.S. government surveillance program called “PRISM” undermined the public’s trust in technology and called into question the role that technology companies may have played in facilitating the bulk collection of data — outside of established legal process –— to support the NSA’s widespread surveillance program.

It is not uncommon for Canadian enterprises considering a move to the Cloud to cite PRISM, or the USA PATRIOT Act (the “Patriot Act”), as an obstacle. Many of these concerns stem from media reports that these programs broaden and expand the U.S. government’s ability to access data held by U.S.-based Cloud service providers (“CSPs”). Regardless of the accuracy of these reports, customers justifiably want clear commitments from their Cloud service provider on how their data will be handled.

CSPs who wish to be successful must recognize the concerns their customers have around government access to data and must share the responsibility for protecting their customers’ data. Customers need clarity around where data is stored and what happens when a local or foreign government requests access to that data.
 
Customers should look for a CSP that takes this issue seriously, is transparent, and shares its customers’ concerns around government access.

When evaluating CSPs, ask yourself the following questions when it comes to the issue of foreign government demands:
•     Will the CSP redirect orders seeking customer information to the customer?
•     Will the CSP commit to not granting direct or unfettered access to customer data and does it commit to only releasing specific data mandated by a valid legal demand?
•     When law enforcement agencies or governments from any jurisdiction request that the CSP provide customer data, will the CSP insist that they do so in accordance with the applicable legal process? Usually that means serving some form of court order on the CSP.
•     Will the CSP invest in legal resources to ensure that legal process has been followed?

In those very rare instances where a CSP must comply with an order to produce enterprise customer data, it is critical that the CSP does so only in accordance with the request and promptly notifies the customer, unless legally prohibited from doing so. Every enterprise customer of Cloud services should be looking for this contractual commitment.

Snowden’s disclosures shed light on one of the most controversial provisions of the Patriot Act concerning the “bulk collection” of communications originating, terminating or transiting the United States. The bulk collection provisions have since been removed by the passing of the USA Freedom Act of 2015. Once in effect, orders for disclosure of data must be targeted to individuals suspected of involvement in or the planning of an offence. Bulk collection will soon no longer be permitted, so any request made by the U.S. government would amount to data about an individual or group of individuals, not an entire population.

Nevertheless, you have a right to know how your data will be handled. At the end of the day, you own your data, not the CSP, and you should retain control of it.
 
Cory Freed is senior corporate counsel with Microsoft Canada (www.microsoft.ca).