Opinion: Data sovereignty raised in Microsoft's selection of Revera

As some jurisdictions want to enforce their laws in other countries, it makes sense to limit the data held in offshore datacentres, argues Randal Jackson

Microsoft’s recent selection of Revera as a cloud provider combines Revera’s private cloud and Microsoft’s public cloud offerings.

Revera general manager Robin Cockayne points out that the service is geared to organisations seeking a sovereign-safe cloud computing environment.

Data sovereignty and extraterritorial jurisdiction are important issues. All multinationals must comply with the laws of the countries in which they operate. That’s not contentious. However, some jurisdictions – notably the US – want to enforce their laws in other countries in which a company may operate, or extraterritorial jurisdiction in other words.

In the past, courts around the world typically interpreted laws with the implied limitation that the law applied only within the territorial limit of the jurisdiction that passed it. There were some explicit exceptions to this, and some international treaties that provided for extraterritorial jurisdiction.

In more recent times, claims of extraterritorial jurisdiction have increasingly played a role in prosecuting alleged commercial crimes. This dates back to the “United States v Alcoa” case in 1945, where the “effects doctrine” was introduced. US courts declared that they could exercise jurisdiction over non-US nationals and their activities outside of the US if an economic effect was felt in the US.

The US Patriot Act greatly expands the ability of US courts to grant “sneak and peak” warrants, where search warrants can be granted for officials to search secretly without informing the person or organisation being searched. The Act specifically allows business records of innocent third parties to be searched to assist in investigations.

US courts are specifically enabled by the Patriot Act to issue warrants in secret and outside of their normal geographic jurisdiction. In some cases, agencies are able to “self certify” and basically rubber stamp warrants themselves.

US authorities thus have the ability to oblige US-based companies, including foreign companies with a US presence, to provide them with any business records to which they have access – including data they hold on behalf of customers – without telling the customer.

These records need not be held in the US and need not belong to a US organisation; if a US-domiciled company has access to them, it can be compelled to turn them over.

Consider a New Zealand company which has outsourced its IT functions to a US-based company. The NZ company has an employee “of interest” to the US authorities. On this basis, the US service provider might be obliged to hand over copies, say, of the NZ company’s emails without advising the NZ company.

Under the Patriot Act, data gathered for one purpose can now be handed over to other US agencies investigating other alleged offences, such as economic or commercial crimes. Audits by the US Inspector General have found that the FBI has frequently abused these powers to go on extensive “fishing trips” for purposes far removed from the original intent of the Patriot Act.

Multinational IT vendors acknowledge the issue. According to Microsoft: “Providers can be caught in the impossible position when governments impose conflicting legal obligations and asset competing claims of jurisdiction over user data held by these providers.

“Divergent rules on data privacy, data retention, law enforcement access to user data and other issues can lead to ambiguity and significant legal challenges.” (Source: Privacy in the Cloud Computing Era, a Microsoft Perspective, November 2009.)

In these circumstances, it makes sense to minimise exposure by limiting data held in offshore datacentres beyond the reach of New Zealand law.

12 Comments

henareho

1

I agree with your comments here Randall.

However, while Revera is a locally owned and located company doesn't the fact that Microsoft who is a US-domiciled company mean that the aforementioned Patriot Act and other applies to them as well?

Anonymous

2

Its in upper case "US PATRIOT Act" - Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act of 2001

Anonymous

3

Great stuff on why companies and organisations in New Zealand should stay away from Cloud services provided by offshore providers such as being offered by Microsoft's Cloud. But it's not clear to me how Revera offering that service on Microsoft's behalf provides any protection. Surely it just provides a veneer of local hosting respectability for what is essentially an offshore Cloud...and all the problems and issues raised in the article are not addressed. Am I missing something here?

Anonymous

4

All you have to do is encrypt your hosted data and/or use an encrypted virtual disk in your hosted service, and "they" can't just access your 'anything'.
"They'll" need the key, and as that,and you is in New Zealand, "they'll" have to go through New Zealand courts to get it.

Your own onsite back-up will resolve any 'data-hostage' issues while "they're" at it

Why do people forget the basics of security when it comes to cloud?

Dave Lane

5

"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
-- Benjamin Franklin

The US has taken the wrong path. NZ must avoid following it.

Anonymous

6

As the Kim Dotcom saga shows

Anonymous

7

Patriot Act applies to US owned and located countries. NOT non-US companies. Revera and others are not US owned. IBM, HP and others are. The platform offered by Revera is NOT US owned. It is described as delivering MS products off an NZ owned platform. Therefore not at risk. Simple.

Anonymous

8

great article putting more fuel into the whole "cloud is bad" debate. What Randal fails to explain is that the Patriot Act did not address or alter the jurisdiction of the United States, which is based on contacts with or a presence in the U.S. If a customer has contacts with or a presence in the U.S., the U.S. Government would typically already have jurisdiction to make lawful demands - pursuant to legal process protections - directly to the customer. Thus, for such customers, the U.S. can assert jurisdiction over their data regardless of whether they use a U.S. or any other cloud service provider.

The Patriot Act does not provide for unfettered U.S. government access to online data.

Anonymous

9

The message is simple. Keep your data whithin the reach of New Zealand law if you want your data to be under New Zealand law. That means ensure your data is stored in a server WHITHIN New Zealand. If you choose not to, and place your data on a server somewhere, your personnal and/or business data is at the mercy of the law of whatever country the data is located at. If it is the US, then US law applies. How much simpler can this be?

John Holley

10

I wonder how many companies worried about data sovereignty have robust IDS/IPS systems in place along with full time security staff?

This is a classic example of not understanding business risks. Is your data more at risk from the US Govt or from hackers? There is almost a knee-jerk reaction here against the USA.

Where is the real analysis of the risks NZ businesses face in securing and protecting their data and IP?

What I am seeing is a lot of FUD by organsations with large data centres in country, which are normally at least twice to three times the cost of environments like Amazon's EC2.

If Govt legislation means you are required to keep you data in NZ then that it clear. But to use the Patriot Act as a justification for the need to pay for expensive local services is a self serving agenda by data centre providers and is short of real analysis of the risks businesses face.

Anonymous

11

The point everyone is (perhaps conviniently) missing that business decisions are inherently a risk vs. reward equation. Unless Revera provide similar price points and comparable service levels people will always consider the bigger providers and I would suggest as prudent operators should do.

Harold Finch

12

Randal writes an interesting article that is certainly important in sparking discussion.

The PATRIOT act is reasonably simple in it's approach and if you read the latest press then there is a lot of FUD around storing data in the US. However, if you look at the EU alternative it is a lot more intrusive.

DIA, my understanding, is in the process of standing up their "Government Cloud" programme. It's all over town apparently.

There are a few issues they are going to have to deal with. For example, cloud comes in three flavours. Private, community, and public. Each has different pricing and service level implications, and risk.

There are a lot of questions. If they are going to build a government "app store" who will own it? Who will manage it?

Canada, US, Japan, Ireland, UK, and Australia are well down this path.

The bottom line is that the cloud is coming. This is as significant as the adoption of internet or proliferation of servers under the Windows Server 3.1 model. If the government doesn't manage it now, then it will be managed for them.

Do it to them before they do it to you.

Comments are now closed

Microsoft WPC 2014: Cloud message resonating with Microsoft partners

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]