This is a guest post from Software Advice, which originally appeared at this location: Is Your Cloud System Safe From the Law?
There are no legal precedents concerning transnational laws and trade agreements with respect to cloud computing. Due to this lack of regulation, companies in smaller nations are vulnerable to foreign governments seizing their data when it’s hosted internationally in a cloud-based system. While this shouldn’t encourage paranoia, companies should seriously consider where they host their data in the cloud. A good solution is to host data on the same shores, or at least in a country with clear and trustworthy regulations.
Cloud computing introduces new levels of information globalization. For instance, a company in Sweden might use Salesforce.com, one of the leading cloud suppliers of CRM systems. Most of that company’s data centers are in the U.S. As a result, the Swedish company will usually connect to U.S.-hosted servers via Internet lines running through a number of different countries. When I connect to Salesforce.com from my current location, the data travels from Sweden to the UK, to the Netherlands, and finally to the U.S. The image below shows how the system is accessed.
This process raises two main questions. First, which country’s laws apply to the stored data? And secondly, which country’s laws apply to the data being transferred?
Let’s say the company in question works with high-tech weapons manufacturing. The company uses Salesforce.com to store highly sensitive data concerning Cuba as a potential customer. Sweden doesn’t have any trade restrictions with Cuba, but it’s another matter completely in the U.S. – especially with arms trade. Hence, the CIA, FBI, NSA, or Department of Homeland Security might suspect this relationship and subpoena the CRM database directly from SalesForce.com. The recent events concerning the U.S. Department of Justice, Twitter, and Wikileaks shows that U.S. legislation can give the investigating authority very broad liberties. Putting the court order under “seal,” for instance, wouldn’t even inform the Swedish company about the intrusion.
The Swedish company could be unknowingly placed in a threatened situation in which their entire CRM database, containing information about customers and other business opportunities, falls entirely into unknown hands. Large deals in the high-tech weapons industry can give a country strategic advantages by helping the domestic arms manufacturer’s efforts in research and development (R&D). Hence, in the nation’s “best interest,” the government could share the entire database with a U.S.-based competitor. There’s no substantial evidence that this has ever happened and no country would admit to doing it, but it’s certainly possible. There are rumors of the Echelon project being misused for this very reason.
A single person overseas can cause huge amounts of damage as well. For instance, an individual conducting this investigation with the FBI could share it with his uncle at Lockheed Martin. It’s illegal, of course, but this FBI employee has no incentive to safeguard the data; he has no interest in the commercial success of a Swedish high-tech arms manufacturer. An employee working with this information could also find notes on bribes or other suspicious information and share it with Wikileaks, causing major damage to the company. It’s important to reduce the number of people with access to such information to reduce the risk of leaks.
Even when a cloud-based system is hosted in a country that respects the customer’s integrity, the data can still travel through other countries that could intercept and misuse it. Much of this communication is based on SSL and other heavily-encrypted connections, but countries like the U.S. and UK have the resources to break most common encryption techniques. Large amounts of resources have been spent on scanning the Internet and other communication channels, as in the Echelon project example. These resources would be wasted if there weren’t any decryption mechanisms.
Cloud computing holds tremendous promise, but there are some aspects of this model that must be considered before jumping on board. Hosting a system in the same country at least makes it clear which laws apply. For companies within the European Union (EU), I suggest hosting within EU borders. Then there’s at least some common law for the EU that could be used in the courts. Hosting in countries with strict views on data integrity, like Switzerland has in banking, might also be an option. But when a company keeps its own data storage, it can at least be prepared when someone breaks down the door with a court order.
By: Gustaf Westerlund