Is Your Cloud System Safe From the Law?

by

CEO and Chief Architect, CRM-Konsulterna

There are no legal precedents concerning transnational laws and trade agreements with respect to cloud computing. Due to this lack of regulation, companies in smaller nations are vulnerable to foreign governments seizing their data when it’s hosted internationally in a cloud-based system. While this shouldn’t encourage paranoia, companies should seriously consider where they host their data in the cloud. A good solution is to host data on the same shores, or at least in a country with clear and trustworthy regulations.

Cloud computing introduces new levels of information globalization. For instance, a company in Sweden might use Salesforce.com, one of the leading cloud suppliers of CRM systems. Most of Salesforce.com’s data centers are in the U.S. As a result, the Swedish company will usually connect to U.S.-hosted servers via Internet lines running through a number of different countries. When I connect to Salesforce.com from my current location, the data travels from Sweden to the UK, to the Netherlands, and finally to the U.S. The image below shows how the system is accessed.

This process raises two main questions. First, which country’s laws apply to the stored data? Second, which country’s laws apply to the data being transferred?

Let’s say the company in question works with high-tech weapons manufacturing. The company uses Salesforce.com to store highly sensitive data concerning Cuba as a potential customer. Sweden doesn’t have any trade restrictions with Cuba, but it’s another matter completely in the U.S. – especially with arms trade. Hence, the CIA, FBI, NSA, or Department of Homeland Security might suspect this relationship and subpoena the CRM database directly from Salesforce.com. The recent events concerning the U.S. Department of Justice, Twitter, and WikiLeaks show that U.S. legislation can give the investigating authority very broad liberties. If the court order were placed under “seal,” for instance, the Swedish company wouldn’t even be informed of the intrusion.

The Swedish company could be unknowingly placed in a threatened situation in which their entire CRM database, containing information about customers and other business opportunities, falls entirely into unknown hands. Large deals in the high-tech weapons industry can give a country strategic advantages by helping the domestic arms manufacturer’s efforts in research and development (R&D). Hence, in the nation’s “best interest,” the government could share the entire database with a U.S.-based competitor. There’s no substantial evidence that this has ever happened and no country would admit to doing it, but it’s certainly possible. There are rumors of the Echelon project being misused for this very reason.

A single person overseas can cause huge amounts of damage as well. For instance, an individual conducting this investigation with the FBI could share the data with his uncle at Lockheed Martin. It’s illegal, of course, but this FBI employee has no incentive to safeguard the data; he has no interest in the commercial success of a Swedish high-tech arms manufacturer. An employee working with this information could also find notes on bribes or other suspicious information and share them with WikiLeaks, causing major damage to the company. It’s important to limit the number of people with access to such information to reduce the risk of leaks.

Even when a cloud-based system is hosted in a country that respects the customer’s integrity, the data can still travel through other countries that could intercept and misuse it. Much of this communication is based on SSL and other heavily encrypted connections, but countries like the U.S. and UK have the resources to break most common encryption techniques. Large amounts of resources have been spent on scanning the Internet and other communication channels, as in the Echelon project example. These resources would be wasted if there weren’t any decryption mechanisms.

Cloud computing holds tremendous promise, but there are some aspects of this model that must be considered before jumping on board. Hosting a system in the same country at least makes it clear which laws apply. For companies within the European Union (EU), I suggest hosting within EU borders. Then there’s at least some common law for the EU that could be used in the courts. Hosting in countries with strict views on data integrity, like Switzerland has in banking, might also be an option. But when a company keeps its own data storage, it can at least be prepared when someone breaks down the door with a court order.

 
  • http://www.cloudsofchange.com/ Brian Gracely

    This is a very interesting discussion area for several reasons:

    1 – As the economy becomes more digitized and global, every company is now looking at ways to leverage skills and services that are most cost-effective or efficient for their business. In many cases, location is a lower priority consideration if the Internet is the delivery mechanism or costs (labor, delivery, energy, etc.) are significantly lower elsewhere. So this is a portfolio (risk vs. reward) discussion at some level.

    2 – Doing business in any foreign country introduces new risks. Those risks could be political, legal, currency exchange, cultural, etc. So as with any area of unknown circumstances, businesses must be willing to make the necessary investments to protect themselves if problems arise. In the case of cloud computing, it starts with negotiating SLAs and continues with auditing + the use of 3rd-party backup systems if it’s possible to extract the data into a reusable format.

    I don’t want to dismiss this example (foreign arms dealers) as extreme, but those folks typically don’t make decisions only to save a few $$. Most cloud computing customers will initially come for the cost-savings, but they ultimately stay for the flexibility (credit to: @jamesurquhart).

    It’s still yet to be seen if a few high-profile cases will deter enough customers to avoid international elements of Cloud Computing in favor of local or regional ones due to concerns about data ownership or seizure. If nothing else, this example might highlight a HUGE regional opportunity for ISPs, SPs and Startups to mimic popular Cloud Computing services so that data can stay within “friendly” legal administrative domains.

  • http://www.dbsweden.se/ Bernt-Olof Hellgren

    Interesting subject.

    The cloud is here, but what's behind the cloud?

    It's true that the cloud-based service causes legal difficulties for businesses. If, for instance, a company is using a cloud-based CRM such as Salesforce and the data is stored in the US, there are certain laws that will come into action.

    Data stored in the US by a foreign company is under the Patriot Act, and the US government is allowed to copy and store all data without your consent. Might not be a problem, but if this is a concern for your company you should make sure it's stored elsewhere.

  • http://www.crmkonsulterna.se Gustaf Westerlund

    Brian; Yes, the example is extreme but necessary to accentuate the point I am making. I often feel that companies are moving many of their systems to the cloud without understanding that it does introduce new risks and parameters that should be taken into the equation when choosing the cloud or not as a delivery method. Other businesses that could be at risk are for instance Telcos, insurance and banking.

    Bernt-Olof; very interesting point you are making about the Patriot Act. I was not aware that it was actually that liberal (from the government's point of view).
