For customers of cloud-based services, the July 31, 2014 ruling by a US district court judge could be a wake-up call: data stored on Microsoft’s email servers in Ireland is subject to US law and must be handed over to American authorities, based on a “hybrid” warrant that may or may not be constitutional. No longer can companies and individuals assume that because their data is stored offshore it is immune to scrutiny by US authorities. The presiding judge ruled that if the hosting corporation is US owned, the data is US controlled, and thus subject to US law.
The European Union is not happy. Its privacy laws are much stricter than those in the US, and it contends that data stored on servers in its jurisdiction is subject to EU privacy laws (which are being further toughened, according to eWeek). And Microsoft is stuck in the middle. If it complies with the order, it violates Irish and EU laws. If it doesn’t, it is in trouble with US authorities.
So, Microsoft is appealing the decision (what else can it do?). According to a report in General Counsel Magazine, Brad Smith, Microsoft’s general counsel and executive vice president, Legal and Corporate Affairs, said, “We will appeal promptly and continue to advocate that people’s email deserves strong privacy protection in the US and around the world.”
It’s a messy situation that any multinational company should watch with great interest, and some trepidation. If customer data is not subject to the privacy laws of the country in which it’s resident, it’s a huge disincentive for enterprises to go with a global solution such as Office 365, or Gmail, or any other cloud service owned by a US-based entity. Vendors such as Verizon, AT&T, Cisco, and Apple, as well as the Electronic Frontier Foundation, have already, quite understandably, weighed in on Microsoft’s side; they all have a lot to lose if the government prevails.
It could also deliver a huge blow to the US economy. Forrester Research analyst James Staten blogged that the firm believes that the US cloud industry could lose up to $180 billion by 2016 — 25 percent of service provider revenues — from lost foreign opportunities and from US multinationals moving away from them for their international business. He also said that non-US based cloud providers would suffer a $100 billion loss in the same period.
Furthermore, he added, “The second impact is coming, make no mistake about it, and will be far more costly. It’s naive and dangerous to think that the NSA’s actions are unique. Nearly every developed nation on the planet has a similar intelligence arm which isn’t as forthcoming about its procedures for requesting and gaining access to service provider (and ultimately corporate) data.”
In an eWeek story, author Wayne Rash pointed out that things could really get ugly if the US prosecutor prevails. He said, “In addition to hurting US companies’ ability to competitively engage in international trade, such a ruling would open US companies to examination by foreign governments. The obvious possibilities could easily be such things as a warrant from a Chinese court to examine intellectual property and trade secrets at US defense contractors.
Without a treaty to fall back on, US companies would be prime pickings. The government would be powerless to even object, much less prevent such access simply because it would have authorized such things itself.”
Break out the tinfoil hats.
Fortunately, there are solutions that allow companies to use US-owned clouds while still protecting themselves from snooping: encrypt the data. Several vendors have offerings in the space that prevent even a willing cloud provider from giving up customer data by splitting the encryption key. Without the customer-held master key, the data is rubbish.
Dell Data Protection | Cloud Edition, for example, provides transparent encryption and decryption as data moves in and out of the cloud. It also takes care of any necessary mechanics involved in file sharing and storage, so the user can work as usual. Dell says that data currently stored in cloud storage services is vulnerable to account hacking, user control after termination, and SSL weaknesses, or is left to the provider to safeguard, since the provider performs the actual encryption. Dell Data Protection | Cloud Edition provides an additional encryption key, stored on the customer’s network and owned by the customer, so data is guarded even from the storage provider itself.
HP Atalla Cloud Encryption comes in two editions, one for Amazon Web Services (AWS) clouds, and one for VMware. HP says it is suitable for public, hybrid, or private clouds. With HP Atalla Cloud Encryption, each data object (such as a disk) is stored in a secure virtual appliance and is encrypted using split-key encryption. Each key has two parts: The first part, the master key, is retained by the application owner and is never stored in open form in either the customer’s cloud account, or on the Key Management Server. The second part, the project key, is stored on the Key Management Server.
When the application needs to access the data store, a secure virtual appliance combines both parts of the key in a mathematical operation. Ordinarily, this would require both parts of the key to be exposed. However, with HP Atalla Cloud Encryption, both parts of the key are encrypted before and during startup of the virtual appliance. As a result, the keys are fully encrypted when they are resident in the cloud account.
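The split-key idea described above, as an added Python sketch that is not code from HP, Dell, or any vendor: a data key is derived from a customer-held master part and a server-held project part, so the cloud side alone cannot open the data. The HMAC-SHA256 combiner and the HMAC-based cipher (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def combine(master_part: bytes, project_part: bytes) -> bytes:
    """Derive the data key from both parts; neither part alone yields it."""
    if len(master_part) < 32 or len(project_part) < 32:
        raise ValueError("each key part must be at least 32 bytes")
    # Assumed combiner: HMAC keyed with the customer-held master part.
    return _prf(master_part, b"data-key-v1", project_part)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (_prf(key, b"enc", nonce + i.to_bytes(8, "big"))
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(data_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(data_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + ct + _prf(data_key, b"mac", nonce + ct)

def unseal(data_key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    # Verify the tag in constant time before touching the ciphertext.
    if not hmac.compare_digest(tag, _prf(data_key, b"mac", nonce + ct)):
        raise ValueError("authentication failed: key part missing or wrong")
    return bytes(c ^ k for c, k in zip(ct, _keystream(data_key, nonce, len(ct))))

def provider_can_read(project_part: bytes, blob: bytes) -> bool:
    """Cloud-side view: ciphertext plus the project part, no master part."""
    guess = combine(bytes(32), project_part)  # placeholder for the missing part
    try:
        unseal(guess, blob)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    master, project = secrets.token_bytes(32), secrets.token_bytes(32)
    blob = seal(combine(master, project), b"constructed sample mailbox data")
    print(unseal(combine(master, project), blob), provider_can_read(project, blob))
```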
There are other solutions, of course, and there will be even more as vendors see the opportunity and leap into the fray. We might even see something from Microsoft; it would certainly be in the company’s best interest to help customers encrypt the data it stores for them in such a way that it can’t reveal it. That way, situations such as the one in which it now finds itself could be avoided.
Meanwhile, legal experts expect that the case will go all the way to the US Supreme Court, given that it involves foreign relations and treaties as well as, potentially, constitutional issues. And that will take time. Time, one hopes, that gives vendors and enterprises a chance to get busy encrypting their data.