Transcending Borders but Not Laws

There’s a problem facing cloud computing that doesn’t have an easy solution yet.

Although it is often not obvious where data is actually residing when it’s uploaded to a cloud service such as Web-based e-mail, the location does matter. And depending on the legal jurisdiction where the data is stored, it could be exposed to government scrutiny or to unexpected regulations. “When data is physically located within a country, that country has the practical ability to force access to that data by various means,” says Katitza Rodriguez, international rights director for the Electronic Frontier Foundation, a tech-focused civil-rights organization.

That is cause for worry in Canada and some European countries, where activists fear that strict local privacy rules may not apply if citizens’ data is stored on servers in the United States. The powers of U.S. law enforcement to snoop on e-mail and other records were expanded by the USA Patriot Act, passed shortly after the September 11 terrorist attacks. The Canadian province of British Columbia responded with a 2004 law requiring public bodies to ensure that citizens’ personal information, such as health records, be “stored only in Canada and accessed only in Canada.”

The spread of restrictive data laws could make it more difficult for overseas companies and government agencies to use commercial cloud providers, the largest of which are based in the United States. Indeed, the U.S. Department of Commerce considers legal obstacles to “transborder data flows” a brewing threat to free trade. It has formed a committee with Mexico and Canada to make sure privacy laws don’t stand in the way.

The jurisdictional issue is already having effects. Francis deSouza, group president for enterprise products and services at Symantec, says his company has negotiated with a Swiss financial institution about running the bank’s e-mail servers and other software. In principle, they could be hosted in an existing Symantec data center anywhere. But because Swiss bank secrecy laws don’t apply outside the country, deSouza says, doing business will mean building a new data center in Switzerland.

Yet storing data outside the U.S. may not be enough to shield it from American law enforcement. Microsoft and Google inflamed anxieties in Europe this summer when they confirmed that even data stored outside the United States—including in European data centers—could be subject to lawful U.S. government requests (not to mention those of other nations). All this is making the cloud a difficult place to hide, particularly when it comes to sensitive data. Last year, for instance, Amazon booted the whistleblower organization WikiLeaks off its cloud servers amid complaints from Washington that WikiLeaks was storing stolen classified documents on the machines.

Another potential headache: some countries require data to be logged for a certain amount of time, while others require that data be deleted after a certain time. As a result, companies like Facebook that store data in multiple places may face conflicting mandates, says Daniel Garrie, general counsel for the Focused Solution Resource Delivery Group, which advises companies on cloud computing contracts.