Don’t let the FBI steal your server, says Ninefold


Fledgling Australian cloud computing startup Ninefold has so far played relatively nice when it comes to the jurisdictional debate about where data should be stored, politely making its way amongst the likes of Amazon, Microsoft, Google and so on. But yesterday the company took the gloves off, following a high-profile incident in the US which saw the FBI seize a number of servers at the US-based datacentre operated by DigitalOne.

Writes Ninefold community manager Jonathan Crossfield:

“What is interesting about this particular incident is that the FBI has such seizure powers at all. DigitalOne wasn’t informed about the raid until three hours after it had begun, and then only because of a call from an employee at the data centre.

If DigitalOne hadn’t communicated with their customers, affected businesses would have had no idea that their website outage was not down to the usual suspects of technology or error, but instead due to their valuable data sitting in the back of an unmarked black van speeding away from the scene.”

Crossfield concludes that the same situation could happen in Australia – with ASIO or the Federal Police taking the part of the FBI. However, he adds, at least there might be some more due process around such an event, and you might have a legal leg to stand on in your own jurisdiction.

Now, frankly, Crossfield’s right. If your data is sensitive, it makes a lot of sense to host it in your own local jurisdiction where you can exercise greater control over it, and clearly the whole existence of a company like Ninefold is predicated on that idea. We’d like to see the global cloud computing players pay more attention to the needs of Australian companies, setting up local infrastructure to support local customers.

However, of course, that doesn’t mean it’s easy or often even practical to stop using global cloud computing services in general. Ninefold is obviously pushing its own message, and the arguments around a number of integrated software stacks, such as the ones provided by Google, Salesforce.com and, increasingly, Microsoft (hello, Office 365), mean that the global cloud is still going to attract interest, no matter how many servers are seized in the US. That’s life.


17 COMMENTS

  1. Of course, as Microsoft’s admission yesterday showed, even if the global players open Aussie data centres, the data within it may just be as vulnerable to The USA Patriot Act. So local data from a locally-headquartered company is firming up in the legal debates to be the best and safest bet.

    **Waves from our Sydney headquarters down the road from our Sydney data centre** ;-)

    • True, Jonathan, but there are also problems with local companies … for example, Ninefold doesn’t have the ability to offer the same integrated stack of infrastructure and applications which a company like Microsoft does — and from what I’ve seen, local prices are also substantially higher. I believe the cost around data transfer locally is a key obstacle, from what I’ve seen of cloud pricing so far?

      • Yes, Aussie bandwidth is more expensive, but then if they open data centres here and want to plug it into the internet, they’ll also have to incorporate that into their pricing model like everyone else does. Of course, being bigger, they may absorb the cost differently, can afford to loss-lead etc. But apples for apples, Aussie bandwidth just costs more no matter who you are.

        And yes, I agree – we don’t have the infrastructure of Microsoft… Got me there…;-)

        Wouldn’t describe that as a ‘problem with local companies’ though. Not everyone wants to go with the big monopoly brand for one thing. Otherwise you’re suggesting any clothing store that isn’t Myer is a problem because they’re not a department store when in reality they all do just fine as smaller businesses with happy customers.

        But these are different issues. Comparing data centres based on their likelihood of being able to protect your data, US-headquartered businesses are at higher risk than local ones and that’s from the mouth of MS.

  2. In a cloud DC it is probably a lot harder to carry away the server, as usually there is not a single asset like a traditional rack server, i.e. a big bunch of blades referring to networked storage maybe spread over multiple locations. The FBI etc. would have to take the lot!

    These days they probably directly access your portion of the cloud via the provider.

    • That’s a very good point, if servers are removed from a DigitalOne data centre why did the cloud service go down?

      The whole point in a cloud service is that it’s stored online securely and accessible from multiple locations, if one location goes down for whatever reason the other(s) should operate as normal with no obvious impact to the end customer.

  3. Even if Microsoft, Google or whoever opened a data centre in Australia, it doesn’t “protect” you from anything. The reason is, while most of your day-to-day usage of the service would likely be out of the Australian data centre, that’s merely a convenience/performance/latency thing. There’s never any guarantee that your data is stored in a particular data centre, and in fact it’s highly likely that multiple copies of your data would be stored in other data centres around the world anyway — for the purposes of redundancy and resilience.

  4. Westpac have just got around this local data issue by going with Microsoft’s hosted online collaboration solution using a local data centre operated by Fujitsu.

    You are missing a crucial point. If you are an Australian or International company holding any personally identifiable data on Australian citizens you are breaching Australian laws and regulation by moving or making that data available in jurisdictions like USA and Singapore which have laws and regulations weakening the privacy of Australian data. There are also other implications as outlined in the whitepapers such as states being able to tax you even if data simply passes through a jurisdiction. It is your responsibility to be aware of the Australian regulations and laws as to maintaining the security and privacy of data on Australian citizens.

    Thankfully Australia has high standards for privacy and data whereas countries like Singapore don’t really recognise the concept of private data and the USA through the Patriot Act means they can access your data whenever they like and do not have to notify you that they have accessed it.

    So, regardless of what technology can and can’t do and how cloud and virtualisation work, you will be breaching Australian law by not ensuring your data is in a jurisdiction which protects the privacy of Australian citizens’ data.

    There is absolutely a guarantee that your data is protected when you use Australian data centres.

    • You are missing a crucial point. If you are an Australian or International company holding any personally identifiable data on Australian citizens you are breaching Australian laws and regulation by moving or making that data available in jurisdictions like USA and Singapore which have laws and regulations weakening the privacy of Australian data.

      Are you suggesting that all of those companies using Google Apps, Amazon’s services or (soon to be) Office 365 are breaking Australian law by doing so?

      Anyway, my comment above wasn’t saying that there were no advantages in going with a small Australia-based cloud provider who only operated data centres in Australia. I was simply saying that even if the bigger providers opened a data centre in Australia, there’d be no advantages for them in terms of jurisdiction because they’re not going to keep all of your data in a single data centre anyway.

      • The company I work for specifically signed up our 25,000+ users with Microsoft’s e-mail services because they could guarantee the data was held at their Singapore datacenter, whereas Google (which was favoured from a technical POV) insisted all data be stored in the US.

        I’m sure if either was offering an Australian datastore instead they would have been considered strongly.

    • The geographical location of the DC which “holds your info” is only part of the story in regard to data patriotism. Logistically it is pretty difficult for an uninformed third party (law enforcement or criminal) to come into a cloud DC and just take your info. I guess they could take some random disks but even then you’d be hard pressed to get much out of it. It’d be like getting the shredded paperwork from an embassy.

      The real risk – which doesn’t appear to have much media attention – is that hypothetically, if you choose a cloud provider which is a multinational, law enforcement from other jurisdictions (i.e. the multiple nations) will have access to your information via the same method that the cloud provider uses to manage your services. It’ll be a lot quicker than just doing a DC raid – and a lot quieter too. The jurisdiction will probably claim that the cloud provider manages that information/operates the asset in that local jurisdiction and thus will need to provide it as per the warrant. Often, such as Google Apps/Gmail, they have a pre-arrangement to access information anyway (http://articles.cnn.com/2010-01-23/opinion/schneier.google.hacking_1_chinese-hackers-access-system-google?_s=PM:OPINION).

      Law enforcement will actually LOVE cloud providers as they are usually set up to manage a highly scaled aggregation of logically arranged information – very easy to do searches and haul away data without disruptive raids.

  5. If any personal information on Australian citizens as distinguished by the Australian Privacy Act 1988 is being kept or stored in those offshore systems and therefore held in a manner which would breach Australian law and regulations, then yes it will apply to Google Apps, AWS, Office365, Salesforce.com or anyone else. This is specifically why Westpac and others are not using those services in offshore clouds and mandated that the data is specifically stored in Australia (Fujitsu data centre).

    If you (Australian business, government or individual) collect and store any personal data on Australian citizens you are the defined record keeper of that data and will be liable for ensuring compliance with Australian laws and regulations. This includes company directors.

    Australians have a right to know why information about them is being acquired, and who will see the information. Those in charge of storing the information have obligations to ensure such information is neither lost nor exploited. An Australian will also have the right to access the information unless this is specifically prohibited by law. The specific nature of the US Patriot Act alone is a breach of Australian Privacy Legislation because the U.S. Government can access data on Australians without warrant and without notification. Singapore has similar problems.

    The existing laws are being strengthened even further; a revised Privacy Principle 8, released in an exposure draft in June 2010, creates new requirements for organisations outsourcing data that identifies Australian citizens to offshore data centres. Specifically, Privacy Principle 8 requires that any organisation storing information that identifies Australian citizens in overseas data centres must ensure that the organisation hosting that data offers the same protections as what is stated in Australia’s Privacy Principles.

    Here are some extracts from the whitepapers:

    Any regulated entity and businesses using or storing personal or business sensitive data should exercise particular caution. For example, the Australian Prudential Regulatory Authority (APRA) which oversees the domestic financial services sector, has stated that financial services companies that wish to transfer data offshore must first notify APRA and demonstrate to the regulator that appropriate risk management procedures are in place to protect the data. The company must also secure guarantees in its contract with the data hosting company that APRA will have access to that company to conduct site visits if required.

    Some classes of customer may simply refuse to have their data transmitted and stored overseas. For example, the Commonwealth of Australia Government Contract for IT Services expressly prohibits suppliers from transmitting or storing their customer data outside of Australia.

    Hosting a transactional website on servers in the U.S. can create a taxable presence for U.S. federal income tax purposes. While mere storage of data typically should not amount to the conduct of business within the U.S. for tax purposes, the activity can be treated as the conduct of business if the non-U.S. person stores data for the account of others, or allows customers or other third parties access to the data.

    • Hi – how do the banks etc. get away with offshoring all the processing of billing info, service provision to India etc.? Privacy laws didn’t seem to stop them there.

      PS are you the same Martin Walsh from Macquarie Bank?

  6. DigitalOne themselves may have breached Section 215 of the USA Patriot Act by informing their customers of the FBI actions…
