Your cloud data was never secure, says Microsoft


news Microsoft has attempted to dampen concerns about US Government access to Australian information hosted in American cloud computing facilities by claiming cooperation between governments would likely mean either country’s law enforcement branches could get access data they wanted anyway — regardless of where it was hosted.

Over recent months, Australian cloud computing companies such as Macquarie Telecom-backed Ninefold have raised worries about legal jurisdictions with regard to cloud computing facilities. For example, in mid-July the company warned any datacentre set up by global rival Amazon Web Services in Australia would still be subject to US legislation, despite being located in a different jurisdiction. And earlier that same month, the company highlighted a case in the US which saw the FBI seize a number of servers at the US-based datacentre operated by DigitalOne, without informing customers hosted in the facility about the raid.

At the centre of the debate is the controversial Patriot Act, which was signed into law in 2001 under then-US President George W. Bush. The legislation was a response to the September 2001 terrorist attacks, and reduced restrictions on law enforcement agencies’ abilities to access information held by organisations in the US.

However, in a blog post published last week, Microsoft Australia director of legal & corporate affairs Jeff Bullwinkel appeared to attempt to clarify the debate for those not familiar with the legal niceties.

“When I’m talking to customers, they’re often concerned about the idea that the U.S. government might have the ability to gain access to data stored outside the United States when the data is held by a U.S.-headquartered provider of cloud services. For a number of reasons and for the vast majority of organisations, however, the true impact of the Patriot Act in this context is negligible,” the executive wrote.

Bullwinkel stated the Patriot Act was really a compilation of amendments to other pre-existing laws — which had often already given the US Government access to information held by organisations in the country anyway. “US courts have long held that a company with a presence in the United States is obligated to respond to a valid demand by the US government for information – regardless of the physical location of the information – so long as the company retains custody or control over the data,” wrote Bullwinkel.

The rub for Australian organisations, he added, was that our own Government — like many other Governments around the world — complied with most requests for information from external governments for law enforcement purposes anyway.

“… even when data is hosted by a major cloud services provider with absolutely zero presence in or contacts with the United States (an unlikely scenario, given the economies of scale involved in cloud computing) that information would generally still be accessible to the US government if needed in connection with a criminal case,” wrote Bullwinkel.

“That’s because Australia and the United States, like most countries around the world, cooperate closely in law enforcement matters. Under a longstanding bilateral mutual legal assistance treaty providing for law enforcement cooperation between Australia and the United States, either government can gain access to data located within the territory of the other.”

“Are there interesting and challenging policy and regulatory issues that arise in the context of cloud computing? Yes there are, and organisations transitioning to cloud-based technologies are wise to consider them. But it’s important to ensure that the discussion isn’t clouded by misunderstandings or confusion about the legal landscape.

I’m not sure whether Bullwinkel’s comments are intended to reassure Australian organisations that it’s safe to host their data in Microsoft’s global cloud (which is served from datacentres in the US, as well as other countries such as Singapore and Hong Kong), or not.

In one sense, they would appear to be a useful, factual addition to the debate, and a useful counter to the somewhat fearful comments which Australian cloud computing providers like Ninefold have been injecting into the market. However, on the other hand, the arguments which Bullwinkel has outlined in his post, I would bet, would make many Australian organisations — particularly governments — even less likely to want to host their data in a global cloud computing facility with links to the US.

If cooperation between the Australian and US Governments on this issue is so well-established, even more reason to host your data in Australia, so the argument would go — at least you’re on your home turf and able to deal with your local law enforcement authorities, with your own local expert lawyers, if there’s a problem.

The fact remains, regardless of what the true legal situation on the ground is, that Australian organisations in a number of sensitive sectors — especially in the financial services and public sectors — remain highly reluctant to host their most sensitive data in the US, because of a perception that the country has gone too far in allowing its Government access to privately held data.

Microsoft needs to attack this perception, serve its customer’s needs and help them defend their rights if it is to make any headway in the ongoing debate on this issue. Simply pointing out that their data has always been accessible to shadowy foreign interests is not going to help its case at all.

Image credit: Karina Faiani, Royalty Free


  1. Patriot does not care where the date is hosted, mearly who owns the equipment the data is hosted on. A Microsoft/Amazon/Google DC in Bondi is treated exactally the same a desktop PC in Washington or NYC.

  2. Further to that if you an aussie company but your parent/head office is based in the US all your data is also subject to Patriot. Neat hunh :-)

  3. Well said Renai. Nothing like attracting customers by telling them their data isn’t safe in your hands. Besides, Microsoft’s objections are moot once it’s legislated that particular industries (public sector, finance, healthcare, etc) need to ensure their data is onshore.

    • Chris, I think you missed the point.

      Onshore data hosted by *Australian* providers can still be accessed by the US Government as the Australian authorities will hand it over if requested.

      Think of what happened with Julian Assange… the Australian Government gladly handed over everything it had to the US Government when requested. Julia Gillard even called him a criminal.

      • Yes however the point is (I’m told) that if hosted in the US, government intelligence agencies can run analytics on data and communications “en bloc”. In theory, you could be blacklisted by having too many associations with persons of interest, if the data showing those associations goes into the USA and gets picked up in some unrelated random scan. Then you turn up at LAX for a holiday and find yourself a person of interest.

  4. Renai, it’s great that you are engaged on this issue because it is important that customers make informed judgments about issues like data security and data sovereignty. To your point, Microsoft very much aligns itself with its customers’ needs and interests. An example of this was our drive many years ago to set up a Trustworthy Computing initiative across the company; that also helped ensure that our customers understood we were not only listening but also acting on that feedback. Related to that, we are strongly committed to protecting the privacy interests of our customers and do that in a number of ways; you can find more information on our privacy practices and activities at

    The purpose of my blog post was to provide context into the current and common misconceptions around the USA Patriot Act. We talk to many customers about cloud computing and they understand that governments (including the Australian and US governments) have for many years had the ability to access private information within the legal and diplomatic frameworks in which they operate. That ability existed long before the passage of the Patriot Act and, for that matter, before the advent of the internet. Interestingly, the fact that governments have long sought and exchanged information needed for criminal investigations – in accordance with well-established jurisdictional principles, legal process, and cooperation mechanisms – has not historically provoked the sort of fear, uncertainty and doubt that’s now associated with the debate surrounding the Patriot Act. And for that reason the discussion you’re helping to facilitate is useful in providing context for clearer and more informed decision-making by individuals and organisations.

    Jeff Bullwinkel

    • Hi Renai,

      The data sovereignty and security debate is an interesting and important one and as always the devil is in the detail. Commercial aspirations should not be constrained but rather informed by legislation. This means that companies and organizations need to understand what it means to have their data hosted in the cloud and have a range of options available to be able to make the right choice of service provider and the right choice of jurisdiction.

      Data is subject to the laws of the jurisdiction in which it is stored and for Australian customers considering storing data offshore, this can have wide ranging implications. Private data stored in the US is at risk of being accessed by US government agencies and the introduction of the Patriot Act has arguably made such access easier. The Act has relaxed the threshold standard to be met by the government in order to conduct foreign intelligence surveillance and has amended the procedures so there is less judicial oversight in respect of such surveillance.

      What organisations need is guidance and the facts so that they can make informed decisions and garner the benefits of the cloud.

      Heather Tropman
      General Counsel, Macquarie Telecom

    • hey Jeff,

      I’m aware of the intent of your blog post and I applaud Microsoft’s honesty in discussing this issue. Furthermore, as mentioned, I like what the company is doing product-wise at the moment.

      However, I still can’t help but feel your post was an example of Microsoft shooting itself in the foot a little … as I’ve witnessed a few times on the Govt blog operated in Australia ;)

      There is a real fear out there from Australian organisations about hosting their data in a US cloud. And companies like, Oracle, Amazon and more are starting to acknowledge that this means Australian cloud infrastructure is becoming a must if you wish to win certain types of business in this market.

      For all Microsoft’s flexibility in its product line (which is fantastic compared to most other vendors), on this one issue I’d like to see the company be a bit more amenable … an Azure cloud on Australian shores, or even Office 365/BPOS hosted locally, would go a long way to serving customers’ needs right now.



  5. Three simple questions:
    If a large corporation or government department places customer data somewhere that is not subject to the protection of Australian law (without customer permission), and that data is accessed without the customers permission (by anyone) then can the customer(s) sue the corporation or govt dept?

    If customers aren’t informed that their data will be stored outside Australian legal jurisdiction, can they sue the corporation / govt dept?

    Wouldn’t the corporation / govt dept. be better off knowing that the only way that the Australian Govt (or govt of another country) can gain access to customer data (assuming the technical security systems offer sufficient protection) is if they have to present a warrant issued within the Australian legal system?

  6. Even if you store your data in Australia, on an Australian Cloud provider say Ninefold and you do business in the USA like Commonwealth Bank or BHP you can be served with a Patriot Act warrant and be made to provide the US Gov’t with the data they want. Of course if you don’t want to do business in the USA you could refuse, but that’s not likely.

  7. I am late to this debate, but have had a closer look at the applicable legislation and treaties. It looks like Bullwinkel is correct. It doesn’t matter where the data is, who the host is, or whether you have any connection with the USA. If the AG gets a request, he has a discretion to act on it and hand over the relevant data. Commercially, what this does is equal the playing field. No-one can legitimately claim a customer advantage thay the data is local.

Comments are closed.