Dan Swinhoe (Global) - Data, Cloud, Government: The Dangers Of Data Sovereignty

Do you know where the data on your Cloud really resides? What if the government of that country could access your data legally, without telling you? Dan Swinhoe investigates.

When Obama signed an extension to the Patriot Act, something interesting happened. People became worried the US would be able to access their data, no matter which country they resided in, because it was kept on the Cloud. When questioned, Microsoft couldn't promise that people's data was secure on their Office 365 Cloud service, because though you may be working from the EU, Microsoft is a US company and has to comply with the rules, and doesn't necessarily have to tell you about it. These rules apply to Gmail, Amazon and a host of others, despite various EU laws preventing this kind of thing, because they are all US companies.

When all this information came to the fore, it put the spotlight on two things: the generally scary, Big Brother approach the US seems to be taking, and the issue of Data Sovereignty.

The legal term is 'trans-border data flow'. Each country has its own data laws, all varying in strength and in regard to issues such as privacy and security, which is fine when you know where that data is being stored and are familiar with those rules. But what happens when your data is on the Cloud, on a server you can't find, subject to laws you don't know about? You might still be able to access your data, but can local governments? Or even departments from further afield? Though the Patriot Act is the main culprit of data sovereignty hysteria, it's just the tip of the cloudy iceberg.

Pirate Bay's journeyman approach to data hosting has highlighted how sketchy laws can be when it comes to data. Though the company has recently had domain troubles, having switched from Swedish to Greenland-based domains, the Privateers moved to the Cloud in order to escape being shut down. Even before the Cloud, the company had been linked to countries that exist outside regular jurisdiction, such as the sea fort-turned-micronation Sealand, and North Korea.

Recently, UK PM David Cameron had to sign a cybersecurity pact with the Indian government after deciding to host government data in the country, in order to reassure those concerned that this wasn't a foolhardy idea. As Ian Lamont, IT security specialist at BMW, told GigaOM, a stock photograph from a brochure might be OK to store anywhere, but "customer data or the company's crown jewels? No way." Adding to the problem is a lack of information and involvement on where the data is stored. "It doesn't help for a bank to hear its customer data will be in this European cloud 'region'. Not specific enough."

So while I personally invite the US to look at my Facebook pics and inane Tweets, I'm not so hot on the idea of them getting a hold of my bank details, or messages to my mum. Likewise, with governments increasingly turning to the Cloud, the stakes become even higher - another country being able to access your whole identity is kind of scary, no?

People may argue that as long as you stay on the legal side of things everything is hunky dory, but that's an opinion, not a guarantee. It's also worth noting that the Patriot Act, while being the media grabber, isn't the only law of this kind and lots of countries can get their mitts on Cloud data, but that doesn't make it any more ok, does it?

Ignorance is bliss
Despite the PR hype the Cloud has had, there's still a degree of misunderstanding around it. A worryingly large segment of people think Cloud computing has something to do with the weather. Knowledge around Data Sovereignty is even patchier, and while white papers do exist, lack of awareness is still a danger.

Currently, if you want to try and protect your data and embrace all those Cloud benefits, there are few options really. Keep data in-house, and be very cautious about where your data goes and make sure you know all the details when it is being stored elsewhere. For Cloud service providers, being open about where the data is being held, and what assurances they can provide on its protection should come as standard.

While new rules governing certain areas, for example more pan-EU legislation on the issue, aren't out of the question, they only fix the problem to a certain extent. Cloud computing is a global concept, one which needs a globally unified set of rules that everyone can play along to. As long as the rules vary by state, region, island, etc., the paranoia over who owns what, who's snooping where, and which country Pirate Bay will be based in next, will never end.

By Dan Swinhoe, Editorial Assistant, IDG Connect

How do you feel about putting your data on the Cloud? Are you worried about governments accessing your data without your knowledge or permission?
