CANADA needs to get its head in the clouds: Editorial on the benefits of cloud computing for universities

The Halifax Chronicle Herald has a good editorial on the benefits of cloud computing for universities, prompted by the decision of Dalhousie University to switch to a cloud provider for e-mail systems:

Dalhousie email switch | The Chronicle Herald:

CANADA needs to get its head in the clouds.

Cloud computing, to be specific.

More a technological service than a product, cloud computing refers to storing data and running software programs remotely, even across borders, on servers that may be owned by someone else.

The advantages, in terms of efficiency and reducing costs, can be significant. That’s why so many businesses and public bodies in the U.S., Britain and Europe have made the switch to cloud computing for at least some of their online needs.

That’s also why Dalhousie University is wisely planning, pending a privacy review, to move its email system to a Microsoft cloud service, a change that the school estimates will save $2 million.

Overall, however, Canada has been a laggard on embracing cloud computing, say legal and technology experts.

The main reasons seem to be worries about security and privacy, and some confusion about what cloud computing means.

There’s no question it’s essential to ensure cloud service providers have sufficient security and privacy safeguards, especially when the servers storing Canadian data may be in other jurisdictions, such as the U.S.

But legal experts say there is widespread misunderstanding about what law enforcement can and cannot do, on both sides of the border. Even Ontario Privacy Commissioner Ann Cavoukian says cloud computing is "eminently doable" in Canada, provided proper vetting is done with service providers beforehand.

The misperception that privacy laws are preventing many sectors from embracing cloud computing and reaping its benefits — notably in the health system — has left Canada behind many other developed countries in utilizing cloud computing technology, legal exerts say.

So it’s good to see Dalhousie join a growing number of Canadian universities, such as the University of Toronto, the University of New Brunswick and the University of Alberta, in moving their email services to the clouds — and so realizing significant savings.

Given the fiscal challenges for universities — and many governments — today, investigating the cloud’s potential, carefully but thoroughly, is essential.

PATRIOT Act clouds picture for tech

Politico has an interesting article on how fears of the USA Patriot Act are having an impact upon US-based cloud vendors:

PATRIOT Act clouds picture for tech - David Saleh Rauf - POLITICO.com

Cloud computing is a gold mine for the U.S. tech industry, but American firms are encountering resistance from an unexpected enemy overseas: the PATRIOT Act.

The Sept. 11-era law was supposed to help the intelligence community gather data on suspected terrorists. But competitors overseas are using it as a way to discourage foreign countries from signing on with U.S. cloud computing providers like Google and Microsoft: Put your data on a U.S.-based cloud, they warn, and you may just put it in the hands of the U.S. government.

“The PATRIOT Act has come to be a kind of label for this set of concerns,” Ambassador Philip Verveer, U.S. coordinator for International Communications and Information Policy at the State Department, told POLITICO. “We think, to some extent, it’s taking advantage of a misperception, and we’d like to clear up that misperception.”

Reacting to concerns raised by some of the country’s most influential tech firms, the Obama administration is engaging in diplomatic talks around the world to put to rest fears in foreign capitals about the controversial surveillance law’s power to give the U.S. government access to international data stored by American companies.

The PATRIOT Act, which had key provisions extended by President Barack Obama in May, has become a flash point in sales of cloud computing services to governments in parts of Europe, Asia and elsewhere around the globe because of fears that under the law, providers can be compelled to hand over data to U.S. authorities.

While no foreign governments have moved to block U.S. tech companies, authorities in the Netherlands as recently as September floated the idea of banning U.S.-based cloud firms from competing for government contracts. And Verveer said on a trip to Germany in October that technology firms based in that country were openly using the PATRIOT Act as a “marketing proposition” to raise questions about U.S. cloud firms.

It has created a high-stakes trade issue that’s become a top agenda item for U.S. firms already profiting in the cloud and for those eyeing the technology for the future. It also registers high on the list of international tech priorities for the White House because of the potential negative impact such fears could have on the U.S. cloud market.

“I’ve heard directly from EU leaders, from Canadian policymakers and from companies all around the world about problems, or perceived problems, with the act,” said Phil Bond, a tech lobbyist and the former CEO of TechAmerica. “There is no shortage of people who misapprehend the law. If some of these misperceptions harden or real problems [are] not addressed, it will cause companies and governments to hesitate in doing business with U.S. cloud companies.”

For their part, the domestic tech industry, academics and even administration officials argue the PATRIOT Act is being hoisted up by foreign entities as a red herring to ban U.S. cloud firms from competing overseas. Laws in some countries allow governments to request private information from companies — and the fear is that this information could be turned over to U.S. authorities under the anti-terrorist law.

“It’s not at this point, I think, entirely clear that governments are doing this. But it is clear that for competitive purposes, this sort of thing is being raised,” Verveer said. “It’s definitely a genuine issue.”

Now, Washington-based tech trade groups are increasingly hearing from their members that foreign governments engaging in cloud contract discussions are raising questions about data moving outside their respective borders.

And the concerns are not isolated to Europe.

In the Asia-Pacific region, where cloud computing is experiencing a boom similar to the U.S., tech industry observers are also seeing the same issues pop up during government cloud contract negotiations, said Mark MacCarthy, vice president for public policy at the Software and Information Industry Association.

Some of that tension in the region could be alleviated as the result of recent trade discussions.

Obama earlier this month laid the foundation for an agreement with eight Pacific nations to drop trade barriers. That deal, which is still being negotiated, included provisions to the bar requirements for local data centers as well as cross-border data flow restrictions.

“It would be dramatically helpful for the cloud industry,” MacCarthy said. “That can then become the precedent for future trade agreements, and it might be the basis for further action with the [World Trade Organization].”

The PATRIOT Act argument has implications that extend to any U.S. company peddling in data that travels across the world.

But it’s an especially acute concern for cloud firms, experts say, because the whole business model is predicated on the ability of data to travel freely. Foreign countries are now asking cloud firms to restrict data flow within their respective borders.

“There’s a feeling that there’s a risk we’ll end up with a Tower of Babel with cloud computing,” said Darrell West, founding director of the Center for Technology Innovation at the Brookings Institution. “Several nations are imposing restrictions on data sharing to prevent data from moving across their own national boundaries, and that’s very shortsighted. You end up losing much of the benefit of cloud computing if you end with 192 systems.”

Aside from data restrictions, foreign governments are also asking U.S. cloud firms to establish data centers in their respective countries to keep a better eye on where data is being stored, creating another potential roadblock for international cloud contracts.

The need for the Obama administration to take an international lead on the issue was highlighted in a cloud computing report this summer authored by a coalition of 71 experts from some of the largest hardware, software and Internet companies, including Microsoft, Amazon and Salesforce.

Aside from reforming antiquated U.S. digital privacy laws, the report urged the Commerce Department to conduct a study of the PATRIOT Act and national security laws in other countries to determine a company’s ability to deploy cloud computing services in the global marketplace.

“This action may provide insights into how best to address uncertainty and confusion caused by national security statutes … that are perceived as impediments to a global marketplace for cloud services,” the report said.

And if the U.S. and other countries don’t simplify the complex legal environment surrounding cloud computing soon, experts are warning the environment will become riddled with uncertainty and confusion that could dampen the competitive position of U.S. firms in the future.

And for now, Congress is taking a back seat because “the point of the sword is in the administration,” MacCarthy said, noting that agencies tasked with trade responsibilities are handling the bulk of the negotiations.

The concern over the PATRIOT Act also mirrors a broader worry for U.S. tech companies — that protectionist efforts here and abroad will put a damper on the international cloud market.

But Congress may not be a silent player in the long run. Tech associations caution that lawmakers should avoid following suit by taking restrictive actions that harm foreign tech companies. That could backfire.

Instead, lawmakers should craft policy to ensure “trade barriers don’t get adopted” that impinge on the ability of foreign cloud providers to land government contracts in the U.S., said Robert Holleyman, president and CEO of the Business Software Alliance.

“It’s absolutely essential that the U.S. gets this right as a policy matter,” Holleyman said. “The stakes around this are huge. If the U.S. gets this wrong, it’s going to be a field day for other countries to emulate a protectionist example.”

Top federal tech officials have laid out guidance for how agencies should categorize data and what type of data should be kept within U.S. borders. Verveer, a lead official in the State Department’s efforts to establish an international framework for cloud computing, said agencies are supposed to peg only “high-sensitivity” data for cross-border restrictions.

But several recent cloud contracts point in the direction of federal agencies increasingly requiring providers to maintain domestic data centers and restrict the flow of data within U.S. borders.

For example, a General Services Administration solicitation for a governmentwide procurement vehicle for cloud-based email contained an element to restrict where data centers could be located. The federal government’s top watchdog shot down that part of the contract last month as part of a bid protest because the GSA could not provide a justifiable reason for the location requirement.

And the Department of the Interior recently reissued a request for information for cloud computing services with several location requirements. According to procurement documents, the agency wants its cloud provider to keep software development inside the U.S. to the “maximum extent practical,” and the physical data centers housing cloud data must also be located in the U.S.

“There’s an important role for the federal [chief technology officer] and federal [chief information officer] to play in helping define this,” Holleyman said. “When the CTO and CIO speak out on this issue, they need to know words matter. Other countries will look for signals.”

Never mind the Patriot Act, watch your thumb drives

Earlier this week, I spoke on a panel at Reboot's Privacy and Security conference in Ottawa about privacy and security in cloud computing. I didn't have a powerpoint, but IT World Canada has a pretty good write-up of the presentation ...

Never mind the Patriot Act, watch your thumb drives - Page 1 - Security

By: Grant Buckler On: 01 Dec 2011 For: ComputerWorld Canada

Businesses that think storing their cloud-based data north of the border protects them from government intrusion are wrong, a panel says. Why thumb drives are the real threat to info security

OTTAWA – Businesses contemplating cloud computing should worry less about the U.S. Patriot Act and more about thumb drives and border crossings, panelists at the Privacy and Information Security Congress said here Monday.

David Fraser, partner with the Atlantic Canadian law firm McInnes Cooper, said many people believe it is illegal to put data in the cloud if that means it will be stored south of the border because of provisions in the U.S. Patriot Act that allow the American security establishment to seize information without a conventional warrant or any notification to the data’s owners.

Whether or not many people believe it is illegal (it is not, though some provinces put limits on where certain data such as health records may be stored), comments from the audience showed there are concerns about the Patriot Act, particularly the fact that the law expressly forbids a cloud service provider from notifying a data owner when data is seized under the act.

But Fraser argued that Canada has similar legislation and that U.S. law applies to any company with a substantial connection to that country anyway, so insulating oneself from such government intrusion is not as simple as ensuring data stays north of the border.

And he said other risks are more significant – like thumb drives that plug into Universal Serial Bus (USB) ports. These are the No. 1 source of data breaches, according to Fraser.

“Go to the front desk of a hotel and say that you’ve lost your thumb drive,” he said, “and they’ll probably pull out a box of them.”

And if you’re concerned about governments snooping into your data, he added, “any time you cross the border … they can open up your laptop and they can clone your hard drive.”

Cloud computing could actually be a solution to both those problems by allowing computer users secure access to data from anywhere so they need not carry sensitive data on laptop hard drives or USB thumb drives, said Fraser.

Omkhar Arasaratnam, cloud security lead architect for SmartCloud Enterprise at IBM Canada Ltd., agreed with Fraser that keeping data at home is no panacea. And he said cloud security is not much different from information security in general, which is mainly about risk management and education.

Putting too many restrictions on what people can do won’t work, said Arasaratnam. “If you as an IT department are too restrictive, your end user community, your executives or their children will find ways around it.”

The best hope, he said, is to educate people so they understand why some behavior is risky, and look for ways to ensure security without restricting people’s use of technology too much.

The fact that cloud computing is new doesn’t necessarily mean it is insecure, said Arasaratnam. But Winn Schwartau, moderator of the panel, well-known speaker and author of several books on security, observed that IT has swung back and forth between centralization and decentralization several times since the 1950s, and asked the panelists what businesses should do to ensure they can get off the cloud should the pendulum swing again.

Fraser advised making sure contracts are clear about ownership of data and the client’s right to have it returned. Arasaratnam added that it’s important to ensure the data comes back in usable form, not as paper printouts or files in incomprehensible formats.

Privacy and Security in the Cloud

Today I participated in a webinar with Sheepdog Inc. and Google on Privacy and Security in the cloud. Below is my presentation, in case it's of interest:

Cloudlaw: Law and Policy in the Cloud

I'm spending the day today at a conference being hosted by the University of Toronto's Faculty of Law and the Centre for Innovation Law and Policy focused on cloud computing. The full agenda is at cloudlaw.ca and it looks like it will be a very interesting day.

I'm speaking at 1:00 on a panel that includes Patricia Kosseim (General Counsel to the Office of the Privacy Commissioner of Canada) and Professor Christopher Millard (Professor of Privacy and Information Law at the University of London). The topic is, not surprisingly, "Privacy and Security".

Here is my presentation, in case it's of interest:

Privacy and security in the cloud webinar

I've been invited by SheepDog Inc. to lead a free webinar on Privacy and Security in the Cloud on August 16, 2011. Full information and the registration form are both available on the event page on the site: Privacy and Security Webinar with David Fraser -- SheepDogInc.ca.

Google announces security certification for Apps and Apps Engine

For business thinking about moving data into the cloud, among the first questions to ask (and they do, trust me) is whether their data will be secure. Google has generally published a lot of information on the security of their enterprise products (including an interesting Whitepaper),

This week, Google announced that it has obtained certification for the next generation of SAS 70, SSAE 16 Type II attestation and its international counterpart, ISAE 3402 Type II. From the Official Google Enterprise Blog: Security First: Google Apps and Google App Engine receive SSAE-16 certification.

Legal issues in cloud computing contracts

Yesterday, IT World Canada published a very lengthy article on the manifold legal issues that need to be considered when a company moves its data to the cloud, including a lengthy interview with me given a little while ago.

Here's the first part ...

Canadian cloud contracts: Liabilities and limitations - Page 1 - Leadership

More companies in Canada are turning to the cloud — or, at least, thinking about it — for flexibility, agility and cost savings. But there is often the perception that using cloud-computing services could compromise corporate and customer data, or may even be against the law.

But there’s no law that prevents most Canadian businesses from exporting personal information, said David Fraser, partner with McInnis Cooper, president of the Canadian IT Law Association and chair of the National Privacy and Access Law Section of the Canadian Bar Association.

“Once you move into a real cloud computing model, all of a sudden you don’t know where your data is — where in Canada or where in the world — and we’ve seen a big privacy-related backlash against cloud computing,” he said. So a large part of his job is telling people they’re wrong, since there’s a huge amount of misinformation out there.

Private-sector privacy laws require that you ensure a comparable level of security for personal information, regardless of whether you permit it to be managed by a Canadian company or a non-Canadian company. And some highly regulated industries, such as banking, have special rules that may include additional regulation for outsourced services.

“The Patriot Act is the big thing that people freak out about,” he said, “but we have a Canadian version of the Patriot Act, which is just as offensive.”

Here’s the deal: In 2001, the U.S. Congress passed the USA Patriot Act, which expanded the powers of law enforcement and national security agencies to carry out investigations and obtain intelligence in connection with anti-terrorism investigations.

But the provisions that have attracted the most criticism, said Fraser, have equivalents under Canadian law. Regardless of where information resides, it will always be subject to lawful disclosure to law enforcement or national security bodies. In Canada, he said, this includes search warrants under the Criminal Code of Canada and the Canadian Security Intelligence Service Act. Many European countries also permit broader law enforcement and national security access to information than in both the U.S. and Canada.

Of course, where the data sits can have an impact on that data. If it’s in North Korea or China, it’s at high risk, said Fraser. In the U.S., it may in some cases be significant, but in most cases it won’t be. “How interested would the FBI be in getting their hands on that data and would they be able to justify getting a subpoena? In most cases no,” he said. “And if it’s a person of interest they can get it in Canada.”

Many people are surprised to learn there’s a secret court in the U.S. where judges hear applications made by Department of Justice lawyers for search warrants (and other such things) and there’s nobody on the other side to oppose those applications.

“We have a secret court in Canada,” said Fraser. “We have a bunker in Ottawa where judges hear lawyers from the Department of Justice and CSIS for warrants to do things as potentially offensive as break into your house and install wiretapping equipment. These orders can specifically provide for authorities to go back in and change the batteries. So people don’t often think that Canada is engaged in these types of cloak and dagger things, and we are. Our definition of anti-terrorism is as broad and offensive as the U.S.”

Canadian authorities have virtually identical powers under the Canadian Security Intelligence Service Act, he said, which permits secret court orders that authorize CSIS to intercept communications or to obtain anything named in the warrant.

On top of that, Canada has a mutual legal assistance treaty with the U.S. (as well as informal agreements), so if the FBI wants data and it’s in the hands of a Canadian company, the FBI calls the RCMP or CSIS. “So when you dig into it, that cross-border issue, at least in most cases, really is not the large issue that many people are led to believe it is,” he said, adding that the Patriot Act has become shorthand for just saying no.

Only British Columbia and Nova Scotia have laws strictly regulating the export of personal information from Canada by public bodies, said Fraser. For all other jurisdictions, including the federal jurisdiction, export is permitted, but the public body must ensure a comparable level of security for personal information, regardless of whether it’s managed by a Canadian or non-Canadian company.

What businesses need to do is benchmark their existing privacy infrastructure and compare it to the privacy infrastructure of the proposed cloud provider. What are the real risks to the data, and to privacy and security? A lot of businesses have significant existing vulnerabilities — from insecure desktops, to playing catch-up with security patches, to mobile employees running around with laptops. Or thumb drives. “Nothing is more stupid or dangerous,” said Fraser. “In a cloud model if the computer is lost you lose nothing.”

Very often, this benchmark leans heavily in favour of the cloud provider that has squadrons of security people. Small businesses, in particular, are vulnerable to power outages and basic continuity issues. A reputable large-scale cloud provider will have multiple data centres, so things will stay up and running.

Read more ...

Alberta Commissioner seeks leave to appeal Leon's case to the Supreme Court

In April, the Alberta Court of Appeal handed a significant defeat to the Information and Privacy Commissioner in Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner), 2011 ABCA 94 (CanLII), a case about whether a retailer is justified in collecting drivers' license and license plate information from customers picking up furniture. (See: Canadian Privacy Law Blog: Alberta Court of Appeal overrules province's Commissioner on license info.) Now it appears the Commissioner is taking the case to the Supreme Court of Canada. The application for leave to appeal was filed on May 26. The Court has discretion to determine whether it will hear the appeal, so it will be interesting to see whether the Court determines this to be a matter of national importance.

Cloud computing presentation to University of Windsor

On May 26, 2011, I had the pleasure of speaking at the University of Windsor's annual Campus Technology Day. Windsor has just recently made the decision to "Go Google" for student e-mail services.

My topic was cloud computing and privacy (with a little bit on copyright thrown in for good measure). Here is the presentation:

There were many active tweeters using #uwctd, in case you're looking for play-by-play commentary.