Monday, April 28, 2014

Data location doesn't matter: US Federal Judge

In a decision that should not come as a big surprise, a US Federal Court judge has determined that the location of data under Microsoft's custody is not relevant. If Microsoft can produce it, it is required to do so.

As reported in Computerworld, the decision relates to a search warrant that directed Microsoft to produce the contents of one of its customer’s e-mails, where that information is stored on a server located in Dublin, Ireland. Microsoft contended that courts in the US cannot issue warrants for extraterritorial search and seizure, but the judge denied Microsoft's motion to quash the warrant. It argued, in part, that a US court can't issue a search warrant for premises outside of the United States so they should not be able to do so virtually.

However, the Court found that these orders may look like search warrants but they are more like subpoenas. They order an American company to do something entirely in the Unites States:

But the concerns that animate the presumption against extraterritoriality are simply not present here: an SCA Warrant does not criminalize conduct taking place in a foreign country; it does not involve the deployment of American law enforcement personnel abroad; it does not require even the physical presence of service provider employees at the location where data are stored. At least in this instance, it places obligations only on the service provider to act within the United States....

This case, for some Canadian readers will be reminiscent of the Canadian Federal Court decision in eBay Canada Ltd. v. M.N.R., 2008 FCA 348, where the Court ordered eBay in Canada to turn over information about Canadian "powersellers" regardless of the fact that the data was not within the territorial jurisdiction of the Court.

Microsoft is appealing this decision, but for now it stands for the proposition that the location of data is largely irrelevant in determining whether a government can order it to be turned over. The location or nationality of the custodian is much more relevant.

Monday, March 31, 2014

Charmaine Borg MP introduces private members bill to add breach notification to the federal Privacy Act

Charmaine Borg, the NDP's digital issues critic and the most activist MP in the area of privacy has tabled Bill C-580 to update the federal Privacy Act to require breach notification and a mandatory 5-year review of the Act. More info here: LEGISinfo - Private Member’s Bill C-580 (41-2).

In the wake of so many privacy breaches by federal government departments, I can get onboard with this.

Friday, March 28, 2014

Cloud Computing FAQ for Canadian In-house Counsel

The Canadian Corporate Counsel Association Magazine (CCCA Magazine) Spring 2014 edition had a strong focus on privacy, "Managing your Privacy Risk: An In-house Guide." The edition included a version of my Cloud Computing and Privacy FAQ, focused at in-house counsel. Click the image (or here) to get the full article:

Wednesday, January 22, 2014

Microsoft to agree to local storage of foreign users' data

According to the Financial Times, Microsoft is going to break from the pack of other cloud service providers by agreeing to store data locally. FT.com content is behind an annoying paywall, but here's the gist of it along with some commentary.

Microsoft to shield foreign users’ data - FT.com

By James Fontanella-Khan in Brussels and Richard Waters in San Francisco

Microsoft will allow foreign customers to have their personal data stored on servers outside the US, breaking ranks with other big technology groups that until now have shown a united front in response to the American surveillance scandal.

Brad Smith, general counsel of Microsoft, said that although many tech companies were opposed to the idea, it had become necessary following leaks that showed the US National Security Agency had been monitoring the data of foreign citizens from Brazil to across the EU.

“People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides,” he told the FT. ...


This decision seems to be based on (or appealing to) the fiction that the location of data is somehow determinative of whether law enforcement or national security folks can get access to data. As I said, it's mostly a fiction. Governments can assert control over things, or people, or entities on a number of bases. One of them is the presence of the thing (a server) in the physical jurisdiction, but most importantly is the presence of the person who can obtain and hand over the data.

... Some critics of the idea have questioned whether such a move would be effective in putting the personal data of non-Americans outside the reach of the NSA, since US tech companies have to hand over information about specific users when ordered to by a secret US court, regardless of where it is held.

However, keeping the information off US soil and under local data protection rules should make it harder for the NSA to tap into illicitly, Mr Chester said. “If the data are not being transported, then it does stop that kind of access.” ...


While this isn't really a solution to the principal problem that many people associate with the USA Patriot Act and the FISA Amendments Act, it may be an economically rational decision since many customers will only ask where the data is, rather than what it really means.

Mr Smith acknowledged that it would be expensive but added “does it mean that you ignore what customers want? That’s not a smart business strategy.” ...

I do agree, however, that the big question which is the driver behind all of this needs to be addressed at a government-to-government level.

Mr Smith also said that the US and EU should consider signing an international agreement that ensures they will not try to seek data in each other’s territory via technology companies.

“If you want to ensure that one government doesn’t seek . . . to reach data in another country, the best way to do it is . . . an international agreement between those two countries. Secure a promise by each government that it will act only pursuant to due process and along the way improve the due process.”

He argued that the existing “Mutual Legal Assistance Treaty” mechanism used by the US and EU to protect individuals’ rights from the two blocs is outdated: “It needs to be modernised or replaced.”

Tuesday, January 14, 2014

Privacy Commissioner of Canada offers outsourcing guidance

Today, the Office of the Privacy Commissioner of Canada posted a "Fact Sheet: Privacy and Outsourcing", which leads to two resources depending on whether you're looking at the public sector (Privacy Act) or the private sector (PIPEDA).

The fact sheets are mostly a collection of useful links and resources, though there are some general statements. The one the I find most interesting is the following:

Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in clear and understandable language. Ideally they should do it at the time the information is collected. Once an informed individual has chosen to do business with a particular company, they do not have an additional right to refuse to have their information transferred.

When personal information is in the hands of a third-party service provider operating on foreign soil, it is subject to the laws of that country and no contract can override that. This could mean, for instance, that the organization may be obliged to respond to a subpoena or other mechanism that would give law enforcement officials access to personal information.


This has consistently been the position of the OPC, starting with a PIPEDA finding from 2005 when the Commissioner said that a bank should (not must) advise customers that the processing of data will be outsourced to a US service provider. I have to note, though, that PIPEDA doesn't contain any actual obligation to provide such notice. So I'm not sure where the obligatory language from the OPC's new fact sheet comes from.

In any event, the fact sheets do provide useful information about the OPC's take on cross-border outsourcing.

Monday, December 16, 2013

US congressional group calling out Canada on trade protectionism under the banner of national security

The National Post is reporting that a group of powerful US lawmakers are calling out Canada on the frivolous use of "National Security" as a thinly-veiled effort at protectionism. In an number of very large scale procurement contracts, regardless of the security classification of the information, the government has disqualified any vendor where the data may cross the Canadian frontiers.

I have seen this first-hand where government paranoia about the cloud simply leads bureaucrats to the risk-averse decision of keeping data exclusively in Canada under the banner of "data sovereignty." This is one of the reasons why Canada lags behind in the adoption of cloud computing and why Canadian governments spend hundreds of millions of dollars on operating and maintaining thousands of little data centres instead of taking advantage of the massive savings offered by cloud computing.

The Treasury Board of Canada has long-standing guidelines that require a risk assessment in every case that takes into account the sensitivity of the data and the risk of exposure, but Public Works appears to have adopted a one size fits all "no-can-do" attitude.

It will be interesting to see if this turns into a proceeding before the international trade tribunals.

See: John Ivison: Powerful U.S. Congress group accuses Canada of trade protectionism under guise of national security | National Post.

Thursday, May 9, 2013

UK Government announces "Cloud First" policy

The Government of the UK has just announced its "Cloud First" policy.

Government announces 'Cloud First' procurement policy - Government Computing Network:

Government announces 'Cloud First' procurement policy

Charlotte Jee

Published 05 May 2013

Mandates central government to consider cloud solutions before all others when buying IT



The government has confirmed that it has adopted a 'Cloud First' policy, making it mandatory for buyers of IT products and services in central government to consider purchases through the cloud as their first option.

Cabinet Office minister Francis Maude said that the policy will drive wider adoption of cloud computing in the public sector, boosting business through the G-Cloud programme's CloudStore, and ensuring the public sector buys IT in a 'quicker, cheaper, more competitive way'.

According to the Cabinet Office, as of now, when they buy new or existing services, public sector organisations should consider and fully assess potential Cloud solutions first, before looking at any other option.

A statement explained, "This approach is mandated to central government and strongly recommended to the wider public sector. Departments will remain free to choose an alternative to the Cloud if they can demonstrate that it offers better value for money."

Alongside today's announcement, the third iteration of G-Cloud (G-Cloud III) is going live today, with 708 firms offering over 5,000 services listed on the new framework- up from the 458 suppliers and 3,000 services on G-Cloud II when it went live last October .

Maude said, "Many government departments already use G-Cloud, but IT costs are still too high. One way we can reduce them is to accelerate the adoption of Cloud across the public sector to maximise its benefits.

"The Cloud First policy will embed the skills a modern civil service needs to meet the demands of 21st-century digital government and help us get ahead in the global race."

The policy has been under consideration for some time, with G-Cloud programme director Denise McDonagh suggesting at a roundtable in March that Maude was likely to give it the go-ahead.

McDonagh, who has long advocated a 'Cloud First' policy, said, "Sales from G-Cloud are rising steadily, with cumulative spend now over £18 million - two-thirds of it with SMEs. This is still small relative to overall government IT spend, and the transition to widespread purchasing of IT services as a commodity won't happen overnight.

"The adoption of a Cloud First policy will give added impetus for Whitehall and the wider public sector to move in this direction - complementing our ongoing work to encourage Cloud adoption and to help buyers adapt to this way of purchasing IT, which is already showing results."

US federal agencies have been operating with a cloud first policy since December 2010, and a number of other countries are believed to be considering instituting similar directives.

Friday, March 15, 2013

US federal district court judge rules National Security Letters are unconstitutional

The Electronic Frontier Foundation is reporting that a US Federal District Court judge in San Francisco has ruled that National Security Letters are unconstitutional as a violation of the First Amendment of the US Constitution and the separation of powers. The Judge's order has been stayed for 90 days to permit the federal government time to appeal.

National Security Letters (NSLs) are a form of administrative subpoena that can be issued by a senior official of the FBI, which requires the recipient to provide non-content or transactional information and is usually accompanied by a gag order.

According to EFF's media release, Judge Susan Illston ordered that the FBI stop issuing NSLs and cease enforcing the gag provision in this or any other case.

From the EFF: National Security Letters Are Unconstitutional, Federal Judge Rules | Electronic Frontier Foundation

A copy of the Judge's decision is available here, also on the EFF website.

Monday, February 11, 2013

New Zealand Privacy Commissioner offers cloud guidance

The Privacy Commissioner of New Zealand has released a checklist for businesses and a guidance document [PDF] to about cloud computing. Here is the Commissioner's summary of the two documents: Cloud computing guidelines.

From the Checklist:

  1. Figure out which cloud services will work for you and what your current risk level is
  2. Know what information you'll be sending to the cloud
  3. Recognise that the responsibility is ultimately yours
  4. Security - lock it down
  5. Check out your provider
  6. Know exactly what you're signing up for
  7. Be as up front with your clients as you can
  8. Location - where will the information be?
  9. Use and disclosure - who sees the information and what will it be used for?
  10. Ability to exit, and deleting information

Monday, January 14, 2013

Note to HRSDC: Cloud computing and remote access dramatically reduces the risk of portable device data breaches

The Canadian news has been full of reports related to two significant privacy breaches emanating from the federal ministry of Human Resources and Skills Development Canada. The first to be reported was the loss of a USB thumb drive containing the personal information (including personal health information) of more than 5,000 disabled Canadians who were receiving benefits under programs administered by HRSDC. In the course of investigating that first breach, a second came to light. Apparently someone at HRSDC thought it would be wise to backup the data of over half a million student loan recipients onto a portable USB hard-drive, which could be easily lost or misplaced. Guess what happened ... it was lost or misplaced.

Problems with storing sensitive personal information on USB storage devices are not unknown. The Information and Privacy Commissioner of Ontario, Ann Cavoukian, has recently been on a tear over a USB-related breach by Elections Ontario resulting from poorly understood policies, bad training and a lack of accountability. In fact, she's published reams of reports on the breach, its root causes and what should be done to prevent it from happening again. (The TL;DR version: Employees were engaged in a project where they had to clean up electoral lists at an off-site location. They decided to transfer the data using USB thumb drives and didn't even do that well.)

The HRSDC Minister's media release says that, as a response to the second breach, employees will be given training on a new information security policy. That suggests to me that the reckless practice of placing unencrypted personal information on portable storage devices was A-OK. Well, it's not. Never has been and never will be.

The full facts of the HRSDC breaches are still very sparse, but we know that the second breach was caused by an employee or employees who wanted to make a backup of data (probably a good idea) and put the backup on a small portable device (a very bad idea). It may be that the first breach was caused by an employee who either needed to work offsite with the data or needed to move it from one computer to another. Both are reasonable things to want to do. And in some computing environments, can only be accomplished by making a copy of the data and USB devices are a handy way of accomplishing that.

A large part of my practice is advising clients on cloud computing. And I also often get invited to speak to groups of IT professionals and fellow lawyers on legal issues related to cloud computing. For the past few years, the majority of questions about the risk of cloud computing have focused on the fact that the data may be outside of Canada and that the customer is trusting someone else to secure the data. Those are both important questions to ponder, but few turn their minds to the fact that, in most cases, cloud computing is much safer for the data and significantly lowers the risk to data.

If Elections Ontario or HRSDC were using a cloud computing model, none of these breaches would have happened in any of the scenarios outlined above. Cloud computing keeps the data on a server or series of servers in highly secured data centres. There's no need to copy or move the data to get access to it remotely. This is accomplished through secured connections between an authorized computer or browser and the data centre. If you want it backed up, that's usually done on tapes in the data center and the data seldom has to leave the secured premises. In any data centre worth its salt, disk inventory is carefully controlled and audit tools are used to keep track of who has accessed what data. If tapes are moved offsite for redundancy's sake, there is usually a much higher level of diligence exercised as it follows documented processes.

When questions are being asked about how this happened and what can be done to prevent such breaches from happening again, the government should carefully consider how cloud computing or other remote access models dramatically reduce the risk of such breaches.