Friday, December 2, 2011

PATRIOT Act clouds picture for tech

Politico has an interesting article on how fears of the USA Patriot Act are having an impact upon US-based cloud vendors:

PATRIOT Act clouds picture for tech - David Saleh Rauf - POLITICO.com

Cloud computing is a gold mine for the U.S. tech industry, but American firms are encountering resistance from an unexpected enemy overseas: the PATRIOT Act.

The Sept. 11-era law was supposed to help the intelligence community gather data on suspected terrorists. But competitors overseas are using it as a way to discourage foreign countries from signing on with U.S. cloud computing providers like Google and Microsoft: Put your data on a U.S.-based cloud, they warn, and you may just put it in the hands of the U.S. government.

“The PATRIOT Act has come to be a kind of label for this set of concerns,” Ambassador Philip Verveer, U.S. coordinator for International Communications and Information Policy at the State Department, told POLITICO. “We think, to some extent, it’s taking advantage of a misperception, and we’d like to clear up that misperception.”

Reacting to concerns raised by some of the country’s most influential tech firms, the Obama administration is engaging in diplomatic talks around the world to put to rest fears in foreign capitals about the controversial surveillance law’s power to give the U.S. government access to international data stored by American companies.

The PATRIOT Act, which had key provisions extended by President Barack Obama in May, has become a flash point in sales of cloud computing services to governments in parts of Europe, Asia and elsewhere around the globe because of fears that under the law, providers can be compelled to hand over data to U.S. authorities.

While no foreign governments have moved to block U.S. tech companies, authorities in the Netherlands as recently as September floated the idea of banning U.S.-based cloud firms from competing for government contracts. And Verveer said on a trip to Germany in October that technology firms based in that country were openly using the PATRIOT Act as a “marketing proposition” to raise questions about U.S. cloud firms.

It has created a high-stakes trade issue that’s become a top agenda item for U.S. firms already profiting in the cloud and for those eyeing the technology for the future. It also registers high on the list of international tech priorities for the White House because of the potential negative impact such fears could have on the U.S. cloud market.

“I’ve heard directly from EU leaders, from Canadian policymakers and from companies all around the world about problems, or perceived problems, with the act,” said Phil Bond, a tech lobbyist and the former CEO of TechAmerica. “There is no shortage of people who misapprehend the law. If some of these misperceptions harden or real problems [are] not addressed, it will cause companies and governments to hesitate in doing business with U.S. cloud companies.”

For their part, the domestic tech industry, academics and even administration officials argue the PATRIOT Act is being hoisted up by foreign entities as a red herring to ban U.S. cloud firms from competing overseas. Laws in some countries allow governments to request private information from companies — and the fear is that this information could be turned over to U.S. authorities under the anti-terrorist law.

“It’s not at this point, I think, entirely clear that governments are doing this. But it is clear that for competitive purposes, this sort of thing is being raised,” Verveer said. “It’s definitely a genuine issue.”

Now, Washington-based tech trade groups are increasingly hearing from their members that foreign governments engaging in cloud contract discussions are raising questions about data moving outside their respective borders.

And the concerns are not isolated to Europe.

In the Asia-Pacific region, where cloud computing is experiencing a boom similar to the U.S., tech industry observers are also seeing the same issues pop up during government cloud contract negotiations, said Mark MacCarthy, vice president for public policy at the Software and Information Industry Association.

Some of that tension in the region could be alleviated as the result of recent trade discussions.

Obama earlier this month laid the foundation for an agreement with eight Pacific nations to drop trade barriers. That deal, which is still being negotiated, included provisions to the bar requirements for local data centers as well as cross-border data flow restrictions.

“It would be dramatically helpful for the cloud industry,” MacCarthy said. “That can then become the precedent for future trade agreements, and it might be the basis for further action with the [World Trade Organization].”

The PATRIOT Act argument has implications that extend to any U.S. company peddling in data that travels across the world.

But it’s an especially acute concern for cloud firms, experts say, because the whole business model is predicated on the ability of data to travel freely. Foreign countries are now asking cloud firms to restrict data flow within their respective borders.

“There’s a feeling that there’s a risk we’ll end up with a Tower of Babel with cloud computing,” said Darrell West, founding director of the Center for Technology Innovation at the Brookings Institution. “Several nations are imposing restrictions on data sharing to prevent data from moving across their own national boundaries, and that’s very shortsighted. You end up losing much of the benefit of cloud computing if you end with 192 systems.”

Aside from data restrictions, foreign governments are also asking U.S. cloud firms to establish data centers in their respective countries to keep a better eye on where data is being stored, creating another potential roadblock for international cloud contracts.

The need for the Obama administration to take an international lead on the issue was highlighted in a cloud computing report this summer authored by a coalition of 71 experts from some of the largest hardware, software and Internet companies, including Microsoft, Amazon and Salesforce.

Aside from reforming antiquated U.S. digital privacy laws, the report urged the Commerce Department to conduct a study of the PATRIOT Act and national security laws in other countries to determine a company’s ability to deploy cloud computing services in the global marketplace.

“This action may provide insights into how best to address uncertainty and confusion caused by national security statutes … that are perceived as impediments to a global marketplace for cloud services,” the report said.

And if the U.S. and other countries don’t simplify the complex legal environment surrounding cloud computing soon, experts are warning the environment will become riddled with uncertainty and confusion that could dampen the competitive position of U.S. firms in the future.

And for now, Congress is taking a back seat because “the point of the sword is in the administration,” MacCarthy said, noting that agencies tasked with trade responsibilities are handling the bulk of the negotiations.

The concern over the PATRIOT Act also mirrors a broader worry for U.S. tech companies — that protectionist efforts here and abroad will put a damper on the international cloud market.

But Congress may not be a silent player in the long run. Tech associations caution that lawmakers should avoid following suit by taking restrictive actions that harm foreign tech companies. That could backfire.

Instead, lawmakers should craft policy to ensure “trade barriers don’t get adopted” that impinge on the ability of foreign cloud providers to land government contracts in the U.S., said Robert Holleyman, president and CEO of the Business Software Alliance.

“It’s absolutely essential that the U.S. gets this right as a policy matter,” Holleyman said. “The stakes around this are huge. If the U.S. gets this wrong, it’s going to be a field day for other countries to emulate a protectionist example.”

Top federal tech officials have laid out guidance for how agencies should categorize data and what type of data should be kept within U.S. borders. Verveer, a lead official in the State Department’s efforts to establish an international framework for cloud computing, said agencies are supposed to peg only “high-sensitivity” data for cross-border restrictions.

But several recent cloud contracts point in the direction of federal agencies increasingly requiring providers to maintain domestic data centers and restrict the flow of data within U.S. borders.

For example, a General Services Administration solicitation for a governmentwide procurement vehicle for cloud-based email contained an element to restrict where data centers could be located. The federal government’s top watchdog shot down that part of the contract last month as part of a bid protest because the GSA could not provide a justifiable reason for the location requirement.

And the Department of the Interior recently reissued a request for information for cloud computing services with several location requirements. According to procurement documents, the agency wants its cloud provider to keep software development inside the U.S. to the “maximum extent practical,” and the physical data centers housing cloud data must also be located in the U.S.

“There’s an important role for the federal [chief technology officer] and federal [chief information officer] to play in helping define this,” Holleyman said. “When the CTO and CIO speak out on this issue, they need to know words matter. Other countries will look for signals.”

Thursday, December 1, 2011

Never mind the Patriot Act, watch your thumb drives

Earlier this week, I spoke on a panel at Reboot's Privacy and Security conference in Ottawa about privacy and security in cloud computing. I didn't have a powerpoint, but IT World Canada has a pretty good write-up of the presentation ...

Never mind the Patriot Act, watch your thumb drives - Page 1 - Security

By: Grant Buckler On: 01 Dec 2011 For: ComputerWorld Canada

Businesses that think storing their cloud-based data north of the border protects them from government intrusion are wrong, a panel says. Why thumb drives are the real threat to info security

OTTAWA – Businesses contemplating cloud computing should worry less about the U.S. Patriot Act and more about thumb drives and border crossings, panelists at the Privacy and Information Security Congress said here Monday.

David Fraser, partner with the Atlantic Canadian law firm McInnes Cooper, said many people believe it is illegal to put data in the cloud if that means it will be stored south of the border because of provisions in the U.S. Patriot Act that allow the American security establishment to seize information without a conventional warrant or any notification to the data’s owners.

Whether or not many people believe it is illegal (it is not, though some provinces put limits on where certain data such as health records may be stored), comments from the audience showed there are concerns about the Patriot Act, particularly the fact that the law expressly forbids a cloud service provider from notifying a data owner when data is seized under the act.

But Fraser argued that Canada has similar legislation and that U.S. law applies to any company with a substantial connection to that country anyway, so insulating oneself from such government intrusion is not as simple as ensuring data stays north of the border.

And he said other risks are more significant – like thumb drives that plug into Universal Serial Bus (USB) ports. These are the No. 1 source of data breaches, according to Fraser.

“Go to the front desk of a hotel and say that you’ve lost your thumb drive,” he said, “and they’ll probably pull out a box of them.”

And if you’re concerned about governments snooping into your data, he added, “any time you cross the border … they can open up your laptop and they can clone your hard drive.”

Cloud computing could actually be a solution to both those problems by allowing computer users secure access to data from anywhere so they need not carry sensitive data on laptop hard drives or USB thumb drives, said Fraser.

Omkhar Arasaratnam, cloud security lead architect for SmartCloud Enterprise at IBM Canada Ltd., agreed with Fraser that keeping data at home is no panacea. And he said cloud security is not much different from information security in general, which is mainly about risk management and education.

Putting too many restrictions on what people can do won’t work, said Arasaratnam. “If you as an IT department are too restrictive, your end user community, your executives or their children will find ways around it.”

The best hope, he said, is to educate people so they understand why some behavior is risky, and look for ways to ensure security without restricting people’s use of technology too much.

The fact that cloud computing is new doesn’t necessarily mean it is insecure, said Arasaratnam. But Winn Schwartau, moderator of the panel, well-known speaker and author of several books on security, observed that IT has swung back and forth between centralization and decentralization several times since the 1950s, and asked the panelists what businesses should do to ensure they can get off the cloud should the pendulum swing again.

Fraser advised making sure contracts are clear about ownership of data and the client’s right to have it returned. Arasaratnam added that it’s important to ensure the data comes back in usable form, not as paper printouts or files in incomprehensible formats.

Tuesday, November 22, 2011

Privacy and Security in the Cloud

Today I participated in a webinar with Sheepdog Inc. and Google on Privacy and Security in the cloud. Below is my presentation, in case it's of interest:

Friday, October 14, 2011

Cloudlaw: Law and Policy in the Cloud

I'm spending the day today at a conference being hosted by the University of Toronto's Faculty of Law and the Centre for Innovation Law and Policy focused on cloud computing. The full agenda is at cloudlaw.ca and it looks like it will be a very interesting day.

I'm speaking at 1:00 on a panel that includes Patricia Kosseim (General Counsel to the Office of the Privacy Commissioner of Canada) and Professor Christopher Millard (Professor of Privacy and Information Law at the University of London). The topic is, not surprisingly, "Privacy and Security".

Here is my presentation, in case it's of interest:

Thursday, August 11, 2011

Privacy and security in the cloud webinar

I've been invited by SheepDog Inc. to lead a free webinar on Privacy and Security in the Cloud on August 16, 2011. Full information and the registration form are both available on the event page on the site: Privacy and Security Webinar with David Fraser -- SheepDogInc.ca.

Sunday, August 7, 2011

Google announces security certification for Apps and Apps Engine

For business thinking about moving data into the cloud, among the first questions to ask (and they do, trust me) is whether their data will be secure. Google has generally published a lot of information on the security of their enterprise products (including an interesting Whitepaper),

This week, Google announced that it has obtained certification for the next generation of SAS 70, SSAE 16 Type II attestation and its international counterpart, ISAE 3402 Type II. From the Official Google Enterprise Blog: Security First: Google Apps and Google App Engine receive SSAE-16 certification.

Friday, June 10, 2011

Legal issues in cloud computing contracts

Yesterday, IT World Canada published a very lengthy article on the manifold legal issues that need to be considered when a company moves its data to the cloud, including a lengthy interview with me given a little while ago.

Here's the first part ...

Canadian cloud contracts: Liabilities and limitations - Page 1 - Leadership

More companies in Canada are turning to the cloud — or, at least, thinking about it — for flexibility, agility and cost savings. But there is often the perception that using cloud-computing services could compromise corporate and customer data, or may even be against the law.

But there’s no law that prevents most Canadian businesses from exporting personal information, said David Fraser, partner with McInnis Cooper, president of the Canadian IT Law Association and chair of the National Privacy and Access Law Section of the Canadian Bar Association.


“Once you move into a real cloud computing model, all of a sudden you don’t know where your data is — where in Canada or where in the world — and we’ve seen a big privacy-related backlash against cloud computing,” he said. So a large part of his job is telling people they’re wrong, since there’s a huge amount of misinformation out there.

Private-sector privacy laws require that you ensure a comparable level of security for personal information, regardless of whether you permit it to be managed by a Canadian company or a non-Canadian company. And some highly regulated industries, such as banking, have special rules that may include additional regulation for outsourced services.

“The Patriot Act is the big thing that people freak out about,” he said, “but we have a Canadian version of the Patriot Act, which is just as offensive.”

Here’s the deal: In 2001, the U.S. Congress passed the USA Patriot Act, which expanded the powers of law enforcement and national security agencies to carry out investigations and obtain intelligence in connection with anti-terrorism investigations.

But the provisions that have attracted the most criticism, said Fraser, have equivalents under Canadian law. Regardless of where information resides, it will always be subject to lawful disclosure to law enforcement or national security bodies. In Canada, he said, this includes search warrants under the Criminal Code of Canada and the Canadian Security Intelligence Service Act. Many European countries also permit broader law enforcement and national security access to information than in both the U.S. and Canada.

Of course, where the data sits can have an impact on that data. If it’s in North Korea or China, it’s at high risk, said Fraser. In the U.S., it may in some cases be significant, but in most cases it won’t be. “How interested would the FBI be in getting their hands on that data and would they be able to justify getting a subpoena? In most cases no,” he said. “And if it’s a person of interest they can get it in Canada.”

Many people are surprised to learn there’s a secret court in the U.S. where judges hear applications made by Department of Justice lawyers for search warrants (and other such things) and there’s nobody on the other side to oppose those applications.

“We have a secret court in Canada,” said Fraser. “We have a bunker in Ottawa where judges hear lawyers from the Department of Justice and CSIS for warrants to do things as potentially offensive as break into your house and install wiretapping equipment. These orders can specifically provide for authorities to go back in and change the batteries. So people don’t often think that Canada is engaged in these types of cloak and dagger things, and we are. Our definition of anti-terrorism is as broad and offensive as the U.S.”

Canadian authorities have virtually identical powers under the Canadian Security Intelligence Service Act, he said, which permits secret court orders that authorize CSIS to intercept communications or to obtain anything named in the warrant.

On top of that, Canada has a mutual legal assistance treaty with the U.S. (as well as informal agreements), so if the FBI wants data and it’s in the hands of a Canadian company, the FBI calls the RCMP or CSIS. “So when you dig into it, that cross-border issue, at least in most cases, really is not the large issue that many people are led to believe it is,” he said, adding that the Patriot Act has become shorthand for just saying no.

Only British Columbia and Nova Scotia have laws strictly regulating the export of personal information from Canada by public bodies, said Fraser. For all other jurisdictions, including the federal jurisdiction, export is permitted, but the public body must ensure a comparable level of security for personal information, regardless of whether it’s managed by a Canadian or non-Canadian company.

What businesses need to do is benchmark their existing privacy infrastructure and compare it to the privacy infrastructure of the proposed cloud provider. What are the real risks to the data, and to privacy and security? A lot of businesses have significant existing vulnerabilities — from insecure desktops, to playing catch-up with security patches, to mobile employees running around with laptops. Or thumb drives. “Nothing is more stupid or dangerous,” said Fraser. “In a cloud model if the computer is lost you lose nothing.”

Very often, this benchmark leans heavily in favour of the cloud provider that has squadrons of security people. Small businesses, in particular, are vulnerable to power outages and basic continuity issues. A reputable large-scale cloud provider will have multiple data centres, so things will stay up and running.

Read more ...

Saturday, June 4, 2011

Alberta Commissioner seeks leave to appeal Leon's case to the Supreme Court

In April, the Alberta Court of Appeal handed a significant defeat to the Information and Privacy Commissioner in Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner), 2011 ABCA 94 (CanLII), a case about whether a retailer is justified in collecting drivers' license and license plate information from customers picking up furniture. (See: Canadian Privacy Law Blog: Alberta Court of Appeal overrules province's Commissioner on license info.) Now it appears the Commissioner is taking the case to the Supreme Court of Canada. The application for leave to appeal was filed on May 26. The Court has discretion to determine whether it will hear the appeal, so it will be interesting to see whether the Court determines this to be a matter of national importance.

Thursday, May 26, 2011

Cloud computing presentation to University of Windsor

On May 26, 2011, I had the pleasure of speaking at the University of Windsor's annual Campus Technology Day. Windsor has just recently made the decision to "Go Google" for student e-mail services.

My topic was cloud computing and privacy (with a little bit on copyright thrown in for good measure). Here is the presentation:


There were many active tweeters using #uwctd, in case you're looking for play-by-play commentary.

Tuesday, May 17, 2011

Patrick Leahy introduces update to Electronic Communications Privacy Act

Today, May 17, 2011, Patrick Leahy introduced a bill to amend and substantially fix the Electronic Communications Privacy Act (ECPA). The bill made sense at the time it was first authored by Leahy a quarter century ago, but it has needed a substantial re-write in this cloud computing age. The most problematic provision allows obtaining stored communications that are more than 180 days old with just a subpoena, rather than a warrant based on probable cause. Twenty-five years ago, you might consider an un-downloaded e-mail message to have been abandoned, but that is no longer the case when millions of users are keeping all of their e-mails and documents in the cloud.

The Digital Due Process Coalition has been heavily lobbying for this change for some time.

For more info: Patrick Leahy introduces update to electronic privacy law - Post Tech - The Washington Post

Friday, May 6, 2011

Canadian Privacy Commissioner releases consultation report on cloud computing and online profiling

The Privacy Commissioner of Canada has just today released her report that resulted from last year's consumer consultations, which focused on cloud computing, online tracking/profiling. The report is here: Report on the 2010 Office of the Privacy Commissioner of Canada's Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing.

The summary is:

In the spring of 2010, the Office of the Privacy Commissioner of Canada (OPC) held consultations on online tracking, profiling and targeting, and cloud computing. The OPC received in total 32 written submissions and held public events in Toronto, Montreal and Calgary, attended by representatives of other privacy commissioner offices and industry, as well as academics, advocates and members of the public. On October 25, 2010, the OPC released a draft report on the consultations, seeking further comments on a range of issues, from the public/private divide to cloud computing. Twelve responses were received, addressing some of these issues.

With respect to online tracking, profiling and targeting, we heard primarily about the privacy issues related to behavioural advertising: what it is, what the benefits are, what risks to privacy exist, and what self-regulatory measures are in place. In terms of general privacy concerns, the blurring of the public/private divide and its effects on reputation was seen as a significant issue that arises from online tracking, profiling and targeting. Children's activities online and the need to incorporate privacy into digital citizenship programs were also items that were raised.

The consultations were an opportunity to examine the practices of online tracking, profiling and targeting through the lens of the Personal Information Protection and Electronic Documents Act (PIPEDA). While most industry participants were of the view that PIPEDA can handle the evolving technological environment, certain challenges with respect to applying the law were raised by many respondents and participants. Defining what is (or is not) personal information, determining the appropriate form of consent, limiting the use of personal information, implementing reasonable safeguards, providing access and correction to online information, and ensuring accountability were cited as PIPEDA-related issues that need careful attention. Online tracking, profiling and targeting are still largely invisible to most individuals, and most respondents and participants agreed that greater transparency is needed for the benefit of individuals and to ensure innovation.

With respect to cloud computing, the OPC learned about the different characteristics and models of cloud computing. We heard about its benefits and risks to enterprises and consumers. Again, most respondents and participants were of the view that PIPEDA can address issues that arise from cloud computing while others suggested that more should be done. Most of the PIPEDA-related issues concerned jurisdiction and availability of personal information to third parties; safeguards; new uses for the personal information and retention; and access.

The OPC is proposing to undertake specific activities in relation to online tracking, profiling and targeting, specifically in terms of research and outreach activities, as well as policy development. The OPC also intends to reach out to individuals and small and medium-sized enterprises with respect to privacy issues related to cloud computing. The comments related to PIPEDA compliance will also be considered in any review of the legislation.

Monday, April 18, 2011

Cloud Computing and Privacy FAQ

[Printer Friendly Version]

Cloud Computing and Privacy FAQ[1]
David TS Fraser
In Canada, there is often a perception that using cloud computing services may be against the law or may undermine privacy. This is often not the case, but the perception remains. The purpose of this frequently asked questions is to dispel some of the mythology and to provide the reader with a framework so that cloud computing and privacy can be properly assessed.
One important consideration for anyone contemplating a cloud computing solution is that the “baseline” from which you should measure any potential decision is your existing information system, warts and all. As objectively as possible, you will need to consider the security and privacy risks that are inherent in your corporate infrastructure. This may include insecure desktop systems, users with unencrypted mobile devices and constantly playing catch-up with patches and security updates. When making comparisons about the different options, keep your eyes as open as you can. Also, factor in the cost of bringing your existing system up to your desired standards as a matter of comparison.


Is it illegal for a Canadian business to outsource services, such as cloud computing, to a non-Canadian company?

No. There is no law that prevents most Canadian businesses from “exporting” personal information. Private sector privacy laws require that you ensure a comparable level of security for personal information, regardless of whether you permit it to be managed by a Canadian company or a non-Canadian company. (Some highly regulated industries, such as banking, have special rules which may include additional regulation for outsourced services.)


Is it illegal for a Canadian public sector or government body to outsource services, such as cloud computing, to a non-Canadian company?

It depends on the jurisdiction of the public sector or government body. Only British Columbia and Nova Scotia have laws strictly regulating the export of personal information from Canada by public bodies. For all other jurisdictions, including the federal jurisdiction, export is permitted but the public body must ensure a comparable level of security for personal information, regardless of whether you permit it to be managed by a Canadian company or a non-Canadian company.
Alberta has enacted legislation that makes it an offense for a public body or a service provider to disclose personal information in response to an order that does not have jurisdiction in Alberta.


What is all the fuss about privacy and cloud computing?

In 2001, the United States Congress passed the USA Patriot Act, which expanded the powers of law enforcement and national security agencies to carry out investigations and to obtain intelligence in connection with anti-terrorism investigations. Investigative powers that had been restricted to counter-intelligence (spy vs. spy stuff) were extended to anti-terrorism investigations. In Canada, attention was focused on the USA Patriot Act when the British Columbia government proposed to outsource processing of medicare claims to the Canadian subsidiary of a US company. Public sector unions who opposed the outsourcing focused on the fact that the company was American and suggested that sensitive health information would be readily available to US authorities. The British Columbia Information and Privacy Commissioner carried out an inquiry into the impact of this outsourcing on the privacy of British Columbians and recommended wide prohibitions on the “export” of personal information by BC’s public bodies.
British Columbia amended its Freedom of Information and Protection of Privacy Act to prohibit the export of personal information. (It is notable that the government did outsource the processing to the Canadian subsidiary of the US company and the legislature has had to amend the Act to scale back some of the unworkable provisions.) For more information, see below.
Nova Scotia followed suit with the passage of the Personal Information International Disclosure Protection Act. For more information, see below.


What does British Columbia’s anti-export law say?

Amendments to the Freedom of Information and Protection of Privacy Act require that information under the custody and control of a public body be stored only in Canada and accessed only in Canada unless the individual has consented to its storage or disclosure outside of Canada or one of a number of narrow exceptions apply. The public body and any of its service providers are under a legal obligation to  report any foreign demands for disclosure. Violating any of these provisions is an offense.


What does Nova Scotia’s anti-export law say?

The Personal Information International Disclosure Protection Act requires that information under the custody and control of a public body be stored only in Canada and accessed only in Canada unless the individual has consented to its storage or disclosure outside of Canada or one of a number of narrow exceptions apply. Importantly, the head of a public body may authorize the storage of personal information or access to personal information from outside of Canada if the head of the public body determines it is for the necessary operations of the public body. The head is obliged to report these exceptions to the Minister of Justice after the year end in which these decisions are made.
The public body and any of its service providers are under a legal obligation to  report any foreign demands for disclosure. Violating any of these provisions is an offense.


Is information better protected from law enforcement and national security access in Canada than in the United States?

Not necessarily. The provisions of the USA Patriot Act that have attracted the most criticism have equivalents under Canadian law. Regardless of where information resides, it will always be subject to lawful disclosure to law enforcement or national security bodies. In Canada, this includes search warrants under the Criminal Code of Canada and the Canadian Security Intelligence Service Act, and administrative subpoenas such as those issued under the Income Tax Act.
It should also be noted that many European countries permit broader law enforcement and national security access to information than in both the United States and Canada.
Secret Court Orders - The Foreign Intelligence Surveillance Act (amended by the USA Patriot Act) permits a specialized court - the Foreign Intelligence Surveillance Court - to issue secret court orders for the production of “any tangible thing” in connection with terrorism investigations. These orders are accompanied by a “gag order”, which prevents the recipient of the order from telling anyone other than legal counsel about the order. Canadian authorities have virtually identical powers under the Canadian Security Intelligence Service Act, which permits secret court orders that authorize CSIS to intercept communications or to obtain any thing named in the warrant.
Warrantless Wiretapping - The Foreign Intelligence Surveillance Act law permits the American government to intercept foreign communications and international communications without a warrant. Canada’s National Defence Act has essentially the same powers.
National Security Letters - National Security Letters are a form of administrative subpoena that permits a senior official of the Department of Justice to compel a third party (such as a bank, a telecom provider or an Internet service provider) to hand over information about a person’s use of the third party’s services. For example, they can require a telephone company to provide information about a customer’s use of the telephone, such as phone numbers called and the phone numbers of callers to the target of surveillance. It does not authorize the provision of the contents of any communications. Canada does not have an equivalent, but authorities in Canada can obtain this information by use of production orders.


Does keeping data in Canada keep it away from American law enforcement and national security agencies?

In short, no. Canada, the United States and most western democracies engage in a very high level of cooperation that includes mutual legal assistance treaties[2] and ad hoc information sharing. If US agencies are interested in an individual who has ties to Canada, the Federal Bureau of Investigation can make a formal request of the Royal Canadian Mounted Police or CSIS to obtain the relevant information on their behalf. Most Canadian privacy laws actually permit this sort of information sharing under treaties or informal arrangements. And if you are concerned about covert access to this sort of data, American laws do not prohibit federal agencies from seeking the information covertly if it is not in the United States. Some have suggested that information is safer from US authorities in the US because of this.


If we go with a cloud solution, should we give notice of this to our customers/users?

Under most Canadian laws, you technically do not need to seek consumer consent or provide notice. However, the Privacy Commissioner of Canada has taken the position that businesses that propose to have personal information processed outside of Canada should give notice of this to customers. This is not required under the statute, but probably represents a best practice. If you are required to give notice or elect to as a best practice, you should be mindful of how it is presented to your customers so that it does not appear to be a request for consent that they can “opt out” of or that raises concerns. Under the Alberta and Quebec private sector laws, you are required to give notice of this to your customers.  


What are the legal security requirements for Canadian companies considering cloud computing?

Canadian legislation is silent about what particular security practices should be adopted when using cloud computing. The Personal Information Protection and Electronic Documents Act, for example, only says that safeguards must be adopted that are commensurate with the sensitivity of the information. The more sensitive the information, the greater the precautions that should be taken. The general prevailing view is that you should insist on at least the industry best practices for the sort of data at issue.
The original organization remains legally responsible for the safeguarding personal information even if it is outsourced. It is up to the organization to make sure that any service provider implements adequate protections.
One must be mindful of any additional risks introduced by cloud computing, which is principally related to having data in transit over the open Internet. These risks can generally be mitigated by the use of SSL, VPN or other encryption technologies to make the information safe in transit.
When evaluating the security and privacy implications of outsourcing services, you should benchmark the provider against the status quo at your organization. If the provider you are considering is compliant to a national or international standard such as ISO27001 or FISMA/FIPS or SAS 70, consider whether your current systems would be compliant.
Provided a reputable provider is used, information is generally safer when in the custody of a cloud service provider.  This is generally because cloud providers have greater resources to devote to security and because mobile users will no loner have to carry data with them in vulnerable devices, such as laptops and USB/thumb drives.


What role should jurisdiction play in a decision about whether to adopt cloud computing?

Jurisdiction is not irrelevant, but is less relevant that many people believe. For example, you should be very wary of any situation that casts doubt over whether your contract with your service provider will be enforceable. Afterall, their obligations to secure your data are set out in the contract. This means, at a minimum, you should be sure that your service provider is based in a jurisdiction with a mature and fair legal system. You should be aware that data may fall under the jurisdiction of any country that is reasonably connected to, so this would include at a minimum where you are located, where the service provider is based and where the data resides (which may be difficult for the customer or any third party to determine). For each of these jurisdictions, you should consider whether any them introduce any significantly meaningful increase in risk to your data. Expert legal advice should be sought as it is very difficult to determine and measure this risk.


What should I be looking for in the contract with my service provider?

Below is a list of what you should be asking for. Not every service provider will negotiate these terms and some are simply difficult or impossible to deliver depending on the model of cloud computing the provider uses, but you should ask for them and consider any response.
1.        Limit service provider to only using your data for your purposes and for no other purpose
Depending on the service, it is reasonable that your provider will want to gather analytics about how users use the service so  they can improve it, but the provider should be limited in what possible secondary uses they can make of your own data. In most cases, they should not make any use of this data for their own purposes unless you explicitly consent.
2.        Include provision that data is held “in trust” for customer
The purpose of this stipulation is to make it clear that the data remains yours and their role is to process/store/manage it on your behalf. In addition, if the data is held for you in trust, their obligations with respect to the data are increased as they are a legal fiduciary.
3.        No disclosures of information without your consent
The provider should not permit -- and should be legally responsible for -- any disclosures of your data other than as expressly set out in the service agreement.  The service agreement should contemplate what the provider should do to respond to a legal order for access.
4.        Liquidated damages for any disclosure without consent
It is often difficult to quantify the harm resulting from disclosure of information, so it is a good idea to try to set out in the agreement a reasonable sum of damages that the service provider should pay in the event of a disclosure without your consent. It should not be a fixed sum, but rather a multiplier connected to the extent of the disclosure. And make sure that it is “general damages”, so that you are not precluded from claiming additional damages for the out-of-pocket costs associated with any claims made by your customers against you, any fines that may be levied and your costs associated with notifying your customers.
5.        Obligation to resist – to the extent lawful – orders to disclose information without consent
If the service provider receives legal process that would require them to hand over the data and they are  not able to tell anyone about it, this would make it mandatory for them to resist the disclosure to the extent that they can. For example, if they receive a subpoena or a production order, they should not just hand it over but apply to the issuing court to have the subpoena quashed. (There is never any assurance that it will be successful, however.) It should be noted that some orders, such as search warrants, cannot be resisted at the time but an application can be made to have the warrant set aside and the data returned.
6.        Obligation to cooperate with you in any regulators’ investigations
In the event of any investigation by the Privacy Commissioner or some other regulator, your service provider should be obliged to assist you with such an investigation.
7.        Will not deal with any regulators related to your information without your participation
In the event of any investigation by the Privacy Commissioner or some other regulator, your service provider should not be dealing directly with the investigators. It is your data and you are ultimately responsible for it, so the job of addressing any complaints should be yours alone.
8.        Implement safeguards to protect information – Set minimums but shift as much responsibility to the service provider
Cloud computing agreements are complicated, technologies are subject to constant change and security standards shift over time, so it is better to have the service provider agree to abide by well-known information security standards instead of dictating particular technologies to use. Make sure your provider is regularly audited against these standards and make sure that you will have the right to obtain copies of the audit reports. It is unlikely that you will be able to audit them yourselves (which is a good thing, because you don’t want other customer’s auditors going through the systems on which your data resides).
Make sure they warrant that they will abide by these standards and that they will cover all of your costs in the event of any breach that results from their lapse.
If possible, you should make sure that you are able to audit your users’ access of the data, which may be necessary if there is a breach of security that originates within your systems.
9.        Do not accept any limitations of liability related to privacy and security – full indemnity
One of the reasons for choosing a cloud provider is because of their expertise in securing your data. The agreement should not limit their liability to a nominal amount if they fail to safeguard the data. Their warranty and indemnity should cover all of your costs and any remedies you have to offer your customers due to a security breach. The service provider should have adequate insurance for incidents such as these and the provider should be obliged to keep their insurance in force and to provide you with certificates of insurance evidencing this.
10.        No retention of your information after the contract is finished (and make sure you get all your data back!)
You should make sure that any contract with your service provider permits you to get all our data out if you choose to terminate the agreement or if it expires and that the provider cannot retain or use any of your data (other than general analytics information that is used to improve the service) after that point. It just makes sense.


What are the best practices for decision-making around cloud computing?

As with any new program that involves the handling of personal information, the organization should undertake a privacy impact assessment (also known as a “PIA”). PIAs are a systematic way of canvassing all of the privacy issues inherent in a project so they can be identified and hopefully mitigated. PIAs are widely done in the public sector and should be undertaken by private sector organizations who are considering moving customer or employee data to a service provider. The author has considerable experience with PIAs and can provide training and additional information.


About the author

DAVID FRASER is a partner with McInnes Cooper, working with a range of private and public sector clients to implement compliance programs for Canadian privacy legislation. He regularly provides opinions related to Canadian privacy law for both Canadian and international clients and is a frequently invited speaker on this topic. He is the author of the popular Canadian Privacy Law Blog (http://blog.privacylawyer.ca) and the Canadian Cloud Law Blog (http://www.cloudlawyer.ca).
David is widely recognized as one of Canada’s foremost experts on privacy law and other legal issues associated with cloud computing. He regularly advises vendors and customers in connection with implementing cloud computing projects, in both the public and private sectors. David is particularly known for his ability to cut through the rhetoric often associated with cross-border outsourcing to implement clear risk-based assessment of such projects.
In addition, David is the Past President of the Canadian IT Law Association and the former Chair of National Privacy and Access Law Section of the Canadian Bar Association. David was honoured to be included in the inaugural (2006) and each subsequent edition of The Best Lawyers in Canada in the category of Information Technology law. He is listed among the world’s leading lawyers in Internet and eCommerce Law in the International Who’s Who of Business Lawyers. In the spring of 2006, David was a recipient of an Outstanding Young Canadian Award by the Junior Chamber of Commerce International - Halifax Chapter.  In 2009, David was named as one of Canada’s “Top 40 Lawyers Under 40” by Lexpert.
He is a member of the faculty of Dalhousie Law School, where he teaches Internet and Media Law, Law and Technology, and Law and Policy for Electronic Commerce. He is on the editorial board of the Canadian Journal of Law and Technology. Active in the Halifax technology community, David is secretary and director of advocacy for Digital Nova Scotia, the IT industry association of Nova Scotia.

[1] This document is intended to be a summary of common questions along with brief answers. It is meant to provide a brief guide so that the reader is able to seek relevant legal advice and is not intended to be a substitute for competent legal advice.
[2]See the Mutual Legal Assistance in Criminal Matters Act (R.S.C., 1985, c. 30 (4th Supp.)) athttp://laws-lois.justice.gc.ca/eng/acts/M-13.6/. For a list of the countries with which Canada has mutual legal assistance treaties, see http://www.treaty-accord.gc.ca/index.asp?lang=eng.

Tuesday, March 22, 2011

University of Alberta on Google goes live

The Official Google Enterprise Blog announces today that the University of Alberta is about to flick the switch to "Go Google" for student e-mail. The remaining faculty and staff will be switched over in the next months. This has been closely watched by most other Canadian universities as they look at cloud computing to cut IT costs and to provide more tools to students, faculty and staff. See: Official Google Enterprise Blog: The Green and Gold Goes Google.

Sunday, March 13, 2011

Dalhousie University's cloud conversation

Over the last few months, Dalhousie University has been looking much more closely to the possibility of replacing much of its expensive infrastructure with an outsourced cloud service. I was part of the conversation with my presentation (large mov file) on campus on Data Privacy Day and the conversation has been continuing. It has been very interesting to look at three recent articles on Dal News, including a two-part interview with Dwight Fischer, the University's CIO, and particularly the comments by students and other stakeholders on those articles. Check them out:

If you are a member of the University community (have a dal.ca login), you can join the conversation here: https://blogs.dal.ca/connectedU/.

Thursday, March 3, 2011

Ontario access to information decision may affect cloud computing decisions

Dan Michaluk has a great summary of a recent and important access to information case from Ottawa, City of Ottawa v. Ontario (Information and Privacy Commissioner) (13 December 2010, Ont Div. Ct.): Case Report – Personal e-mails not subject to FOI legislation « All About Information.

I think this is probably one of the most important access decisions of the past year. It's similar to Johnson v Bell Canada, but seems to go even further. It will have a big impact in universities, where professors have generally been wrangling for exclusion of their e-mail from access legislation.

Most importantly, I think: This case may also have an impact on cloud computing for universities and USA Patriot Act-blocking statutes, because these statutes only apply to information under the "custody or control" of the public body. This case can be interpreted to support the proposition that student e-mail, at least, is not under the custody or control of the public body for the purposes of such statutes.


Update (30 December 2010): Canadian Privacy Law Blog: Ontario Commissioner to appeal personal email decision.

Thursday, February 24, 2011

Ryerson University looks to the clouds

Today, I had the great pleasure of being one of the speakers at Ryerson University's broad consultation on the possibility of adopting cloud computing at the university. It was an incredibly high-quality event with a packed auditorium (in the middle of reading week, no less) and a very engaged audience.

The agenda is here: E-mail and Collaboration Tools Consultation | Email & Collaboration Tools Consultation.

My presentation is here:

If you can't see the embedded presentation, try this link: https://docs.google.com/present/view?id=ddpx56cg_415c4c8k5g5&interval=60

The full symposium was webcast live and will be available here:

If you want to see the many, many tweets which were sent out, search Twitter for #ryeprivacy.

UPDATE: Over at Slaw.ca, Dan Michaluk, who was at the symposium, has posted a few of his observations on the day: Commissioner Cavoukian says the Patriot Act is nothing.