Wednesday, December 19, 2012

Keeping data in Canada provides illusory protection against foreign government access

I was invited by CATA to give a presentation on cloud computing, privacy and cross border data flows for a number of its members and stakeholders who are involved with the fledgling Shared Services initiative coming out of the Government of Canada.

Here is the presentation, in case it is of interest:

IT World Canada was in attendance and has posted the following article:

Keeping data here no protection against US: Lawyer:

Ottawa may not allow cloud providers to store citizens' data across the border. But a lawyer says a better protection against US law is risk mitigation

By: Howard Solomon

ComputerWorld Canada (19 Dec 2012)

The refusal of some federal government departments to allow outsourcers to store personal data of citizens outside Canada won’t keep foreign governments from getting legal access to it, says a lawyer who specializes in cloud computing.

“Data sovereignty is a bit of an illusion because we’re so interconnected (with law enforcement agencies) and there’s so much data sharing taking place,” David Fraser told an audio conference call Tuesday sponsored by the Canadian Advanced Technology Alliance (CATA).

In particular, fears that the USA Patriot Act acts as a “huge vacuum cleaner” for American law enforcement agencies to get at personal data is baseless, he said.

The Patriot Act is a “boogey man,” he said.

The fact is most developed countries have legal tools that allow their law enforcement agencies to make legal claims on data held in their countries or outside their borders, Fraser said.

Fraser, a partner with the Halifax firm McInnes Cooper, argued the real issue for Ottawa when considering outsourcing that includes storing data in the U.S. should be assessing the risk that data can be lost or unlawfully accessed and taking steps to lower the risk.

The teleconference is part of a campaign by CATA, which represents IT manufacturers, solution providers, system integrators and consultants trying to sell products and services to governments, to get Ottawa to clarify its position on outsourcing data.

In an interview John Reid, CATA chief executive officer, said that since the creation last year of Shared Services Canada, an agency trying to consolidate federal IT services, the government has suggested it may mandate that personal data of citizens must be held in data centres here.

There isn’t a formal federal policy on cross-border data storage, Fraser told the conference call. Nor is there federal law that prohibits it. Instead, it is up to individual departments to do a risk assessment if they decide cross-border data storage is justified and take appropriate privacy measures. Only two provinces, British Columbia and Nova Scotia, have policies forbidding cloud providers from storing provincial data outside Canada.

Shared Services Canada has been trying to create new buying and outsourcing policies, setting up several committees on which CATA and other private sector groups sit. It is from those committees, Reid said, that CATA is getting signals of SSC’s only-in-Canada intent.

Earlier this month CATA sent a letter to SSC asking for the department’s intentions, but Reid said he hasn’t had a reply yet.

The department didn’t respond to a request Tuesday from IT World Canada for clarification.

One person on the conference call said some government departments already demand in requests for proposals (RFPs) to her organization that any outsourced solution has to keep data in Canada.

Reid wants to persuade Ottawa to be more open to cloud solutions where data is stored outside the country in part so his members get opportunities to bid on business, and in part, he said, because the government shouldn’t turn aside possible solutions that will make it more efficient.

Fraser noted that according to international law, U.S. law enforcement authorities have the right to subpoena data even if the data is held outside its borders, as long as there are connecting factors. (The same is true for police here, he added.)

For example, he said, if the data is held in Canada the U.S. could subpoena it through a person working for a company there.

For that reason, he said, a Canadian data centre owner might be able to safeguard data here if none of its executives ever crossed the border.

More practically, he said the Canadian government could take a number of steps to reduce the odds of the personal data of its citizens being misused by U.S. authorities.

The first is to encrypt the data – which should be a standard procedure anyway, he said – and make sure control of the encryption keys is held here.

Second, the government could decide that only “low risk” data can be sent out of the country.

Third, the government could demand certain contractual provisions with a service provider, such as clauses that say the data belongs to the customer, not the data centre, that the service provider won’t turn data over unless legally required to do so, and that it will notify the customer of any subpoenas.

There could also be a requirement for the provider to go to a U.S. court to resist a subpoena, although Fraser admitted there’s no guarantee it will be successful.

“There isn’t a shortage of ideas of how to mitigate risk,” he said.

Fraser didn’t say, but these risk mitigation options also apply to private sector companies who have been shy about adopting American cloud-based solutions.

Wednesday, December 12, 2012

Google offers model contract clauses for EU data protection compliance

Google has today announced that it is making Model Contract Clauses available to customers who have to deal with EU data protection rules.

Model contract clauses are one mechanism that permits an entity to export European personal information outside of the EU, in addition to safe harbor and binding corporate rules.

The announcement is found here: Official Google Enterprise Blog: Google Apps offers additional compliance options for EU data protection.

Monday, October 1, 2012

Nova Scotia trade union resurrects the USA Patriot Act boogeyman to prevent outsourcing

For those who have been following this topic in Canada, you'll remember that the first time that the USA Patriot Act appeared on the country's radar in earnest was when the British Columbia government proposed to outsource IT processing to the Canadian subsidiary of a US company. The union, most likely concerned about job losses, latched onto the USA Patriot Act as the hook that would get some traction in the media and in the public mind.

That led to the inquiry by BC's Information and Privacy Commissioner, then amendments to that province's Freedom of Information and Protection of Privacy Act and then Nova Scotia's Personal Information International Disclosure Protection Act.

Now, somewhat predictably, the principal Nova Scotia trade union for public employees is resurrecting the boogeyman to try to stop outsourcing of IT services by the provincial government. We'll see how this plays out ...

Data at risk in private-sector deal | The Chronicle Herald

Union worried Nova Scotians’ records vulnerable

The province’s largest public-sector union is worried about the security of Nova Scotians’ information if the government contracts out information technology work in a deal workers say could total $100 million over 10 years.

Joan Jessome, president of the Nova Scotia Government and General Employees Union, said Thursday that there’s a vast amount and array of data in the SAP computer system. She said it includes everything from payroll numbers to procurement information and data from the Registry of Motor Vehicles.

“There probably isn’t a single Nova Scotian ... that has not been impacted by SAP,” Jessome said.

“(Our members) are telling us that we have reason, no matter what the agreement is, that once that (information) goes to an international company, we should always be concerned about how far that goes and what acts does it cover in different countries across the world.”

She said employees mentioned the Patriot Act in the United States, passed after the 9-11 attacks. It requires U.S. companies to provide records to the American government upon demand.

A 2005 provincial auditor general’s report raised a concern that U.S. companies with Canadian subsidiaries could also be compelled to turn over information. In 2006, the minority Tory government of the day passed the Personal Information International Disclosure Protection Act, meant to prevent U.S. authorities from inappropriately accessing Nova Scotians’ information under the Patriot Act.

Finance Department spokeswoman Michelle Lucas had said Wednesday that ensuring information is secure would be a top priority. She had no further comment on the potential outsourcing Thursday.

On Monday, government officials met with employees who run the system to tell them about the possibility their jobs will be contracted out. There are about 73 unionized workers, and another 35 who aren’t unionized. The non-union workers run the system for district health authorities and the IWK Health Centre.

Jessome said workers told her that the government is considering a 10-year contract for the work, worth $10 million a year.

Lucas had said Wednesday that a multinational firm approached the province last year about setting up a “global delivery centre” in the province. Its main office would be in Halifax, with a smaller one in Sydney.

Sources have said the firm is IBM Canada. Jessome said the government has told her which company, but she agreed to keep it confidential.

IBM Canada spokeswoman Carrie Bendsza said the company, which has employees in Halifax now, doesn’t comment on rumour or speculation. She also said it doesn’t reveal how many employees it has in individual cities or countries.

Jessome said there are currently eight union SAP information technology workers in Sydney, three in Truro, and the rest in Halifax.

Lucas has said that if the province does make a deal with the company, all affected provincial employees would be offered a job. Jessome said many have already indicated they wouldn’t take it.

She said they’d lose the security of being in the union, the work week would likely go up to 40 hours from 35, their pension plan would change to defined contribution from defined benefit, and they could face months-long placements at the company’s other locations, such as China and India.

“They’re certainly concerned about their jobs, no question, but the other thing that they were scared of is the security of information,” Jessome said.

Lucas also said the potential contracting out isn’t being considered as a cost-cutting measure, but as an economic development opportunity in the hope of creating more jobs.

The province has spent many millions on the SAP system since first adopting it in 1996, with some projects going over budget, and the system not always working properly.

Friday, September 21, 2012

Ontario Information Privacy Commissioner blesses cross-border outsourcing of province's hunting and fishing license system

This decision from the Information and Privacy Commissioner of Ontario snuck under my radar this summer while I was on vacation.

This investigation is the result of a complaint brought by a Member of the Provincial Parliament about the Ontario Government's decision to outsource the processing and management of fishing and hunting licenses to a US-based business. The Commissioner did a thorough investigation and I am told they were pleasantly surprised by what they found. With regard to the USA Patriot Act, the Commissioner wrote:


The complainant has expressed concerns that the personal information of Ontarians will be subject to and accessible under American laws, including the PATRIOT Act. It is important to remember that, in Ontario, there is no legislative prohibition against the storing of personal information outside of the province or Canada. In other words, Ontario law, including the Act, does not speak to this issue. However, the Act and its regulations do require provincial institutions to ensure that reasonable measures are in place to protect the privacy and security of their records containing personal information. This applies regardless of where the records are located. Further, Ontario provincial institutions remain accountable for the actions of their agents or service providers, whether located in Ontario or in other jurisdictions.

I understand the complainant’s concern that the PATRIOT Act may be used by U.S. law enforcement agencies to access Ontarians’ personal information. However, the risk that law enforcement agencies may access personal information is not restricted to information held in the U.S. In fact, Canadian law enforcement agencies have similarly robust legal powers to obtain personal information held in Canada, and similar powers exist throughout most countries in the world. Further, law enforcement agencies in Canada, the U.S. and other countries have the ability to reach across borders to access personal information under various laws and agreements.

In this regard, the federal Privacy Commissioner of Canada has found that the privacy risks posed by the PATRIOT Act are similar to those found in Canada and, therefore, the privacy protection afforded by a U.S. service provider is comparable to that of a Canadian-based provider. In particular, the federal Privacy Commissioner has stated:

The risk of personal information being disclosed to government authorities is not a risk unique to U.S. organizations. In the national security and anti-terrorism context, Canadian organizations are subject to similar types of orders to disclose personal information held in Canada to Canadian authorities.

The federal Privacy Commissioner has also found that prior to the passing of the PATRIOT Act, U.S. authorities were able to access records held by U.S.-based firms relating to foreign intelligence gathering in a number of ways, including through formal bilateral agreements.

Canadian legal scholars and practitioners have also carefully examined and commented on the privacy implications of the PATRIOT Act. Professor Michael Geist, Canada Research Chair in Internet and E-commerce Law, has written:

Claims that the enactment of the USA Patriot Act has dramatically altered the legal landscape are simply false. The U.S. law enforcement toolkit, which allows for the compelled, secret disclosure of personal information, pre-dates the USA Patriot Act by decades. Suggestions that the problem can be solved by keeping personal information from flowing outside the country are not realistic from a real-world, commercial perspective, where data is transferred and stored instantly on computer servers in other jurisdictions without regard for location.

David T.S. Fraser, a prominent Canadian privacy lawyer, has also been very clear in writing:

Most people are surprised to learn that some of the most “problematic” provisions of the USA Patriot Act are replicated in Canadian law in the Anti-Terrorism Act. We just don’t hear about it as much. People are also surprised to learn of the huge amount of information sharing that takes place between agencies in Canada and their counterparts in the US.

The Act does not prohibit provincial institutions from outsourcing services on the basis that foreign law, including the PATRIOT Act, may apply. Similarly, there is no prohibition on the storage of personal information by government institutions outside the province. In fact, as noted by Professor Geist, outsourcing of technology services is a reality, whether by government agencies or private sector companies. Personal information may be subject to disclosure to law enforcement authorities, whether stored in the province or elsewhere. The critical question for institutions which have outsourced their operations across provincial or international borders is whether they have taken reasonable steps to protect the privacy and security of the records in their custody and control. I have always taken the position that you can outsource services, but you cannot outsource accountability. With this in mind, I now turn to consider what measures the Ministry has put into place in the circumstances of this complaint.

The decision is worth reading in its entirety: IPC - Office of the Information and Privacy Commissioner/Ontario | Reviewing the Licensing Automation System of the Ministry of Natural Resources: A Special Investigation Report [PC12-39].

Thursday, July 26, 2012

US cloud vendors complain to Congress about foreign privacy FUD

The United States House of Representatives Judiciary Committee (through its Internet subcommittee) this past week held a hearing to discuss issues related to cloud computing. Specifically, the hearing highlighted how fear, uncertainty and doubt are being spread regarding US privacy protections to discourage the use of American cloud vendors. The hearing included representatives of the Business Software Alliance, Rackspace, IBM and ITIF.

Principally, hysteria about the USA Patriot Act is being used by some non-US vendors to market their services. This ignores the fact that most countries have legal regimes very similar to the USA Patriot Act.

Check it out:

US Groups: Foreign Cloud Providers Marketing Against Privacy Concerns

IDG News Service (Washington, D.C., Bureau) — Cloud computing services from outside the U.S. are trying to exploit perceived weaknesses in privacy laws to drive business away from U.S. providers, according to some representatives of the tech industry.

Deutsche Telekom and other companies are marketing their cloud products as more private than those from U.S. vendors because of the Patriot Act and other laws, representatives of the Business Software Alliance and Rackspace told a U.S. House of Representatives subcommittee during a hearing Wednesday.

Foreign cloud computing vendors are spreading "fear, uncertainty and doubt" about U.S. privacy standards, Justin Freeman, corporate counsel for Rackspace, told members of the House Judiciary Committee's Internet subcommittee.

"We commonly see almost absurd positioning of what the Patriot Act permits, to the extent that it allows almost any U.S. government agency to, without notice or warrant, access any private data that's on a server contained within the United States," Freeman said.

"That's totally false," said Representative Bob Goodlatte, a Virginia Republican.

Witnesses from the U.S. tech industry and some lawmakers complained that some of the privacy problems are more perceived than actual, but some also called for Congress to change U.S. privacy laws to better protect data stored in the cloud.

The U.S. Electronic Communications Privacy Act (ECPA) allows law enforcement agencies easier access to information stored in the cloud than to information stored on a hard drive or in a file cabinet, noted Representatives Zoe Lofgren, a California Democrat, and Jerrold Nadler, a New York Democrat.

Some countries have "legitimate concerns, honestly, about the lack of standards in American law," Lofgren said. "We have a lot of work to do in this area."

In addition to marketing campaigns, several nations have passed or are considering laws that require their residents' data to be stored on servers within the country, said Daniel Castro, senior analyst with the Information Technology and Innovation Foundation (ITIF), a tech-focused think tank. Many countries are using privacy and security concerns to pass domestic storage laws, he said.

"Some countries are using unfair policies to intentionally disadvantage foreign competitors and grow their domestic cloud computing industry," Castro said. "The rise of cloud mercantilism is an emerging threat to global trade and information technology."

Greece, China, Russia and Venezuela are among the countries that have passed data localization requirements, Castro said. He called on the U.S. government to push against such laws.

Castro and Robert Holleyman, the BSA's president and CEO, also asked Congress to update ECPA to better protect stored data.

Congress also needs to consider ways to better protect stored information on cloud services, Lofgren said. The U.S. Department of Justice, when it shuttered the Megaupload file-sharing site in January, left the data of many innocent users in limbo, she said.

Holleyman, whose trade group supports strong law enforcement actions against file sharing sites, said he didn't have a suggestion for how to protect innocent users.

"Nobody seems to feel any responsibility toward people who are completely innocent here," Lofgren said. "There seems to be no interest or obligation to innocent bystanders to this action."

Wednesday, July 25, 2012

Economist editorial: spot-on about cloud privacy and law enforcement

The Economist has an absolutely spot-on editorial on privacy in the age of cloud computing:

Data privacy: Out of shape | The Economist

The rules on what data governments can demand from communications companies need tightening
Jul 21st 2012 | from the print edition

SNOOPING, like so many things in life, is going mobile and online. In 2011 Google received 12,271 requests for data from the American government and acceded to all but a few of them. American mobile-phone carriers together fielded more than 1.3m such requests. Some covered multiple subscribers. Some were for “tower dumps”, which reveal the phone numbers of everyone—criminal suspects or not—in range of a certain mobile-phone tower at a certain time.

The rate of government requests has been growing: Verizon, America’s biggest mobile-service provider, says it has gone up by 15% in each of the past five years. Large mobile companies now have teams of employees that do nothing other than respond to government requests for data (see article).

This is happening partly because technology makes snooping easier, and partly because the law has not caught up with the technology. In the offline world, governments generally need a judge to sign a warrant to put a wire-tap in place; the same goes for a physical search of property. In the online world, most data—concerning who called or e-mailed whom, or visited what website, though not the content of a communication—is handed over without any such judicial review.

This is not just an American issue; European states are at least as careless of their citizens’ privacy as America. The European Union’s Data Retention Directive requires telecoms firms to store vast amounts of data about their customers’ activities, which may then be provided to law-enforcement agencies. In Britain, a draft Communications Data bill gives intelligence agencies even wider powers to intercept and store such data.

There are decent arguments in favour of giving governments such powers. Criminals, as well as law-enforcement agencies, make effective use of digital communications, so states need to be able to respond in kind. Rescue services sometimes need phone data to locate someone who needs urgent help. And where such information can help catch criminals, it should be made available. But there are also arguments for greater restraint. Communications technology these days compromises people’s privacy more than it used to. Mobile-phone records can reveal where people are, what websites they visit, what they are interested in and what they buy. Law-enforcement agencies should not be allowed unrestricted access to such complete, and intrusive, pictures of people’s lives.

Rewind, please

There is, at least, some kickback. The European law has been found unconstitutional in several member states, and the European Commission intends to revise it. But Britain’s bill seems likely to become law, despite much criticism. In America, the main federal law on the subject was written in 1986, when the internet barely existed. It badly needs an overhaul.

A good general principle would be to afford data stored in a private e-mail account as much protection as letters stored in a locked desk drawer—that is, law-enforcement agencies wanting to get a look at them should need a warrant. Internet and mobile-phone companies, and the agencies that get data from them, must be subject to proper reporting requirements. Only if people know more clearly what information is being collected about whom, and to what uses it is being put, can they judge whether the benefits of greater safety the surveillance state has brought them are worth the huge loss of privacy they have suffered as a result.

Thursday, June 7, 2012

Google to incorporate EU model contract clauses for European customers

Google has just announced that it will offer and incorporate the EU's Model Contract Clauses in its Google Apps for Enterprise customers in Europe. See the announcement from the Google Enterprise blog: Official Google Enterprise Blog: Google Apps to offer additional compliance options for EU data protection.

Monday, May 28, 2012

Google Apps receives ISO 27001 certification

Google has just announced, on its official Google Enterprise Blog, that Google Apps has received ISO 27001 certification. This is in addition to their SSAE 16 / ISAE 3402 audits and FISMA certification for Google Apps for Government. Check it out: Official Google Enterprise Blog: Google Apps receives ISO 27001 certification.

Saturday, May 26, 2012

White paper compares government access to cloud data in ten jurisdictions

In the last week, law firm Hogan Lovells released a very interesting white paper on government access to cloud data across ten jurisdictions, mainly focused on debunking many of the myths associated with the USA Patriot Act. The white paper was released in association with a Round Table on Government Access to Data with European policy makers at the Openforum Academy.

More information is available at the Hogan Lovells Chronicle of Data Protection: Hogan Lovells White Paper on Governmental Access to Data in the Cloud Debunks Faulty Assumption That US Access is Unique : HL Chronicle of Data Protection.

Here's the white paper: A Global Reality: Governmental Access to Data in the Cloud -- A comparative analysis of ten international jurisdictions.

Monday, January 30, 2012

CANADA needs to get its head in the clouds: Editorial on the benefits of cloud computing for universities

The Halifax Chronicle Herald has a good editorial on the benefits of cloud computing for universities, prompted by the decision of Dalhousie University to switch to a cloud provider for e-mail systems:

Dalhousie email switch | The Chronicle Herald:

CANADA needs to get its head in the clouds.

Cloud computing, to be specific.

More a technological service than a product, cloud computing refers to storing data and running software programs remotely, even across borders, on servers that may be owned by someone else.

The advantages, in terms of efficiency and reducing costs, can be significant. That’s why so many businesses and public bodies in the U.S., Britain and Europe have made the switch to cloud computing for at least some of their online needs.

That’s also why Dalhousie University is wisely planning, pending a privacy review, to move its email system to a Microsoft cloud service, a change that the school estimates will save $2 million.

Overall, however, Canada has been a laggard on embracing cloud computing, say legal and technology experts.

The main reasons seem to be worries about security and privacy, and some confusion about what cloud computing means.

There’s no question it’s essential to ensure cloud service providers have sufficient security and privacy safeguards, especially when the servers storing Canadian data may be in other jurisdictions, such as the U.S.

But legal experts say there is widespread misunderstanding about what law enforcement can and cannot do, on both sides of the border. Even Ontario Privacy Commissioner Ann Cavoukian says cloud computing is "eminently doable" in Canada, provided proper vetting is done with service providers beforehand.

The misperception that privacy laws are preventing many sectors from embracing cloud computing and reaping its benefits — notably in the health system — has left Canada behind many other developed countries in utilizing cloud computing technology, legal experts say.

So it’s good to see Dalhousie join a growing number of Canadian universities, such as the University of Toronto, the University of New Brunswick and the University of Alberta, in moving their email services to the clouds — and so realizing significant savings.

Given the fiscal challenges for universities — and many governments — today, investigating the cloud’s potential, carefully but thoroughly, is essential.