Canadian Cloud Law Blog<br />
News and commentary on legal aspects of cloud computing from a Canadian perspective. By privacylawyer.<br />
<br />
Data location doesn't matter: US Federal Judge (2014-04-28)<P>In a decision that should not come as a big surprise, a US Federal Court judge has determined that the location of data under Microsoft's custody is not relevant. If Microsoft can produce it, it is required to do so.<br />
<br />
<P>As reported in <a href="http://www.computerworld.com/s/article/9247946/Microsoft_vows_to_appeal_federal_email_privacy_ruling?taxonomyId=17">Computerworld</a>, the <a href="https://www.documentcloud.org/documents/1149373-in-re-matter-of-warrant.html">decision</a> relates to a search warrant that directed Microsoft to produce the contents of one of its customer’s e-mails, where that information is stored on a server located in Dublin, Ireland. Microsoft contended that courts in the US cannot issue warrants for extraterritorial search and seizure, arguing in part that since a US court can't issue a search warrant for premises outside of the United States, it should not be able to do so virtually. The judge denied Microsoft's motion to quash the warrant. <br />
<br />
<P>However, the Court found that these orders may look like search warrants but are more like subpoenas: they order an American company to do something entirely within the United States:<br />
<br />
<blockquote>But the concerns that animate the presumption against extraterritoriality are simply not present here: an SCA Warrant does not criminalize conduct taking place in a foreign country; it does not involve the deployment of American law enforcement personnel abroad; it does not require even the physical presence of service provider employees at the location where data are stored. At least in this instance, it places obligations only on the service provider to act within the United States....</blockquote><br />
<P>This case, for some Canadian readers, will be reminiscent of the Canadian Federal Court decision in <a href="http://www.canlii.org/en/ca/fca/doc/2008/2008fca348/2008fca348.html">eBay Canada Ltd. v. M.N.R.</a>, 2008 FCA 348, where the Court ordered eBay in Canada to turn over information about Canadian "powersellers" regardless of the fact that the data was not within the territorial jurisdiction of the Court.<br />
<br />
<P>Microsoft is appealing this decision, but for now it stands for the proposition that the location of data is largely irrelevant in determining whether a government can order it to be turned over. The location or nationality of the custodian is much more relevant.<br />
<br />
Charmaine Borg MP introduces private member's bill to add breach notification to the federal Privacy Act (2014-03-31)<P>Charmaine Borg, the NDP's digital issues critic and the most activist MP in the area of privacy, has tabled Bill C-580 to update the federal Privacy Act to require breach notification and a mandatory 5-year review of the Act. More info here: <a href="http://www.parl.gc.ca/LegisInfo/BillDetails.aspx?Language=E&Mode=1&billId=6475960">LEGISinfo - Private Member’s Bill C-580 (41-2)</a>.<br />
<P>In the wake of so many privacy breaches by federal government departments, I can get onboard with this.<br />
<br />
Cloud Computing FAQ for Canadian In-house Counsel (2014-03-28)<p>The Canadian Corporate Counsel Association Magazine (<a href="http://www.ccca-accje.org/EN/magazine/main/archive.aspx">CCCA Magazine</a>) Spring 2014 edition had a strong focus on privacy, "Managing your Privacy Risk: An In-house Guide." The edition included a version of my Cloud Computing and Privacy FAQ, focused at in-house counsel. Click the image (or <a href="https://drive.google.com/file/d/0B_bUaJvZ9k_BRFYtSThWYy15UUU/edit?usp=sharing">here</a>) to get the full article:
<div class="separator" style="clear: both; text-align: center;"><a href="https://drive.google.com/file/d/0B_bUaJvZ9k_BRFYtSThWYy15UUU/edit?usp=sharing" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3USvBbAyOuGg78CVucZRwQZr4MUUCF_6bNEtxeKnVfqM2sClaRVhMwC2xta5uai3H6LoE7HYm6KxaHCu_N_S8R0sAW5V0i1-mwqv2a_ZphsqFD2cNz8P9rhvL06H8p7UrznECN83yQrZs/s400/CCCA+-+Spring+2014+-+David+Fraser+-+Cloud+FAQ_1.png" /></a></div><br />
Microsoft to agree to local storage of foreign users' data (2014-01-22)<P>According to the Financial Times, Microsoft is going to break from the pack of other cloud service providers by agreeing to store data locally. FT.com content is behind an annoying paywall, but here's the gist of it along with some commentary.<br />
<br />
<blockquote><a href="http://www.ft.com/intl/cms/s/0/e14ddf70-8390-11e3-aa65-00144feab7de.html#axzz2rAKlyh8M">Microsoft to shield foreign users’ data - FT.com</a><br />
<br />
<P>By James Fontanella-Khan in Brussels and Richard Waters in San Francisco<br />
<br />
<P>Microsoft will allow foreign customers to have their personal data stored on servers outside the US, breaking ranks with other big technology groups that until now have shown a united front in response to the American surveillance scandal.<br />
<P>Brad Smith, general counsel of Microsoft, said that although many tech companies were opposed to the idea, it had become necessary following leaks that showed the US National Security Agency had been monitoring the data of foreign citizens from Brazil to across the EU.<br />
<P>“People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides,” he told the FT. ...</blockquote><br />
<P>This decision seems to be based on (or appealing to) the fiction that the location of data is somehow determinative of whether law enforcement or national security folks can get access to it. As I said, it's mostly a fiction. Governments can assert control over things, or people, or entities on a number of bases. One of them is the presence of the thing (a server) in the physical jurisdiction, but the most important is the presence of a person who can obtain and hand over the data. <br />
<br />
<blockquote>... Some critics of the idea have questioned whether such a move would be effective in putting the personal data of non-Americans outside the reach of the NSA, since US tech companies have to hand over information about specific users when ordered to by a secret US court, regardless of where it is held.<br />
<P>However, keeping the information off US soil and under local data protection rules should make it harder for the NSA to tap into illicitly, Mr Chester said. “If the data are not being transported, then it does stop that kind of access.” ...</blockquote><br />
<P>While this isn't really a solution to the principal problem that many people associate with the <i>USA Patriot Act</i> and the <i>FISA Amendments Act</i>, it may be an economically rational decision since many customers will only ask where the data is, rather than what it really means.<br />
<br />
<blockquote>Mr Smith acknowledged that it would be expensive but added “does it mean that you ignore what customers want? That’s not a smart business strategy.” ... </blockquote><br />
<P>I do agree, however, that the big question which is the driver behind all of this needs to be addressed at a government-to-government level.<br />
<br />
<blockquote>Mr Smith also said that the US and EU should consider signing an international agreement that ensures they will not try to seek data in each other’s territory via technology companies.<br />
<P>“If you want to ensure that one government doesn’t seek . . . to reach data in another country, the best way to do it is . . . an international agreement between those two countries. Secure a promise by each government that it will act only pursuant to due process and along the way improve the due process.”<br />
<P>He argued that the existing “Mutual Legal Assistance Treaty” mechanism used by the US and EU to protect individuals’ rights from the two blocs is outdated: “It needs to be modernised or replaced.”</blockquote><br />
Privacy Commissioner of Canada offers outsourcing guidance (2014-01-14)<P>Today, the Office of the Privacy Commissioner of Canada posted a "<a href="http://www.priv.gc.ca/resource/fs-fi/02_05_d_57_os_e.asp">Fact Sheet: Privacy and Outsourcing</a>", which leads to two resources depending on whether you're looking at the <a href="http://www.priv.gc.ca/resource/fs-fi/02_05_d_57_os_02_e.asp">public sector</a> (Privacy Act) or the <a href="http://www.priv.gc.ca/resource/fs-fi/02_05_d_57_os_01_e.asp">private sector</a> (PIPEDA).<br />
<br />
<P>The fact sheets are mostly a collection of useful links and resources, though there are some general statements. The one I find most interesting is the following:<br />
<br />
<blockquote>Organizations need to <b>make it plain</b> to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in <b>clear and understandable</b> language. Ideally they should do it <b>at the time the information is collected</b>. Once an informed individual has chosen to do business with a particular company, they do not have an additional right to refuse to have their information transferred.<br />
<br />
<P>When personal information is in the hands of a third-party service provider operating on foreign soil, it is subject to the laws of that country and no contract can override that. This could mean, for instance, that the organization may be obliged to respond to a subpoena or other mechanism that would give law enforcement officials access to personal information.</blockquote><br />
<P>This has consistently been the position of the OPC, starting with a <a href="http://www.priv.gc.ca/cf-dc/2005/313_20051019_e.asp">PIPEDA finding from 2005</a> when the Commissioner said that a bank <b>should</b> (not must) advise customers that the processing of data will be outsourced to a US service provider. I have to note, though, that PIPEDA doesn't contain any actual obligation to provide such notice. So I'm not sure where the obligatory language from the OPC's new fact sheet comes from. <br />
<br />
<P>In any event, the fact sheets do provide useful information about the OPC's take on cross-border outsourcing.<br />
<br />
US congressional group calling out Canada on trade protectionism under the banner of national security (2013-12-16)<P>The National Post is reporting that a group of powerful US lawmakers is calling out Canada on the frivolous use of "National Security" as a thinly-veiled effort at protectionism. In a number of very large-scale procurement contracts, regardless of the security classification of the information, the government has disqualified any vendor where the data may cross the Canadian border. <br />
<br />
<P>I have seen this first-hand where government paranoia about the cloud simply leads bureaucrats to the risk-averse decision of keeping data exclusively in Canada under the banner of "data sovereignty." This is one of the reasons why Canada lags behind in the adoption of cloud computing and why Canadian governments spend hundreds of millions of dollars on operating and maintaining thousands of little data centres instead of taking advantage of the massive savings offered by cloud computing. <br />
<br />
<P>The Treasury Board of Canada has long-standing guidelines that require a risk assessment in every case that takes into account the sensitivity of the data and the risk of exposure, but Public Works appears to have adopted a one-size-fits-all "no-can-do" attitude.<br />
<br />
<P>It will be interesting to see if this turns into a proceeding before the international trade tribunals. <br />
<br />
<P>See: <a href="http://fullcomment.nationalpost.com/2013/12/16/john-ivison-powerful-u-s-congress-group-accuses-canada-of-trade-protectionism-under-guise-of-national-security/">John Ivison: Powerful U.S. Congress group accuses Canada of trade protectionism under guise of national security | National Post</a>.<br />
<br />
UK Government announces "Cloud First" policy (2013-05-09)<P>The Government of the UK has just announced its "Cloud First" policy.<br />
<blockquote><a href="http://central-government.governmentcomputing.com/news/government-announces-cloud-first-procurement-policy">Government announces 'Cloud First' procurement policy - Government Computing Network</a>: <br />
<br />
<P>Government announces 'Cloud First' procurement policy<br />
<P>Charlotte Jee<br />
<P>Published 05 May 2013<br />
<P>Mandates central government to consider cloud solutions before all others when buying IT<br />
<br />
<P>The government has confirmed that it has adopted a 'Cloud First' policy, making it mandatory for buyers of IT products and services in central government to consider purchases through the cloud as their first option.<br />
<br />
<P>Cabinet Office minister Francis Maude said that the policy will drive wider adoption of cloud computing in the public sector, boosting business through the G-Cloud programme's CloudStore, and ensuring the public sector buys IT in a 'quicker, cheaper, more competitive way'.<br />
<br />
<P>According to the Cabinet Office, as of now, when they buy new or existing services, public sector organisations should consider and fully assess potential Cloud solutions first, before looking at any other option.<br />
<br />
<P>A statement explained, "This approach is mandated to central government and strongly recommended to the wider public sector. Departments will remain free to choose an alternative to the Cloud if they can demonstrate that it offers better value for money."<br />
<br />
<P>Alongside today's announcement, the third iteration of G-Cloud (G-Cloud III) is going live today, with 708 firms offering over 5,000 services listed on the new framework, up from the 458 suppliers and 3,000 services on G-Cloud II when it went live last October.<br />
<br />
<P>Maude said, "Many government departments already use G-Cloud, but IT costs are still too high. One way we can reduce them is to accelerate the adoption of Cloud across the public sector to maximise its benefits.<br />
<br />
<P>"The Cloud First policy will embed the skills a modern civil service needs to meet the demands of 21st-century digital government and help us get ahead in the global race."<br />
<br />
<P>The policy has been under consideration for some time, with G-Cloud programme director Denise McDonagh suggesting at a roundtable in March that Maude was likely to give it the go-ahead.<br />
<br />
<P>McDonagh, who has long advocated a 'Cloud First' policy, said, "Sales from G-Cloud are rising steadily, with cumulative spend now over £18 million - two-thirds of it with SMEs. This is still small relative to overall government IT spend, and the transition to widespread purchasing of IT services as a commodity won't happen overnight.<br />
<br />
<P>"The adoption of a Cloud First policy will give added impetus for Whitehall and the wider public sector to move in this direction - complementing our ongoing work to encourage Cloud adoption and to help buyers adapt to this way of purchasing IT, which is already showing results."<br />
<br />
<P>US federal agencies have been operating with a cloud first policy since December 2010, and a number of other countries are believed to be considering instituting similar directives.</blockquote><br />
US federal district court judge rules National Security Letters are unconstitutional (2013-03-15)<p>
The Electronic Frontier Foundation is reporting that a US Federal District Court judge in San Francisco has ruled that National Security Letters are unconstitutional as a violation of the First Amendment of the US Constitution and the separation of powers. The Judge's order has been stayed for 90 days to permit the federal government time to appeal.
<p>
National Security Letters (NSLs) are a form of administrative subpoena that can be issued by a senior official of the FBI, which requires the recipient to provide non-content or transactional information and is usually accompanied by a gag order.
<p>
According to EFF's media release, Judge Susan Illston ordered that the FBI stop issuing NSLs and cease enforcing the gag provision in this or any other case.
<p>
From the EFF: <a href="https://www.eff.org/press/releases/national-security-letters-are-unconstitutional-federal-judge-rules">National Security Letters Are Unconstitutional, Federal Judge Rules | Electronic Frontier Foundation</a>
<p>
A copy of the Judge's decision is available <a href="https://www.eff.org/document/nsl-ruling-march-14-2013">here</a>, also on the EFF website.
<br />
New Zealand Privacy Commissioner offers cloud guidance (2013-02-11)<P>The Privacy Commissioner of New Zealand has released a checklist for businesses and a <a href="http://privacy.org.nz/assets/Files/Brochures-and-pamphlets-and-pubs/OPC-Cloud-Computing-guidance-February-2013.pdf">guidance document [PDF]</a> about cloud computing. Here is the Commissioner's summary of the two documents: <a href="http://privacy.org.nz/using-the-cloud/">Cloud computing guidelines</a>. <P>From the <a href="http://privacy.org.nz/cloud-computing-checklist-for-small-business/">Checklist</a>: <br />
<ol>
<li>Figure out which cloud services will work for you and what your current risk level is</li>
<li>Know what information you'll be sending to the cloud</li>
<li>Recognise that the responsibility is ultimately yours</li>
<li>Security - lock it down</li>
<li>Check out your provider</li>
<li>Know exactly what you're signing up for</li>
<li>Be as up front with your clients as you can</li>
<li>Location - where will the information be?</li>
<li>Use and disclosure - who sees the information and what will it be used for?</li>
<li>Ability to exit, and deleting information</li>
</ol><br />
Note to HRSDC: Cloud computing and remote access dramatically reduce the risk of portable device data breaches (2013-01-14)<P>The Canadian news has been full of reports related to two significant privacy breaches emanating from the federal ministry of Human Resources and Skills Development Canada. The first to be reported was the <a href="http://blog.privacylawyer.ca/2012/12/government-loses-sensitive-personal.html">loss of a USB thumb drive</a> containing the personal information (including personal health information) of more than 5,000 disabled Canadians who were receiving benefits under programs administered by HRSDC. In the course of investigating that first breach, a second came to light. Apparently someone at HRSDC thought it would be wise to back up the data of over <a href="http://blog.privacylawyer.ca/2013/01/hrsdc-loses-sensitive-personal.html">half a million student loan recipients onto a portable USB hard-drive</a>, which could be easily lost or misplaced. Guess what happened ... it was lost or misplaced.<br />
<div>
Problems with storing sensitive personal information on USB storage devices are not unknown. The Information and Privacy Commissioner of Ontario, Ann Cavoukian, has recently <a href="http://ipc.on.ca/english/advanced-search/Results/?orderTypeOR=&legislationOR=&subjectOR=&topicOR=&resourceTypeOR=&PHIPAIndices=&FIPPAIndices=&MFIPPAIndices=&publishedFrom=&publishedTo=Sunday,%20January%2013,%202013&orderNum=&keywords=(%22elections+ontario%22)&origKeywords=%22elections+ontario%22&pageNum=1&pageSize=10&order=3&classificationTypeOR=&resourceType=0&classificationType=0&orderType=0&subjectAND=&topicAND=&sectionAND=&onlyJudicialReviews=False&refineTrail=keywords*%5e_(%22elections+ontario%22)%5e_*keyword%3d%22elections+ontario%22_*%5e&SEARCHTYPE=1">been on a tear</a> over a USB-related breach by Elections Ontario resulting from poorly understood policies, bad training and a lack of accountability. In fact, she's published reams of reports on the breach, its root causes and what should be done to prevent it from happening again. (The TL;DR version: Employees were engaged in a project where they had to clean up electoral lists at an off-site location. They decided to transfer the data using USB thumb drives and didn't even do that well.)<br />
<br />
The HRSDC Minister's <a href="http://blog.privacylawyer.ca/2013/01/government-release-on-loss-of-personal.html">media release</a> says that, as a response to the second breach, employees will be given training on a new information security policy. That suggests to me that, until now, the reckless practice of placing unencrypted personal information on portable storage devices was treated as A-OK. Well, it's not. Never has been and never will be.<br />
<br />
The full facts of the HRSDC breaches are still very sparse, but we know that the second breach was caused by an employee or employees who wanted to make a backup of data (probably a good idea) and put the backup on a small portable device (a very bad idea). It may be that the first breach was caused by an employee who either needed to work offsite with the data or needed to move it from one computer to another. Both are reasonable things to want to do. And in some computing environments, they can only be accomplished by making a copy of the data, and USB devices are a handy way of doing that.<br />
<br />
A large part of my practice is advising clients on cloud computing. And I also often get invited to speak to groups of IT professionals and fellow lawyers on legal issues related to cloud computing. For the past few years, the majority of questions about the risk of cloud computing have focused on the fact that the data may be outside of Canada and that the customer is trusting someone else to secure the data. Those are both important questions to ponder, but few turn their minds to the fact that, in most cases, cloud computing is much safer for the data and significantly lowers the risk to it.<br />
<br />
If Elections Ontario or HRSDC were using a cloud computing model, none of these breaches would have happened in any of the scenarios outlined above. Cloud computing keeps the data on a server or series of servers in highly secured data centres. There's no need to copy or move the data to get access to it remotely. This is accomplished through secured connections between an authorized computer or browser and the data centre. If you want it backed up, that's usually done on tapes in the data centre, and the data seldom has to leave the secured premises. In any data centre worth its salt, disk inventory is carefully controlled and audit tools are used to keep track of who has accessed what data. If tapes are moved offsite for redundancy's sake, there is usually a much higher level of diligence exercised, as it follows documented processes.<br />
<br />
When questions are being asked about how this happened and what can be done to prevent such breaches from happening again, the government should carefully consider how cloud computing or other remote access models dramatically reduce the risk of such breaches.</div>
Keeping data in Canada provides illusory protection against foreign government access (2012-12-19)<P>I was invited by CATA to give a presentation on cloud computing, privacy and cross-border data flows for a number of its members and stakeholders who are involved with the fledgling Shared Services initiative coming out of the Government of Canada.
<P>Here is the presentation, in case it is of interest:
<P><iframe allowfullscreen="true" frameborder="0" height="389" mozallowfullscreen="true" src="https://docs.google.com/presentation/embed?id=1srV-Ei96A220-y8iEbbbNhv9pqHvrsRZFBokQ_zR_iY&start=false&loop=false&delayms=30000" webkitallowfullscreen="true" width="480"></iframe>
<P>IT World Canada was in attendance and has posted the following article:
<blockquote>
<P><a href="http://www.itworldcanada.com/news/keeping-data-here-no-protection-against-us-lawyer/146516?goback=%2Eanp_4210358_1355933427717_1#ixzz2FVygVjLz">Keeping data here no protection against US: Lawyer</a>:
<P>Ottawa may not allow cloud providers to store citizens' data across the border. But a lawyer says a better protection against US law is risk mitigation
<P>By: Howard Solomon
<P>ComputerWorld Canada (19 Dec 2012)
<P>The refusal of some federal government departments to allow outsourcers to store personal data of citizens outside Canada won’t keep foreign governments from getting legal access to it, says a lawyer who specializes in cloud computing.
<P>“Data sovereignty is a bit of an illusion because we’re so interconnected (with law enforcement agencies) and there’s so much data sharing taking place,” David Fraser told an audio conference call Tuesday sponsored by the Canadian Advanced Technology Alliance (CATA).
<P>In particular, fears that the USA Patriot Act acts as a “huge vacuum cleaner” for American law enforcement agencies to get at personal data are baseless, he said.
<P>The Patriot Act is a “boogey man,” he said.
<P>The fact is most developed countries have legal tools that allow their law enforcement agencies to make legal claims on data held in their countries or outside their borders, Fraser said.
<P>Fraser, a partner with the Halifax firm McInnes Cooper, argued the real issue for Ottawa when considering outsourcing that includes storing data in the U.S. should be assessing the risk that data can be lost or unlawfully accessed and taking steps to lower the risk.
<P>The teleconference is part of a campaign by CATA, which represents IT manufacturers, solution providers, system integrators and consultants trying to sell products and services to governments, to get Ottawa to clarify its position on outsourcing data.
<P>In an interview John Reid, CATA chief executive officer, said that since the creation last year of Shared Services Canada, an agency trying to consolidate federal IT services, the government has suggested it may mandate that personal data of citizens must be held in data centres here.
<P>There isn’t a formal federal policy on cross-border data storage, Fraser told the conference call. Nor is there federal law that prohibits it. Instead, it is up to individual departments to do a risk assessment if they decide cross-border data storage is justified and take appropriate privacy measures. Only two provinces, British Columbia and Nova Scotia, have policies forbidding cloud providers from storing provincial data outside Canada.
<P>Shared Services Canada has been trying to create new buying and outsourcing policies, setting up several committees on which CATA and other private sector groups sit. It is from those committees, Reid said, that CATA is getting signals of SSC’s only-in-Canada intent.
<P>Earlier this month CATA sent a letter to SSC asking for the department’s intentions, but Reid said he hasn’t had a reply yet.
<P>The department didn’t respond to a request Tuesday from IT World Canada for clarification.
<P>One person on the conference call said some government departments already demand in requests for proposals (RFPs) to her organization that any outsourced solution has to keep data in Canada.
<P>Reid wants to persuade Ottawa to be more open to cloud solutions where data is stored outside the country in part so his members get opportunities to bid on business, and in part, he said, because the government shouldn’t turn aside possible solutions that will make it more efficient.
<P>Fraser noted that according to international law, U.S. law enforcement authorities have the right to subpoena data even if the data is held outside its borders, as long as there are connecting factors. (The same is true for police here, he added.)
<P>For example, he said, if the data is held in Canada the U.S. could subpoena it through a person working for a company there.
<P>For that reason, he said, a Canadian data centre owner might be able to safeguard data here if none of its executives ever crossed the border.
<P>More practically, he said the Canadian government could take a number of steps to reduce the odds of the personal data of its citizens being misused by U.S. authorities.
<P>The first is to encrypt the data, which should be a standard procedure anyway, he said, and make sure control of the encryption keys is held here.
<P>Second, the government could decide that only “low risk” data can be sent out of the country.
<P>Third, the government could demand certain contractual provisions with a service provider, such as clauses that say the data belongs to the customer, not the data centre, that the service provider won’t turn data over unless legally required to do so, and that it will notify the customer of any subpoenas.
<P>There could also be a requirement that the provider go to a U.S. court to resist a subpoena, although Fraser admitted there’s no guarantee it will be successful.
<P>“There isn’t a shortage of ideas of how to mitigate risk,” he said.
<P>Fraser didn’t say, but these risk mitigation options also apply to private sector companies who have been shy about adopting American cloud-based solutions.
</blockquote><br />
Google offers model contract clauses for EU data protection compliance (2012-12-12)<P>Google has today announced that it is making <a href="https://www.google.com/intl/en/enterprise/apps/terms/mcc_terms.html">Model Contract Clauses</a> available to customers who have to deal with EU data protection rules. <br />
<br />
Model contract clauses are one mechanism that permits an entity to export European personal information outside of the EU, alongside safe harbor and binding corporate rules.<br />
<br />
<br />
The announcement is found here: <a href="http://googleenterprise.blogspot.ca/2012/12/google-apps-offers-additional.html?utm_source=entblog&utm_medium=blog&utm_campaign=Feed:+OfficialGoogleEnterpriseBlog+(Official+Google+Enterprise+Blog)">Official Google Enterprise Blog: Google Apps offers additional compliance options for EU data protection</a>.<br />
<br />
<P>Posted by privacylawyer, 2012-10-01: Nova Scotia trade union resurrects the USA Patriot Act boogeyman to prevent outsourcing<p>
For those who have been following this topic in Canada, you'll remember that the first time the USA Patriot Act appeared on the country's radar in earnest was when the British Columbia government proposed to outsource IT processing to the Canadian subsidiary of a US company. The union, most likely concerned about job losses, latched onto the USA Patriot Act as the hook that would get some traction in the media and in the public mind. <p>
That led to the <a href="http://blog.privacylawyer.ca/2004/10/bc-information-and-privacy.html">inquiry</a> by BC's Information and Privacy Commissioner, then amendments to that province's <a href="http://www.bclaws.ca/EPLibraries/bclaws_new/document/ID/freeside/96165_00">Freedom of Information and Protection of Privacy Act</a> and then Nova Scotia's <a href="http://nslegislature.ca/legc/bills/60th_1st/3rd_read/b019.htm">Personal Information International Disclosure Protection Act</a>. <p>
Now, somewhat predictably, the principal Nova Scotia trade union for public employees is resurrecting the boogeyman to try to stop outsourcing of IT services by the provincial government. We'll see how this plays out ... <blockquote>
<a href="http://thechronicleherald.ca/novascotia/140645-data-at-risk-in-private-sector-deal">Data at risk in private-sector deal | The Chronicle Herald</a> <p>
Union worried Nova Scotians’ records vulnerable <p>
The province’s largest public-sector union is worried about the security of Nova Scotians’ information if the government contracts out information technology work in a deal workers say could total $100 million over 10 years. <p>
Joan Jessome, president of the Nova Scotia Government and General Employees Union, said Thursday that there’s a vast amount and array of data in the SAP computer system. She said it includes everything from payroll numbers to procurement information and data from the Registry of Motor Vehicles. <p>
“There probably isn’t a single Nova Scotian ... that has not been impacted by SAP,” Jessome said. <p>
“(Our members) are telling us that we have reason, no matter what the agreement is, that once that (information) goes to an international company, we should always be concerned about how far that goes and what acts does it cover in different countries across the world.” <p>
She said employees mentioned the Patriot Act in the United States, passed after the 9-11 attacks. It requires U.S. companies to provide records to the American government upon demand. <p>
A 2005 provincial auditor general’s report raised a concern that U.S. companies with Canadian subsidiaries could also be compelled to turn over information. In 2006, the minority Tory government of the day passed the Personal Information International Disclosure Protection Act, meant to prevent U.S. authorities from inappropriately accessing Nova Scotians’ information under the Patriot Act. <p>
Finance Department spokeswoman Michelle Lucas had said Wednesday that ensuring information is secure would be a top priority. She had no further comment on the potential outsourcing Thursday. <p>
On Monday, government officials met with employees who run the system to tell them about the possibility their jobs will be contracted out. There are about 73 unionized workers, and another 35 who aren’t unionized. The non-union workers run the system for district health authorities and the IWK Health Centre. <p>
Jessome said workers told her that the government is considering a 10-year contract for the work, worth $10 million a year. <p>
Lucas had said Wednesday that a multinational firm approached the province last year about setting up a “global delivery centre” in the province. Its main office would be in Halifax, with a smaller one in Sydney. <p>
Sources have said the firm is IBM Canada. Jessome said the government has told her which company, but she agreed to keep it confidential. <p>
IBM Canada spokeswoman Carrie Bendsza said the company, which has employees in Halifax now, doesn’t comment on rumour or speculation. She also said it doesn’t reveal how many employees it has in individual cities or countries. <p>
Jessome said there are currently eight union SAP information technology workers in Sydney, three in Truro, and the rest in Halifax. <p>
Lucas has said that if the province does make a deal with the company, all affected provincial employees would be offered a job. Jessome said many have already indicated they wouldn’t take it. <p>
She said they’d lose the security of being in the union, the work week would likely go up to 40 hours from 35, their pension plan would change to defined contribution from defined benefit, and they could face months-long placements at the company’s other locations, such as China and India. <p>
“They’re certainly concerned about their jobs, no question, but the other thing that they were scared of is the security of information,” Jessome said. <p>
Lucas also said the potential contracting out isn’t being considered as a cost-cutting measure, but as an economic development opportunity in the hope of creating more jobs. <p>
The province has spent many millions on the SAP system since first adopting it in 1996, with some projects going over budget, and the system not always working properly.</blockquote>
<P>Posted by privacylawyer, 2012-09-21: Ontario Information Privacy Commissioner blesses cross-border outsourcing of province's hunting and fishing license system
<P>This decision from the Information and Privacy Commissioner of Ontario snuck under my radar this summer while I was on vacation.<br />
<br />
<P>This investigation is the result of a complaint brought by a Member of the Provincial Parliament about the Ontario Government's decision to outsource the processing and management of fishing and hunting licenses to a US-based business. The Commissioner did a thorough investigation and I am told they were pleasantly surprised by what they found. With regard to the USA Patriot Act, the Commissioner wrote:<br />
<br />
<blockquote><p><b>The PATRIOT Act</b></p><br />
<p>The complainant has expressed concerns that the personal information of Ontarians will be subject to and accessible under American laws, including the <i>PATRIOT Act</i>. It is important to remember that, in Ontario, there is no legislative prohibition against the storing of personal information outside of the province or Canada. In other words, Ontario law, including the Act, does not speak to this issue. However, the Act and its regulations do require provincial institutions to ensure that reasonable measures are in place to protect the privacy and security of their records containing personal information. This applies regardless of where the records are located. Further, Ontario provincial institutions remain accountable for the actions of their agents or service providers, whether located in Ontario or in other jurisdictions.</p><br />
<p>I understand the complainant’s concern that the <i>PATRIOT Act</i> may be used by U.S. law enforcement agencies to access Ontarians’ personal information. However, the risk that law enforcement agencies may access personal information is not restricted to information held in the U.S. In fact, Canadian law enforcement agencies have similarly robust legal powers to obtain personal information held in Canada, and similar powers exist throughout most countries in the world. Further, law enforcement agencies in Canada, the U.S. and other countries have the ability to reach across borders to access personal information under various laws and agreements.</p><br />
<p>In this regard, the federal Privacy Commissioner of Canada has found that the privacy risks posed by the PATRIOT Act are similar to those found in Canada and, therefore, the privacy protection afforded by a U.S. service provider is comparable to that of a Canadian-based provider. In particular, the federal Privacy Commissioner has stated:</p><br />
<blockquote>The risk of personal information being disclosed to government authorities is not a risk unique to U.S. organizations. In the national security and anti-terrorism context, Canadian organizations are subject to similar types of orders to disclose personal information held in Canada to Canadian authorities.</blockquote><br />
<p>The federal Privacy Commissioner has also found that prior to the passing of the <i>PATRIOT Act</i>, U.S. authorities were able to access records held by U.S.-based firms relating to foreign intelligence gathering in a number of ways, including through formal bilateral agreements.[3]</p><br />
<p>Canadian legal scholars and practitioners have also carefully examined and commented on the privacy implications of the <i>PATRIOT Act</i>. Professor Michael Geist, Canada Research Chair in Internet and E-commerce Law, has written:</p><br />
<blockquote>Claims that the enactment of the <i>USA Patriot Act</i> has dramatically altered the legal landscape are simply false. The U.S. law enforcement toolkit, which allows for the compelled, secret disclosure of personal information, pre-dates the <i>USA Patriot Act</i> by decades. Suggestions that the problem can be solved by keeping personal information from flowing outside the country are not realistic from a real-world, commercial perspective, where data is transferred and stored instantly on computer servers in other jurisdictions without regard for location.</blockquote><br />
<p>David T.S. Fraser, a prominent Canadian privacy lawyer, has also been very clear in writing:</p><br />
<blockquote>Most people are surprised to learn that some of the most “problematic” provisions of the <i>USA Patriot Act</i> are replicated in Canadian law in the <i>Anti-Terrorism Act</i>. We just don’t hear about it as much. People are also surprised to learn of the huge amount of information sharing that takes place between agencies in Canada and their counterparts in the US.</blockquote><br />
<p>The Act does not prohibit provincial institutions from outsourcing services on the basis that foreign law, including the <i>PATRIOT Act</i>, may apply. Similarly, there is no prohibition on the storage of personal information by government institutions outside the province. In fact, as noted by Professor Geist, outsourcing of technology services is a reality, whether by government agencies or private sector companies. Personal information may be subject to disclosure to law enforcement authorities, whether stored in the province or elsewhere. The critical question for institutions which have outsourced their operations across provincial or international borders is whether they have taken reasonable steps to protect the privacy and security of the records in their custody and control. I have always taken the position that you can outsource services, but you cannot outsource accountability. With this in mind, I now turn to consider what measures the Ministry has put into place in the circumstances of this complaint.</p></blockquote><br />
<br />
<p>The decision is worth reading in its entirety: <a href="http://www.ipc.on.ca/English/Decisions-and-Resolutions/Decisions-and-Resolutions-Summary/?id=8933">IPC - Office of the Information and Privacy Commissioner/Ontario | Reviewing the Licensing Automation System of the Ministry of Natural Resources: A Special Investigation Report [PC12-39]</a>.
<P>Posted by privacylawyer, 2012-07-26: US cloud vendors complain to Congress about foreign privacy FUD
<P>The United States House of Representatives Judiciary Committee (through its Internet subcommittee) this past week held a <a href="http://judiciary.house.gov/hearings/Hearings%202012/hear_07252012_2.html">hearing to discuss issues related to cloud computing</a>. Specifically, the hearing highlighted how fear, uncertainty and doubt is being spread regarding US privacy protections to discourage the use of American cloud vendors. The hearing included representatives of the Business Software Alliance, Rackspace, IBM and ITIF. <br />
<P>Principally, hysteria about the USA Patriot Act is being used by some non-US vendors to market their services. This ignores the fact that most countries have legal regimes very similar to the USA Patriot Act.<br />
<br />
Check it out:<br />
<br />
<blockquote><a href="http://www.cio.com/article/712184/US_Groups_Foreign_Cloud_Providers_Marketing_Against_Privacy_Concerns?source=rss_cloud_computing&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+cio%2Ffeed%2Fdrilldowntopic%2F3024+%28CIO.com+-+Cloud+Computing%29">US Groups: Foreign Cloud Providers Marketing Against Privacy Concerns CIO.com</a><br />
<br />
<P>IDG News Service (Washington, D.C., Bureau) — Cloud computing services from outside the U.S. are trying to exploit perceived weaknesses in privacy laws to drive business away from U.S. providers, according to some representatives of the tech industry.<br />
<P>Deutsche Telekom and other companies are marketing their cloud products as more private than those from U.S. vendors because of the Patriot Act and other laws, representatives of the Business Software Alliance and Rackspace told a U.S. House of Representatives subcommittee during a hearing Wednesday.<br />
<P>Foreign cloud computing vendors are spreading "fear, uncertainty and doubt" about U.S. privacy standards, Justin Freeman, corporate counsel for Rackspace, told members of the House Judiciary Committee's Internet subcommittee.<br />
<P>"We commonly see almost absurd positioning of what the Patriot Act permits, to the extent that it allows almost any U.S. government agency to, without notice or warrant, access any private data that's on a server contained within the United States," Freeman said.<br />
<P>"That's totally false," said Representative Bob Goodlatte, a Virginia Republican.<br />
<P>Witnesses from the U.S. tech industry and some lawmakers complained that some of the privacy problems are more perceived than actual, but some also called for Congress to change U.S. privacy laws to better protect data stored in the cloud.<br />
<P>The U.S. Electronic Communications Privacy Act (ECPA) allows law enforcement agencies easier access to information stored in the cloud than to information stored on a hard drive or in a file cabinet, noted Representatives Zoe Lofgren, a California Democrat, and Jerrold Nadler, a New York Democrat.<br />
<P>Some countries have "legitimate concerns, honestly, about the lack of standards in American law," Lofgren said. "We have a lot of work to do in this area."<br />
<P>In addition to marketing campaigns, several nations have passed or are considering laws that require their residents' data to be stored on servers within the country, said Daniel Castro, senior analyst with the Information Technology and Innovation Foundation (ITIF), a tech-focused think tank. Many countries are using privacy and security concerns to pass domestic storage laws, he said.<br />
<P>"Some countries are using unfair policies to intentionally disadvantage foreign competitors and grow their domestic cloud computing industry," Castro said. "The rise of cloud mercantilism is an emerging threat to global trade and information technology."<br />
<P>Greece, China, Russia and Venezuela are among the countries that have passed data localization requirements, Castro said. He called on the U.S. government to push against such laws.<br />
<P>Castro and Robert Holleyman, the BSA's president and CEO, also asked Congress to update ECPA to better protect stored data.<br />
<P>Congress also needs to consider ways to better protect stored information on cloud services, Lofgren said. The U.S. Department of Justice, when it shuttered the Megaupload file-sharing site in January, left the data of many innocent users in limbo, she said.<br />
<P>Holleyman, whose trade group supports strong law enforcement actions against file sharing sites, said he didn't have a suggestion for how to protect innocent users.<br />
<P>"Nobody seems to feel any responsibility toward people who are completely innocent here," Lofgren said. "There seems to be no interest or obligation to innocent bystanders to this action."</blockquote>
<P>Posted by privacylawyer, 2012-07-25: Economist editorial: spot-on about cloud privacy and law enforcement
<P>The Economist has an absolutely spot-on editorial on privacy in the age of cloud computing:<br />
<br />
<blockquote><a href="http://www.economist.com/node/21559345?fsrc=scn/gp/wl/ar/outofshapes">Data privacy: Out of shape | The Economist</a><br />
<P>The rules on what data governments can demand from communications companies need tightening<br />
Jul 21st 2012 | from the print edition<br />
<br />
<P>SNOOPING, like so many things in life, is going mobile and online. In 2011 Google received 12,271 requests for data from the American government and acceded to all but a few of them. American mobile-phone carriers together fielded more than 1.3m such requests. Some covered multiple subscribers. Some were for “tower dumps”, which reveal the phone numbers of everyone—criminal suspects or not—in range of a certain mobile-phone tower at a certain time.<br />
<br />
<P>The rate of government requests has been growing: Verizon, America’s biggest mobile-service provider, says it has gone up by 15% in each of the past five years. Large mobile companies now have teams of employees that do nothing other than respond to government requests for data (see article).<br />
<br />
<P>This is happening partly because technology makes snooping easier, and partly because the law has not caught up with the technology. In the offline world, governments generally need a judge to sign a warrant to put a wire-tap in place; the same goes for a physical search of property. In the online world, most data—concerning who called or e-mailed whom, or visited what website, though not the content of a communication—is handed over without any such judicial review.<br />
<br />
<P>This is not just an American issue; European states are at least as careless of their citizens’ privacy as America. The European Union’s Data Retention Directive requires telecoms firms to store vast amounts of data about their customers’ activities, which may then be provided to law-enforcement agencies. In Britain, a draft Communications Data bill gives intelligence agencies even wider powers to intercept and store such data.<br />
<br />
<P>There are decent arguments in favour of giving governments such powers. Criminals, as well as law-enforcement agencies, make effective use of digital communications, so states need to be able to respond in kind. Rescue services sometimes need phone data to locate someone who needs urgent help. And where such information can help catch criminals, it should be made available. But there are also arguments for greater restraint. Communications technology these days compromises people’s privacy more than it used to. Mobile-phone records can reveal where people are, what websites they visit, what they are interested in and what they buy. Law-enforcement agencies should not be allowed unrestricted access to such complete, and intrusive, pictures of people’s lives.<br />
<br />
<P>Rewind, please<br />
<br />
<P>There is, at least, some kickback. The European law has been found unconstitutional in several member states, and the European Commission intends to revise it. But Britain’s bill seems likely to become law, despite much criticism. In America, the main federal law on the subject was written in 1986, when the internet barely existed. It badly needs an overhaul.<br />
<br />
<P>A good general principle would be to afford data stored in a private e-mail account as much protection as letters stored in a locked desk drawer—that is, law-enforcement agencies wanting to get a look at them should need a warrant. Internet and mobile-phone companies, and the agencies that get data from them, must be subject to proper reporting requirements. Only if people know more clearly what information is being collected about whom, and to what uses it is being put, can they judge whether the benefits of greater safety the surveillance state has brought them are worth the huge loss of privacy they have suffered as a result.</blockquote>
<P>Posted by privacylawyer, 2012-06-07: Google to incorporate EU model contract clauses for European customers
<P>Google has just announced that it will offer and incorporate the EU's <a href="http://ec.europa.eu/justice/policies/privacy/modelcontracts/index_en.htm">Model Contract Clauses</a> for its Google Apps for Enterprise customers in Europe. See the announcement from the Google Enterprise blog: <a href="http://googleenterprise.blogspot.ca/2012/06/google-apps-to-offer-additional.html?utm_source=entblog&utm_medium=blog&utm_campaign=Feed:+OfficialGoogleEnterpriseBlog+(Official+Google+Enterprise+Blog)">Official Google Enterprise Blog: Google Apps to offer additional compliance options for EU data protection</a>.
<P>Posted by privacylawyer, 2012-05-28: Google Apps receives ISO 27001 certification
<P>Google has just announced, on its <a href="http://googleenterprise.blogspot.ca">official Google Enterprise Blog</a>, that Google Apps has received ISO 27001 certification. This is in addition to their SSAE 16/ISAE 32 audits and FISMA certification for Google Apps for Government. Check it out: <a href="http://googleenterprise.blogspot.ca/2012/05/google-apps-receives-iso-27001.html?utm_source=entblog&utm_medium=blog&utm_campaign=Feed:+OfficialGoogleEnterpriseBlog+(Official+Google+Enterprise+Blog)">Official Google Enterprise Blog: Google Apps receives ISO 27001 certification</a>.
<P>Posted by privacylawyer, 2012-05-26: White paper compares government access to cloud data in ten jurisdictions<p>
In the last week, law firm Hogan Lovells released a very interesting <a href="http://www.hldataprotection.com/uploads/file/Hogan%20Lovells%20White%20Paper%20Government%20Access%20to%20Cloud%20Data%20Paper%20(1).pdf">white paper</a> on government access to cloud data across ten jurisdictions, mainly focused on debunking many of the myths associated with the USA Patriot Act. The white paper was released in association with a Round Table on Government Access to Data with European policy makers at the <a href="http://www.openforumacademy.org/">Openforum Academy</a>. <p>
More information is available at the Hogan Lovells Chronicle of Data Protection: <a href="http://www.hldataprotection.com/2012/05/articles/international-eu-privacy/hogan-lovells-white-paper-on-governmental-access-to-data-in-the-cloud-debunks-faulty-assumption-that-us-access-is-unique/">Hogan Lovells White Paper on Governmental Access to Data in the Cloud Debunks Faulty Assumption That US Access is Unique : HL Chronicle of Data Protection</a>. <p>
Here's the white paper: <a href="http://www.hldataprotection.com/uploads/file/Hogan%20Lovells%20White%20Paper%20Government%20Access%20to%20Cloud%20Data%20Paper%20(1).pdf">A Global Reality: Governmental Access to Data in the Cloud -- A comparative analysis of ten international jurisdictions</a>.
<P>Posted by privacylawyer, 2012-04-25: How Amazon counters the cloud security cynics
<p>An interesting look into the security of the Amazon AWS cloud: <a href="http://www.cloudpro.co.uk/cloud-essentials/cloud-security/3439/how-amazon-counters-cloud-security-cynics">How Amazon counters the cloud security cynics | Cloud Pro</a>.
<P>Posted by privacylawyer, 2012-01-30: CANADA needs to get its head in the clouds: Editorial on the benefits of cloud computing for universities
<P>The Halifax Chronicle Herald has a good editorial on the benefits of cloud computing for universities, prompted by the decision of Dalhousie University to switch to a cloud provider for e-mail systems:<br />
<blockquote><a href="http://thechronicleherald.ca/editorials/57074-dalhousie-email-switch">Dalhousie email switch | The Chronicle Herald</a>:
<P>CANADA needs to get its head in the clouds.<br />
<P>Cloud computing, to be specific.<br />
<P>More a technological service than a product, cloud computing refers to storing data and running software programs remotely, even across borders, on servers that may be owned by someone else.<br />
<P>The advantages, in terms of efficiency and reducing costs, can be significant. 
That’s why so many businesses and public bodies in the U.S., Britain and Europe have made the switch to cloud computing for at least some of their online needs.<br />
<P>That’s also why Dalhousie University is wisely planning, pending a privacy review, to move its email system to a Microsoft cloud service, a change that the school estimates will save $2 million.<br />
<P>Overall, however, Canada has been a laggard on embracing cloud computing, say legal and technology experts.<br />
<P>The main reasons seem to be worries about security and privacy, and some confusion about what cloud computing means.<br />
<P>There’s no question it’s essential to ensure cloud service providers have sufficient security and privacy safeguards, especially when the servers storing Canadian data may be in other jurisdictions, such as the U.S.<br />
<P>But legal experts say there is widespread misunderstanding about what law enforcement can and cannot do, on both sides of the border. Even Ontario Privacy Commissioner Ann Cavoukian says cloud computing is "eminently doable" in Canada, provided proper vetting is done with service providers beforehand.<br />
<P>The misperception that privacy laws are preventing many sectors from embracing cloud computing and reaping its benefits — notably in the health system — has left Canada behind many other developed countries in utilizing cloud computing technology, legal experts say.<br />
<P>So it’s good to see Dalhousie join a growing number of Canadian universities, such as the University of Toronto, the University of New Brunswick and the University of Alberta, in moving their email services to the clouds — and so realizing significant savings.<br />
<P>Given the fiscal challenges for universities — and many governments — today, investigating the cloud’s potential, carefully but thoroughly, is 
essential.</blockquote>
<P>Posted by privacylawyer, 2011-12-02: PATRIOT Act clouds picture for tech
<P>Politico has an interesting article on how fears of the USA Patriot Act are having an impact upon US-based cloud vendors:<br />
<blockquote><a href="http://www.politico.com/news/stories/1111/69366.html">PATRIOT Act clouds picture for tech - David Saleh Rauf - POLITICO.com</a>
<P>Cloud computing is a gold mine for the U.S. tech industry, but American firms are encountering resistance from an unexpected enemy overseas: the PATRIOT Act.<br />
<P>The Sept. 11-era law was supposed to help the intelligence community gather data on suspected terrorists. But competitors overseas are using it as a way to discourage foreign countries from signing on with U.S. cloud computing providers like Google and Microsoft: Put your data on a U.S.-based cloud, they warn, and you may just put it in the hands of the U.S. government.<br />
<P>“The PATRIOT Act has come to be a kind of label for this set of concerns,” Ambassador Philip Verveer, U.S. coordinator for International Communications and Information Policy at the State Department, told POLITICO. “We think, to some extent, it’s taking advantage of a misperception, and we’d like to clear up that misperception.”<br />
<P>Reacting to concerns raised by some of the country’s most influential tech firms, the Obama administration is engaging in diplomatic talks around the world to put to rest fears in foreign capitals about the controversial surveillance law’s power to give the U.S. 
government access to international data stored by American companies.<br />
<P>The PATRIOT Act, which had key provisions extended by President Barack Obama in May, has become a flash point in sales of cloud computing services to governments in parts of Europe, Asia and elsewhere around the globe because of fears that under the law, providers can be compelled to hand over data to U.S. authorities.<br />
<P>While no foreign governments have moved to block U.S. tech companies, authorities in the Netherlands as recently as September floated the idea of banning U.S.-based cloud firms from competing for government contracts. And Verveer said on a trip to Germany in October that technology firms based in that country were openly using the PATRIOT Act as a “marketing proposition” to raise questions about U.S. cloud firms.<br />
<P>It has created a high-stakes trade issue that’s become a top agenda item for U.S. firms already profiting in the cloud and for those eyeing the technology for the future. It also registers high on the list of international tech priorities for the White House because of the potential negative impact such fears could have on the U.S. cloud market.<br />
<P>“I’ve heard directly from EU leaders, from Canadian policymakers and from companies all around the world about problems, or perceived problems, with the act,” said Phil Bond, a tech lobbyist and the former CEO of TechAmerica. “There is no shortage of people who misapprehend the law. If some of these misperceptions harden or real problems [are] not addressed, it will cause companies and governments to hesitate in doing business with U.S. cloud companies.”<br />
<P>For their part, the domestic tech industry, academics and even administration officials argue the PATRIOT Act is being hoisted up by foreign entities as a red herring to ban U.S. cloud firms from competing overseas. 
Laws in some countries allow governments to request private information from companies — and the fear is that this information could be turned over to U.S. authorities under the anti-terrorist law.<br />
<P>“It’s not at this point, I think, entirely clear that governments are doing this. But it is clear that for competitive purposes, this sort of thing is being raised,” Verveer said. “It’s definitely a genuine issue.”<br />
<P>Now, Washington-based tech trade groups are increasingly hearing from their members that foreign governments engaging in cloud contract discussions are raising questions about data moving outside their respective borders.<br />
<P>And the concerns are not isolated to Europe.<br />
<P>In the Asia-Pacific region, where cloud computing is experiencing a boom similar to the U.S., tech industry observers are also seeing the same issues pop up during government cloud contract negotiations, said Mark MacCarthy, vice president for public policy at the Software and Information Industry Association.<br />
<P>Some of that tension in the region could be alleviated as the result of recent trade discussions.<br />
<P>Obama earlier this month laid the foundation for an agreement with eight Pacific nations to drop trade barriers. That deal, which is still being negotiated, included provisions to bar requirements for local data centers as well as cross-border data flow restrictions.<br />
<P>“It would be dramatically helpful for the cloud industry,” MacCarthy said. “That can then become the precedent for future trade agreements, and it might be the basis for further action with the [World Trade Organization].”<br />
<P>The PATRIOT Act argument has implications that extend to any U.S. company peddling in data that travels across the world.<br />
<P>But it’s an especially acute concern for cloud firms, experts say, because the whole business model is predicated on the ability of data to travel freely. 
Foreign countries are now asking cloud firms to restrict data flow within their respective borders. <br /><br /><P>“There’s a feeling that there’s a risk we’ll end up with a Tower of Babel with cloud computing,” said Darrell West, founding director of the Center for Technology Innovation at the Brookings Institution. “Several nations are imposing restrictions on data sharing to prevent data from moving across their own national boundaries, and that’s very shortsighted. You end up losing much of the benefit of cloud computing if you end with 192 systems.” <br /><br /><P>Aside from data restrictions, foreign governments are also asking U.S. cloud firms to establish data centers in their respective countries to keep a better eye on where data is being stored, creating another potential roadblock for international cloud contracts. <br /><br /><P>The need for the Obama administration to take an international lead on the issue was highlighted in a cloud computing report this summer authored by a coalition of 71 experts from some of the largest hardware, software and Internet companies, including Microsoft, Amazon and Salesforce. <br /><br /><P>Aside from reforming antiquated U.S. digital privacy laws, the report urged the Commerce Department to conduct a study of the PATRIOT Act and national security laws in other countries to determine a company’s ability to deploy cloud computing services in the global marketplace.<br /><br /><P>“This action may provide insights into how best to address uncertainty and confusion caused by national security statutes … that are perceived as impediments to a global marketplace for cloud services,” the report said. <br /><br /><P>And if the U.S. and other countries don’t simplify the complex legal environment surrounding cloud computing soon, experts are warning the environment will become riddled with uncertainty and confusion that could dampen the competitive position of U.S. firms in the future. 
<br /><br /><P>And for now, Congress is taking a back seat because “the point of the sword is in the administration,” MacCarthy said, noting that agencies tasked with trade responsibilities are handling the bulk of the negotiations. <br /><br /><P>The concern over the PATRIOT Act also mirrors a broader worry for U.S. tech companies — that protectionist efforts here and abroad will put a damper on the international cloud market. <br /><br /><P>But Congress may not be a silent player in the long run. Tech associations caution that lawmakers should avoid following suit by taking restrictive actions that harm foreign tech companies. That could backfire. <br /><br /><P>Instead, lawmakers should craft policy to ensure “trade barriers don’t get adopted” that impinge on the ability of foreign cloud providers to land government contracts in the U.S., said Robert Holleyman, president and CEO of the Business Software Alliance. <br /><br /><P>“It’s absolutely essential that the U.S. gets this right as a policy matter,” Holleyman said. “The stakes around this are huge. If the U.S. gets this wrong, it’s going to be a field day for other countries to emulate a protectionist example.” <br /><br /><P>Top federal tech officials have laid out guidance for how agencies should categorize data and what type of data should be kept within U.S. borders. Verveer, a lead official in the State Department’s efforts to establish an international framework for cloud computing, said agencies are supposed to peg only “high-sensitivity” data for cross-border restrictions. <br /><br /><P>But several recent cloud contracts point in the direction of federal agencies increasingly requiring providers to maintain domestic data centers and restrict the flow of data within U.S. borders. <br /><br /><P>For example, a General Services Administration solicitation for a governmentwide procurement vehicle for cloud-based email contained an element to restrict where data centers could be located. 
The federal government’s top watchdog shot down that part of the contract last month as part of a bid protest because the GSA could not provide a justifiable reason for the location requirement. <br /><br /><P>And the Department of the Interior recently reissued a request for information for cloud computing services with several location requirements. According to procurement documents, the agency wants its cloud provider to keep software development inside the U.S. to the “maximum extent practical,” and the physical data centers housing cloud data must also be located in the U.S. <br /><br /><P>“There’s an important role for the federal [chief technology officer] and federal [chief information officer] to play in helping define this,” Holleyman said. “When the CTO and CIO speak out on this issue, they need to know words matter. Other countries will look for signals.”</blockquote>
Never mind the Patriot Act, watch your thumb drives (2011-12-01)<p>
Earlier this week, I spoke on a panel at Reboot's Privacy and Security conference in Ottawa about privacy and security in cloud computing. I didn't have a PowerPoint, but IT World Canada has a pretty good write-up of the presentation ...<p>
<blockquote>
<a href="http://www.itworldcanada.com/news/never-mind-the-patriot-act-watch-your-thumb-drives/144397">Never mind the Patriot Act, watch your thumb drives</a> <p>
By: Grant Buckler
On: 01 Dec 2011
For: ComputerWorld Canada <p>
Businesses that think storing their cloud-based data north of the border protects them from government intrusion are wrong, a panel says. Why thumb drives are the real threat to info security <p>
OTTAWA – Businesses contemplating cloud computing should worry less about the U.S. Patriot Act and more about thumb drives and border crossings, panelists at the Privacy and Information Security Congress said here Monday. <p>
David Fraser, partner with the Atlantic Canadian law firm McInnes Cooper, said many people believe it is illegal to put data in the cloud if that means it will be stored south of the border because of provisions in the U.S. Patriot Act that allow the American security establishment to seize information without a conventional warrant or any notification to the data’s owners. <p>
Whether or not many people believe it is illegal (it is not, though some provinces put limits on where certain data such as health records may be stored), comments from the audience showed there are concerns about the Patriot Act, particularly the fact that the law expressly forbids a cloud service provider from notifying a data owner when data is seized under the act. <p>
But Fraser argued that Canada has similar legislation and that U.S. law applies to any company with a substantial connection to that country anyway, so insulating oneself from such government intrusion is not as simple as ensuring data stays north of the border. <p>
And he said other risks are more significant – like thumb drives that plug into Universal Serial Bus (USB) ports. These are the No. 1 source of data breaches, according to Fraser. <p>
“Go to the front desk of a hotel and say that you’ve lost your thumb drive,” he said, “and they’ll probably pull out a box of them.” <p>
And if you’re concerned about governments snooping into your data, he added, “any time you cross the border … they can open up your laptop and they can clone your hard drive.” <p>
Cloud computing could actually be a solution to both those problems by allowing computer users secure access to data from anywhere so they need not carry sensitive data on laptop hard drives or USB thumb drives, said Fraser. <p>
Omkhar Arasaratnam, cloud security lead architect for SmartCloud Enterprise at IBM Canada Ltd., agreed with Fraser that keeping data at home is no panacea. And he said cloud security is not much different from information security in general, which is mainly about risk management and education. <p>
Putting too many restrictions on what people can do won’t work, said Arasaratnam. “If you as an IT department are too restrictive, your end user community, your executives or their children will find ways around it.” <p>
The best hope, he said, is to educate people so they understand why some behavior is risky, and look for ways to ensure security without restricting people’s use of technology too much. <p>
The fact that cloud computing is new doesn’t necessarily mean it is insecure, said Arasaratnam. But Winn Schwartau, moderator of the panel, well-known speaker and author of several books on security, observed that IT has swung back and forth between centralization and decentralization several times since the 1950s, and asked the panelists what businesses should do to ensure they can get off the cloud should the pendulum swing again. <p>
Fraser advised making sure contracts are clear about ownership of data and the client’s right to have it returned. Arasaratnam added that it’s important to ensure the data comes back in usable form, not as paper printouts or files in incomprehensible formats.</blockquote>
Privacy and Security in the Cloud (2011-11-22)
<P>Today I participated in a webinar with Sheepdog Inc. and Google on Privacy and Security in the cloud. Below is my presentation, in case it's of interest:
<P><iframe src="https://docs.google.com/present/embed?id=ddpx56cg_896cz2bgcgn&size=m" frameborder="0" width="555" height="451"></iframe>
Cloudlaw: Law and Policy in the Cloud (2011-10-14)
<P>I'm spending the day today at a conference being hosted by the University of Toronto's Faculty of Law and the Centre for Innovation Law and Policy focused on cloud computing. The full agenda is at <a href="http://www.cloudlaw.ca">cloudlaw.ca</a> and it looks like it will be a very interesting day.
<P>I'm speaking at 1:00 on a panel that includes Patricia Kosseim (General Counsel to the Office of the Privacy Commissioner of Canada) and Professor Christopher Millard (Professor of Privacy and Information Law at the University of London). The topic is, not surprisingly, "Privacy and Security".
<P>Here is my presentation, in case it's of interest:<iframe src="https://docs.google.com/present/embed?id=ddpx56cg_864fw7phsfx&interval=30&loop=true&size=m" frameborder="0" width="555" height="451"></iframe>