Is Your Cloud System Safe From the Law?

By: Gustaf Westerlund, contributing author to Software Advice; CEO of CRM-Konsulterna

There are no legal precedents concerning transnational laws and trade agreements with respect to cloud computing. Some companies in smaller nations are vulnerable to foreign governments seizing their internationally hosted data in a cloud-based system. A good solution is to host data on the same shores, or at least in a country with clear and trustworthy regulations.

Cloud computing has major ramifications for globalized information. For instance, a company in Sweden could use Salesforce.com, one of the leading suppliers of cloud-based CRM software. Most of Salesforce.com’s data centers are located in the U.S. Consequently, the Swedish company would usually connect to U.S.-hosted servers via Internet lines running through several different countries. When I connect to Salesforce.com from my current location, the data travels from Sweden to the UK, to the Netherlands, and finally to the U.S.

This raises two key questions. First, which national laws apply to the stored data? Second, whose laws apply to transferred data?

Consider a company that works with high-tech weapons manufacturing. The company uses Salesforce.com to store sensitive data concerning Cuba as a potential customer. Sweden has no trade restrictions with Cuba, but it’s another matter completely in the U.S. – especially with arms trade. Hence, the CIA, FBI, NSA, or Department of Homeland Security could be suspicious of this relationship and subpoena the CRM database directly from Salesforce.com. The events concerning the U.S. Department of Justice, Twitter, and Wikileaks show that U.S. legislation can give investigating authorities broad liberties. If the court order were put under “seal,” for instance, the Swedish company wouldn’t even be informed about the intrusion.

The Swedish company could be unknowingly threatened; its entire CRM database, containing information about customers and other business opportunities, could fall entirely into unknown hands. Large deals in the high-tech weapons industry can give a country strategic advantages by helping a domestic arms manufacturer’s research and development (R&D). Hence, in the nation’s “best interest,” the government could share the entire database with a U.S.-based competitor. There’s no substantial evidence that this has ever happened, but it’s certainly possible. There are rumors of the Echelon project being misused for the same reason.

Even when a cloud-based system is hosted in a country that respects the customer’s integrity, the data can still travel through other countries that could intercept and misuse it. Much of this communication is based on SSL and other heavily encrypted connections, but countries like the U.S. and UK have the resources to break most common encryption techniques. Large amounts of resources have been spent on scanning the Internet and other communication channels, as in the Echelon project example. These resources would be wasted if there weren’t any decryption mechanisms.

Cloud computing is certainly promising, but there are some aspects that ought to be considered before jumping on board. Hosting a system in the same country at least makes it clear which laws apply. For companies within the European Union (EU), I suggest hosting within EU borders. Then there’s at least some common law for the EU that could be used in the courts. Hosting in countries with strict views on data integrity, like Switzerland has in banking, might also be an option. But when a company keeps its own data storage, it can at least be prepared when someone breaks down the door with a court order.

Gustaf Westerlund is a Software Advisory Board (SAB) member at Software Advice, a resource for business accounting systems. His original post can be found here: Is Your Cloud System Safe From the Law?