If you want to ensure your data stays where it should, keep it on your own hardware, says Jason Walsh
As businesses and public sector bodies scramble to offload their computation and storage to the cloud – a magical wonderland where everything is somebody else’s problem – growing geopolitical tensions and the technology industry’s penchant for obscurity should be cause for concern.
A report published yesterday by Computer Weekly found that the tech giant is refusing to tell Scottish police where and how sensitive law enforcement data uploaded to its cloud services will be processed.
The news comes as Scotland’s police force is in the process of migrating to Microsoft 365 (formerly Office 365) to store and process law enforcement data as part of a UK-wide cloud push among police forces.
advertisement
Responding to a freedom of information request by the publication, Scotland’s police regulator, the Scottish Police Authority (SPA), released a data protection impact assessment that stated Microsoft was “unable to specify what data originating from SPA will be processed outside the UK for support functions,” and also declined to provide transfer risk assessments for countries where data could be processed.
This leaves the Scottish force unable to prove it is in compliance with Britain’s 2018 Data Protection Act.
This is far from the only uncertainty over cloud computing. In June, Microsoft said that it “cannot guarantee” French citizens’ data will not be handed over to the US authorities, the kind of statement that should be enough to give businesses pause for thought. In most cases it won’t.
The admission, made by Microsoft France’s director of public and legal affairs Anton Carniaux during a senate hearing, relates to the extra-territorial nature of US regulations, and Microsoft should not be considered alone in being unable or unwilling to make good on sovereignty guarantees. The US government’s Cloud Act means that data held by the so-called ‘hyperscalers’, all of which are US based, is potentially subject to US jurisdiction even if that data is not held in the US.
In an interview with The Register, Solange Viegas Dos Reis, chief legal officer with competing French-based cloud outfit OVHcloud, said the admission was “not a surprise”, though it will have shocked some users.
Indeed. In the face of laws attempting to force extra-territorial compulsion, concepts such as ‘sovereign cloud’, increasingly bandied about by the industry in an attempt to ensure their products and services are fully buzzword compliant, ring hollow.
I guess the cloud really is just somebody else’s computer.