Forget Snowden and data tapping. It’s been an open secret for a long time that intelligence agencies hoover up all sorts of data and analyse it. The “Echelon” programme has been doing that since the 60’s.
Instead, the data wars have opened up on a new front: Extra-territorial data grabbing from foreign data centres, but this time not clandestinely, but head-on via the courts.
If you could monitor the email and social media traffic of the large cloud providers at the moment, the name “Loretta Preska” would be trending. Who she? Loretta Preska is a US Judge who ruled last week that Microsoft should hand over emails that it is storing in an Irish data centre. And the rationale? That as Microsoft controls the data (albeit via a foreign subsidiary) it is required to comply with the US search warrant. The location of the data is immaterial.
Ok, on first pass, it looks like it is time for a large intake of breath.
Can the US courts really reach out half way across the world, and force data held seemingly outside its jurisdiction, to be sent back “home”? Is it fair or reasonable? Certainly the US cloud providers don’t think so, and Cisco, Apple, AT&T as well as Verizon all submitted briefs in favour of Microsoft’s position.
But let’s wind back a bit, and think about some of the reasons why it might, in some circumstances, be reasonable to grant this sort of extra-territorial data grab.
Back in the old days, if you wanted to stash something, say all of the paper files detailing your malfeasance, you had to find a large truck, pile them all on, and start driving. Then you had to find a border to get over and a no-questions asked warehouse to store them in. And if you needed to refer to any of them, you had to high-tail it back over said border and back again. Repeat ad-nauseam.
In these electronic days, shifting those files takes a matter of minutes, and this is the point made by the US Government. Therefore the location of the files becomes immaterial and you have to look at the issue of who actually controls that data.
Fundamentally, there is no right or wrong answer to this question, but it does raise very serious issues for US cloud providers. There is already great disquiet in Europe about the activities of the NSA and this brings the fragility of data privacy into sharp relief. If I am a European Bank and I want to know who can have access and when to my data, would I use a US provider, or one a lot closer to home?
It is a difficult choice, but one made more difficult by other factors. The fact that said bank decides to hide all of its data in a European data centre may preclude it from doing other things, like trading in the US, for example, where certain records must be kept on non-volatile storage in the US. Or worse, failure to comply with a US court ruling may see foreign executives arrested at the border (See here). A knee-jerk reaction to drop US providers may not ultimately be in everyone’s best interests.
Ideally, once all of the rhetoric has settled down, the various data privacy authorities around the world will hammer out a simple and streamlined way of allowing sensible requests to be honoured in a timely, bi-lateral way. If someone has committed a criminal offence, and has used the speed of the Internet to spirit away the evidence (and possible gains) of their criminality, should we not support their pursuit?
The ruling is subject to appeal, but it is an issue that is not going away.
The world may a much smaller place than it used to be, but we still need to make sure that the long arm of the law is long enough.