From time to time, organizations are asked to provide access to data for legal reasons. Those requests can be more complicated when the data is in the cloud. But a new report sheds some light on one critical aspect of such requests.
One risk with cloud computing is that the customer has less control over who can access its data. When customer data is stored on and processed by the cloud vendor's data center instead of in-house, what's to stop a third party, such as the government, from going directly to the cloud vendor to obtain access to that data without the customer's permission or knowledge? And if that happens, will the cloud vendor's priority be to protect its customer's rights and data or to protect itself?
With the April 30, 2013, release of its third "Who Has Your Back?" report, the Electronic Frontier Foundation (EFF) has tried to answer these questions. The report reflects that, as with most things in the cloud, vendors vary widely on how they handle third-party requests for access to data. For the 2013 report, the EFF used six criteria to assess cloud vendors, and awarded a star for good performance in each category. The six criteria are:
Does the cloud vendor publish transparency reports?
Google was the first out of the gate when it began issuing its Google Transparency Report three years ago. Since then, more cloud vendors, including Twitter, Dropbox and, most recently, Microsoft have followed suit by issuing their own transparency reports. These reports typically provide statistics regarding how often the vendor receives and fulfills government requests to provide access to customer data. In response to the changing technological and legal landscape, these reports continue to evolve. Effective March 5, 2013, Google announced that it will begin including data about National Security Letters (NSL) in its transparency report.
Does the cloud vendor notify customers?
Does the vendor tell customers about government data requests, unless prohibited by law? Doing so provides customers with the opportunity to protest or defend against overreaching government demands for their data.
The caveat "unless prohibited by law" is directly connected to NSLs. Five different federal statutes enable the FBI to obtain records for foreign intelligence or international terrorism investigations via an NSL that the FBI can issue on its own authority and without court approval. The Patriot Act expanded on this to include a "gag" provision prohibiting the vendor recipient of an NSL from revealing anything about the NSL, including that it has been received. This prevents the vendor from notifying anyone, including the owner of the data requested, that such a demand has been made. NSLs have understandably been controversial.
Sign up for CIO Asia eNewsletters.