Ireland’s public service needs to develop a greater understanding of the legal implications of cloud computing in terms of where the data resides, argues Dr Bob Strunz from the University of Limerick.
The rural myth of the tourist who, when asking for directions was given the advice"if I wanted to go there sir, I wouldn’t be starting from here" is probably apocryphal. The recent Government report on Cloud Computing in the Public Service is on the other hand, authentic and its advice is to be welcomed. At a time when everybody wants to move everything into the cloud and it is almost seen as heretical to think otherwise, there are some good reasons to be cautious.
Cloud-based service platforms such as Gmail, Yahoo! Mail or Hotmail offer organisations an answer to a major headache. The provision of email and other essential services to an organisation is not usually its core business and yet it can be highly resource intensive. Outsourcing this task to an external service provider has very clear potential benefits in relation to cost-savings.
The situation however is not quite as clear cut as it appears. The difficulty arises when an organisation that currently has its own private email service, hosted in Ireland or Europe, makes a decision to move that service to a jurisdiction that is subject to US law. This action changes the legal status of the end users and it also exposes them to other risks that need to be carefully managed if they are not to become liabilities.
Recently, Google lost control of its own data and its share-price took a massive hit as a consequence of the early release of an incomplete financial statement. Companies opting to use cloud-based services need to be aware that their employees may suddenly be able to very easily share their data with the entire world and that this enablement may well have unintended consequences. What might have been an accidental internal leak in the old days can now, just as easily turn into a disaster that has global ramifications.
Employees may be empowered by these technologies but companies cannot simply deploy them and expect people to understand and manage the risks themselves, policies, procedures and training are all required in advance of such a deployment. Deployment in the absence of proper policies, procedures and training incurs risks to both the individual and the organisation that are considerable. This is a major change in the manner of doing business for an organisation, it can devolve very high levels of responsibility for data security down to the individual employees and the question of whether the individual employees are ready for this responsibility needs to be addressed before it is handed to them.
Were this an isolated issue it could be managed but there are other issues that are less easy to manage. In Ireland, the authorities are inhibited from intercepting our communications without justification and without a rigorous process that seeks to protect individual human rights. This is not to say that the authorities in Ireland cannot investigate individuals or groups but rather that the law requires that they must provide justification for so doing and that they must also seek permission from the minister or the individuals themselves to access their private communications data or metadata.
In the case of a US company providing cloud-based email services to an Irish organisation, there is an immediate change in the legal rights of the individual employee. The US Patriot Act gives US law-enforcement authorities the right to investigate and examine data stored in clouds that are owned by US companies, irrespective of where on the globe they are physically hosted.
This means that data belonging to your organisation can be subject to scrutiny if it is hosted by a US company with a data centre in Ireland. This circumvents many of the legislative and constitutional protections that are the right of your employees as Irish citizens.
On foot of the receipt of a National Security Letter (NSL), US companies are obliged to provide access to your data; they are also obliged not to divulge the fact that they have provided access, they are heavily ‘gagged’. There is no requirement for any judicial process; there is no requirement for probable cause. The American Council for civil liberties reports that the US department of Justice found in January 2010 that there was ‘systemic, widespread abuse of power’ with respect to the use of these NSLs by the FBI. What they meant by this is unclear, was it human-rights abuses or perhaps industrial espionage between US and non-US companies, either is possible, both have happened before in other contexts.
The counter-argument to this is that the Patriot Act ‘only allows access to metadata’; but these can be weasel words. Metadata is precisely what the cloud service provider decides it is; it certainly includes the header of an email and it could very well include keywords or even the full-text of an email, particularly if that email has been scanned by the service provider for indexing.
It is a truism to assert that ‘hard cases make bad law’ but consider, for example, the case of an Irish citizen who is unaware that his or her communications have been intercepted by the FBI. Rightly or wrongly, the individual is deemed to be involved in international terrorism and then they leave the country. While in transit they are subject to an ‘extraordinary rendition’ by the CIA and they find themselves in Guantanamo Bay. In Guantanamo, they are considered by the US Department of Justice to be outside US legal jurisdiction, they have become a non-person, stateless and without rights. This is an extreme but perfectly plausible and wholly extrajudicial scenario by which an individual, quite possibly an innocent one, could end up going through a process which is not subject to any checks and balances whatsoever.
What the potential ramifications of this might be is unclear, however, it could potentially expose personal data in an employment context or employment data in a personal context. It will be clear to any employer who thinks about it that there is a very significant risk of litigation here. What an employee does in his or her spare time has no place in the workplace unless both employee and employer agree to it. If an employee was denied a US holiday visa because of an intercepted work-related email, who would be at fault? Would it be the employee, the cloud service provider or the employer that knowingly exposed them to the risk of interception?
It is not the case that Europe has been reticent to criticise and to try to change the situation vis-à-vis companies such as Google but the jury is still deliberating. Billy Hawkes, the Irish data protection commissioner, has advised caution, the Government expert group has advised caution and any organisation that does not take heed of this advice must be prepared to take on a significant chunk of what could be termed ‘unmanaged risk’ because the landscape is so uncertain.
Cloud-based email and services are immensely attractive to organisations and for good reason, this is the place that everyone wants to go to, the problem is the current starting point. Organisations should be starting from the position of trusting the cloud providers and current US legislation and also their response to the European data protection authorities make it very hard to do so.
To paraphrase slightly the Dalai Lama, decision-makers should remember that not getting what we want is sometimes a wonderful stroke of luck and with this in mind organisations should ‘make haste slowly’ and they should make every effort to bring their stakeholders with them during the process.
Dr Bob Strunz
Join Ireland’s digital leaders who will gather to discuss cloud computing and the big data revolution at the Cloud Capital Forum on Friday, 23 November, at the Convention Centre Dublin