Feeds

Privacy lawsuits: Will sueballs lobbed at US cloud services hit you where it HURTS?

Probably not... yet

High performance access to file storage

Sysadmin blog Thinking of using US cloud services, outsourcing to a US-based provider or just leasing a piece of their cloud and concerned about lawsuits? Here's some food for thought.

Privacy, of course, became the overarching concern of many after former US National Security Agency sysadmin Edward Snowden leaked documents about the country's global web surveillance scheme PRISM. At present, however, there is no legal precedent that says that using US cloud services has any implications when it comes to privacy suits.

This is not to say that that there aren't laws that can be used to sue businesses for storing data in the cloud. It is also not saying that there aren't legal theories on how such lawsuits might succeed.

What this means is that there are no precedent-setting cases in the EU, Canada, Australia or New Zealand that have successfully gotten a company in trouble for using American cloud services (under existing laws).

Cloud advocates might point to this lack of extant precedent and say: "It is safe because nobody has gone to jail or paid huge fines for this." But the flip side of this is that it only means nobody has succeeded yet, and there remain some nasty untested legal waters.

Canada has slightly more lax laws than the European Union has regarding privacy and should theoretically have a smaller privacy attack surface. I'll use Canadian law to illustrate what I mean by untested waters.

Fact sheets

The Canadian government has put out a charmingly vague "fact sheet" about cloud computing privacy concerns. It says "privacy is not a barrier but it must be taken into consideration". This – and the rest of the document – doesn't exactly tell you much, but it is actually a great summary of the Canadian approach to this whole mess. The FAQ "fact sheet" (a separate document) is far more helpful:

According to the document:

The Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit cloud computing, even when the cloud provider is in another country. Under PIPEDA, organizations must ensure that they collect personal information for appropriate purposes and that these purposes be made clear to individuals; they obtain consent; they limit collection of personal information to those purposes; they protect the information; and that they be transparent about their privacy practices.

PIPEDA also requires that when an organization transfers personal information to a third party for processing, it remains accountable for that information. It must use contractual or other means to ensure that the personal information transferred to the third-party is appropriately protected.

Therefore, an organization that is considering using a cloud service remains accountable for the personal information that it transfers to the cloud service, and it must ensure that the personal information remain protected in the hands of that cloud service provider. Organizations need to carefully review the terms of service of the cloud provider and ensure that the personal information it entrusts to it will be treated in a manner consistent with PIPEDA. For more information on transferring of personal information to third parties, please see our Guidelines for Processing Personal Data Across Borders.

Now we're getting somewhere. So under Canadian law, I can send my data wherever I please, however, I must ensure ("by contract or other means") that whomever is sent that data agrees to treat that data more or less the same way that a Canadian would expect the data to be treated under Canadian law. There are some big squigglies on the details here, though; we're Canadian and we try to be accommodating and understanding that different places do things a little differently.

The Canadian Privacy Commissioner's "Guidelines for Processing Personal Data Across Borders" promises to clear this up once and for all. The first thing I note is that the guidelines are from January of 2009, which means the review that generated these guidelines took place in 2008, at the earliest. Not exactly post-Snowden guidance, but we'll trundle on.

Under a section labelled "What Must Organizations Do?" there is a discussion of a very important complaint investigation: PIPEDA Case Summary #313 (Bank's notification to customers triggers PATRIOT Act concerns). I won't go in to full detail here, but the result is summarised in the document thusly:

In the case of outsourcing to another jurisdiction, PIPEDA does not require a measure by measure comparison by organizations of foreign laws with Canadian laws. But it does require organizations to take into consideration all of the elements surrounding the transaction. The result may well be that some transfers are unwise because of the uncertain nature of the foreign regime or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction.

Not discussed in the document – but critically important – is PIPEDA Case Summary #365 (Responsibility of Canadian financial institutions in SWIFT’s disclosure of personal information to US authorities considered) in which the conclusion reached is essentially the same: banks don't need your OK to transfer data out of Canada. That data is subject to the laws of the nation where it will reside when transferred outside of Canada, and Canada is OK with this as long as those laws are more or less like our own.

But what happens when the laws are substantially different than our own? The short answer: nobody knows.

Top three mobile application threats

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
Number crunching suggests Yahoo! US is worth less than nothing
China and Japan holdings worth more than entire company
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.