Wednesday, January 22, 2014

Microsoft to agree to local storage of foreign users' data

Crossposted from Canadian Cloud Law Blog: Microsoft to agree to local storage of foreign users' data:

According to the Financial Times, Microsoft is going to break from the pack of other cloud service providers by agreeing to store data locally. content is behind an annoying paywall, but here's the gist of it along with some commentary.

Microsoft to shield foreign users’ data -

By James Fontanella-Khan in Brussels and Richard Waters in San Francisco

Microsoft will allow foreign customers to have their personal data stored on servers outside the US, breaking ranks with other big technology groups that until now have shown a united front in response to the American surveillance scandal.

Brad Smith, general counsel of Microsoft, said that although many tech companies were opposed to the idea, it had become necessary following leaks that showed the US National Security Agency had been monitoring the data of foreign citizens from Brazil to across the EU.

“People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides,” he told the FT. ...

This decision seems to be based on (or appealing to) the fiction that the location of data is somehow determinative of whether law enforcement or national security folks can get access to data. As I said, it's mostly a fiction. Governments can assert control over things, or people, or entities on a number of bases. One of them is the presence of the thing (a server) in the physical jurisdiction, but most importantly is the presence of the person who can obtain and hand over the data.

... Some critics of the idea have questioned whether such a move would be effective in putting the personal data of non-Americans outside the reach of the NSA, since US tech companies have to hand over information about specific users when ordered to by a secret US court, regardless of where it is held.

However, keeping the information off US soil and under local data protection rules should make it harder for the NSA to tap into illicitly, Mr Chester said. “If the data are not being transported, then it does stop that kind of access.” ...

While this isn't really a solution to the principal problem that many people associate with the USA Patriot Act and the FISA Amendments Act, it may be an economically rational decision since many customers will only ask where the data is, rather than what it really means.

Mr Smith acknowledged that it would be expensive but added “does it mean that you ignore what customers want? That’s not a smart business strategy.” ...

I do agree, however, that the big question which is the driver behind all of this needs to be addressed at a government-to-government level.

Mr Smith also said that the US and EU should consider signing an international agreement that ensures they will not try to seek data in each other’s territory via technology companies.

“If you want to ensure that one government doesn’t seek . . . to reach data in another country, the best way to do it is . . . an international agreement between those two countries. Secure a promise by each government that it will act only pursuant to due process and along the way improve the due process.”

He argued that the existing “Mutual Legal Assistance Treaty” mechanism used by the US and EU to protect individuals’ rights from the two blocs is outdated: “It needs to be modernised or replaced.”

No comments: