Friday, December 21, 2012

Do Govt. Laws Present Undue Risk To Cloud Computing?

(updated 12/12)  There has been a bit of a buzz regarding access to citizen and company data by the U.S government and the associated risks of Cloud computing in that regard.  I’m talking about the recent searches of gMail and Facebook of WikiLeaks supporters.  Paul Carr’s Tech Crunch article  and  David Linthicum’s InfoWorld story refer to these events.  In addition, the New York Times ran a story on secret F.B.I. subpoenas. When you move your data to the cloud, you lose some control over government access to your data during what may (or may not) be a legal search.  I touched briefly on this last year (here), in my article on the Challenges and Risks to Cloud Computing.  For the purposes of this article, I’ll assume your data is still in the US, not a foreign country data center, which poses an entirely different set of risks.

At issue: an individual or business person’s ability to stop an illegal search of their data when law enforcement shows up at your data’s door (that “door” being the door to your cloud provider’s data center).  There is also worry that Fourth Amendment rights will be trampled on because application data has moved to the cloud.  Because your data now lives in a data center, presumably operated outside your company or home, you lose the ability to know when you are being searched, to stop warrantless searches, and to analyze the warrant and validate that the search is, in fact, legal.  Unless you (or preferably your lawyers) are at the data center during the search, you can’t ensure that it adheres to the boundaries set by the warrant to prevent fishing expeditions.  At the same time, you may lose control of privacy or company secrets as part of that search.  How do you protect your Fourth Amendment rights if you don’t even know you are being searched?  If your data is co-located with other individuals or businesses that are being searched, how are you protected from information leakage when they are searched?