Note: This article applies to public cloud computing. Private clouds where you own the equipment and software in your computer room/data centre are not affected.
Regular readers will know that I used to work in the hosting business and that something I warn people to be aware of is the USA Patriot Act – a legacy of George W. Bush’s war on terror (some might argue it was a war on freedom) and that lives on under the “moderate” Democratic government a decade later.
The ZDnet article, “Case study: How the USA PATRIOT Act can be used to access EU data”, by Zack Whittaker is an excellent analysis of the problems that the Patriot Act causes for non-American organisations with cloud services provided by USA owned companies, no matter where their subsidiaries or data centres are located.
I’ve been able to attend a number of cloud computing events since the trend kicked off. Those who have invested themselves in the likes of Amazon, Azure, or Google, will vehemently deny that the Patriot Act applies. Some of them will toss their toys out. They kind of remind me when Irish PM Bertie Ahern told us critics to go commit suicide when we questioned the health of the economy (he resigned a few months later when he finally saw the financial tsunami that was coming). Their lack of willingness to discuss or listen should make you wonder.
Last year I asked an Amazon evangelist about the Patriot Act and how it would apply to data stored in Amazon’s European data centres. The rather cocky answer was that it wouldn’t because the Amazon company in Ireland was an Irish registered company. Indeed it is, but it is also owned by a USA owned corporation that must comply with the Patriot Act.
A few years ago at the Microsoft BPOS launch, I asked a MSFT speaker about the Patriot Act (I am a bold boy!). He had to admit that there was an issue even if the data stayed in the Dublin data centre. But straight away, MSFT sales and marketing were out talking about geo-location and how that was the solution to data protection issues. Some of us knew that to be BS, and others went and developed their HR SaaS, or whatever, applications on Azure (I did have a few giggles, I have to admit, thinking of the impending ex-employee versus employer lawsuits that could follow). Finally Steve Ballmer admitted to the issue at a CEO conference … but try stop sales and marketing!
For you nay-sayers, here’s a couple of bits from this excellent article:
“The bottom line is that both Microsoft and Google — and therefore any other cloud service provider operating in Europe — cannot provide satisfactory guarantees that data supplied by EU customers and housed in datacenters on European soil will not leave the European Economic Area under any circumstances”.
“These subsidiary companies and their U.S.-parent corporations cannot provide the assurances that data is safe in the UK or the EEA, because the USA PATRIOT Act not only affects the U.S.-based corporations but also their worldwide wholly-owned subsidiary companies based within and outside the European Union”.
I’ve met loads of people who love EC2. I know an Azure MVP and he’s fallen for it as a developer. All quite understandable. To me, things like Office365 do offer amazing opportunities in the right circumstances. Will anything change regarding the Patriot Act?
Rumour is that Amazon and MSFT lobby strongly over this issue. Some believe they had a lot to do with some of the contentious pieces of the Cyber Security Act being stripped out. I’d believe it – the USA might be the big player in cloud computing right now, but if data laws continue to cause concerns then what’s to stop a Chinese operator dominating there, or a French/UK/German operator dominating in Europe, or a South American provider dominating down there? That would put a seriously big pinch on Amazon’s plans to be online content kings of the world, and Microsoft’s plans to dominate PaaS/SaaS just like they’ve dominated Office software. Maybe there will come a time when the USA government will cop on and relinquish these communist-like demands over hosters. That would be of benefit to us all. But we have learned from history that both USA political parties are willing and able to undo freedoms at a moment’s notice; we only have to look at the original drafts of the Cyber Security Act to see that.
So are people listening to the warnings? As I’ve already alluded to: no they’re not. The louder voices of those who are already invested are drowning out those urging caution. And there are those who see those oh-so-tempting low sticker prices of an Azure or an EC2 and then don’t want to listen to anything else. I’ve had those conversations in the past. To be quite honest, most people don’t want to listen. It’s like telling a gambling/spending addict they they shouldn’t get that sixth credit card. They either berate you for questioning “progress”, try to change the topic of conversation to that of technical features, say that the Patriot Act will never be used against them (it’s known to have been used over 80 times – and the fact is that data that is susceptible to the PA is at risk to not being protected by the European Data Protection Act), or they engage the lah-lah-lah arguement. I gave up; that’s why I’m not in the hosting business any more.
So give the ZDnet article a read. It’s well constructed, telling the story of the author’s investigation. He uses a case study and approaches some big service providers directly to get their official responses on the issue.
Now, let me get back to folding that tin (aluminium) foil hat to keep those pesky NSA satellites out of …