It was big news last month when Dropbox, the popular cloud storage provider, announced that it was offering new multiuser business accounts at a competitive price. The business, which initially launched as a consumer service, announced that it would now be offering its new service to small and medium size corporate clients. Corporate users would be able to create virtual disk folders on their computers which would be mirrored on the cloud and would be available anywhere.
The promotional information for the new service promoted its high level of security which includes password protection and user side encryption. What Dropbox did not easily disclose in its promotional materials was that the service does not meet the requirements of Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA) or the Sarbanes-Oxley law. Use of the service by a corporation subject to these acts could result in substantial fines and penalties.
Although many similar services also do not meet these requirements, Dropbox’s new service is directed not at the home user but at corporate customers in industries likely to be governed by these regulations. Dropbox’s explanation for not emphasizing this shortcoming in its promotional literature was that its customers were more concerned with collaborative ease than with regulatory compliance.
Ultimately, this is an example of the basic rule of all cloud computing – user beware. A corporation in a regulated industry needs to be proactive in confirming that a service which it intends to use fulfills its regulatory requirements. Furthermore, corporations need to create, promote and enforce internal guidelines to avoid use of cloud based services which could result in regulatory violations. For such guidelines to be effective, the company’s employees need to be educated to avoid using such services for company information without prior company approval.
The 9th Circuit has ruled in Suzlon Energy Ltd v. Microsoft Corporation, that emails belonging to a non-US national which are hosted on US based servers by a US cloud provider. The Electronic Communications Privacy Act of 1986 (ECPA) provides that “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.”
In this case Suzlon sought emails to use in a civil fraud proceeding pending against Rajogopalan Sridhar and others in the Federal Court of Australia (the “Australian Proceedings”). Although Sridhar is a citizen of India and is imprisoned abroad, the relevant emails are stored on a US server by a domestic corporation, Microsoft. The district court initially granted Suzlon’s petition for production of documents. In response, Microsoft filed objections that the district court deemed to be a motion to quash.
The Court construed the term “person” as defined in the Act to extend to “any person” regardless of nationality, thereby expanding the application of the ECPA to foreign nationals. This reading is consistent with other decisions that have interpreted similar laws such as the Freedom of Information Act.
On June 28, 2011, at the launch of Office 365, the new cloud based version of its well-known office tools, Microsoft stated that data that you store on the cloud is subject to scrutiny by the US government even when it is stored overseas. ZDNet reporter Zack Whittaker reported that, when asked if Microsoft could guarantee that data stored in the European Union would not leave the European Economic Area, Gordon Frazer, managing director of Microsoft UK, explained that it could not. Because Microsoft is a US based company it has to comply with US laws and would be forced to disclose data to the US government if required to do so under the Patriot Act. When asked if customers would be notified of a government ordered disclosure, he said that neither Microsoft nor any other company can provide such a guaranty. Gagging orders, injunctions and U.S. National Security Letters can prohibit disclosure of information requests to the owners of the information.
These public admissions are consistent with similar admissions previously made by Microsoft in a white paper detailing Office 365 security which states:
In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service).
Accordingly, if a governmental entity approaches Microsoft Online Services directly for information hosted on behalf of our customers, [Microsoft] will try in the first instance to redirect the entity to the customer to afford it the opportunity to determine how to respond. …and will use commercially reasonable efforts to notify the enterprise customer in advance of any production unless legally prohibited.
In addition to the insecurity that this language creates for European users who, by using the service, may be exposed to US government scrutiny, it also brings into question the legality of US run cloud services in Europe. European data security directives prohibit removal of data from Europe without the data owner’s consent. Microsoft did not explain how it reconciles its obligations under US and European law.
Microsoft’s own white paper increases concern about the extra territorial transfer of data:
As a general rule, customer data will not be transferred to data-centers outside that region. There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (e.g., for technical support, troubleshooting, or in response to a valid legal subpoena).
This language not only creates concerns for European customers of the Office 365 service but for US customers concerned with running afoul of export controls which might hold them strictly liable for foreign transfer of certain technical information.
While some readers may shrug off the disclosure requirement assuming that laws such as the Patriot Act are limited in use to terrorist investigations, it is important to understand that nothing restricts the scope of information obtained under the act or the transfer of information gained to other government agencies. In fact, the government has repeatedly refused to disclose how it feels that it can use the Patriot Act and where there has been disclosure, the interpretation has been expansive.
So what do these disclosures suggest for users of cloud services? For one thing, it is likely that European users will shy away from accessing cloud services provided by US companies. We are also likely to eventually see litigation reconciling European Union data rules against compelled disclosure under national security laws such as the Patriot Act. Finally, companies that are subject to export control compliance would be wise to shy away from cloud services and instead opt for restricted hosting services where they can assure no foreign access to their data.
Your cloud data may be relatively protected from disasters such as floods, storms and earthquakes. However, it has no protection from the overreaching hand of law enforcement.
Early yesterday morning the FBI raided an Internet hosting facility in Renton, Va., and seized several of its servers. The facility is owned by DigitalOne, a company based in Switzerland. The raid and seizure seem to be related to the FBI’s search for a wanted hacking organization Lulz Security Group (“LulzSec”). LulzSec is associated with a series of Internet denial of service attacks against CIA and other government agencies. At the same time that the Virginia raids were taking place Scotland Yard arrested Ryan Cleary in the United Kingdom for alleged involvement with the organization.
Although the FBI was only interested in one of DigitalOne’s clients whose data was hosted on one of the seized servers and who may have had ties to LulzSec, various servers were seized, thereby shutting down access for “tens of clients” who also maintained data on the server. In an email to a client, published by the New York Times, DigitalOne’s chief executive, Sergej Ostroumow, said that in the “night FBI has taken three enclosures with equipment plugged into them, possibly including your server. . . After FBI.’s unprofessional ‘work’ we can not restart our own servers, that’s why our website is offline and support doesn’t work.” The New York Times reported that Mr. Ostroumow said DigitalOne had provided the FBI with details of how to find servers linked to an IP address they were investigating, but agents also seized unrelated equipment. The DigitalOne website was still not accessible this morning, a day after the raid.
This seizure is reminiscent of a raid undertaken by the FBI in 2009 where it seized servers belonging to Core IP Networks in Dallas, Texas. In the 2009 raid the FBI was investigating two companies who had allegedly defrauded AT&T and other telecom companies of service fees. The seizure of the servers effectively shut down dozens of companies. One company in particular, Liquid Motors, a provider of data services for car dealerships, was effectively shut down by the raid. A legal suit for return of the servers filed by Core IP Networks before the U.S. District Court for the Northern District of Texas failed where the Court found that there was probable cause that the servers had served as an instrumentality of a crime.
There is an old Cuban saying “dime con quien andas y te diré quien eres” which translates to “tell me who you hang out with and I will tell you who you are.” It seems that these days being identified as an Internet company does not say much good about you. Just a week after Facebook was found planting stories with bloggers against Google, PayPal has filed suit alleging that Google reneged on a deal by hiring away PayPal’s employees.
PayPal is a well-known on-line payment service. Google is the internet services behemoth offering services which span everything from search engine, to office suite, to e-mail, to social networking. PayPal filed suit against Google, a former officer of eBay and a former officer of PayPal before the California Superior Court for San Mateo County (a Court that the cloud blogger has appeared before).
The Complaint alleges misappropriation of trade secrets, breach of contract, interference with a contractual relationship and breach of fiduciary duty. It tells how Google approached PayPal and negotiated for two years to have PayPal provide payment services for Google mobile devices. On the eve of signing the deal, Google backed out and hired away the PayPal executive who had been negotiating on behalf of PayPal, Osama Bedier. According to the complaint, Stephanie Tilenius, a former eBay executive and named defendant in this suit, solicited Mr. Bedier and induced him to join Google. After joining Google, Bedier also solicited and tried to lure away other PayPal employees.
According to the complaint:
[F]rom 2008 to 2010, Google and PayPal were negotiating a commercial deal where PayPal would serve as a payment option for mobile app purchases on Google’s Android Market. During that time PayPal provided Google with an extensive education in mobile payments. [Defendant] Bedier was the senior PayPal executive accountable for leading the negotiations with Google on Android during this period. At the very point when the companies were negotiating and finalizing the Android-PayPal deal, Bedier was interviewing for a job at Google – without informing PayPal of this conflicting position.
Supposedly, Google used Mr. Bedier’s knowhow to craft its new mobile wallet mobile payment strategy which Google announced on May 26, 2011, the date the suit was filed.
So you are considering moving some of your information functions to the cloud in order to save money, increase scalability and build redundancy. However, are you also being environmentally responsible?
A study commissioned by Microsoft in 2010 estimated that companies could cut energy consumption and carbon emissions by 30 percent by switching over to the cloud. This claim was based on four basic premises. First, by provisioning resources to cloud customers dynamically, as needed, the cloud wastes fewer computing resources. Second, by serving a large number of users on shared resources, loads are more evenly balanced and peaks in consumption are avoided. Third, servers are used much closer to their capacity. Finally, advanced data centers avoid the waste of many smaller, older in-house environments.
These results were supported by market research and consulting firm Pike Research which suggested in its own study that by 2020 cloud computing could reduce information systems related energy consumption by 38 percent.
However, not everyone is convinced by these predictions. Greenpeace, the well known environmental organization, updated its 2008 report “Make IT Green: Cloud Computing and its Contribution to Climate Change” and issued a 2010 “Smart 2020” report which challenges some of these optimistic results. According to Greenpeace’s research, data centers and telecommunications networks — which together are the two key components of cloud computing — are going to triple their overall consumption of energy by 2020, all because of the rise of cloud computing. By increasing accessibility to portable devices such as smart-phones and tablets, demand for data storage and processing will lead to more and larger data centers. Moreover, on the cloud, we are able to run operations which use far more resources than we could ever draw upon just a few years ago. These data centers generate huge demands for electricity in cooling and processing.
University of Melbourne professor Rod Tucker, speaking at a green IT virtual conference, also identified the transportation of data across the network as an additional source of cloud inefficiency. Professor Tucker, who served as Director of the university’s Institute for a Broadband-Enabled Society (IBES), conducted research into the energy efficiency of various cloud computing tasks and how they compared to traditional, local computing processes. He determined that the more frequent and voluminous the exchange of data on the network, the more energy efficient local processing becomes by comparison, since transporting the data across the network itself consumes energy.
This is not to say that some data centers are not trying to find ways to be energy efficient. Web hosting services Fat Cow and ThinkHost, amongst others, brag that their energy is derived 100% from wind generation or solar sources. However, Greenpeace would contend that by driving demand and increasing network traffic, cloud providers actually outstrip their ability to compensate with energy efficiency. So what can you do? Unfortunately most IT decisions are going to be driven by the financial benefits that the cloud brings to corporate IT pocketbooks. Growth in demand is unavoidable. Future energy costs and legislation will have to work with public pressure to help induce efficiency and conservation on the cloud.
On Wednesday April 6, 2011, the Senate Judiciary Committee met to discuss overhauling the Electronic Communications Privacy Act of 1986 (“ECPA”). This law governs privacy related to data collection and electronic communications but is lacking in any provisions regarding new technologies and practices such as mobile phones, mobile hotspots, social networking and cloud computing.
At least one party opposed to changing the law is the Department of Justice (“DOJ”). James A. Baker, associate deputy attorney general for the DOJ, told the committee that “the government’s ability to access, review, analyze, and act promptly upon the communications of criminals that we acquire lawfully, as well as data pertaining to such communications, is vital to our mission to protect the public from terrorists, spies, organized criminals, kidnappers, and other malicious actors.”
Mr. Baker tried to persuade the panel that greater government access to our private and corporate information actually provides for a more private environment. “By authorizing law enforcement officers to obtain evidence from communications providers, ECPA enables the government to investigate and prosecute hackers, identity thieves, and other online criminals. Pursuant to ECPA, the government obtains evidence critical to prosecuting these privacy-related crimes.”
What solution does the DOJ offer? Well, for the moment none; however, Cameron F. Kerry, general counsel for the U.S. Department of Commerce, told the committee that the Department of Commerce and the DOJ “have been working together to develop a specific set of legislative proposals.” No suggested time frame for these proposals was stated.
The opening remarks at the hearing by Senator Patrick Leahy, chairman of the committee, suggest that the committee might be deferential to the DOJ and DOC on these topics.
The money flowing into cloud computing seems to grow from year to year. This week alone several significant announcements portend substantial growth.
- Dell, Inc., well known manufacturer and reseller of ms-dos based computers and laptops, announced that it plans to invest over $1 billion on cloud computing initiatives during the next fiscal year. The bulk of the investment will be centered on building data centers that will provide customers with computer infrastructure services (IAAS). Dell announced 12 new such data centers this coming year with more to follow. The data centers will be built worldwide. Dell will brand some of their new data centers as vStart. vStart data centers are planned to allow customers simple virtualized system environments, with, according to Dell, up to 200 virtual machines for a single customer. These environments will be created in cooperation with VMWare.
- Microsoft Corporation and Toyota Media Service Co. are working together to tie your car to the Internet. The initial goal is to provide power-savings tools for hybrid cars such as tracking the best time of day to charge the car, avoiding peak hours and higher electricity costs. The remote control system might also be extended to the home, allowing the user to turn on air conditioning automatically or control energy systems at home remotely. The system is expected to be controllable via smartphones. A presenter for Toyota predicted that consumers will soon learn to demand Internet connectivity for their cars.
- On April 6 IBM announced two new products: Smartcloud and Workload Deployer. Smartcloud is an IBM managed online cloud infrastructure for enterprises to host environments on the Internet. One option under Smartcloud is IBM SAP Managed Application Services, which will allow cloud based SAP solutions for customers. Workload Deployer is an appliance for developing private corporate clouds.
- Forbes interviewed David Eiswert, manager of T. Rowe Price’s Global Technology Fund, who was quoted as saying “Intel is virtually doubling their capital expenditure this year. And they’re not doing that because PCs are flying off the shelves.”