Editorial & Analysis
Also by this author
12 Jun 2013
Details are still sketchy, but many cloud customers will have been unnerved by reports of a US scheme by which intelligence agencies can harvest data on individuals from technology providers.
What does the recent furore over the US Government’s ‘Prism’ programme mean for European cloud customers? In recent days, newspapers on both sides of the Atlantic have reported on the scheme, which allegedly permits the National Security Agency in the US to collect data “directly from the servers” of Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple.
In principle, that means that US spooks can access email communications, photos, video and voice chats, as well as online social networking details. In other words, the system is intended to pry into the affairs of individuals, rather than companies - but that could, of course, have implications for companies that entrust customer and employee details to these cloud providers, and possibly others, too.
And, according to some reports, spooks in the UK can have that information too, because NSA is said to have shared details of the information gathered through Prism with GCHQ. Foreign Secretary William Hague is sticking to the line that allegations that GCHQ has used its partnership with the US to access data it can’t (currently) obtain under UK law as “baseless” - but it does raise important questions over the UK’s own proposed Data Communications Bill.
After all, if spies in the UK already have access to Prism, then why would they even need to bug the nation’s own ISPs - unless, of course, they needed a way to legally present, as evidence in a UK court, communications that they’d already intercepted via Prism?
Right now, details of Prism are vague. Many of the companies said to be involved have denied it. Some believe they may have a case, since it’s totally possible that a US Government scheme like Prism might be able to pull data directly from major network providers. In fact, that’s exactly the right that the UK Government is seeking to obtain with its proposed Data Communications Bill.
So, right now, it’s hard to say what the implications might be for corporate cloud customers - although it’s generally felt that many will have been “unnerved” by this week’s reports, says Marc Dautlich, a data protection expert at law firm Pinsent Masons.
“Those firms will want urgent answers from their providers about what kind of access law enforcement and intelligence agencies have had to their data,” he says.
It they can’t provide those assurances, convincingly, then companies will need to evaluate whether they can continue to meet their data protection obligations, he adds: “Some may be prompted to explore alternative arrangements with smaller, non-US cloud providers; some may look instead to more traditional data centre storage options; while others may elect to keep the responsibility for storing data in their own hands.”
At Gartner, meanwhile, analyst Gregor Petri argues that Prism could help European cloud providers at the same time as it damages US-based ones: infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS), he says in a recent blog posting, “are a domain where several local alternaties do exist, both at a national and a pan-European level. Some of these providers are even global, offering services from facilitieis they run in ‘neutral’ - but latency-wise, quite close by - locations like Canada or Switzerland.”
Difficulties could arise, however, in situations where third party providers, whether knowingly or otherwise, fail to disclose to customers about potential circumstances in which personal data in their control may be processed or shared. Until more details on Prism - or indeed the proposed UK Data Communications Bill - are forthcoming, it remains impossible for any company using a third-party provider to have much confidence that they truly know the score in the US or the UK.