Cloud computing and privacy: OPC Submission Paper: CATAAlliance
April 14, 2010

++ Action Item: Please contact Barry Gander at bgander@cata.ca with any guidance you may wish to provide on the Cloud Computing and Privacy position paper presented below:

According to many CATA executives, the Cloud, especially the “Mobile Cloud”, is emerging as the hottest opportunity area for Information and Communications Technology (ICT) companies. CATA in fact has started a community to share information about the “Mobile Cloud”. The Cloud is the next stage in the evolution of the Internet; it makes information available to a mass market. By using remote server capabilities to deliver information, the Cloud is “the PC that never breaks”. The Cloud is an always-on repository and delivery agency for a limitless amount of digital information. The Mobile Cloud Cluster is the central coordinating agency for innovations and alliances that promote the more rapid adoption of Cloud Computing for mobile devices and applications, by organizations and the general public. Ultimately, the Mobile Cloud Alliance aims to make a meaningful contribution to the enhancement of prosperity and the equality of peoples, by lighting up the globe with universal access to all knowledge.

 

Much attention has been focused as of late on the borderless nature of cloud computing, and the potential impact of this on privacy. Often, the spectre of the USA Patriot Act is raised as a short-hand argument against cloud computing. Somehow, the argument goes, the mere fact of putting information in the cloud will make it accessible to law enforcement and national security authorities. A reality check is in order. Information, wherever it is resident, is vulnerable to lawful access by law enforcement and national security agencies. Every mature democracy has a set of laws that can require law enforcement or national security access to information, regardless of the media and the form of the data.
 
We live in a networked world. Most electronic information resides on servers (whether owned by the original custodian, rented from service providers by the original custodian, or owned by a service provider and accessed through a services agreement). Most of these servers are connected to high-speed networks that are integral to or are connected to the Internet. Most information is theoretically accessible world-wide. This is the case whether the original custodians own the server or not.

 

Unlike a physical document, electronic information can exist in multiple places (stored on multiple servers, or multiple media). Whether a law enforcement agency or a national security entity is in a position to take “jurisdiction” over that information depends upon a number of factors. We conventionally think about jurisdiction being based on where the information “is”. Clearly, a legal system is able to take jurisdiction over things and people that are within its territory. A Canadian court can cause the seizure of a server that is in Canada. A second basis for jurisdiction is the ability to make an order against a person who can produce information. Either the person is in the territory of the court taking jurisdiction or that person has assets that are vulnerable to seizure. In such a case, a Canadian court can issue an order against a non-Canadian company for records that are not stored in Canada but are accessible or managed from Canada.  This means, effectively, that any Canadian information or information accessible from Canada, is subject to Canadian law.

 

A second question is, practically speaking, how a law enforcement agency from another country is able to use international agreements or arrangements to obtain access to the information. Canadian law enforcement and national security agencies participate in the reciprocal exchange of information, both informally and as set out in Mutual Legal Assistance Treaties (MLATs). MLATs formalize a reciprocal relationship where law enforcement agencies in two countries agree to provide mutual assistance in matters such as obtaining evidence, serving documents, and producing documents. The Mutual Legal Assistance in Criminal Matters Act sets out the legalities and procedures for dealing with foreign requests for assistance under the various MLATs to which Canada is a party. The legislation specifically provides authority and procedures for Canadian law enforcement to carry out searches, seizures and other collections of evidence on behalf of a foreign state in much the same manner as can be done by Canadian authorities with respect to a Canadian investigation. This specifically includes obtaining search warrants. If a foreign state is seeking access to information stored in Canada, the MLAT procedures can be used to lawfully compel the production of that information.

 

What is not generally known is that Canada’s laws permitting law enforcement and national security access to information virtually mirror those provisions in the United States that have garnered considerable attention, including those in the USA Patriot Act. For example, the Foreign Intelligence Surveillance Court in the US has its counterpart under the Canadian Security Intelligence Service Act, where the judges have even greater powers for surreptitious surveillance of Canadians and non-Canadians alike.

 

These lawful access powers exist regardless of whether the information being sought is “in the cloud” or is resident on a closed system. To say that there is greater vulnerability “in the cloud” is to misunderstand the powers that such laws bestow. One may argue that information “in the cloud” is at less risk of lawful access because it is potentially interspersed with other information that law enforcement cannot legally obtain. In addition, the reputable purveyors of cloud computing services have protocols in place for responding to warrants, subpoenas and court orders. Single-purpose server operators seldom have the expertise to respond to such a request other than to simply comply.

 

Cloud computing providers may be in a position to offer better privacy protection than alternative means of storing, managing and providing access to data. To begin with, most are staffed by professionals who devote resources to protecting the information and authenticating users. A large cloud-service provider almost certainly puts more resources into data security than any small or medium-sized enterprise is able to muster. While thousands of thumb-drives go missing each year, often at the expense of personal data breaches, the cloud is not vulnerable to being misplaced or lost. A breach will usually result in a small-scale loss of security for one account rather than a wholesale loss of collections of records. Once a breach is detected, the account can be closed or the vulnerability can be addressed. If a laptop is stolen, it and all of its data are completely beyond the control of the original custodian.

 

To simply conclude that information in the cloud is at greater risk because of laws like the USA Patriot Act is to misunderstand how law enforcement and others obtain access to information. Information wholly in Canada is vulnerable to lawful access under the myriad of laws that permit police and national security agencies to compel information. Information in Canada is also vulnerable to access by non-Canadian agencies.

 

Canada has robust privacy laws that are based on best practices and flexible principles. Most importantly, the original custodian of personal information remains responsible for its protection regardless of where the information goes. Any organization proposing to use cloud computing services (or any other service to manage data for that matter) needs to carry out a risk assessment to determine whether using the service introduces any additional risks and how these can be mitigated. The original custodian needs to make informed choices about how to handle the data, including what services and service providers to use for its processing. This should be a sensible, risk-based approach.

 

At the end of the day, existing Canadian privacy law is sufficiently sensible, flexible and robust to properly manage personal privacy in the cloud.


 


 

© 2009 Canadian Advanced Technology Alliance. All rights reserved.