I often have CIOs ask me my opinion about putting e-mail in the public cloud. My answer is pretty simple: check with your lawyers. Indeed, the issue is not technical, but has to do with ownership of e-mails and what can happen to them.
Last week, an interesting blog post got my attention. It’s titled FBI takes down servers in quest of LulzSec hackers. If you don’t know who LulzSec is, read the excellent Wall Street Journal article titled Inside the anonymous army of ‘hacktivist’ attackers.
Now what has this story to do with e-mail in the cloud? Well, if your e-mail happens to be on one of the servers that have been seized by the FBI… bad luck, it’s gone to the authorities. This is the clash between the physical and the virtual world. Justice needs “physical evidence”, and I stress the term physical. In the cloud everything is increasingly virtual. Information is scattered over multiple physical enclosures, mixed with information from others. And that is precisely where the problem is. In their need to seize physical evidence, authorities not only get the information they are looking for, but also many other information items not related to the case.
There is no trustworthy mechanism in place for cloud service providers to hand over the information authorities request for their case. And this leads to cases such as this one. As the New York Times reports, many customers were really unhappy.
Actually, it seems the FBI has been quite gracious as it could have considered the whole datacenter as a crime scene, specifically if the service provider was not able to show proof that they could pinpoint the exact devices, locations and files/images that were hacked, one of my sources tells me.
One month ago, the German authorities seized servers from the Pirate Party’s collaborative document drafting service Piratepad, as investigators believed the service was used by unnamed users to plan DDoS attacks on EDF. In March, servers were seized at internet hosting companies to take down a botnet. And I could go on like that. Often you don’t hear of the “collateral damage” to the companies using the same service or hosted in the same facilities.
Mirroring your cloud environment in two datacenters could obviously address this, but adds to the cost. Scenarios such as the one above should be included in the risk management I discussed in a previous blog entry.
To come back to e-mail, scenarios such as the above may put your data into the hands of authorities against your will, but there is also another aspect. Who owns your e-mails when they are stored in the cloud? What happens if your mail is in the cloud and you are subject to a subpoena? Who will decide whether the information is handed over or not? ZDNet published an interesting article, titled Microsoft: “We can hand over Office 365 data without your permission”. They actually recognize that: “In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service).” And the article describes how data can travel between regions without the customer being advised, making compliance with regional legislation more complicated.
In the many contacts I’ve had with CIOs all over the globe, I have been astonished to see that many of them decide to use public cloud services for e-mail, collaboration and other functions without thinking through these points. My advice remains the same: discuss these scenarios with your lawyers first, as there might be serious implications for the company. And it may end up costing the company way more than the saving gained by using the service in the first place. The industry needs to work with authorities to find a solution that is acceptable to all parties. While the industry absolutely wants to help authorities address crime successfully, it wants to avoid subjecting innocent customers to the wrong-doings of others.
In the meantime, keep this in the back of your mind, and if you have to make a decision whether to use a public cloud service or not, make sure you get proper legal advice.