Technology, Security

Consider legal implications when using cloud for email

Blog-post by,
HP Blogger

I often have CIOs ask me my opinion about putting e-mail in the public cloud.  My answer is pretty simple, check with your lawyers. Indeed the issue is not technical, but has to do with ownership of e-mails and what can happen to them.

Last week, an interesting blog post got my attention. It’s titled FBI takes down servers in quest of LulzSec hackers. If you don’t know who LulzSec is, read the excellent Wall Street Journal article titled Inside the anonymous army of ‘hactivist’ attackers.

Now what has this story to do with e-mail in the cloud? Well, if your e-mail happens to be on one of the servers that have been sized by the FBI…., bad luck, it’s gone to the authorities. This is the clash between the physical and the virtual world. Justice needs “ physical evidence”  and I stress the term physical. In the cloud everything is increasingly virtual. Information is scattered over multiple physical enclosures, mixed with information from others.  And that is precisely where the problem is. In their need to seize physical evidence, authorities not only get the information they are looking for, but also many other information items not related with the case.

There is no trustworthy mechanism in place for cloud service providers to hand over the information authorities request for their case. And this leads to cases such as this one. As the New York Times reports, many customers were really unhappy.

Actually, it seems the FBI has been quite gracious as it could have considered the whole datacenter as a crime scene, specifically if the service provider was not able to show proof that they could pinpoint the exact devices, locations and files/images that were hacked, one of my sources tells me.

One month ago, the German authorities seized servers from Pirate Party’s collaborative document drafting service Piratepad, as investigators believed the service was used by unnamed users to plan DDoS attacks on EDF. In March servers were sized at internet hosting companies to take down a Botnet. And I could go on like that. Often you don’t hear of the “collateral damage” to the companies using the same service or hosted in the same facilities.

Mirroring your cloud environment in two datacenters could obviously address this, but adds to the cost. Scenarios such as the one above should be included in the risk management I discussed in a previous blog entry.

To come back to e-mail, scenarios such as the above may put your data into the hands of authorities without your will, but there is also another aspect. Who owns your e-mails when they are stored in the cloud? What happens if your mail is in the cloud and you are subject to a subpoena? Who will decide whether the information is handed over or not? ZDNet published an interesting article, titled Microsoft: “We can hand over Office 365 data without your permission”. They actually recognize that: “In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service).” And the article describes how data can travel between regions without the customer being advised, making compliance to regional legislation more complicated.

In the many contacts I’ve had with CIOs all over the globe, I have been astonished to see that many of them decide to use public cloud services for e-mail, collaboration and other functions without thinking through these points. My advice remains the same, discuss these scenarios with your lawyers first as there might be serious implications for the company. And it may end up costing the company way more than the saving gained by using the service in the first place. The industry needs to work with authorities to find a solution that is acceptable to all parties. While the industry absolutely wants to help authorities addressi crime successfully, they want to avoid subjecting innocent customers from the wrong-doings of others.

In the meantime, keep this in the back of your mind, and if you have to make a decision whether to use a public cloud service or not, make sure you get proper legal advice.

(1) (1)

Would you like to comment on this content? Log in or Register.
Paul Muller 119 Points | Thu, 06/30/2011 - 23:02

Look before you click!

Christian Verstraete 429 Points | Tue, 06/28/2011 - 15:35

Judy and John, yes times are interesting, and the cloud thinking continues to be chellenged with unexpected events. Actually the FBI case was not the only one. A cloud service provider in Italy got a similar experience when one of its customers got a subpoena to release their e-mails. Due to the virtual nature of storage in the cloud and the judicial requirement for physical evidence, many other customers, including a couple swiss companies, got their e-mail made available to the judges. In my mind it's partly to do with the fact the laws are not really in line with the new technologies that appear. So, still loads of space for improvement.

Judy Redman
Judy Redman 55 Points | Sun, 06/26/2011 - 16:51

Christian, interesting post.  I read in my local Sunday newspaper that AP reports LulzSec announced via Twitter that it is disbanding.  Who knows if the report will bear truth in the long run. In order to go out in a big way, the group released documents it claims it had hacked from AT&T.  Earlier this week it hacked into the Department of Public Safety records in Arizona where I live--and the claim is that the hacking group has home phone numbers and other personal information on officers.  Arizona DPS says the breach came through an email system with weak password requirements.  The lesson from all this is that we need to take computer security much more  seriously, in spite of the fact that the name Lulz is supposedly a twist on the Internet acronym LOL, "laughing out loud."  Computer security is no laughing matter. 

John Dodge 1535 Points | Mon, 06/27/2011 - 13:11

Reading Christian's post is enough to scare any company to pull back on pulling back on cloud e-mail. But the FBI's server seizure seemed like a ham-handed fishing expedition. They take 10 servers when in theory, DigitalOne officials could have told investigators that what they were looking was on this or that server. It's like the FBI getting a warrant to search your car and searching every car in the adjacent neighborhood. Also, the FBI could be opening itself to some lawsuits.

But you raise another excellent point: what else do they find beyond what they expected to find? It is a lawerly subject, indeed.