In a story reported yesterday evening by the NY Times at http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/, the FBI decided to take down activity from a suspicious IP address by seizing three enclosures full of servers from a hosting Facility in Reston , VA, used by DigitalOne, the hosting company, based in Switzerland, that was being used by the target of the FBI investigation.
The only problem was that the three enclosures worth of servers apparently included the sites for many more customers than just the one being investigated and DigitalOne is responding to the outages reported by those customers by letting them know that the FBI has those servers and there is no way that they can check on them, or do anything else with them, for that matter.
Despite their interest in just a single DigitalOne client, the FBI's actions have affected "tens" of clients, according to DigitalOne CEO Segej Ostroumow. The FBI has not yet commented on their actions nor have they provided any way for the customers they were not interested in to recover their server data.
So what does this mean to cloud and internet service providers, and more importantly, their customers? What happens when the FBI decides that a fellow customer of a cloud service that your business uses needs to be investigated and shut down? Does the distributed nature of the cloud mean that the FBI will shut off and confiscate every server and storage device potentially involved in their investigation?
If you are a current colo customer, it would appear that there is, at the moment, a potential problem for you if you don't have full racks, enclosures, or your own suites. The actions of a completely unrelated customer of your datacenter host can have consequences that put you out of business, if their servers simply happen to co-reside with yours.
I'm given wonder if any of the servers in the confiscated enclosures were mirroring or backing up to a different physical site, and if they had been, would the FBI have raided that second facility to confiscate that equipment, on the off-chance that their targets data was being passed along.
This governmental action brings to light a new take on privacy and security, especially with the cloud. Will the government continue to make what appears to be"guilt by association" assumption related solely by proximity, that they have the right to damage and destroy unrelated businesses while performing their investigations? Or will someone step forward, admit that this was as bad as serving a no-knock warrant at the wrong address with devastating results and require that the FBI, and any other government entity that could potentially do this, examine their policies and come up with ways to prevent this kind of collateral damage.