There is no surprise here, you are reporting on activities that have been going on since 2004. The only difference between outsourced and cloud exposure is that, when your data is in a specific datacenter, you at least know who might get access to it. If you have stuff in an IBM DC in Germany, you know who can look at it:
- US (all Federal agencies via Patriot Act)
- Germany (Bundespolizei and Bundeskriminalamt)
- EU (Interpol and 17 associated organizations).
But in the cloud, you really have no idea where your data resides, it could be sitting on a server in Shanghai, which means that any number of Chinese local and national groups could demand access, including the PLA. Once again, you have no idea if such access is happening, because the hoster is prevented from informing you.
LONDON — At the Office 365 launch, Gordon Frazer, managing director of Microsoft UK, gave the first admission that cloud data — regardless of where it is in the world — is not protected against the USA PATRIOT Act.
It was honestly music to my ears. After a year of researching the Patriot Act’s breadth and ability to access data held within protected EU boundaries, Microsoft finally and openly admitted it.
The question put forward:
“Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?”
Frazer explained that, as Microsoft is a U.S.-headquartered company, it has to comply with local laws (the United States, as well as any other location where one of its subsidiary companies is based).
Though he said that “customers would be informed wherever possible”, he could not provide a guarantee that they would be informed — if a gagging order, injunction or U.S. National Security Letter permits it.
He said: “Microsoft cannot provide those guarantees. Neither can any other company“.
While it has been suspected for some time, this is the first time Microsoft, or any other company, has given this answer.
Any data which is housed, stored or processed by a company, which is a U.S. based company or is wholly owned by a U.S. parent company, is vulnerable to interception and inspection by U.S. authorities.
Last week, Microsoft opened up its Online Services Trust Center which explained in great detail how data was managed, handled and if necessary, handed over to the authorities.
Related content:
- Mary Jo Foley: Microsoft launches Office 365: Here’s what you need to know
- Microsoft: ‘We can hand over Office 365 data without your permission’
- Why ‘Office 365′, and what do students get out of it?
- Live@edu rebranded: Introducing Office 365 for Education
Also read ZDNet’s Patriot Act series:
