The pitfalls of offshore cloud

CIOs who send their data to an offshore or global cloud may be in for more legal and financial trouble than it's worth, according to a new whitepaper released yesterday.

Whitepaper co-author, Connie Carnabuci, partner at law firm Freshfields Bruckhaus Deringer (Credit: Luke Hopewell/ZDNet Australia)

The whitepaper, commissioned by Macquarie Telecom in partnership with law firm Freshfields Bruckhaus Deringer and entitled "The Cloud and US Cross-Border Risks", aims to warn not just CIOs of the legal dangers of offshore cloud, but every level of a company considering a cloud move.

Matt Healy, head of Regulatory and Government for Macquarie Telecom, told The Cloud and US Cross-Border Risks roundtable that as business moves to global cloud, traditional economic borders begin to break down, presenting new legal and financial risks.

Legal risks

Businesses looking to host their data in a US-based, offshore cloud environment open themselves up to a whole new world of legal strife, according to whitepaper co-author, Connie Carnabuci, partner at law firm Freshfields Bruckhaus Deringer.

Data stored in a US-based cloud, for example, has a higher chance of being accessed by government agencies, making privacy assurances difficult.

US-based data faces exposure to the controversial Patriot Act and Foreign Intelligence and Surveillance Act, meaning that data stored in an offshore cloud environment may be accessed by US federal law enforcement agencies, regardless of who owns the data.

Australia has very strict regulations in terms of how private data can be handled, Carnabuci explained, a view which the US does not share. The US handles data privacy on a sector-by-sector basis, while several key pieces of legislation make it easy for law enforcement agencies to access data for any and all investigations.

"There's no doubt that the US Government has got much greater powers to access private data than the Australian Government has under corresponding laws," Carnabuci said, adding that agencies can view data with a lower probable cause than would normally be required.

"You don't, for example, need to be able to show probable cause that the target is engaged in criminal activity, so it is potentially the case that government may seek access to your private data stored in the US," she said.

Aussies hosting data in US clouds also can't claim protections under the Fourth Amendment, which protects against unlawful search and seizure of property and information, due to the fact that data is held by a third-party cloud provider.

"The Fourth Amendment falls away and is not applicable where data has been provided to a third party," Carnabuci explained.

"The reasonable expectation of privacy is extinguished when you've provided data to that third party," she added.

Data privacy is eroded further by mutual treaties and agreements signed between countries, such as the European Convention on Cybercrime, meaning data stored in the US may end up in the hands of European law enforcement if required, without the knowledge of the customer.

The biggest risk, however, according to Carnabuci, is how customers will see your company if it hosts data offshore.

"If your company becomes the centre of an investigation, it's going to cost you time and it's going to involve money to deal with that investigation … [however] it's not about the penalties under the data privacy laws, it's about disruption to business and losing customers," she said.

Financial risks

The simple act of storing data can, in some circumstances, be classed as operating a business within the US, opening Aussie companies up to additional income tax obligations from the federal and state governments where the hosting is taking place.

"While mere storage of data typically should not amount to the conduct of business within the US for tax purposes, the activity can be treated as the conduct of business if the non-US person stores data for the account of others, or allows customers or other third parties access to the data," the whitepaper said.

"Anyone who's looking at a global cloud solution would do well to get advice because you need to look at all the circumstances. If there's a dedicated facility or if you take an equity stake in a hosting provider, for example," Carnabuci said.

Macquarie Telecom's Healy said that given the minefield surrounding global cloud hosting, businesses would do well to go with a local, mid-range cloud provider first in order to suss out the regulatory framework around global hosting.

"It may be more appropriate to take its first steps into cloud computing via an onshore provider where the controls and arrangements are perhaps more transparent," he said.

(Front page image credit: Steep Drop image by Mat Walker, CC BY-SA 2.0)

About Luke Hopewell

A fresh recruit onto the tech journalism battlefield, Luke Hopewell is eager to see some action. After a tour of duty in the belly of the Telstra beast, he is keen to report big stories on the enterprise beat. Drawing on past experience in radio, print and magazine, he plans to ask all the tough questions you want answered.

Talkback

16 comments
  • "The reasonable expectation of privacy is extinguished when you've provided data to that third party"

    That is a very broad claim and this is not settled law. As recently as last month, US courts have stated that emails enjoy protection against warrantless searches:

    http://www.inc.com/articles/2010/12/federal-court-protects-email-privacy.html
    Yay-25a47
  • Online financial software providers such as Xero are particularly at risk because they actually use a US based cloud provider Rackspace. Currently they are lobbying NZ Government actively to allow them to host client data on the cloud (which they are already doing anyway).

    Choose your online software providers carefully. Not all of them like to adhere to local laws!
    Azizi Khan
  • Is the whitepaper available anywhere?
    aidos-0aca0
  • Hi Aidos,
    I'll endeavor to have the whitepaper available to view tomorrow.

    Cheers,
    Luke Hopewell
    Journalist | ZDNet Australia
    LHopewell
  • That is a very specific case. There is nothing there to say that the Patriot Act couldn't be used to access data of foreign entities stored within the USA. The ruling was that e-mail is protected by the 4th amendment and requires a warrant to search. This does not mean a warrant couldn't have been easily obtained.
    m00nh34d
  • The requirement for a warrant is to protect privacy - requiring judicial review of the search request is the US' mechanism to balance the competing interests of law enforcement and personal privacy. Australia has a similar mechanism.

    The argument put forward was that there was "no reasonable expectation of privacy", i.e. law enforcement do not require a warrant to search. Clearly there is *some* expectation of privacy, but it can be overruled by following the warrant process. The same process exists in Australia, so as far as risk goes it's pretty much the same whether it's onshore or offshore.

    I don't know enough about the US / Australia judicial process to know how the warrant process compares, but I imagine there are a range of judges in both countries, with some being stricter than others.
    Yay-25a47
  • This article looks more like a plug for Macquarie Telecom entering the space of offering online services in their own local data center by creating competitive FUD. I bet it would be an interesting exercise seeing how much of their own software they leverage internally is hosted offshore...
    Gaz-80288
  • Gaz:
    Interesting take on it Gaz. Any evidence to back it up?

    Luke: why is the US the only cloud country mentioned? Are there no Singapore or otherwise nearer clouds with less issues? Is there really no Aussie Cloud supplier?
    wheelyweb
  • Luke: what part of evidence do you need? The whitepaper has been commissioned by Macquarie Telecom and if you visit their webpage http://www.macquarietelecom.com/hosting/data_centre/data_centre.htm they clearly have an interest in discrediting offshore cloud vendors to drive their own local infrastructure (which they rebrand as cloud) offerings. I think when you want to seriously start talking about risks - let's hear from local cloud suppliers about their back up and fail over standards that cater for disaster recovery. Here is AAPT's effort http://www.zdnet.com.au/floods-take-out-aapt-datacentre-339308533.htm

    Datacom experienced exactly the same thing last year.

    This whole Fourth Amendment, Patriot Act perspective really is clutching at straws I'm afraid.
    Gaz-80288
  • The consequences:
    http://www.wired.com/threatlevel/2011/01/twitter/
    U.S. government recently got a court order demanding that Twitter turn over information about a number of people connected to WikiLeaks, including founder Julian Assange, accused leaker Pfc. Bradley Manning, former WikiLeaks spokeswoman Birgitta Jonsdottir and WikiLeaks activist Jacob Appelbaum.
    grump3
  • I might consider cloud computing based in Australia and subject to Australian Law, but the Offshore Cloud is a fool's paradise.
    Yoda7
  • Hi Readers,
    As promised, the whitepaper is now available for download from our Whitepapers section. You can follow the link to it here or at the top of the article:

    http://www.zdnet.com.au/whitepaper/the-cloud-and-the-us_wp-9922529153.htm

    Wheelyweb: The paper only deals with the possible legal implications of hosting data in a US-based cloud environment.

    Thanks,
    Luke Hopewell
    Journalist | ZDNet Australia
    LHopewell
  • I think what Healy et al are trying to point out is that the US government has been known to exercise extremes when it thinks it needs to. The point is that whatever data is stored on US soil has the risk of exposure from government authorities.

    I don't think anything being reported here is out of bounds or unrealistic. I do sense the sensationalism which you have caught onto fairly quickly. :)
    binary0
  • It's not about DR, it's about regulatory requirements. Australian financial data has to be protected from "overseas" prying eyes - hence why banks and most financial providers are building local "private clouds" to adhere to these requirements.

    Unfortunately some software vendors think these rules should not apply to them, especially since they earn brownie points to get into US markets.

    One software vendor for online accounting software is lobbying the NZ government because they host their cloud using US servers which is against NZ policies.

    Most people do not realize the severity of this issue, where your financial information becomes playground for US intelligence.

    I am all for cloud. But we need to adhere to local financial security laws.
    Azizi Khan
  • Private cloud is a preferred method when there is financial and other sensitive information. But how many smaller software providers are considering this?
    anonymous
  • When you're a smaller software provider, you tend to make sure you work well within the laws and framework provided because you don't have the money to splash around lobbying governments.

    I know of one Australian-made SaaS accounting provider which works closely with the regulators and government agencies to provide a superior product. Little things like calculating proper payroll taxes are done correctly, which has been a huge problem with larger software vendors who "prefer to do it their way".

    When it comes to accounting software - many people put a lot of faith in their software not realising that a lot of the time due to sheer ego, their software vendors do not do the right thing.

    Speaking of which - how many software vendors have commercially available SBR enabled products? Think about it.
    Azizi Khan