U.K. Parliament wedges head in the privacy sand, plans move to cloud despite NSA spying scandal

U.K. Parliament wedges head in the privacy sand, plans move to cloud despite NSA spying scandal

Summary: Headstrong U.K. parliamentary IT fellows believe, in spite of an ongoing scandal over NSA spying on non-U.S. citizens, a move to the cloud is still a good idea. Here's why it's not.

SHARE:
screen-shot-2013-06-27-at-08-52-52-610x406

From the Computing.co.uk "original reporting" department:

The Houses of Parliament want to move to Microsoft Office 365, and will mitigate the risk of the US Patriot Act by making contractual agreements to ensure sensitive data sits in Europe. [...] When asked how the Houses of Parliament can ensure that the data stays within the EU, [the head of parliamentary ICT at the Houses of Parliament] said that it was looking for contractual agreements that would ensure that the data remains in Europe.

You would have thought, maybe in light of recent events — I don't know, perhaps a little thing called mass U.S. surveillance of foreign nationals — that the U.K. parliament, of all institutions, would be taking data protection and privacy a little more seriously.

Not so much.

According to the publication, the U.K. parliament's IT chief Joan Miller told delegates at the Cloud World Forum in London last Thursday that despite the temptation for foreign governments to "hoover up data and gain information from us," the IT chief and her staff "don't think it is a problem."

With the U.S. National Security Agency brouhaha continuing to spin in headlines, one might think it would be a good time to back off away from putting potentially sensitive parliamentary data into the cloud, which would make it easier for U.S. authorities to serve secret data requests in spite of existing legal channels.

But these legal instruments, which have come to greater prominence as a result of the NSA leaks, have been known in political circles for years. And Parliament is wedging its head in the privacy sand at the expense of these extraterritorial surveillance laws in order to save a quid or two.

Let's rewind a little bit.

Reason one: U.K. privacy watchdog warns of cloud danger

The U.K.'s data watchdog, the Information Commissioner's Office (ICO), told ZDNet in April 2011, "the USA PATRIOT Act could be used to get EU-sourced information from a U.S. company. If the U.S. company approached the EU company with a request for the information, then the EU company would have to consider whether to disclose the data." 

Parliament may report to the watchdog on data protection matters, but it doesn't have to listen — though at its own peril. The ICO confirmed this a year later in a conference deck for data protection officers.

Reason two: Microsoft admits issues of cloud jurisdiction

Referring back to the aforementioned Microsoft U.K.'s then-managing director's comments — perhaps ironically in this case — at the launch of Office 365 in London in June 2011, Gordon Frazer said the software giant "cannot provide [...] guarantees" that that EU-stored data, held in EU based datacenters, will not leave the EU under any circumstances — even under a request by the Patriot Act.

That's about as explicit as you're going to get from the industry, which ultimately turned out to be a valid concern knowing what we are now aware of in regards to the NSA's spying on foreign nationals, which includes EU and U.K. residents.

Reason three: Contract clauses don't protect against third-country laws

Miller told attendees at the London conference: "...sensitive data like e-mail systems and Microsoft Office files need contractual agreements to manage where the data sits," adding that contractual agreements would ensure the data remains in Europe.

Except, again, not wanting to bring up the NSA "unpleasantness," these contractual clauses don't protect against third-country law. What Miller brought up were the "model clauses" set up between Microsoft and the EU in December 2011, just months after the reach of the Patriot Act was disclosed by the company's own U.K. chief. These clauses determine exactly where data resides. 

The cloud pact offers, for all intents and purposes, a safer cloud than those that do not provide such guarantees. In a world where domestic and foreign government agencies can slurp up as much data as they like within the loosely-defined scope of the laws they are bound by, in fact it makes very little difference to the end user, client, or customer.

The takeaway lessons for the CIO, CPO

The fact that the Houses of Parliament is, now of all times in light of recent news, considering a cloud solution isn't actually the headline here. It's the blasé and ignorant attitude towards cloud security, data protection, and privacy that also ultimately puts politicians and their electorate at risk from foreign surveillance.

Chief information and privacy officers, above all else, are responsible not only for corporate data but the data they hold on their customers. In the parliament's case, it's split between political affairs, sensitive communications with parliamentary committees, and correspondence with their electorate.

Parliament's customers in this case are the politicians, who are accountable the electorate. In public sector services, you can't always take the easy option in the hope that the cost benefits at the time offset the public anger in the future when they discover their data has gone astray or been "inadvertently" (or deliberately) vacuumed up by a foreign intelligence service.

Despite tech stocks taking a nosedive over the past few quarters, and with still a shaky economy, there still isn't an excuse. IT budgets may be pressed, and spending may have been cut back. But often the simplest and cost-effective service isn't always the best solution.

And ignorance is not a defense. Let alone when you're accountable to the wider public.

Topics: Security, Government UK, Privacy

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

4 comments
Log in or register to join the discussion
  • Anti-Microsoft bias?

    Certain tech commentators in the US love to put a negative spin on stories about Microsoft. If the government had chosen Google, the story would not be framed in this way.

    But notably, after thorough consideration, with the extreme transparency and public accountability of national decisions, by far the best choice was Microsoft. In fact, Google's cloud offering just does not do everything that Office 365 can do. And unlike Google, Microsoft is clear and honest about the legal realities of jurisdiction, allowing the issue to be addressed.

    If American commentators hate Microsoft so much, we'd be happy to have them here in the UK where we'd appreciate the jobs and monumental economic value of such a successful tech business.
    Tim Acheson
    • Actually, I caught them out

      They only admitted it because their then U.K. MD was a bungle who didn't clear he what he said with the lawyers, who you could see having a collective heart attack at the side of the stage.
      zwhittaker
    • It isn't Anti-Micrsoft bias

      Zack illustrates the legal conundrum that all cloud providers face. It isn't about who has better functionality in thier service, it is a legal conundrum that the cloud presents to the custodians of the data, and the vendors who are hosting it for them.

      Even if the vendor said in thier contract "I'm not going to comply with the Patriot Act request", they would eventually be forced to comply without the custodian's knowledge.
      NZO893
  • Got lobbyists?

    I can easily lobbyists for cloud providers having some influence here, especially if their executives are making discreet financial contributions to the major parties.
    John L. Ries