Outsourcing and confidentiality

the bureaucracy's failure to really understand either the roleidentification plays in law enforcement
Written by Paul Murphy, Contributor
Several of the people who commented on my Feb 14th out-sourcing blog mentioned concerns over data privacy. Here's how no_axe_to_grind phrased it:


One negative you missed. Law enforcement/spying

Assume you out source something/anything to do with your companies/customers data. If you are served with a court order to hand it over you may well decide to throw big money at fighting the order. But will the company you out sourced too be willing to do that on your behalf?

Assume you are paying an out source company $50K a year in fees. Are they going to be willing to spend say $200K on legal fees, lawyers, time to put up a defense for your data? I would say in most cases the answer is no.

That's my guess too, but I don't think he goes far enough. What I think would happen isn't just that the typical outsourcer would find ways to cut its cost on defending your data, but would actively distance itself from, and thereby obstruct, your attempts to do so on its behalf.

As I said in a blog series starting on December 12th of last year, most of the activities leading to the concern no_axe is grinding away at here result, at least in the United States and Britain, from the bureaucracy's failure to really understand either the role identification plays in law enforcement or what alternatives to traditional methods exist.

It will take years for that to work itself out, and there's little reason to doubt that no_axe's concerns will be realized in that process, but a far more immediate concern arises from the fact that companies like Microsoft, Yahoo, and Google try to take a "pragmatic" approach to working with foreign governments. Microsoft, for example, licensed Windows source to Communist China while denying the U.S. defence department access (see: Microsoft, Open Source and National Security (Linuxinsider, April 22/04) and both Yahoo and Google have recently been caught accommodating Communist China to provide both censorship support and user identification information.

This kind of abuse of privilege does not, however, have to be so blatantly obvious. It's possible, for example, for a company which might refuse on principle to hand over user emails to instead accept incentives to put global processing centers or other services inside communist China, or jurisdictions it controls, that have the effect of routing email from target areas like Taiwan or Palo Alto through filters we're never likely to hear about.

On a less paranoid level a somewhat comparable argument applies to unorganized industrial espionage: your outsourcer's employees have relatively easy access to your data, and could be shopping it to their next employer - your competitor.

That's true of your own employees too, of course, but if your Joe becomes their Joe, someone in your organization will know about it and alarms will go off when the new employer start to pick off all your best customers. That human control is missing in the outsourcer situation: you don't know who works for your outsourcer, you don't know who has access to your data, you don't know where those people came from, and you don't know where they go next.

Indeed you don't even really know if the controls you contracted for are in place and it may take a disgruntled former outsourcer employee's decision to contact the press for you even to find out that your data has been stolen.

And all of that raises a very difficult question: Sarbanes-Oxley requires senior management to guarantee that adequate data integrity controls are in place, but all they can really do in an out-sourced IT situation is attest that the contract they signed with the outsourcer calls for those controls to be in place. To go beyond that requires sending their own auditors into the outsourcer's operation - a process that has its own legal risks because a through audit of a shared facility is virtually certain to expose competitor information and business processes.

Editorial standards