Where in the Cloud am I? And more importantly: Where are my data? I know that many managers and CIOs are asking themselves similar questions. In fact, as I have posted before, a colleague of mine put that question to Martin Jetter, CEO of IBM Germany, at a briefing about a year ago, namely: “If I give you my data to store in the Cloud, where exactly are they?” Mr. Jetter didn’t quite get the question at first, so he launched into a lengthy technical explanation, but the guy interrupted him and insisted: “I mean, physically, where are they?”
Of course, there was no really good answer, and Jetter sort of danced around the question and then hurried on to something completely different (in the famous words of John Cleese of Monty Python fame). The scene came to my mind recently when I read a Software Advice blog post by Gustav Westerlund, CEO of CRM-Konsulterna, a Swedish consultancy, entitled “Is Your Cloud Safe From the Law?” in which he discusses the lack of legal precedents concerning transnational laws and trade agreements with respect to cloud computing. He asks two deceptively simple questions, just like my colleague did to Mr. Jetter, namely:
- Which country’s laws apply to the data stored in the Cloud?
- Which country’s laws apply to the data being transferred?
I have blogged about this subject myself concerning the ramifications of European data protection laws which have forced Amazon, for instance, to operate a completely self-contained “European Cloud” based in Dublin so that their European customers won’t go to jail (or have to pay the maximum fine of 300.000 Euros stipulated by the EU directive) just because somebody’s name and address made it across the Atlantic due to the magic of packet switching. But Westerlund takes the issue a step further.
He asks what happens if a company manufactures hi-tech weapons and uses salesforce.com to store highly sensitive data concerning, say, Cuba as a potential customer. Okay, Sweden doesn’t have an embargo, but the U.S. does, and presumably the CIA, the FBI or the NSA would be extremely interested in checking out what’s going on. In fact, they might even issue a subpoena in order to lay their hands on the CRM database if it is stored on a server located in the United States. And who’s to stop them? The Cloud provider, if based in the U.S., is subject to local law, even though the Swedish company isn’t. In the worst case, their database is gone or at least it could fall into foreign (American) hands.
And even if the Cloud Provider and the company are both based in “neutral” countries, what’s to stop U.S. authorities from intercepting the data en route? After all, it is physically located in the United States, if only for a few milliseconds (probably longer, since the hop server will probably keep it in cache for a while).
Westerlund recommends that European companies, at least, make sure their Cloud Provider is located in Europe, too, and that mechanisms are in place to prevent the data leaking out of the EU. If you take that idea to its logical conclusion, you wind up with a patchwork pattern of “national clouds” in places like China, Saudi Arabia, or Russia where authorities might try and enforce their own notions of legality on the Internet. Does this mean that the Net will wind up resembling one of those funny-looking historical maps of Germany in the 18th century, when the country was split into more than 300 mini-principalities and fiefdoms? Good question – almost as good as the one my colleague surprised poor Martin Jetter with.