Global data privacy law firm Hogan Lovells just published a white paper outlining the results of a study about governmental access to data in the cloud. The paper was written by Christopher Wolf, co-director of Hogan Lovells’ Privacy and Information Management practice, and Paris office partner Winston Maxwell. The Hogan Lovells press release is here and full white paper here.
Worldwide IT press picked up the study, including Computerworld, PC World, IT World, and IDG News. Unfortunately, the articles generally say “The US Patriot Act gives the US no special rights to data” and downplay differences between laws in the US and ten other countries.
It’s true that in most countries, if the government wants your company’s data, they have a way to get it. It’s also true that if a Western government wants your data sitting on a cloud server in another Western country, they have a way to get it.
I confirmed this last point in person with a Deputy Director from the FBI at a security conference. I asked, “What would you do if you needed to get data from a German company at a cloud provider in Germany for a US investigation? You have no rights there.” She smiled and said something like, “We would just call our colleagues in German intelligence and ask for the data. They would give it to us because we would return the favor on their next investigation.” There are also MLAT treaties in effect, of course, that put some legal framework around this.
The study did point out – in the fine print – that only Germany and the US have gag order provisions that prevent a cloud provider from mentioning the fact that it has disclosed the data you paid it to protect. This is the part of the Patriot Act that hurts US cloud providers.
Any IT security professional would want to know if his company’s data has been accessed, regardless of whether it is lawful access from a government investigation or whether it’s a cybercriminal attack. The point is that if it’s YOUR data, anyone who wants to see it should present YOU with a lawful order to disclose the data.
For a government to ask your cloud provider to do this behind your back is underhanded, cowardly, and bad for all cloud providers worldwide. It fundamentally breaks the trusted business relationship between a cloud provider and its customers.
But at a higher level, this research proves a bigger point – that your data will be disclosed with or without your permission, and with or without your knowledge, if you’re in one of the 10 countries covered. What’s an IT professional to do?
There is only one answer, and it’s probably obvious: encryption. If your data sitting in the cloud is “locked” so only someone with keys can see it, you’re protected. If a government – or anyone else – wants to see your data, they need to ask you – lawfully – for the keys, which gives you the right to fight the request if it is indeed lawful.
The small detail that matters most here is how you handle the encryption keys. If your data is sitting right next to your keys at the same cloud provider, the cloud provider can be forced to hand over your keys and your data, and you don’t get any real protection.
On the other hand, if your data is safely encrypted at your cloud provider, and your encryption keys are on a policy-based key management server at another cloud provider, or under your own control, then your keys can only be disclosed to authorized parties, and you control who the authorized parties are.
In other words, policy-based key management will protect you from potentially unlawful data requests from your own government, from other governments, and from cybercriminals.
It’s time to ask yourself why you’re not using policy-based key management in the cloud, if you’re not doing it already.