The rise of cloud computing raises a lot of legal issues, and one of the thorniest involves the variations in national laws governing the storage and use of personal and other information. Controls on data threaten, for instance, to prevent certain information from being stored in data centers outside a user’s home country, hence eroding some of the efficiencies promised by a global cloud.
And yet does the location of the data center really matter? I was listening recently to comments by an executive from Mozy, the online backup service. Noting that Mozy allows its customers to use a personal encryption key to encrypt the data that they store with the company (making it impossible for Mozy or anyone other than the owner to decipher it), he asked whether such encrypted information resides legally where the data is stored or where the encryption key is held. It’s an interesting and important question, as encryption promises to separate “information” from the bits of data that carry it.
Sounds like my thesis from 10 years ago: “Encryption and Public Policy”. Of course that was during the Clipper Chip era.
I believe that all information on any public network that may be personal, private or IP related must be encrypted. Certainly this will make things more difficult for law enforcement, but when did anyone say law enforcement was supposed to be easy?
Encrypting more information will provide law-abiding people and enterprises with a level of protection they do not currently enjoy. Government entities will be put to task to crack this encryption, as they feel it is their mandate to do so, but isn’t that how technological innovation comes about?
If encryption were perfect and guaranteeable, then perhaps, but it ain’t. Sure, we can get practical protection in most circumstances, but particularly in the case of governments we don’t know what their capabilities are. For example, if you were a company like Intel, and your IP was worth billions, would you hold it on a server in China and hope the encryption held and your key remained secret? Anyway, I’m not sure that it matters. Under EU law you can only pass to a ‘safe harbour’, and security is but one of the requirements. I’m not sure that encryption negates the other requirements. I can’t imagine a Judge buying the idea that encrypted personal data is not personal data. I certainly don’t!
Interestingly, I’ve just started re-reading Neal Stephenson’s Cryptonomicon, which has a very similar topic as a main sub-plot line: establishment of a “neutral” data-haven that is free from any and all government intrusion. Encryption is, of course, a key part of the plan. (Although the actual main plot of the book remains a mystery to me, establishment of the data-haven was but a step on the way to creating a hard “virtual-currency”.)
A bit dated maybe (published in ’99), but still an entertaining read.
Throw another wrinkle in there – imagine that Mozy was outside of the US.
Encryption then becomes a US Trade Law issue.
You might want to check with Mike Godman, he was at EFF during Clipper, and did a lot of work in this area.
While Dave Evans is technically correct, that even strong crypto can be broken, in practice it is not possible. See Bruce Schneier’s Applied Cryptography for calculations. With sufficiently strong keys, it would take as many computers as there are molecules in the Universe.
But, Mr Evans is correct in that the only secure computer is turned off, disconnected from all wires, inside a SCIF and protected by a squad of US Marines. If it’s on the ‘net, there are easier ways to get the data than breaking RSA. Nearly all access is done with social engineering. It’s a lot easier.
Nick, according to Gartner, locality (geographical) is the least popular feature of cloud for corporate respondents. This raises a legitimate question of why a cloud provider would want to move your data to, say, China or Russia (besides economical reasons).
In my practice, geotargeting is used mostly for high availability solutions or content delivery networks like Akamai (obviously not used to make your SSN or health records available globally).
I see a very loose logical relation between cloud computing, different countries’ legislation and various data attributes/lifecycle like encryption, privacy, retention, locality etc. It might work in pairs (encryption – legislation, cloud computing – encryption and so on), but not always altogether.
cheers,
Khazret Sapenov
Nick:
“Mozy allows its customers to use a personal encryption key to encrypt the data that they store with the company (making it impossible for Mozy or anyone other than the owner to decipher it)…” (emph. added)
Boy, that branches on a big assumption.
The integrity of encryption is a classic Popperian black swan problem. We have no idea whether encryption is broken. We can only know whether someone has publicly shown it to be broken. Given the incentives to keep such information private, that’s of little comfort.
Patrick:
“You might want to check with Mike Godman…”
I suspect you mean Mike Godwin.
I suspect the answer to that question is similar to the question of whether your stuff, lying in a Swiss bank locker, is in fact in Switzerland if you hold the key in the US, and nobody can open your locker without that key.
Never forget that Philip Zimmermann, when he released the source code for PGP, was investigated and almost charged for “munitions export without a license.” This was because the US government classified any encryption algorithm that used keys of greater than 40 bits as explosives. Bet you never knew that computer code printed in a book could explode! No smoking in the CS section of your library, please! Your tax dollar at work! Don’t you just feel safer already!