It seems the Patriot Act revision, which allows warrantless access to anything people store at a data centre in the United States, is already putting US-based cloud service providers at a disadvantage. Some European providers are using it as a selling point. Their potential clients can’t be accused of any misunderstanding over the Patriot Act, as protections against any unauthorised access to their data should always be a core demand.
I don’t see the situation changing anytime soon. It’s something most SaaS providers and their customers didn’t anticipate when negotiating SLAs, so the firms actually running the data centres have little obligation to challenge the government.
There are two further arguments here, which lead us to a rather tricky conundrum. Some, like myself, believe security, privacy and free expression are paramount, and must be protected by solid technical measures. Others believe law enforcement agencies should have ready access to anyone’s data, in the interests of fighting crime and terrorism.
Stephen Biggs, from the University of Wales Newport, takes the latter position and puts forward a reasonable argument for it. At least 70% of electronic crime is related to indecent images (and videos) of children, and potentially many criminals are utilising the cloud. In truth, we don’t know the actual extent of this problem, because any incriminating data is hard to access, hard to attribute, and even harder to pass off as reliable evidence. But should that argument be applied to the Patriot Act and undefined ‘terrorists’? Who exactly are the terrorists, and how many of them really are using the cloud?
Although I take a much different position to Biggs here, he pointed out in a recent conversation something most of us never thought of: Everyone’s being encouraged to outsource the storage and management of their information assets to third parties, but cloud computing isn’t mature enough for this. A decade ago, nobody was discussing the security issues related to it either. In other words, maybe we’re entirely wrong to assume confidentiality can be guaranteed with cloud computing.
Paradoxically, the cloud computing industry is being given too little trust to reach its full market potential. Any organisation can be compromised, and that risk is multiplied when another third party also has access to the data. Normally the SaaS and PaaS companies already have access to it, and now so does the US government. A compromise could happen through any of those entities.
Combined with the earlier point, I reckon it’s just a matter of time before a major provider and its corporate clients are compromised. Others are aware of that risk, and aren’t prepared to take it, especially with intellectual property theft and industrial espionage allegedly on the rise.