In cloud we trust

A recent cloud computing ruling will hopefully prevent governments from demanding access to data outside of their geographical jurisdictions.

By Stergios Saltas, MD of Striata SA.
Johannesburg, 10 Aug 2016

A ruling handed down by the US Second Circuit Court of Appeals on 14 July is good news for the cloud computing sector globally. The case, between Microsoft and the US government, revolved around a search warrant issued to the US Department of Justice, which sought to access e-mails stored on a Microsoft server located in Ireland. After being defeated twice, Microsoft won on appeal, when the judge ruled the search warrant could not be executed to obtain information residing outside of US jurisdiction.

A bit of background: in 2013, a New York federal magistrate's court issued a search warrant to the US Department of Justice (DOJ), against Microsoft. The warrant gave the DOJ the right to access personal user data and e-mail contents related to an ongoing narcotics investigation. Microsoft challenged the warrant on the basis that information stored in Ireland fell outside the US's jurisdiction, and that the DOJ should use the applicable international legal channels should it wish to gain access to the information.

By their very nature, cloud computing infrastructures are distributed, and user data can be housed in data centres across the globe. This feeds into the debate as to whether that data is protected under the laws of the country in which it resides, or the point of origin of the data, or the location of the data subject.

Cloud clarity

The ruling is important for the cloud computing sector specifically because it provides a high-profile case in which a point of law has been clarified. A ruling against Microsoft would have created legal precedent for governments to request data from providers outside of their geographical jurisdictions. In the Microsoft case, one of the company's arguments was that the scope of the warrant was too broad. Had it stood, it would have opened up a potential floodgate of user information and data requests from governments related to national security and criminal investigations (to name a few).

The outcome of the DOJ vs Microsoft ruling will go a long way to establishing trust in cloud services, particularly as it pertains to whether governments may or may not demand access to data housed outside their jurisdiction.

There is no debate that South African cloud providers have a responsibility to protect personal data residing on their servers. In terms of local data privacy legislation, specifically the Protection of Personal Information Act (POPI), a cloud provider would be considered an operator (i.e., a company that processes information on behalf of other companies) because it owns the infrastructure on which personal information is gathered, processed or stored. Compliance requires that any data originating in SA only be hosted in a jurisdiction which has equal or better data privacy laws.

While the MS vs DOJ case sets a global precedent, South Africans will have to wait until the Cybercrimes and Cybersecurity Bill becomes an Act to know what data will be prohibited from residing outside of SA.

Stringent protection

Jurisdictional privacy aside, what about data security?

While the ruling provides some clarity on the right to privacy of individuals when it comes to their data in the cloud, there is still the matter of the security of that data. The cloud computing industry has been subject to very public data breaches (mentioned in my previous Industry Insight), which have raised questions as to whether or not personal data in the cloud is safe from cyber criminals.

Security needs to extend beyond network level security (firewalls) and encryption at the database level. Repositories of data, like those found in cloud systems, are honeypots for cyber criminals, and need to be rigorously protected, across multiple layers.

Data security isn't a destination; it's an ongoing journey for both cloud providers and data owners, as responsibility for data security lies with both. Confidential information must be secured at every point, whether it is housed on a company's systems, in transit to a cloud provider or external party, or when it is stored and archived.

Beyond authenticating access to systems, documents should be individually encrypted. Access to data should be controlled by strict policies and procedures to ensure people only have contact with the data they are authorised to access.