More on the insecurity of cloud data

As I previously discussed in a guest posting at Software Advice, the legal aspects of cloud computing are interesting, and a recent article in “Computer Sweden” (in Swedish) again raised this issue, with references to the relevant law in the US.

The article references the law Foreign Intelligence Amendments Act, FISAAA, and describes how it can be used without any court order or case-by-case permits. According to the interpretation of the law, it has some limitations but can rather freely be used to gather non-American data. It does not have to be political data, but can just be data from a foreign region affecting US foreign affairs.

As it does not require case-by-case permissions, the interpretation of the law is probably handled quite far down the ranks, where this is deemed necessary. The interpretation could hence also be quite wide, and I would not be surprised if data such as defence industry business opportunities fall within this area, and probably other related areas. Foreign affairs is a wide definition; automobile export, telecommunication equipment and software export are definitely within the boundaries.

I would hence strongly advise against putting data in countries with legislation similar to this (the USA is definitely not the only country). When using the Microsoft Dynamics CRM Online service in Europe, the case is a bit better, as the data is stored in countries within the EU's jurisdiction. The US law is, however, interesting in this part, as it focuses on the companies being American and not on where the data is actually stored. Hence, it might be that the US government is able to push Microsoft/Salesforce/Google or any other American cloud systems supplier into handing over data, backed up by this law, even if the data is stored in other countries.

To be on the safe side, from the legal aspect, storing the data on your own servers, run by your own people, is always the safest. Their loyalty lies with your company and you have control over the physical storage of the data. Do note that this, however, is no safeguard against hackers.

Gustaf Westerlund
MVP, CEO and owner at CRM-konsulterna AB