Subscribe to CIO Magazine »

Does your cloud vendor protect your rights?

From time to time, organizations are asked to provide access to data for legal reasons. Those requests can be more complicated when the data is in the cloud. But a new report sheds some light on one critical aspect of such requests.

One risk with cloud computing is that the customer has less control over who can access its data. When customer data is stored on and processed by the cloud vendor's data center instead of in-house, what's to stop a third party, such as the government, from going directly to the cloud vendor to obtain access to that data without the customer's permission or knowledge? And if that happens, will the cloud vendor's priority be to protect its customer's rights and data or to protect itself?

With the April 30, 2013, release of its third "Who Has Your Back?" report, the Electronic Frontier Foundation (EFF) has tried to answer these questions. The report reflects that, as with most things in the cloud, vendors vary widely on how they handle third-party requests for access to data. For the 2013 report, the EFF used six criteria to assess cloud vendors, and awarded a star for good performance in each category. The six criteria are:

Does the cloud vendor publish transparency reports?

Google was the first out of the gate when it began issuing its Google Transparency Report three years ago. Since then, more cloud vendors, including Twitter, Dropbox and, most recently, Microsoft have followed suit by issuing their own transparency reports. These reports typically provide statistics regarding how often the vendor receives and fulfills government requests to provide access to customer data. In response to the changing technological and legal landscape, these reports continue to evolve. Effective March 5, 2013, Google announced that it will begin including data about National Security Letters (NSL) in its transparency report.

Does the cloud vendor notify customers?

Does the vendor tell customers about government data requests, unless prohibited by law? Doing so provides customers with the opportunity to protest or defend against overreaching government demands for their data.

The caveat "unless prohibited by law" is directly connected to NSLs. Five different federal statutes enable the FBI to obtain records for foreign intelligence or international terrorism investigations via an NSL that the FBI can issue on its own authority and without court approval. The Patriot Act expanded on this to include a "gag" provision prohibiting the vendor recipient of an NSL from revealing anything about the NSL, including that it has been received. This prevents the vendor from notifying anyone, including the owner of the data requested, that such a demand has been made. NSLs have understandably been controversial.

On March 14, 2013, Judge Susan Illston of the Federal District Court for the Northern District of California ruled that the NSL provisions in federal law violate the First Amendment and the separation of powers principle, and ordered that the FBI stop issuing NSLs and cease enforcing associated gag provisions. This ruling is stayed for 90 days to allow the government to appeal. The appeal is still pending.

Does the cloud vendor defend customer rights in court?

Has the vendor defended its customer's rights by contesting government access requests in court?

Google earned its EFF star for fighting for customers' privacy in court, in part, for its recent efforts to push back on an NSL. According to a March 29, 2013, filing in the case of "In Re Google Inc. (GOOG)'s Petition to Set Aside Legal Process, 13-80063, U.S. District Court, Northern District of California (San Francisco)", Google is challenging a government demand for access to customer data in a national security probe. The results of Google's efforts are still pending.

Twitter earned its EFF star for fighting for customers' privacy in court, in part, for its efforts last year in the case of New York v. Harris. In this case, Twitter was subpoenaed for the records of Twitter user Malcolm Harris who was involved in Occupy Wall Street protests. These Twitter records identify not only the content of the user's tweets, but the date they were sent, and the location of user at the time they were sent. The court ruled Harris had no right to contest this subpoena, so Twitter contested, but lost and then appealed. After waiting on the appeal ruling for seven months, Twitter was forced to provide records on Sept. 14, 2012, prior to results of appeal.

Does the cloud vendor require a warrant?

Does the vendor require the government to produce a warrant supported by probable cause before handing over customer data? The following Facebook policy was cited as being exemplary in this area:

A search warrant issued under the procedures described in the Federal Rules of Criminal Procedure or equivalent state warrant procedures upon a showing of probable cause is required to compel the disclosure of the stored contents of any account, which may include messages, photos, videos, wall posts, and location information.

Does the cloud vendor publish law enforcement guidelines?

Does the vendor have established policies or guidelines regarding how they respond to data demands from the government? If so, does it make those publicly available? Thirteen of the 18 vendors evaluated received stars in this category.

Does the cloud vendor fight for customer rights in Congress?

Does the vendor support efforts to modernize electronic privacy laws to defend users in the digital age by joining the Digital Due Process Coalition?

Customers concerned about their data need to be aware of their cloud vendors' policies in this area. When the vendor does have appropriate policies regarding how it responds to government data access requests, a customer should incorporate those policies into its cloud contract to reduce the risk that the policies might be diminished going forward.

Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Dropbox, EFF, Electronic Frontier Foundation, Facebook, FBI, Google, Inc., Microsoft, Wall Street
Comments are now closed.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Google, security, internet, cloud computing
Latest Blog Posts
  • The CIO Paradox
    As there are timeless leadership principles underlying IT value, there are unfortunately also timeless challenges that thwart the IT organisations efforts and make for a rocky path to CIO success. These are the inherent contradictions we call the CIO Paradox.
    Learn more »
  • ERP in the Cloud and the Modern Business
    Businesses are realizing that the cloud is the future of enterprise software and offers many attractive business benefits. But there is much to think about when evaluating the potential move to a cloud model, especially for core systems like ERP. View IDC’s White Paper ERP in the Cloud and the Modern Business, written by Mike Fauscette, Group Vice President, Software Business Solutions, IDC, to review IDC CloudTrack Survey findings, gain expert insight into the challenges and opportunities the cloud presents, and determine which deployment option could provide the biggest benefits for your organization. View the White Paper to discover: How to run your business more effectively in the cloud; How to choose the right deployment model for your ERP solutions; How new technologies create opportunities to innovate, giving you that competitive advantage
    Learn more »
  • Information Management
    Valuable data can be a needle in a haystack, but by leveraging the value in existing information assets, organisations can generate real and achievable gains in revenue generation, IT investments and productivity gains. This whitepaper discusses how Information Management (IM) is a multi-faceted discipline that can be employed to meet or exceed your business objectives.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Latest Jobs
Salary Calculator

Supplied by

View the full Peoplebank ICT Salary & Employment Index

Recent comments