UK cloud providers issue warning as Google loses privacy case to FBI
Google has been ordered to move some of its email data from foreign datacentres back to the US - a move which UK hosting providers claim jeopardises UK customers
UK-based public cloud providers have cautioned UK organisations storing data with US cloud firms after Google lost a lawsuit against the FBI.
On Friday US Judge Thomas Rueter ruled that Google must transfer emails stored on servers abroad back to the US for the FBI to view, Reuters reported.
The judge ruled that transferring the data to the US would not have any negative impact on the account holders of the emails, and that no infringement would technically be made until the emails had been seized by the FBI.
"Though the retrieval of the electronic data by Google from its multiple datacentres abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States," Judge Rueter wrote.
Google has said it will appeal the judgment, but managed hosting providers in the UK have been quick to point out that they warned something like this was coming.
The background
The confusion around the jurisdiction of the US government when it comes to data stored outside of the US has long been an issue raised by UK-based cloud providers, who maintain that the US government has the power to seize information from outside its own borders if the company storing it is American.
This has regularly been played down by the likes of Amazon Web Services, Microsoft and Google which - having brought datacentres to the UK - claim that data can be stored safely in the UK to meet data sovereignty requirements.
"The US government are making it very clear, if you host your data, use email services or have any technological dealings with global American firms, you need to be prepared for them to access your data at will. It's as simple as that" - Lawrence Jones, UKFast
Their confidence was seemingly backed-up when Microsoft won a court case in July 2016 meaning it did not have to turn over information from its Dublin datacentre to the FBI - but a number of recent developments have raised concerns in the UK cloud market.
Nicky Stewart, commercial director at UKCloud, argued that the Google court case should leave UK organisations, particularly public sector bodies, feeling concerned about the safety of their data.
"Public sector bodies with contracts with US cloud firms need to make an immediate privacy impact assessment, and if necessary, seek expert legal advice," she said.
"They may need to scope out migration options to move workloads so data privacy and sovereignty can be assured.
"As they prepare for Brexit and GDPR as well as the Prime Minister's new industrial strategy which actively favours UK firms for government contracts and procurement for growth in the post Brexit world, departments are going to need to weigh up the risks, in terms of data privacy and sovereignty and currency fluctuations, of doing business with non-UK providers."
Mounting concerns
Stewart highlighted several other concerns that she says prove that UK data is not safe in US-based firms.
In December last year Rule 41 of the Federal Rules of Criminal Procedure came into force in the US which potentially gives US judges the right to issue warrants allowing the FBI to remotely access data anywhere in the world.
Donald Trump also issued an executive order last month weakening the privacy rights of non-US citizens.
Section 14 of his order states: "Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."
On top of the political moves, the US Department of Justice is refusing to accept defeat in its legal battle with Microsoft, and at the end of last month saw further attempts to overturn the ruling rejected. Further appeals have not been ruled out.
Lawrence Jones, CEO at cloud provider UKFast, said the problem lies in what he sees as the US' disregard for privacy laws in other territories.
"My concern is that the US appears to position itself above the law with regards to other countries," he said. "It's extremely important to respect other countries' laws especially where data privacy is concerned.
"The UK and Ireland have a simple and clear process that we follow for allowing access to data if someone appears to have broken the law.
"The FBI in this current Google case shows complete disregard for people around the world and our privacy. Laws that are in place to protect people and prevent serious crimes like terrorism are now being abused to allow instant access to all manner of requests.
"That being said I actually think that we have got the best clarity that we've ever had before. The US government are making it very clear, if you host your data, use email services or have any technological dealings with global American firms, you need to be prepared for them to access your data at will. It's as simple as that."
Don't panic
While the UK cloud providers have been quick to seize any opportunities that arise from unrest in public cloud customers, Chris Bunch, head of Europe at cloud MSP Cloudreach, explained that the Google situation is not as severe as it might seem.
He explained firstly that the judge's ruling refers to a small part of Google's cloud offering; and secondly Google will sometimes move data around its datacentres to maintain speeds for certain end users - but not if an enterprise has to abide by data sovereignty regulations.
The data for a UK-based consumer, for example, would more than likely be stored in the UK - but if they went on holiday to Australia, Google may shift some of the data to its Sydney datacentre for performance reasons.
"Google automatically shuffles around some of your data into different datacentres for a variety of reasons, which is good," he said. "As a consumer it doesn't bother me. Google has one of the most advantaged file sharing systems in the world.
"What the judge is saying is the US government is allowed access to these emails specifically on the grounds that Google is moving this data around anyway which doesn't apply in the case of Google Cloud, or Amazon, or Microsoft Azure. In those cases you pick your datacentre and the data stays there unless you tell that cloud provider that you want to set up some replication.
"The reason this one got through I think is possibly due to a misunderstanding of the technology by the judge, or at least his interpretation of what is an incredibly advanced distributed file system that Google has created and it only applies to their Gmail and G Suite products - not the normal cloud offering.
"It doesn't make sense that a similar offering from Microsoft can have their appeal upheld, and then they let the same thing go through for Google because of a slightly different technology quirk."
Bunch said that enterprises who follow strict regulations on where their data is stored should not be concerned about this issue because their data will not be moved around in the same manner.
"For anyone putting their data in Amazon, Google Cloud or Azure they don't have to worry about this and nor would any of those enterprises that are now employing some of the best legal teams in the world relating to this type of information," he said,
"You see some of the most secure organisations on the planet - whether that's central government in the UK or the US, or financial services - moving sensitive public data to the public cloud and they're doing it because they know it is safe."