This week, I attended Think G-Cloud, which was MC'd by our own Stuart Lauchlan. The line-up of speakers was excellent and the name badges read like a roll call of the most important UK government departments. However, it was the closing keynote given by Joan Miller, Director of Parliamentary ICT Service, that caught my attention.
During her walk-through of their G-Cloud initiative, Ms Miller talked at length about how her unit agonised over security issues. Inevitably, some of that discussion touched on PRISM. Afterwards, I asked her to explain in more detail what she meant when she alluded to a risk assessment for PRISM.
It turns out that in the early stages of discussion with Microsoft, their preferred partner for cloud-based office productivity, some two years ago, both sets of lawyers hammered out appropriate wording for their agreement on data location, privacy and security. Ms Miller said that Microsoft has provided Parliament with assurances that its data is held in data centers not subject to the Patriot Act and all that flows from that, except for maybe 'five percent risk.'
Right now there are conflicting reports about whether Microsoft's non-US data centers can be made the subject of a snooping order. This from Zach Whittaker on CBS News:
"Most cloud providers, and certainly the market leaders, fall within the U.S. jurisdiction either because they are U.S. companies or conduct systematic business in the U.S.," Axel Arnbak, one of the authors of the research paper, told CBS News.
And this from Chris Jager at Lifehacker:
“If a European customer is running a European data centre, it will not be subject [to the Patriot Act]. That particular piece of hardware is owned by that European company. This is something we have been dealing with for several years now,” [Microsoft’s senior director for servers and business tools, Steven] Martin explained.
Which is it? We may never know, as any dispute would likely be heard in a secret court. Having said that, Zach Whittaker has most recently provided a blow-by-blow account of legislative efforts in the EU which suggests that the extent of the US ability to snoop is far from settled.
It comes as no surprise, then, that when PRISM hit the headlines the topic was revisited. "It all comes down to location," said Ms Miller with a beaming smile. In other words, the US government can snoop all it wants, but communications from the UK's lawmakers are considered safe from prying eyes on the strength of that data-location assurance.
There are clear lessons for all who are engaged in cloud-based development and those using cloud services. If you believe Microsoft, are a European business and want to assure customers that they are not subject to PRISM, then make sure your data is located outside US jurisdiction. If you are primarily a European business using data centers located outside the US, then on Martin's reading you are safe anyway. The caveat, on Arnbak's reading, is that the provider's own jurisdiction can matter as much as the location of the hardware, so the contractual wording on data location is the thing to check, not just the address of the data center.
Image credit: Parliament