Legal Battles Over Local Data: Why Your Cloud Location Matters

Placing data in the cloud comes with a set of concerns — accessibility (will my information always be available if the cloud has technical problems?) and security (how safe is my data when I can’t control the security measures?) chief among them. Of these, security has long been the primary concern for technology decision makers considering the cloud.

Recent surveys reveal that while security remains top of mind, the location of data is rising in prominence as a barrier or concern for cloud adoption. These concerns stem in part from the difficulty of visibility into data transit and storage. Customers might want to know where exactly their data is residing so they can retrieve it quickly — and also for legal implications, which we’ll get into momentarily.

With many clouds, because of the way cloud storage works, data might be spread over several servers or storage arrays, and even between multiple data center facilities. This makes it hard for even the provider to identify exactly where data is stored.

But while transparent cloud service providers might be forthcoming with their infrastructure design details and maintain their security through a strong web of compliance standards and data security best practices, there remain legal entanglements to the storage of data in the cloud.

The Government is Even Less Transparent than CSPs

Cloud service providers (CSPs) are often companies that are notorious for their secrecy. Amazon, Google, and Microsoft do not want to reveal how their technology works for good reason: they want to maintain their market share and technological advantages. They’re beginning to see that some customers demand transparency, however, and in fact Google, Facebook, and others have posted detailed technical explanations of their in-house developments for hosting and data center design.

One player is not so forthcoming. The federal government wants access to data to help in ongoing investigations (and potentially for general surveillance, but we won’t go down a particularly political rabbit hole in this blog). State and local government organizations may also need access to cloud data. And if your company is embroiled in a legal issue, the courts may request access to information stored in the cloud.

Of course, things get difficult here for reasons we have already explained. If even the CSP doesn’t know where data is stored, who has jurisdiction over it? If the CSP is storing information in an offshore data center, does the United States government have the legal right to access it? What other laws from other countries might apply to your information?

Different countries have different data protection laws; each with their own set of requirements and prohibited behavior. Some may practice unfettered surveillance over data stored within their borders. In the United States, you may not even know if your information has been accessed by a government entity.

Microsoft vs. the Feds

That’s the crux of an ongoing fight between Microsoft and the feds, which may end up in the Supreme Court. The most recent development was a refusal from a Seattle District judge to allow to case to proceed. Essentially, Microsoft filed the lawsuit in 2016, arguing that its customers should have the right to know when the government requests access to their data. Currently, the government has a gag order on all data requests with no expiration date, which Microsoft says is a violation of the First and Fourth Amendment rights.

This isn’t Microsoft’s first fight with the feds over customer data. In late 2013, the Department of Justice sued Microsoft for access to customer emails stored in a Dublin data center facility. Microsoft’s argument was that because the information was stored abroad, it was outside United States legal jurisdictions. Microsoft lost and subsequently appealed, winning the appeal in mid-2016. This latest ruling comes from the DOJ appealing that overturning of its original ruling, arguing that data storage is arbitrary. Because the appeals court ended in a deadlock, it is likely to reach the Supreme Court, assuming the DOJ once again appeals.

Such court cases bring to mind a future in which offshore data storage is coveted similarly to a Cayman Islands bank account — a way to discourage or altogether avoid forces of the law within ones own country. You shouldn’t consider this paradigm as one solely useful for criminals though. Information privacy is vital to us all.

Google Fights a Similar Battle

Strangely, Google lost its own case at nearly the same time as Microsoft won its appeal. In this case, data was also stored overseas, and Google turned some of it over to the FBI as part of an investigation. The ruling judge explained that, “transferring data from a server in a foreign country to Google’s data center in California does not amount to a ‘seizure’ because there is no meaningful interference with the account holder’s possessory interest in the user data.”

The ruling essentially came down to the fact that, as explained above, cloud providers often move data between facilities and even countries, often without notifying the customer. Indeed, the judge remarked that Google may not even know itself, or be able to relay to customers, where exactly that information is stored. Therefore, transferring it to the authorities is an arbitrary operation.

Google has appealed the ruling, citing Microsoft as a precedent. It is clear from these contrasting and remarkably similar cases that government access to cloud data is far from standing on solid legal grounds.

Your Data Location Matters

When contracting with a massive CSP, you may or may not be able to wrangle a deal to keep your data within certain geographic boundaries. The City of Los Angeles, for example, was able to keep some specific information within the continental United States.

However, for sensitive information, you are likely better off working with a smaller provider that has a smaller footprint. They will be better able to design a cloud infrastructure around your specific location and compliance requirements, and are also more likely to be amenable to informing you about data access from other parties — if, that is, they are legally able to oblige. Of course a smaller provider won’t be able to take on the feds in court on your behalf, unlike the big dogs.

For many workloads, this isn’t really a major concern. Cloud security is often stronger than on-premise systems and access by third parties is extremely rare. Whichever route you take, remember that the location of your data in the cloud does carry both legal and security ramifications.