Wild Wild Cloud: Verification of Data Protection Impossible

Neelie Kroes, the EU Commissioner for the Digital Agenda, is currently working on a European strategy for cloud computing. She planned to present her concept to the public a few days ago, but then postponed. Policymakers have not yet given a reason for this, but it is likely that the topic is simply too complex to be decided quickly.

But Kroes gave insight into her general approach at the end of July. She wishes not only to define the legal framework, but also to document technical standards and initiate corresponding pilot projects. Her first goal is likely the most difficult. The 27 member states all have different laws and regulations, but no cloud users know in what country their data or parts of their data are stored when using a service from an international provider. This is especially problematic when the data are stored outside of the European Union, for example in the USA where there are no federal data protection regulations.

Verification of data protection virtually impossible
The rights of the cloud users are correspondingly vague. Thilo Weichert, state commissioner for data protection in Schleswig-Holstein, recently published the results of his study on "Cloud Computing and Data Protection." He discovered that there are also serious deficits in the European Union when personal information is processed.

For example, Weichert found that it is "virtually impossible" for data protection authorities to audit security in clouds that store data in outside countries without specific grounds. He knows of no single audit of this kind within the EU; the data protection authorities are powerless. The people running the clouds can manipulate the infrastructure as they wish to avoid data protection audits.

Security through obfuscation
Weichert also stresses that the technical and organizational measures that are implemented for data protection need to be specified in the user agreement. "Security through obfuscation" as is largely practiced today is not a viable solution. By way of example, he named Google, which calls data protection "a question of trust."

Weichert also sees the need to define the liability of cloud providers to their users. The cloud operator must cover damages that the user is not responsible for, he said. For this, the applicable laws and the place of jurisdiction need to be defined. And what will happen with the stored data when the provider goes bankrupt or is acquired by a different company also needs to be defined.

Safe harbor not enough
There is also a cross-border problem. European data may only be stored in outside countries that have "adequate data protection standards." At present, the only countries that meet these requirements are Switzerland, Canada, and Argentina. The EU Commission could not verify this for the USA, where the largest commercial cloud providers are headquartered.

The Safe Harbor Agreement, which is intended to facilitate practical data transfer between the USA and Europe, is not a suitable framework, said Thilo Weichert. It is based on the self-certification of US companies. This does not allow the stricter data protection regulations in Europe to be complied with.

The SAS 70 Type II certificate that American providers like Google and Salesforce use to document their trustworthiness is only partially acceptable because it does not take all interests of the affected parties into account for data transfers. But such a certificate at least indicates that the data centers are audited by independent third parties. According to Weichert, one solution would be binding internal rules that companies could use to contractually guarantee an adequate level of protection. But no companies have yet done this.

Cross-border eavesdropping
Another issue is legal communications monitoring. Governments give themselves widely varying access rights. For example, the US Patriot Act requires data access at foreign subsidiaries of US companies. And data can be accessed for investigations into suspected tax, financial, economic, and drug crimes as well as organized crime on the basis of a "Bank of Nova Scotia Subpoena." Clouds are also specifically covered by the Foreign Intelligence Surveillance Act (FISA), which allows non-US citizens to be monitored outside of the USA over remote computing services, which include clouds.

Countries such as China and the Arab states are also known to have similar access rights to cloud data. And European Union member states also have their ways to snoop. A British law called the Regulations of Investigatory Powers Act has required users and operators to provide cryptographic keys under threat of imprisonment since 2000. In Sweden, an intelligence law permits the comprehensive Internet and telecommunications monitoring of non-Swedish citizens, and permits information to be passed on to other countries. What this means is that affected cloud users have no way of determining who is accessing what data.

Users need to assess the risks
Because the European Telecommunications Standards Institute has already developed a technical standard for the acquisition and storage of communication in Web 2.0 services – which are usually organized as clouds – we can assume that police agencies will soon have access to cloud communication throughout Europe, possibly without sufficient judicial oversight.

Schleswig-Holstein`s deputy state commissioner for data protection, Marit Hansen, has dealt extensively with this problem and came to the following conclusion: "Users need to be informed of all possible processing locations." Otherwise, there is no way to analyze the risks in connection with legal access rights.