Sunday, July 24, 2011

If Your Data Lives In Moscow, Are You At Risk In The U.S.?

Google's new data center - Finland
Even though I'm a U.S. citizen residing in the U.S., my Gmail messages, attached files, Google documents, and Google chat logs may reside in one of 17 different nation states, and may be accessed through differing legal standards in each. Those states are the U.S., Canada, Brazil, Germany, Switzerland, The Netherlands, Belgium, France, U.K., Ireland, Italy, Russian Federation, Japan, People's Republic of China, Malaysia, Austria, and Finland. If the foreign government of a state where Google does business issues an order for Google to provide information on parties of interest who represent a threat, have committed a crime, or whatever is required under that state's security laws, then Google is frequently obligated to comply. This also applies in states where Google has established a sales office but not a data center.

2008 Wayfaring map of Google data centers
Google provides partial information on the user data requests that it receives from governments here, and information about its Transparency program can be found here. It's interesting that neither Russia nor China is on the user data list, but Hong Kong is (with 90 requests in 2H 2010). That's probably due to the very low use of Google services by Russian and Chinese mainland citizens.

The question that's puzzling me is whether or not a U.S. citizen's data which is hosted on a foreign server can be accessed via a request from that state's security agency. And an even more basic question is: shouldn't I, as the owner of my own data, know where in the world that data resides and have a say in the matter? Google's Privacy Policy specifies that your data may be moved around:
"Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information outside your own country."
In a different twist on the same problem, Gordon Frazer of Microsoft U.K. was recently asked a very pointed question:
"Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?"
Frazer's answer was "Microsoft cannot provide those guarantees. Neither can any other country." Most folks won't be affected by this layer of extended vulnerability, but for those individuals who are of interest to foreign states, including the U.S. government if you're from another country, it should serve as a warning to avoid cloud-based services as much as possible. Speaking personally, I've cut way back on my use of Gmail and I'm having second thoughts about my use of Google+. The same would apply to Microsoft, Amazon or any other cloud provider that refuses to guarantee that my personal data will stay in the same country that I live in.

UPDATE (9 AUG 11): Google acknowledges the same legal requirements that Microsoft did regarding its E.U. customers and its requirements under the U.S. Patriot Act in this German article (Google Translate).
