Last week I wrote about the perils of using proprietary software, where companies regularly hand over zero-day vulnerabilities to the US authorities who then go on to use them to break into foreign systems (and maybe domestic ones, too, but they're not owning up to that, yet....). Of course, cloud-based solutions are even worse, as we've known for some time. There, you are handing over all your data to the keeping of a company that may be on the receiving end of a secret US government order to pass it on to them – perhaps with necessary encryption keys too.
Against that background, this looks curious:
Eighteen months on and the Houses of Parliament is now in the process of moving a number of applications to the public cloud as part of plans to create a ‘digital parliament’, while making budgetary savings of 23 percent over four years. This includes a deal to migrate to Microsoft Office 365.
Er, that wouldn't be the same Microsoft as this lot, would it?
"The big outstanding element was data sovereignty," said Miller. "We needed to know what was happening to that data in the cloud, and that anything that happened to that data was in our control."
She continued: "We have been looking in a lot of detail at the workings of the Patriot Act in particular, and have had a lot of help from Microsoft in looking at how the Patriot Act in America might involve any services that we put into a cloud."
Oh, look, there's Microsoft again, offering completely objective advice about how it would never ever hand over UK customer data to the NSA. Except when it is told to, of course...
Fortunately, the Houses of Parliament IT people do seem to have been reading the news recently:
In addition, reports of the unofficial access to servers through the US National Security Agency's Prism scheme were taken into consideration. However, it was found that there was no reason to reassess plans to move data into the cloud, and overall the security benefits of using the cloud were clear.
"We were thinking we have to go back and check our work [following the Prism reports], and make sure that what we have done to measure the risk is adequate to deal with the knowledge that is public and not so public about the American government's use of data," Miller said. "In fact, we are reassured that everything we thought about is still covered in the work we have already done."
So why might that be?
According to Miller much of the data held by the Houses of Parliament is actually relatively low risk. She explained that, other than in certain circumstances, the majority of the data is already destined for the public domain.
This is a crucial point. If you host anything in the cloud run by US companies, it's effectively sending a copy straight to the US government. You should therefore treat it as if it were in the public domain. As the above indicates, the material that the Houses of Parliament plan to put in the cloud is, indeed, destined for the public domain, so using US systems like Microsoft Office 365 is really just giving the US government a sneak preview.
If you're happy with that, by all means continue using US-based clouds and US proprietary software. If, on the other hand, you are placing sensitive or even business-critical material in either of those, now would be a good time to start drafting that letter explaining to your soon-to-be ex-boss why you have been passing your company's business secrets to the US government, and thence to any US firms that compete with you. Good luck.