Project Prism – do you know where your data is?



Facebook and Microsoft are among numerous American technology organisations revealing details of requests for data made by the National Security Agency (NSA) as part of its data recovery project, Prism. In the wake of Edward Snowden’s whistleblowing, it has come to light that many American corporations have been subject to requests from the US government for data pertinent to investigations into local crime and national security. And while some information, due to the way it is encrypted, is not recoverable (iMessages and Skype logs), in the name of security, user and data privacy has been compromised.

Most Cloud providers will be affected by the development as a large proportion are US companies, and many of those who aren’t have extensive dealings in the US. The USA Patriot Act, signed in 2001, grants the US government access to any data processed and stored in the US. And within the US legal framework, the ‘extra-territorial jurisdiction’ doctrine suggests that even EU Cloud providers will be subject to compliance once they fall under US laws, e.g. when transferring data to the US. Though Facebook’s servers hold data for 1.06 billion active monthly users, and requests for information pertained to just 18,000 accounts, it is important that CIOs looking to move data to the Cloud reflect on the lessons to be learned from this incident.

No matter the nature of the business, companies are bound to generate – and require storage for – sensitive data. While many CIOs realise the importance of choosing a managed service provider that is based in the same country (for security and compliance reasons, as well as for the improved support service they are likely to receive), and a large proportion are aware of UK and EU data protection laws, not everyone realises that data can be, and often is, transferred to the US for hosting. Once it enters US territory, it is vulnerable.

It is my hope that this incident can serve as food for thought for those not paying attention to what happens to their data once it is ‘handed over,’ either when taking Infrastructure as a Service or Software as a Service solutions. CIOs should thoroughly research where the HQ of the managed service provider is, and where data is stored and processed – does it remain in the EU? And rather than digging through hidden clauses in a contract, it is important to simply ask the key questions you need answering. Where data resides should be a deciding factor for CIOs in light of this revelation, and it is important to be proactive in the search for information that will improve the security and privacy of your data.


