For quite some time now, the United States Department of Justice has been putting cloud service providers into a difficult position. Because cloud providers lease storage space to tenants, and are therefore technically in possession of the tenants' data, providers have been increasingly served with subpoenas for that data. In such cases, cloud providers have often been forced to essentially betray their tenants to comply with law enforcement.
Not surprisingly, cloud service providers have not been thrilled by their role as the go-to source for law enforcement officers seeking access to data. Such a practice puts the provider at odds with a paying customer--namely, the tenant whose data the provider is forced to surrender to law enforcement. This potentially jeopardizes the provider’s ability to do business with that tenant.
Another problem for cloud providers is that complying with subpoenas for tenant data can be a costly and time-consuming process. Anyone who has ever performed an e-discovery operation can appreciate just how tedious and time-consuming the process can be. With that in mind, imagine the resources required for a cloud provider to perform several concurrent e-discovery operations when multiple tenants are under investigation.
Of course, the process is just as burdensome (if not more so) for the tenants themselves, but there are also disadvantages to this practice from the DOJ’s perspective.
When a law enforcement agency subpoenas a cloud service provider for tenant data, the provider’s goal is to comply in the least resource-consuming way possible. This means that the provider is likely to hand over more data than it really needs to, potentially leaving its tenant legally exposed.
By way of comparison, a company that is subpoenaed for its data will typically try to protect itself by scrutinizing its data, and handing over only what is required by law--nothing more. In contrast, a cloud provider could conceivably hand over all of the tenant’s data to law enforcement in an effort to minimize the effort required to compile the data, or to eliminate any risks of accidentally failing to turn over required data.
When a cloud provider surrenders too much of a tenant’s data, the result from a law enforcement perspective is that the investigation becomes far more costly and time-consuming than it otherwise would have been. The opposite can also be true. Sometimes sending a subpoena to a cloud provider results in the law enforcement agency not receiving any useful tenant data. This can happen because some companies have realized the need to protect themselves against cloud providers. In doing so, some companies have adopted the practice of encrypting data in the cloud, or using erasure coding to stripe data across several clouds in a way that ensures no single cloud provider has a complete copy of the data. In either case, the cloud provider is unable to give law enforcement any useful data.
Late last year, the Department of Justice finally acknowledged that the practice of acquiring tenant data from cloud providers was problematic. The DOJ issued a new set of cloud data storage guidelines advising prosecutors to get data directly from the organization that is under investigation, rather than trying to get the data from a cloud provider.
Needless to say, this cloud data storage directive is a big win for companies that can now sort through their own data, rather than having a cloud provider hand all of their data over to law enforcement.
The DOJ's new directive is part of a greater push by government and business alike to get their hands more firmly around the legal ramifications of data in the cloud. Microsoft, Google and Apple, for example, have thrown their support behind proposals in Congress to deal with cross-border data requests from law enforcement.
As welcome as this news may be, however, the new guidelines are just that--guidelines. In fact, the DOJ has advised prosecutors to consider whether getting data from the company that is being investigated will compromise the investigation or is even practical. In such cases, a law enforcement agency would still be within its rights to send a subpoena to a cloud provider rather than trying to get data from the company that is being investigated.
It's a slippery slope if there ever was one.