The revelations by Edward Snowden about the amount of data gathered by the U.S. government from various IT companies, including Microsoft, through their PRISM program has inevitably caused concern in companies who are considering moving some or all of their IT infrastructure to cloud services. It’s a fair concern as no one wants to have the government meddling in their affairs, even if the government assures all and sundry that everything is done through due process as dictated by the law, something of course that the government controls.
Given that Microsoft is a U.S. corporation, it is no surprise that their operations – even if conducted in places like Singapore and Ireland – come under the aegis of U.S. law, including the Patriot Act. This fact was acknowledged soon after the launch of Office 365 in June 2011 when the Managing Director of Microsoft in the U.K. confirmed that data stored in Office 365 could be made available to U.S. authorities. That access continues today. Microsoft General Counsel Brad Smith published a note (July 16) describing how Microsoft interacts with the U.S. government to respond to their requests for information. The applicable text relating to Office 365 is:
- Enterprise Email and Document Storage: If we receive a government demand for data held by a business customer, we take steps to redirect the government to the customer directly, and we notify the customer unless we are legally prohibited from doing so. We have never provided any government with customer data from any of our business or government customers for national security purposes. In terms of criminal law enforcement requests, we made clear in our Law Enforcement Requests Report that throughout 2012 we only complied with four requests related to business or government customers. In three instances, we notified the customer of the demand and they asked us to produce the data. In the fourth case, the customer received the demand directly and asked Microsoft to produce the data. We do not provide any government with the ability to break the encryption used between our business customers and their data in the cloud, nor do we provide the government with the encryption keys.
I’ve received a lot of email (all of which is available to the U.S. government because I use Office 365) to ask what impact the revelations are likely to have on Office 365. My response is that I don’t think the situation has changed very much. Certainly more information has come to light and the general level of consciousness has been raised about privacy and control over customer data, but the salient fact remains that governments have been retrieving information through legal means (whatever they are) from IT providers for a long time now. Once investigators might have seized magnetic tapes (including those of the 1600 bpi 9-track variety), today they simply get the required data transferred to them electronically. Or they examine data as it passes across the major pipes that make up the Internet. Let’s face it, most email is transferred between servers in unencrypted form and is perfectly available to anyone who cares to eavesdrop using utilities that are easily found. Even 128-bit or 256-bit SSL-encoded traffic can be decrypted given sufficient computing power – and that power exists in abundance within government agencies.
The current situation creates an interesting opportunity for local hosting providers outside the U.S. Hosted Exchange, SharePoint, or Lync is not the sole domain of Office 365. A local provider who can deliver these services will probably cost more than Office 365 because that company will not have the same advantages that Microsoft possesses. For example, their scale of operation will be much lower than exists in the massive Microsoft datacenters and their costs will be higher because they have to pay software licensing fees. On the other hand, a local hosting company in somewhere like the U.K., Australia, Germany or France can provide an assurance that customer data will remain in-country and will not come under the purview of the U.S. Patriot Act. And a local hosting company will probably provide better and more personal support than is available in Office 365 today. You get what you pay for.
It’s also probable that some companies will put a break on their dash to the cloud and keep more applications on-premises than they originally planned. I know of a couple of companies that have already decided to proceed with an on-premises deployment of Exchange 2013 rather than to create a hybrid environment with Office 365. This might turn out to be more of a holding pattern than a long-term decision as it's possible that they are simply waiting to see what other information comes into the public domain over time.
In a funny way, Microsoft might actually welcome a slow-down in the Office 365 pipeline as it would allow them to build out their infrastructure under less pressure and to resolve some of the other problems that people report with Office 365, such as poor first level support experience (especially when dealing with more complex aspects such as directory synchronization or hybrid connectivity) or a lack of knowledgeable resources in the field who can help customers to migrate to Office 365.
But at the end of the day, I suspect that economic pressures will win out and that the move to cloud services will resume at pace. Governments will clarify just what they monitor (as much as governments ever clarify anything) and sufficient reassurances will be given to assuage the concerns now being expressed. The European Union will demand better control over private data and the U.S. will make whatever reassuring noises are required to keep Brussels happy. But at the end of the day, the lure of predictable costs, ever-green software, and the offloading of mundane tasks like server maintenance to cloud providers will continue to exert an attraction, especially for companies operating in the small-to-medium category.
As for me? I’ll remain using Office 365 because I find it the most efficient and effective way to run applications that keep me productive. I don’t worry about spooks reading my email because I don’t have anything in my email that is likely to get me into trouble. At least, I don’t think so…
Follow Tony @12Knocksinna