Control vs. Location: A Potential Turning Point for Enterprise Cloud

A United States judge has ruled that control, not location, dictates which laws must be adhered to for access to stored electronic data. If the result goes against Microsoft, it will likely be a short-term blow to the broader cloud industry. However, in the long run, it will accelerate the development of technologies to help keep data stored on massively scaled systems private, no matter the location.

Last month, a U.S. District Judge upheld a ruling that Microsoft must turn over emails stored in a server in Dublin, Ireland. This decision comes on the heels of a U.S. Federal Magistrate decision last December whereby Microsoft was ordered to hand over data but refused, arguing that because the data resided outside the United States, it was subject to local privacy laws. This most recent decision compels Microsoft to turn over the data, although the judge granted Microsoft a stay to provide time for an appeal. (Note: In late August, the U.S. Department of Justice asked the judge to vacate the stay, meaning the Justice Department wants the ruling enforced now.)

Microsoft General Counsel Brad Smith obviously disagrees with the DoJ:

.@MikeScarcella We disagree with the Gov. that any new step is needed in order for us to appeal the NY warrant ruling.

 
 

 

This ruling is important because it’s generally viewed as the first case in which a corporation has challenged a U.S. search warrant seeking data held abroad. Here’s a former Justice Department computer crime prosecutor on the ruling:

“It’s been one of those things we’ve chosen to ignore, and it’s been recognized in every online contract, in every cloud contract, as something that’s a problem. So in a sense what the court did was, it picked at the scab of transnational jurisdiction.”

Ouch.

The outcome of this decision will likely set a precedent for many years to come: is it control or location that dictates which laws take precedence for stored data?

If Microsoft’s appeal is unsuccessful, the company will be forced to provide the data to the U.S. Justice Department, violating both Irish and European Union data protection laws. However, if Microsoft doesn’t provide the data, it could be held in contempt of a U.S. court. Guess which option Microsoft will select.

Pundits often forecast of the death of cloud computing based on this type of litigation. However, such a prediction is oversimplifying the issue and it does not reflect today’s reality:

  • Although there has been plenty of debate during the past several years about the U.S. Government gaining access to hosted data via the Foreign Intelligence Surveillance Act (FISA) and subsequent amendments by the Patriot Act, the fact is that the overwhelming number of government data requests are criminal in nature, and not related to FISA national security requests or National Security Letters.
  • Requests are overwhelmingly focused on “consumer” messaging platforms. The bulk of these requests are for access to emails, text messages, and chat sessions for Gmail, Hotmail, Outlook.com and iCloud. We are not yet talking about Google Apps for Enterprise or for Microsoft 365 tenants with more than 50 users.

So although it’s safe to assume that government requests for data, both criminal and national security in nature, will continue to increase, it’s also very interesting to look at this through the lens of the outsourcing industry.

For years, outsourcing customers have understood that if law enforcement comes knocking, it is them, not their providers, who will need to answer the door. This has been institutionalized in outsourcing contracts for more than two decades and is a function, to some degree, of the fact that the systems used for outsourcing were dedicated to each customer. However, what happens when the underlying systems that underpin outsourcing contracts, or simply stand alone, replace legacy dedicated systems? This scenario is actually happening today, and at a pretty amazing clip. Take a look at the proliferation of highly standardized, multi-tenant platforms for email, collaboration, HR and IT service management. They are everywhere and multiplying quickly.

Case in point: 365 is Microsoft’s fastest-ever growing product. Google’s enterprise adoption is accelerating. The percentage of Apple devices in the enterprise has more than doubled during the past three years. Enterprises are quickly adopting (knowingly, or unknowingly) massively scaled, shared infrastructure— the kind of infrastructure that tends to be the target of the previously mentioned data requests.

Does this mean that cloud adoption will slow outside the United States? I don’t think so — the overarching concerns around privacy, security and data sovereignty will eventually bend in favor of digitalization, cost reduction and speed. Here at ISG we actually see the strongest demand for cloud-based unified communications and collaboration (UCC) coming from Europe. While it will certainly cause a pause, I don’t think long-term adoption trends will change even if the decision goes against Microsoft.

What it will mean, however, is a dramatically increased focus on making data unreadable, no matter the location, and no matter who wants access to it. Cloud cryptography — ensuring that only authorized users can read data, but doing so over today’s distributed cloud architectures is getting a lot of attention from some very smart people. If I were a betting man, this is where I’d be placing my bets. Forget if standardized, multi-tenant platforms will win in the end, they will. The question is: how do we keep our conversations private in an increasingly shared, platform-based world?

About the author

Stanton helps enterprise IT and sourcing leaders rationalize and capitalize on emerging technology opportunities in the context of the global sourcing industry. He brings extensive knowledge of today’s cloud and automation ecosystems, as well as other disruptive trends that are helping to shape and disrupt the business computing landscape. Stanton has been with ISG for more over a decade. During his tenure he has helped clients develop, negotiate and implement cloud infrastructure sourcing strategies, evaluate and select software-as-a-service platforms, identify and implement best-in-class service brokerage models, and assess how the emerging cloud master architecture can be leveraged for competitive advantage. Stanton has also guided a number of leading service providers in the development of next-generation cloud strategies. Stanton is a recognized industry expert, and has been quoted in CIOForbes and The Times of London. You can follow Stanton on Twitter: @stantonmjones.