In August 2011, the federal government announced plans to consolidate more than 100 different email systems used by over 300,000 employees into a single, outsourced email system. While the email transition is currently underway – Bell won the nearly $400 million contract last year – the decision quietly sparked a trade fight with the United States that placed the spotlight on the risks associated with hosting computer data outside the country.
At the heart of the dispute is the emergence of cloud computing services such as web-based email, online document storage, and photo sharing sites. These services are based on a computing infrastructure that relies on huge computer server farms and high-speed network connections that allow users to access their content from any device connected to the Internet.
My weekly technology law column (Toronto Star version, homepage version) notes that cloud computing services offer the promise of convenience and cost savings, but at a price of reduced control over your own content, reliance on third-party providers, and potential privacy risks should the data “hosted in the cloud” be disclosed to law enforcement agencies without appropriate disclosure or oversight.
The Canadian government was clearly concerned by dangers associated with storing potentially sensitive emails outside the country. Invoking a national security exception, one of its requirements for the single email system was that it be hosted in Canada on a secured server. As U.S. companies later noted, this effectively excluded them from bidding on the contract.
According to documents recently obtained by the B.C. Freedom of Information and Privacy Association, the companies escalated their concern to U.S. government officials, urging them to launch a trade complaint over the Canadian requirements. While the companies explored several alternatives that might address Canadian concerns, including encrypting all data and retaining the encryption key in Canada (thereby making it difficult to access the actual data outside the country), the government insisted on Canadian-based storage.
The reason? According to internal U.S. documents discussing the issue, Canadian officials pointed to privacy concerns stemming from the USA Patriot Act.
The privacy concerns raise a bigger question for millions of Canadians that use U.S. cloud services as well as organizations such as Canadian universities that are contemplating switching their email or document management services to U.S.-based alternatives. Simply put, if U.S. cloud services are not good enough for the Canadian government, why should they be good enough for individual Canadians?
In light of the Edward Snowden revelations of widespread surveillance by the National Security Agency, the answer for many Internet users will increasingly be that they are indeed uncomfortable with the loss of control over their data. In recent months, many countries have begun to explore mandating local cloud providers to ensure that domestic data stays in the country. In response, the U.S. has lobbied for inclusion of a provision in the Trans Pacific Partnership, a trade agreement currently being negotiated by more than a dozen countries including Canada, that would restrict the ability for countries to restrict data transfers and mandate local computer storage.
The Canadian government has said little about its position on the issue despite the fact that Canadians are already particularly vulnerable to potential disclosures to law enforcement or intelligence agencies. According to OECD data, the majority of Canadian dot-ca domain name websites are hosted outside the country, with Canada ranking among the lowest countries in the developed world for domestic website hosting. Moreover, Canadian Internet providers such as Bell exchange their Internet traffic in the U.S., ensuring that even simple domestic emails frequently enter the U.S. network before returning to Canada.
Mandating local cloud computing services will not address many of the privacy concerns associated with widespread surveillance and inadequate oversight, but when even the Canadian government insists on domestic computer servers for its information, it may be time for individual Canadians to think about doing the same.