Does it Matter Where Your Data Lives?

Does it matter where your computer data such as email, digital photos, personal videos, and documents resides? The Canadian Chamber of Commerce apparently doesn’t think so. It recently joined forces with its U.S. counterpart to argue for new rules in the Trans Pacific Partnership – a proposed new trade agreement that includes Canada, the U.S., Japan, Australia and many other Asian and South American countries – that would create barriers to privacy protections designed to require that personal data be stored locally.

My weekly technology law column (Toronto Star version, homepage version) notes that for many years, the issue was largely irrelevant to most computer users since their data was typically kept on computer hard drives within their own homes or offices. While there was always a security risk associated with malware or hackers, using reasonable security precautions provided some protection and there was little risk of warrantless access to the data.

More recently, Internet companies have promoted the benefits of the cloud computing, a reference to storing data online on giant computer server farms maintained by giants such as Google, Amazon, and Microsoft. Cloud-based services offer a host of advantages, including access any time from any device (provided you have Internet connectivity), the elimination of the need for software upgrades, seemingly infinite storage capacity, and state of the art security systems.

Yet for all the benefits, the recent disclosures of widespread Internet surveillance represents an enormous privacy risk that could tilt the balance away from cloud-based services altogether or increase demand for local providers that are less vulnerable to U.S.-based surveillance. In fact, the Information Technology and Innovation Foundation recently estimated that the U.S. cloud computing industry could lose tens of billions of dollars in the coming years should non-U.S. users withdraw their data.

Foreign cloud computing providers will undoubtedly try to seize this opportunity. Some European providers have already experienced a sharp increase in sales in the aftermath of the surveillance disclosures. Meanwhile, Canadian companies such as Bell have begun to tout their made-in-Canada data storage services, while Telus has emphasized the privacy risks associated with a Verizon entry into Canada.

Whether local providers can provide better safeguards is still unclear, however, since the full scope of Canadian-based surveillance remains shrouded in secrecy. Moreover, Canadian-based data often crosses the border into the U.S. during routine transmissions, which presumably allows for the communications to be captured by the expansive surveillance infrastructure that seemingly tracks all Internet communications.

Even if Canadian companies could provide privacy assurances that the data they collect and store is not subject to U.S. snooping, the plan from the Canadian and U.S. Chambers of Commerce would be to prohibit governments – both national and provincial – from creating legal requirements to store data domestically.

Their concern about legislative blocking of data transfers pre-dates the recent surveillance disclosures. In 2004, the British Columbia government responded to concerns that provincial health data could be subject to disclosure under the USA Patriot Act by enacting a law requiring public bodies to ensure that “personal information in its custody or under its control is stored only in Canada and accessed only in Canada.” The same law also requires those institutions and their service providers to notify the Minister if it receives a foreign demand for personal information. The B.C. law was soon after replicated in Nova Scotia.

While these laws are limited to governmental storage of data, the surveillance programs make no such distinction. The concerns associated with the USA Patriot Act may have been overstated, but as the scope of surveillance activities comes into focus, public concern appears to be well justified. This suggests that there may be mounting pressure for similar safeguards over private sector activities and that adopting the Canadian Chamber of Commerce proposal within the TPP would dangerously preclude the government from providing Canadians with much-needed privacy safeguards.


    Would this apply in this case?

  2. And people look at me like I`m some anti social idiot who hasn’t gotten with the times because I use my own Canadian web hosting account (Canadian company) for my own email and don’t use social medial for personal or business usage.

    Hosting your cloud server on US soil/US Companies is privacy suicide since you’ll have no warring if the NSA hooked up their black box to the service provider. With the Snowden leaks you can be sure you’re data has been compromised by the NSA.

    With coming into Canada with cheap servers/data there’s no reason for any Canadian company to have to use US based server/hosting now.

  3. Mutual Legal Assitance Treaties
    Don’t MLATs between Nations generally render borders irrelevant when it comes to the request to share data stored within one country with that of another?

  4. Why does it seem that whatever the Canadian Chamber of Commerce advocates is usually a bad idea for the average Canadian?

  5. RE: Crockett
    Probably the same reason why it’s not called the “Canadian Chamber of Commerce While Keeping Respect for the Rights of Citizens”. 😉

  6. It has mattered ever since the Patriot Act came into effect post 9/11

  7. @Eric L. “Probably the same reason why it’s not called the “Canadian Chamber of Commerce While Keeping Respect for the Rights of Citizens”.

    … or how about “The Canadian Chamber of Common Sense”

  8. Canadian hosts, Canadian servers, Canadian users, it doesn’t seem to matter a wiff. There is not a single packet or stream of data that moves on our public internet, land line, mobile or satellite-based networks without evaluation and inspection by our friends, the Five Eyes (US, UK, NZ, AU & CA). Furthermore, there are no networked devices, computers or cell phones beyond their access for targeted direct inspection and monitoring.

    Maybe their algorithms will ignore the vast majority of content for now. However more and more of it is getting stored, and more of it getting stored longer and longer. In time even encrypted data will be no protection when quantum computing makes its inevitable progress. In the meantime, encryption is simply a flag that raises government interest and cause for closer attention.

    Yes this information is being used for our so-called security. It is also being used for policing, a practice called parallel construction. It is being used for political, economic and industrial purposes. Those purposes will not always be in our so-called national interest, rather they will inevitably serve institutional and narrow but powerful self-interests. The hunt for and unjust prosecution of whistle-blowers is compelling evidence of this, as is the timely expose and character assassination of people legitimately challenging powerful interests. It is already being used to intimidate and suppress critical media attention.

    The Snowden revelations and developments certainly provide compelling evidence for most of what I claim. However, even before him, it was clear that motive, method and means were all line up:
    1) all of this has been technologically feasible for a long time,
    2) we have been warned for years that foreign powers like China and Russia were deeply surveilling us,
    3) we know the only legislative protections for privacy in the world (toothless and ignored as they may be) only claim to preclude domestic governments from directly spying on its own citizens while
    4) every country is completely free to spy indiscriminately on any international target, and
    5) that our country has wide-open access to the data gathered by the other “Four Eyes” including data on all of us.

    So, if the data is digital and networked, then no, the growing evidence seems to suggest it doesn’t matter where it “lives”.

  9. Devil's Advocate says:

    Bell’s a good one…
    “…companies such as Bell have begun to tout their made-in-Canada data storage services…”

    There was a time when providers ran their own mail/news servers for their subscribers to take advantage of.

    Bell was one of the first to dump all that and transfer all the customer e-mail accounts (from Sympatico, etc.) to Hotmail (hosted in California).

    You can’t trust any of them to care about your privacy, or your data.

  10. Russell McOrmond says:

    “Canadian” chamber of “Commerce”
    I’ve always questioned both the Canadian-ness of the chamber, as well as the narrowness of the businesses it lobbies in support of. Most of what they advocate when it comes to technology policy is against the interests of most businesses, domestic and foreign.

    I still have problems with the focus of this article, however, which is that the location of the hard disks data is stored on is a primary concern. The primary concern should be who controls the software authors who write the software that accesses and manipulates the data. While there are a narrow set of circumstances where geography matters, the reality is that we need to trust the vendors who write the software running on computers physically located here as much as we do cloud software services. Companies like Apple, Sony and Microsoft have lobbied hard for decades to transfer control of computers from owners to themselves, making data stored on computers which they control (Through iOS/MacOS, Windows, etc) susceptible to warrantless disclosure regardless of the physical location of CPU, RAM, disk.

  11. Francis Pinteric says:

    Software Origin Just as Important as Storage Location
    I agree with Russel McOrmond on this. The software running these clouds are perhaps even more significantly important than where these servers are physically located. Given the nature of the Internet it doesn’t really matter where a server is located if the system software it runs has been compromised. Much proprietary software have ‘back doors’ or spyware incorporated into them by design never mind the unintentional errors that inevitably occur which black hats love to exploit.

    That is why I always choose a Free Software, or at least an Open Source Software, version for whatever tasks I need to accomplish with software. With access to source code and an active development community the risks of getting spyware deliberately put into the design unnoticed is very much less reduced. With proprietary versions you can never truly know what you’ve got and, considering the recent and continuing revelations concerning government spy agencies, it is best to protect yourself as best you can.

  12. “In time even encrypted data will be no protection when quantum computing makes its inevitable progress.”
    A bit off topic, but the jury is still out on that. It’s a very deep & mathematical issue, but long story short is that it’s only really good for breaking certain types of encryption, while at the same time it opens up better encryption, leaving the same amount of overhead needed to crack as we have with conventional computers. See also “post-quantum cryptography”.

    Anyway, yeah, on topic. In the future, privacy will be read about in history books.

  13. It all in the pipes
    Regardless of where you choose to host/store your data, and for arguments sake, let’s say Switzerland, you still have to access it. TaTa comes has the biggest pipes with petabytes of data which can be accessed by the flip of a switch…all data has to go through Canadian pipes before it hits anywhere and as such can be snooped. Unfortunately for us we are so close to the US that we get sucked into its vortex, and have to deal with the harsh reality that privacy is on the brink of extinction.

    It is time to start using encryption, get an offshore email account and encrypt everything we send and ask to have everything received encrypted as well. It is a shame that one can count on human nature (say laziness) to throw privacy out the window I’m the name of convenience…

    Gmail, hotmail,etc. are wildly successful because of cloud computing and ease of access to emails from any place that you can connect from… Yet they all scan every email to tailer adverbs to each person… Why are we forsaking privacy? So google can make money and the various 3letter Government agencies can root through your data to search for pre-determined patterns…

    The questions begs to be asked: When will people wake up and demand privacy again? once it is gone, it is..gone.