If U.S. Cloud Computing Isn’t Good Enough for the Canadian Government, Why Should It Be for You?

In August 2011, the federal government announced plans to consolidate more than 100 different email systems used by over 300,000 employees into a single, outsourced email system. While the email transition is currently underway – Bell won the nearly $400 million contract last year – the decision quietly sparked a trade fight with the United States that placed the spotlight on the risks associated with hosting computer data outside the country.

At the heart of the dispute is the emergence of cloud computing services such as web-based email, online document storage, and photo sharing sites. These services are based on a computing infrastructure that relies on huge computer server farms and high-speed network connections that allow users to access their content from any device connected to the Internet.

My weekly technology law column (Toronto Star version, homepage version) notes that cloud computing services offer the promise of convenience and cost savings, but at a price of reduced control over your own content, reliance on third-party providers, and potential privacy risks should the data “hosted in the cloud” be disclosed to law enforcement agencies without appropriate disclosure or oversight.

The Canadian government was clearly concerned by dangers associated with storing potentially sensitive emails outside the country. Invoking a national security exception, one of its requirements for the single email system was that it be hosted in Canada on a secured server. As U.S. companies later noted, this effectively excluded them from bidding on the contract.

According to documents recently obtained by the B.C. Freedom of Information and Privacy Association, the companies escalated their concern to U.S. government officials, urging them to launch a trade complaint over the Canadian requirements. While the companies explored several alternatives that might address Canadian concerns, including encrypting all data and retaining the encryption key in Canada (thereby making it difficult to access the actual data outside the country), the government insisted on Canadian-based storage.

The reason? According to internal U.S. documents discussing the issue, Canadian officials pointed to privacy concerns stemming from the USA Patriot Act.

The privacy concerns raise a bigger question for millions of Canadians who use U.S. cloud services as well as organizations such as Canadian universities that are contemplating switching their email or document management services to U.S.-based alternatives. Simply put, if U.S. cloud services are not good enough for the Canadian government, why should they be good enough for individual Canadians?

In light of the Edward Snowden revelations of widespread surveillance by the National Security Agency, the answer for many Internet users will increasingly be that they are indeed uncomfortable with the loss of control over their data. In recent months, many countries have begun to explore mandating local cloud providers to ensure that domestic data stays in the country. In response, the U.S. has lobbied for inclusion of a provision in the Trans Pacific Partnership, a trade agreement currently being negotiated by more than a dozen countries including Canada, that would limit the ability of countries to restrict data transfers and mandate local computer storage.

The Canadian government has said little about its position on the issue despite the fact that Canadians are already particularly vulnerable to potential disclosures to law enforcement or intelligence agencies. According to OECD data, the majority of Canadian dot-ca domain name websites are hosted outside the country, with Canada ranking among the lowest countries in the developed world for domestic website hosting. Moreover, Canadian Internet providers such as Bell exchange their Internet traffic in the U.S., ensuring that even simple domestic emails frequently enter the U.S. network before returning to Canada.

Mandating local cloud computing services will not address many of the privacy concerns associated with widespread surveillance and inadequate oversight, but when even the Canadian government insists on domestic computer servers for its information, it may be time for individual Canadians to think about doing the same.

19 Comments

  1. Wait, $400 million to consolidate 100 different email systems into one for 300,000 some odd government employees?

    That alone should be criminal.

  2. Centralized Systems
    From the first time I saw the phrase “The Cloud” and got the gist of what it is/does, I’ve been flabbergasted that any business or individual would think that external, centralized control of one’s information could possibly be a good thing. It might work well with a centrally-managed style of government/culture, but transferring the storage and/or computing power into the hands of someone else, foreign or domestic, seems like one of the worst choices anyone with a modicum of independent spirit could make.

  3. @ Spike – but 300 million of that is for the fwench side.

  4. The Cloud
    Definition of the Cloud…”someone else’s computer”.

    If that someone else is a foreign government that has significantly weaker human rights and data protection laws…then the government should rightly require domestic hosting. Even if it provides a false sense of security given the revelations from the Snowden files.

  5. schultzter says:

    Data Sovereignty
    Here’s yet another example of how technology outpaces law. And I’m sure technology will solve this issue long before the politicians and lawyers and trade pact negotiators come up with their solution.

    The very nature of the internet, from its initial conception, makes it very difficult to control where the data flows and quite pointless to worry about.

    Knowing which laws (privacy laws, disclosure laws, consumer laws, etc.) apply to your data is important. Very important for governments, but only slightly important for individuals. I don’t use Instagram because of Facebook’s habit of playing loose with my privacy. But I still use Google and Yahoo though my data is no longer in Canada – the convenience of those services outweighs my lack of Canadian legal oversight.

    The tinfoil hat crowd is of course crying “I told you so!”

    But the reality is services from Microsoft, Google, Yahoo, Amazon, Box.net, DropBox, etc. are more concerned with advancing their technology than pandering to the paranoid. And they’re banking on the fact their services are so appealing that people won’t be too concerned where their data is actually located.

  6. It can’t be stopped. Remember how universities used to lead on privacy, now they have gone cloud gaga. I think the University of Alberta uses Google Docs for students, Google Mail is everywhere, and Windsor is apparently putting their library records and student info into a cloud system. Nothing is sacred or protected anymore in the ivy tower.

  7. 400 Million?
    I could do it for half that…

  8. From the article: “the majority of Canadian dot-ca domain name websites are hosted outside the country, with Canada ranking among the lowest countries in the developed world for domestic website hosting.”

    I have a number of dot ca domains, as well as a number of others with Canadian content. I host them all in the US for the simple reason that I can’t afford the Canadian price of the high quality service, connectivity, and speed that I require.

    Interestingly, my hosting company originally had offices in Vancouver (that’s why I chose them at first), but moved to the US because of our tax structure here. Perhaps the Canadian government needs to get involved with making Canada a better environment for these kinds of businesses. There are lots of things to consider, but I suggest that if dot ca domains are not being hosted here, it is because we don’t find Canadian services that are to our liking. Bear in mind that this is not a matter of taking advantage of lower wages in some third world country.

  9. Above I addressed the issue of individual Canadians using domestic servers and made it clear why low income people like myself are just not going to do that. Sorry, don’t have the money.

    However, for Government and large corporations, I do believe it should be mandated. The NSA scandal and associated problems are not the only thing to consider either. For example, I wouldn’t go to HR Block because account information is stored in the US and as such is legally available to the authorities there because Canadians are aliens in that country. Do people read the fine print when they get their taxes done at a place like that? If they did they’d go somewhere else. A similar case would be Facebook. Read the terms of service, they’re long, but you won’t be disappointed. Medical records, do you know where they’re stored? Perhaps in a country where you would not have any privacy rights as a Canadian (such as the US)? Same problem with bank and credit information. Yes, anything privacy related should not be stored in another country.

  10. Canada and the U.S.A. are part of the 5 eyes and they all have sharing agreements, and also the path to your data even when hosted in Canada renders its actual location moot in practice.

  11. national broadband
    These security issues sure provide a strong case for developing a national broadband initiative.
    Without having good resources here we can’t attract companies that want to set up shop.
    Without these companies and strong structure in Canada our data will be hosted elsewhere and fly out of Canada on the way to a domestic destination (path of least resistance).

    I’d love to see the great addressed more in depth.

  12. Universities
    @CL actually it depends on where you are. In BC, there’s provincial legislation in place that prevents any university or college from using cloud services based outside of Canada. It’s quite a pervasive theme in technology selection at higher ed institutions here.

  13. @CL – I believe both ON and AB require permission from the individual under provincial laws, it is unlikely these institutions are proceeding without acknowledgement from the students impacted.

  14. Hendrik Boom says:

    Is there any practical way of knowing when a service is implemented outside the country?

  15. Where it is stored doesn’t matter…
    The fact that the data may be stored in Canada doesn’t matter. If you have data in Canada, yet the routers and network it passes through is in the US, then it doesn’t matter as they can pick up your data anyway. There is a lot more to this than where the hard drive is physically located, the whole backbone needs to be 100% Canadian for any of this debate to have relevance.

  16. This cloud craze is a fad and nothing more.. People will eventually wake up out of their stupor to realize that their data is best kept close. I predict a peak of cloud popularity then a gradual decrease…

    I’m likely wrong.. But I hope not.

  17. @philippe
    5 eyes only refers to things such as military intelligence. Think about how difficult it would be during NAFTA discussions when one of the people you’re negotiating with knows all your positions because they had their NSA profile and intercept all the emails from your PMO’s office or department of foreign affairs.

  18. Neil McEvoy says:

    No ICT investment
    Sure, if there were any Cloud services in Canada. The sector is wholly under-invested, as is the ICT sector overall.

    Canada lags the Cloud supply side as it lags everything else, so why expect customers to not use the more advanced USA-based services where they pump in the required $$ investment.

  19. *hooks everyone up to Gmail for free*
    *and parties with $400 million*