Creating the laws to build cloud confidence
Microsoft’s general counsel discusses the need for new legislation for cloud data protection
Microsoft may be best known as the company that dominated the desktop, but with the appointment of its new CEO at the start of last year, the software giant has set out a ‘cloud first’ strategy, which has seen it putting many of its major applications, such as Microsoft Office and Dynamics, into the cloud, coupled with considerable investment in new cloud services and capabilities. With so much resting on the uptake of cloud services, it is no surprise that the company is also investing heavily in building confidence in the security and privacy of data hosted in the cloud, including a push to convince governments to develop new legislation related to the cloud.
Brad Smith, EVP and general counsel, Legal and Corporate Affairs, Microsoft, said that there is a global need for governments to improve or create legislation related to data protection, to increase comfort levels for businesses and consumers trusting their data to the cloud.
“This is a topic of interest, at this point, to virtually every government in the world. The number of countries that have broad laws in this space is relatively small. Just as we saw in the 1990s many countries around the world strengthened their copyright laws, because they knew that would bring more software investment and software technology, I think over the next decade we are going to see many countries adopt cloud-focused laws that will go far to strengthen security and privacy in the cloud. That will be a good thing for the public sector and the private sector.
“There are a number of countries that have strong laws that should give people confidence, but at the same time, virtually every country needs to update its law. The technology has changed rapidly, people’s understanding of the technology issues has changed as a result. I don’t think there is a single country in the world that has on its books today the law it will want to have on its books in 2020.”
Microsoft is currently working with governments to help develop new legal frameworks for the cloud, Smith said. At the same time, it has also put in place a number of measures to increase confidence in its own cloud services. The company has increased the strength of encryption of its cloud services to a 2048-bit key length, which is considered not to be “readily breakable,” Smith said. It has also certified the security of its cloud offerings to ISO/IEC standard 27018, which sets out a uniform, international approach to protecting privacy for data stored in the cloud.
Last year, Microsoft also became the first company to win the approval of all of the data protection agencies in Europe, for its commitment to EU model clauses, which set out contractual obligations for privacy and security of data in the cloud, and the company is keen on using legal frameworks to convince users that they are safe using Microsoft cloud.
This emphasis on security and privacy of data also affects where it locates the data centres that host its cloud services. At present, Middle East cloud customers are normally served by Microsoft’s data centre in Dublin, Ireland, because of that country’s strong data protection laws.
“Ireland has become to data what Switzerland has long been to money. Ireland has a good law, a strong data protection authority and I think customers in this part of the world can have confidence in that as an approach,” Smith said. “We have chosen Ireland for this part of the world because we believe that it is a country that many other countries can look to and have confidence in.”
This commitment to cloud security is not just pushing Microsoft to lead the call for new legislation, but is also bringing it into conflict with government in some regions, in particular over efforts by US security authorities to access data that is stored in Microsoft facilities outside of the United States. Smith explained: “We are the only company in our industry that is putting in our contracts provisions that require us to resist, through all proper legal means, the efforts by, for example, the US government to get at enterprise cloud data. We have lived up to that contractual provision; we have successfully fought an FBI subpoena aimed at enterprise cloud data; we have committed ourselves to resist US search warrants that try to reach data that is stored outside the United States. We are in court right now, because of a case that arises out of our data centre in Ireland.”
He added that the company would respect proper legal process to access data, and that the company has been in discussion with authorities in the US for several years to establish the proper principles and procedures for disclosure and to increase the role played by the courts in deciding how data is released or withheld.
“Clearly in the world today it is important to protect public safety, and it is also important to protect the privacy and security of people’s information. The only way to do that is to strike the right balance,” he said.
“In the US we are focused on the reform of the courts; we think that courts have an important role to play in these processes. We also think that governments everywhere need both to respect the sovereignty of other countries and to create the kinds of international processes to obtain information when the information is located outside their borders.
“In effect there are a number of questions that every government is going to need to consider: what does lawful process look like, what is the role of probable cause, what is the role of the courts, how does a government in one country work with a government elsewhere? Those are four big questions that we will need to work through as a planet really, over the next five to ten years. I think we are in early days; what I am sensing is that more and more government leaders appreciate that new international initiatives are needed.”
Smith added that Microsoft is emphasising transparency in its communication with government, and also in reporting to the public how it works with government, by publishing regular reports on the kinds of law enforcement requests it receives in different countries around the world. The benefits offered by cloud computing mean that its widespread uptake will be inevitable, he commented, meaning that there must be an ongoing global dialogue with governments and business to ensure that cloud is properly governed, and that there is also potential for a regional ‘first mover’ to become a trusted domain for cloud hosting.
“The need to build trust in the cloud is greater than ever; you see our investments in that space with respect to technology and our contracts, standards adoption and industry certification; and there is an opportunity for governments here, both with respect to hosting their own services in the cloud, and to improving the legal infrastructure. I think that the country that moves the fastest to move its services to the cloud and to put its legislative framework in place is likely to have a competitive advantage — more governments are starting to recognise that, and I think that recognition will spread even faster over the next few years.”