Microsoft lobbies to drown cloud stigma

Cloud laws continue to confuse.

Microsoft Australia has begun lobbying Australia's state and federal governments to direct conversation away from the stigma of off-shore cloud deployments.

The software giant hoped to allay the fears of regulators, privacy commissioners and auditors-general - along with potential customers - of moving data to Microsoft's data centres in Singapore, US and Ireland by reaching agreements on what was considered safe for a cloud deployment.

Despite mounting pressure from competitors with plans to open local facilities, Australian chief technology officer Greg Stone told media at the company's TechEd 2011 conference this week that the company would not build a local cloud facility.

It would instead continue to rely on third parties including Fujitsu and HP to deliver some variants of the public cloud offerings from Sydney data centres.

Those who signed up directly to Microsoft or through Telstra's resold T-Suite offering would be serviced specifically out of Singapore, with some local data cached in Sydney.

"We're not at the point now where the business can sustain us making a significant investment in Australia to put something like a public cloud of that nature in here," Stone said.

"It doesn't make any economic sense if we want to deliver it at the price point compared to what we do in Singapore."

Stone said Microsoft was exploring additional options to overcome "physical limitations" of serving out of Singapore but wouldn't say what they were.

Instead, the software giant hoped to convince users that a direct offering from Singapore or locally through a third party was a better option.

In a blog post to policy think tank Open Forum last week, Microsoft Australia's director of legal and corporate affairs Jeff Bullwinkel argued that fears around the restrictions placed by the US Patriot Act on cloud deployments in other jurisdictions were misplaced..

Bullwinkel said the Patriot Act provided no additional powers to the US Government to retrieve information held overseas "regardless of the physical location of the information – so long as the company retains custody or control over the data" and maintained a US presence.

The same was true of companies with a local presence, he said, citing a 1999 Australian Federal Court case in which Malta-based Bank of Valletta attempted to escape providing customer transaction data held in Malta to Australia's National Crime Authority.

The bank had claimed the request was a breach of Maltese bank secrecy laws, but failed in the case and subsequent appeal, requiring it to hand over the transaction evidence.

This, Bullwinkel argued, was reason to assume that no laws existed to prevent customers off-shoring their data.

"Commonly the understanding or the feeling is that the privacy laws in Australia from sending data off-shore but strictly speaking, that's just not the case in relation to any category of data that a private organisation is responsible for," he said..

However, Mark Vincent, partner at Shelston IP and one of the nation's foremost legal experts on cloud computing, told iTnews he had a different view to Bullwinkel on some arguments around the US Patriot Act.

While there is no law strictly prohibiting trans-border data flows for most types of data, Vincent said organisations needed to consider their obligations under Australia's National Privacy Principles – specifically those that concern consent for trans-border data flow and those around using and maintaining the security of data collected.

The Federal Government has proposed introduction of new principles - dubbed the Australian Privacy Principles - which would effectively make the owner of the data strictly liable for any action that infringed the rights of Australians, including access by a foreign government.

A Senate inquiry into the proposed amendments backed calls for the Department of Prime Minister and Cabinet to form a list of countries whose regimes complied with the principles.

Microsoft itself had also suggested mandating foreign cloud providers enter into agreements with the Office of the Privacy Commissioner that would see any privacy complaints handled under Australian circumstances, rather than those of the cloud provider's jurisdiction.

However, in submissions to the inquiry, local companies repeatedly expressed concerns an overseas cloud supplier could not be prevented from breaching the privacy principles.

Vincent said the principles should not be a concern for all organisations, but should weigh in to any due diligence around the use of public clouds.

“Organisations will look at this and say, it this an issue for my business?” he said. “For many, the answer is no.”

He said a subsidiary of a US company in Australia is still required to deliver up data to a US parent and US law enforcement on request.

“So the real question is putting it with a foreign-owned company in the first place - the issue is the geographic reach of US laws,” he said.

“Bullwinkel is correct in asserting that US subsidiaries in Australia have always complied with US subpoenas, and have always delivered data held overseas. So what is different about the cloud?

"One issue is that access to data is even easier than before when it is stored in an off-shore cloud. It’s a lot easier for law enforcement to access data there compared to the due process required before the Federal Police in Australia come knocking on your door for access to physical records. In fact, in the US there are laws to prevent you from being told your data has been accessed.”

James Hutchinson travelled to TechEd 2011 on the Gold Coast as a guest of Microsoft.