When a small or midsize business moves to the cloud, several expected risks come along for the ride. First is security: in a shared environment, what kinds of access controls are in place to prevent unauthorized use? Redundancy is also a concern: what happens in the event of a natural disaster or power outage? Amazon experienced this first-hand when its southern U.S. servers went down after a severe storm front, driving some users to seek new options.
But what many companies don’t consider when they make the move cloudward is who owns their information once it no longer resides on a local server. Although common sense says data remains yours no matter where it’s stored, who has access and what other companies are doing on a server all impact the doctrine of possession. So, who really owns your data?
The Provider Problem
Cloud providers are not about to advertise that they hold all the keys when it comes to the data on their networks – they understandably want customers to feel secure, and in most cases data possession is not an issue. But a look at the terms of service (ToS) for many providers shows a disturbing trend: they can do what they want, when they want, with your data.
Take the June 2012 rollout of Cisco Systems’ Connect Cloud services. Not only did routers shipped by the company come with an “automatic firmware update” option selected, but in some cases they would override user settings and update anyway, even if the customer wasn’t interested. According to an October 1st, 2012 article at ExtremeTech, the terms of service first released to users also included the more worrying detail that Cisco could cancel a user’s cloud account at any time – and at its own discretion. The company has since altered that position.
Similar agreements exist for all major providers: play by their rules or they will cancel your service. Nothing unfair there, but what happens when it comes time to get your data back? No universal standard or legal precedent exists that compels providers to keep your data intact, although some choose to adopt this practice. Unless specified in a midsize business’s contract with its provider at the outset, data use and return aren’t covered in most jurisdictions.
It’s the Fuzz!
While local laws don’t typically set out rights and responsibilities for data ownership in the cloud, law enforcement agencies may have rights to your data – or data that’s sitting nearby. In January of 2012, the FBI raided servers containing data owned by upload service Megaupload on suspicion that they were being used for piracy. Other businesses housed by the same cloud provider were unable to access their data while the FBI conducted its investigation. Similarly, social site Twitter has been ordered by a U.S. court to disclose the account and Tweet details of an accused Occupy Wall Street protestor. Twitter is fighting the warrant, claiming its user’s data is protected and cannot be made public knowledge.
Simply put, even if your data isn’t doing anything wrong, it can be affected if businesses using the same public cloud run afoul of the law, or if user information stored in your database is pertinent to an investigation. Although the jury is still out on the legality of such search and seizure, companies must be aware of the risk.
Still Worth It
Worries about data ownership should ideally inform small and midsize businesses rather than stop their progression skyward. Providers have a vested interest in making clients feel secure, but assurances are no replacement for specific contract terms and – at the very least – a local backup.
This is a guest post by Doug Bonderud. Doug is a freelance writer, cloud proponent & business technology analyst.