The downside of computing on the cloud
Trade agreement could create barriers to privacy protection
Does it matter where your computer data such as email, digital photos, personal videos, and documents resides? The Canadian Chamber of Commerce apparently doesn’t think so. It recently joined forces with its U.S. counterpart to argue for new rules in the Trans Pacific Partnership — a proposed new trade agreement that includes Canada, the United States, Japan, Australia and many other Asian and South American countries — that would create barriers to privacy protections designed to require that personal data be stored locally.
For years, the issue was largely irrelevant to most computer users since their data was typically kept on computer hard drives within their own homes or offices. While there was always a security risk associated with malware or hackers, using reasonable security precautions provided some protection and there was little risk of warrantless access to the data. More recently, Internet companies have promoted the benefits of cloud computing, a reference to storing data online on giant computer server farms maintained by companies such as Google, Amazon, and Microsoft. Cloud-based services offer a host of advantages, including access any time from any device (provided you have Internet connectivity), the elimination of the need for software upgrades, seemingly infinite storage capacity, and state of the art security systems.
Yet for all the benefits, the recent disclosures of widespread Internet surveillance represents an enormous privacy risk that could tilt the balance away from cloud-based services altogether or increase demand for local providers that are less vulnerable to U.S.-based surveillance. In fact, the Information Technology and Innovation Foundation recently estimated that the U.S. cloud computing industry could lose tens of billions of dollars in the coming years should non-U.S. users withdraw their data.
Foreign cloud computing providers will undoubtedly try to seize this opportunity. Some European providers have already experienced a sharp increase in sales in the aftermath of the surveillance disclosures. Meanwhile, Canadian companies such as Bell have begun to tout their made-in-Canada data storage services, while Telus has emphasized the privacy risks due to a Verizon entry into Canada.
Whether local providers can provide better safeguards is still unclear, however, since the full scope of Canadian-based surveillance remains shrouded in secrecy. Moreover, Canadian-based data often crosses the border into the U.S. during routine transmissions, which presumably allows for the communications to be captured by the expansive surveillance infrastructure that seemingly tracks all Internet communications.
Even if Canadian companies could provide privacy assurances that the data they store is not subject to U.S. snooping, the plan from the Canadian and U.S. chambers of commerce would be to prohibit governments — national and provincial — from creating legal requirements to store data domestically.
The plan from the chambers of commerce would be to prohibit governments from creating legal requirements to store data domestically.
Their concern about legislative blocking of data transfers predates the recent surveillance disclosures. In 2004, the British Columbia government, and later Nova Scotia, responded to concerns that provincial health data could be subject to disclosure under the USA Patriot Act by enacting a law requiring public bodies to ensure “personal information in its custody or under its control is stored only in Canada and accessed only in Canada.” The same law also requires those institutions and their service providers to notify the minister if they receive a foreign demand for personal information.
While these laws are limited to governmental storage of data, the surveillance programs make no such distinction. The concerns associated with the USA Patriot Act may have been overstated but, as the scope of surveillance activities comes into focus, public concern appears to be well justified. This suggests that there might be mounting pressure for similar safeguards over private-sector activities and that adopting the Canadian Chamber of Commerce proposal within the TPP would dangerously preclude the government from providing Canadians with much-needed privacy safeguards.