I store a copious amount of data in the cloud, and have encouraged countless others to do the same. Paradoxically (or perhaps naturally), I fret over this scenario at times. It’s unsurprising, then, that my interest was piqued by this tweet from Lisa Noble the other day:
— Lisa Noble (@nobleknits2) September 16, 2015
This led me to listen to the CBC’s interview with Heidi Bohaker (begin at 25:35), the principal investigator in a University of Toronto public report entitled “Seeing Through the Cloud”. The report’s findings and recommendations are a must-read for all Canadians, and a vital one for those of us in educational institutions.
According to Bohaker and her colleagues’ research, many Canadians don’t realize that the personal and institutional outsourcing of cloud storage to services such as Google Apps for Education and Microsoft Office 365 results in our data going across borders, mostly to the United States, but also to other, often unknown, locations. One of the main problems with our data being sent to foreign servers, they say, is that Canadians forsake their otherwise strong constitutional protections by doing so.
Canadians and Canadian organizations have significantly better legal privacy protection from state surveillance when their data are processed, stored, routed or more generally kept exclusively within Canadian jurisdiction than elsewhere. This protection extends to valuable intellectual property which is also vulnerable to industrial espionage from state surveillance in foreign jurisdictions. Canadians have significantly more options to address data protection concerns through their own courts, legal reform and the electoral process.
Based on the findings of their research, they strongly recommend that:
- Canadian organizations should not outsource eCommunications services beyond Canadian jurisdiction until adequate measures for ensuring legal and constitutional protections equivalent to those in Canada are in place.
- When considering eCommunications options, including outsourcing, organizations should conduct thorough and transparent Privacy Impact Assessments (PIAs) and Threat Risk Assessments (TRAs), taking into account constitutional and other protections provided under Canadian law, as well as the risks of using services hosted in foreign jurisdictions. The “similar risk” assertion should no longer be used in PIAs to support extra-national outsourcing.
- Organizations that have already outsourced to companies that place data outside Canadian jurisdiction should revisit these decisions in light of the deeply flawed “similar risk” assertion and what is now known about, for example, mass surveillance practices in the USA. Organizations should consider the risk of similar practices occurring in other countries.
Read the entire report here, and encourage others to do the same.