Comment

Microsoft in front of the US Supreme Court: Why you shouldn’t make compromises when it comes to data sovereignty

The US judiciary is deliberating whether national cloud providers with customers in Europe must give stored data to the government in case of an investigation. A verdict is expected in June, with far-reaching consequences for European data protection. Users should therefore rely early on solutions where maximum security is part of the standard – and does not have to be booked as an option.

The US Supreme Court is faced with a landmark ruling that touches no less than the foundations of European data protection. In the so-called “New York Search Warrant Case”, the court is currently deliberating whether Microsoft should hand over to U.S. government agencies personal data located in data centers within the EU (in this case Ireland). A negative outcome of the proceedings would have the potential to trigger massive legal uncertainty for the data protection of European companies. A broad alliance of tech companies, industry associations and EU parliamentarians is already warning against an end to the “Internet as we know it”.

Is the alarmism justified? The judgment is expected in the summer and, at present, supporters and opponents are still in the phase of appeals and reminders, but the debate has the potential to make the year 2018 – in which, as we all know, the new EU-GDPR will also come – the year of European data protection.

One thing can already be determined: The attempts by both foreign and domestic governmental organisations to obtain stored data in their own and other jurisdictions are a constant topic, which regularly and reliably appears on the agenda in bilateral agreements, court rulings or intelligence scandals.

Can data protection still be guaranteed?

Especially for US Cloud service providers, software or tech companies this means constant pressure to justify their data protection in front of a public audience. Companies such as Google, Amazon, Salesforce, Dropbox or, in this specific case, Microsoft must prove that they not only respect the data protection legislation in every country in which they operate, but also defend it with the utmost effort.

The paths of the competitors are very different. While Amazon relies on local data centers and optional encryption, for example, and – somewhat heroically – emphasizes that it wants to “spread German data protection into the world”, Microsoft favours alliances with local companies that act as “data trustees”. Since the data cannot be reached from abroad here, this model, combined with a cloud infrastructure where the data is always under your own control, is the most secure solution to date. In Germany, Microsoft offers this service in cooperation with Deutsche Telekom (“Deutschland-Cloud”). In this specific case, this would have the advantage that Microsoft would not be able to release data requested by the US government, since the company itself has no access to it. However, the Germany Cloud is an optional extra service that causes additional costs.

One level lower, most other vendors rely on an optional use of local data centers. With this model, the data is stored on local servers managed by the European subsidiary of the company. AWS and IBM, for example, offer to host data exclusively in their German data centers in Frankfurt.

This model still promises more security than the third variant where all data is stored uncontrolled, unsecured and unencrypted on a US server – a procedure that is unfortunately standard for many cloud solutions.

Security is not a commodity

However, what most providers have in common is the fact that they offer data protection separately. Additional encryption, the choice of a German data center or the trust model are by no means standard for public cloud services, but represent optional agreements that can be booked by companies from sectors with an increased need for security at a corresponding additional cost.

This way data protection and security – or the entire sovereignty over one’s own data – becomes a commodity, a bookable product that causes higher costs as required. But should data protection really be part of a cost-benefit analysis?

Full sovereignty over your own data, i.e. the decision as to which data is accessible to which person or institution at which point in time, should be the sole responsibility of the owner of this data. Ensuring this data sovereignty should not be a “bonus”, but an absolute minimum standard. However, this can only be guaranteed if one’s own data is also under one’s own control – such as in the form of a hybrid cloud in which the data resides on a public server, but the encryption remains on one’s own servers.

This is the idea behind Federated Cloud Sharing in conjunction with Universal File Access:

Public and private clouds are grouped under a single user interface. In this way, every company can decide for each data source where the data is located, and everyone can participate in the opportunities offered by the technology market without their data being disclosed without their knowledge, and certainly not to a foreign government without any legal protection.

ownCloud

March 1, 2018
