There was a recent article published in ITBusiness.ca entitled Worries over Patriot Act drives NDP to cloud encryption.
The article references how the National Canadian NDP party has used Salesforce.com to store contact data for over 123 million Canadians. Not a big issue? Lot's of Canadian organizations use hosted software applications for a variety of activities.
I wonder however how many of these organizations give any thought to the place where their data is being stored and whether this has any implications for their business.
Given the nature of concerns about privacy and security I think this is definately 
something that should be understood and considered. If you are based in a certain jurisdiction then seeking a source for your data storage within a similar jurisdiction may be safer. For Canadians I would suggest that you want to try to find the ability to store your data for Canadian operations in Canada, not overseas or in the US.
So what are the implications of the NDP decision to store their contact information in the US. As I understand the situation there are several pieces of legislation in the US which can permit governments to seek disclosure of data from a company which is deemed to have been doing business in the US. The Patriot Act pulls many of these pieces together and focuses them more aggressively in the interest of National Security, a very sensitive issue.
So is the data the NDP has stored at risk? Hard to say, but it certainly is more at risk than if they had stored it in a Canadian tool.
Did encrypting it give them more protection?
I find this solution somewhat suspect. It seems to me that if there is a reason for a government agency to seek the data from Salesforce.com, then the same request will be made for the data to be unencrypted so they can properly review it for whatever they are seeking. I'm not a lawyer but my common sense tells me that the encryption solution is not a very strong way to protect the 123 million people who now have their data stored in a US data base.
What does this discussion mean for your use of cloud based services?
I think the first piece to consider is what kind of use are you going to make? Will the application you choose house data subject to privacy laws in the jurisdiction where you operate? Is there an alternative that is less risky in choice of location for the data? Does the vendor disclose where the data will be stored? Do they give you a choice for where it will be stored? What other way could you accomplish the tasks you are considering?
I must admit that I have a biase towards keeping information in Canada if it relates to Canadian operations and transactions. My sense is it just becomes easier to protect your data from outside intrusion. Is this definate? Can't say, but I am just more comfortable recommending solutions to clients here that I know use Canadian resources.
Do you care where your data is stored? Is geographic location an issue for your data? Have you had any legislated impact affect your data storage?
Lee K
Photo credit: File adapted from wikimedia commons.
