Cloud and data sovereignty caught in a paradox

Summary

<p>Hyperscaler cloud is incompatible with <a href="https://www.techtarget.com/whatis/definition/data-sovereignty">data sovereignty</a>. That’s because, as US companies, the hyperscalers are potentially subject to US court orders that can compel them to exfiltrate overseas citizen data.</p> <p>The paradoxical situation for <a href="https://www.computerweekly.com/resources/Software-as-a-Service-SaaS">hyperscaler clouds</a> is that they are inherently global and connected because that’s how they gain their economies of scale.&nbsp;</p> <p>Those conclusions result from a <a href="https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro">Computer Weekly investigation into data sovereignty</a>&nbsp;that asked the hyperscalers a set of questions aimed at discovering their ability – in technical terms – to withstand US court orders that compel eavesdropping on foreign citizens.</p> <p>We asked Amazon Web Services (AWS), Google Cloud, Microsoft, IBM and Oracle the following:</p> <ul class="default-list"> <li>How they would technically prevent a US court order that compelled them to access customer data.</li> <li>How they perform data-in-use functions on in-the-clear data if they say they don’t possess the keys to do so.</li> <li>Whether US-authored updates that contain US court-ordered “technical assistance” updates could bypass data controls and air gaps.</li> <li>Whether they could demonstrate they have a distinct UK region capable of operating all core services in total isolation from global infrastructure.</li> <li>Whether standard terms of service allow them to move customer data and metadata to other geographies.</li> </ul> <p>The context of the investigation is the heightened sense of risk in terms of <a href="https://www.computerweekly.com/feature/Go-big-or-go-home-Should-UK-IT-buyers-favour-US-clouds-or-homegrown-providers">data sovereignty in the current geopolitical situation</a>. In particular, it is focused on the powers of US courts to order US-headquartered companies to provide data held on their systems, wherever those systems are.</p> <p>Instruments for achieving this include the <a href="https://www.techtarget.com/searchsecurity/news/252437526/CLOUD-Act-stirs-tension-between-privacy-advocates-and-big-tech">US Cloud Act</a>, which compels US companies to provide to US law enforcement data in their “possession, custody, or control” even if that data is held overseas. US courts can also enact non-disclosure orders that prohibit a company from telling the data subject that their information has been requested or handed over.</p> <p>In addition, the <a href="https://www.computerweekly.com/news/252433611/New-controversies-upset-plans-for-US-Foreign-Intelligence-Surveillance-Act">Foreign Intelligence Surveillance Act (FISA)</a> Section 702 – due for renewal soon – can compel a service provider to provide “technical assistance” to facilitate a search, with no protection for foreign citizens targeted therewith.</p> <p>Hyperscaler responses to our questions seemed largely to avoid core issues. When we asked about cloud services in general, they responded as though we’d asked about air-gapped and on-premise offers. When we asked about the potential use of backdoor access via updates ordered by US courts, they talked about the use of local staff (or air-gapping again). And when we asked about the possibility of harvesting data, they pointed to encryption and customer-held keys, but did not address that, for the most part, data is processed unencrypted.&nbsp;</p> <p>There are several difficulties with these responses, which you can <a href="https://www.computerweekly.com/feature/Is-cloud-data-sovereignty-all-just-a-case-of-Trust-me-bro">read for yourself here</a>.</p> <p>One of these difficulties is that, ultimately, a US court can compel “technical assistance” to gain foreign citizen data held in its systems, and that can occur via a compiled software update that would be unreadable by humans and would not contain obvious clues about its function.</p> <p>Another is that even in the rare cases where expensive and resource-intensive data-in-use encryption is used, it is still possible to scrape data from memory.</p> <p>A further difficulty is that in standard terms of service, hyperscalers routinely transit data to other geographies as part of <a href="https://www.computerweekly.com/news/366589152/Microsoft-admits-no-guarantee-of-sovereignty-for-UK-policing-data">follow-the-sun support</a>.</p> <p>The reality is that to achieve anything approaching data sovereignty, customers must opt out of standard cloud terms of service, or use air-gapped services, though none of these is technically 100% proofed against intrusion.&nbsp;</p> <p>All this is a key issue for the UK, given that in the public sector alone, US hyperscale cloud providers have near-universal penetration and account for the bulk of technology spending.&nbsp;</p> <p>In the 2023-2024 financial year, 95% of central and local public sector organisations in the UK spent budget on hyperscale cloud services across more than 1,100 public sector bodies, according to <a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">data from analyst firm Tussell</a>.</p> <p>Notable examples include <a href="https://www.computerweekly.com/news/366630792/Ministry-of-Defence-signs-400m-sovereign-cloud-deal-with-Google">Google’s £400m contract signed last year to supply the Ministry of Defence with “sovereign cloud” capability</a> based on its Google Distributed Cloud air-gapped offer. But that’s just one example.&nbsp;</p> <p>The UK public sector is densely connected to US hyperscaler infrastructure, and the UK’s Department for Science, Innovation and Technology (DSIT) <a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">lacks a definition of data sovereignty</a>.&nbsp;&nbsp;</p> <div class="extra-info"> <div class="extra-info-inner"> <h3 class="splash-heading">Read more about data sovereignty</h3> <ul class="default-list"> <li><a href="https://www.computerweekly.com/feature/Breaking-the-stranglehold-Responses-to-data-sovereignty-risk">Breaking the stranglehold – responses to data sovereignty risk</a>: We look at the political and government responses to risks around data sovereignty and massive dependence on the three US hyperscalers – AWS, Azure and GCP – in the UK and Europe.</li> <li><a href="https://www.computerweekly.com/feature/This-rise-of-the-splinternet-Data-sovereignty-risks-and-responses">The rise of the splinternet? Data sovereignty risks and responses</a>: We look at the political, legal and economic risks around data sovereignty, the fears for digital dependency and massive hyperscaler penetration in the UK public sector.&nbsp;</li> </ul> </div> </div>