This isn't another post about locking down your data, auditing access, and generally taking data security seriously. All of that is important and has been rehashed ad nauseum elsewhere. This post is about the unseen security vulnerabilities that lurk in the physical location of your servers. Yesterday a magistrate judge ordered that Microsoft emails that are stored on servers in Dublin, Ireland must be surrendered to US government officials if a valid warrant is issued. MS has already appealed the ruling and a federal court is set to hear arguments as early as July 31.
This caused a bit of an outrage yesterday as people begin to realize
- you have no privacy in the US anymore
- the US government can seize your electronic data even if it resides in another country's jurisdiction ...or you can surrender your assets as punishment.
It's interesting to me that this causes a fuss. There is really nothing new here. The Stored Communications Act (SCA) that is the basis for all of this has been in place still 1986. It is worth reading the wikipedia article I linked to if you want to see just how far the Fourth Amendment is being twisted to make all of this "constitutional". Most of the rest of the world understands just how little privacy Americans have and have taken appropriate measures to secure their citizens' data from the long arm of the US government. Only Americans could be shocked by this.
Don't believe me? Here's a true story.
About 12 years ago I architected some software that tracked employee certifications and CEUs (continuing education units) for accountants and auditors. The company I worked for had a presence in about 70 countries but our initial rollout was for the US only. Being a good little architect I built the system such that it could support any country as well as any extended character sets. It was even "multi-tenant" in that one country could keep its data totally separate from another country's data just by changing some configuration values.
Nothing interesting so far.
We began rolling it out to other countries very quickly, because it was, well, awesome. But we got stopped dead in our tracks when we wanted to implement this in the EU. The EU values the privacy of its citizens' data far more than we Americans do and the fear was that if EU data was stored on US servers then laws like SCA could be used to snoop or steal that data by the US government. This was my intiation into SCA and extra-governmental/international jurisdictional data issues.
Our EU affiliated "member firms" (we were one BIG company but operated separate legal entities in every country) were, frankly, scared shitless regarding what the US could do with even relatively benign data like accountant certification histories. And, after I started reading the laws I was scared too.
I spent a few days with our legal team trying to determine if the EU member firms could even use my software. Where could we draw the line in the sand regarding data privacy? Could we just spin up an instance in a data center in Europe and run a copy of my application there? Could we share any data between EU and US...even lookup/master/system data like timezones, currencies, and ISO codes? That's very benign data. If we could, could we use replication because then the EU servers would still be accessed by a US application with a US user/password that might be compromised by the US government? Could our US Ops team still be operations for the EU instance or would that introduce a possible privacy conflict? The US government might coerce our Ops Guys into relinquishing passwords! The opened a new can of worms no one thought of...we used NT domains and accounts for everything Windows (including the servers for this application)...were the domains setup properly to provide the needed data security/privacy?
What was supposed to be the rollout of a simple certification tracker turned into a firm-wide data privacy initiative. Although this certification data was relatively benign if it fell into the wrong hands, how would we handle global finance and audit data? My company had an ethical duty to its customers, like a lawyer to her client, and we didn't take that lightly. We finally landed on using a separate application instance running in the UK (but there was still connectivity to our US servers) and some data was allowed to be shared. US Ops Guys were allowed to also administer the UK instance. But the legal team worked on some elearning courseware that many of us had to pass that tested us on exactly what we could do with EU data and how to handle jurisdictional requests for data.
I don't remember all of the rules and laws around this, but I do remember that IT persons (dev/ops/QA...it didn't matter) were forbidden to release EU data to any entity, regardless of warrant, without going through our Legal department first. Legal made a point of telling us know that they "had our backs" if anything were to happen to us for not complying immediately with a request for data. I did write about some of the things I learned in the training for a blog post I did regarding data retention.
PS...don't think that this stuff never happens to the average IT guy. I worked at this firm during the global financial implosion in 2008. You may remember that certain quasi-banks were accused of shifting money to/from the US/UK, possibly for nefarious reasons. I worked for a different team when that happened but I was part of the staff that was issued a subpoena to help reproduce some of those questionable transactions. Reading those subpoenas and warrants gets you scared, especially when individual staff persons are mentioned by name. Legal stepped in and put the brakes on the process until they could review the requests to ensure other jurisdictional laws were not being violated. Meanwhile I was sweating trying to determine if we had the necessary logging to reproduce those transactions...and how I was going to get it...and what would happen to me if I couldn't.
What's the point of all of this? You can be well-versed in security and auditing and theories of "least privilege"...but none of this means anything if all of those safeguards can be overridden by governmental fiat. It only takes one scared DBA to release the wrong data to a government agency and your entire business can be erased (it happened in 2008). If you care about your data then understanding the legal ramifications of your architectures is even more important then understanding the security features of your vendors' software.