In some ways, Google is a digital Rome. Instead of extending roads to connect its empire, it builds data centers worldwide and challenges local rule not with swords, but with tools and information. It is a company that probes the perimeters of censorship in China and tests the limits of privacy laws in Europe, sometimes with consequence, as it expands its cloud computing empire.
Google received a letter from 10 nations, including Canada, France and Britain, telling the company that the "privacy rights of the world's citizens are being forgotten as Google rolls out new technological applications." However, Google answered the challenge as Rome might have: by telling of the universal right of "free expression" and announcing a new tool detailing, nation by nation, the requests and orders it receives for data and content removal.
Google's Rome-like worldview extends to how it will treat the location of customer data. Google is not offering US businesses any specific assurance that their data will be stored in a US-based data centre. It is making an exception for government customers, such as the City of Los Angeles, which, as part of its contract to move its 30,000 users over to Google Apps, will have its data housed in Google's US data centres.
From Google's perspective, "specifying data location made more sense when all data was within the organisation's firewall," Eran Feigenbaum, director of security at Google Apps, said by email. "In the world today where we have partners, vendors, multiple offices, employees working remotely, the Internet, email etc. 'Where is my data located?' should probably not be the first question we ask," Feigenbaum said.
"When I send an email to my vendor or client, the way all email works, it can travel halfway around the world before it gets to them, even if they work down the street," he said. "So the primary questions companies should ask are 'how is the data protected?' 'Who has access to it?', and 'How do I evaluate what my IT vendor is telling me about their practices?'"
Microsoft is telling its US customers that their personal data will remain in the US. "Our goal is to be as transparent as possible about our commitment to the security of our customer's data and we understand that today maintaining data in the US is an important requirement for many of our US customers," said Susie Adams, Microsoft's Federal CTO.
Legal experts say that all the questions raised by Feigenbaum are part of the due diligence process in working with a cloud provider, but that none of those questions are at the expense of location. "As a cloud computing client you lose an enormous amount of control, legally and jurisdictionally, if the data gets outside of the United States," said Christopher Cain, an attorney in Foley & Lardner's IT and outsourcing practice. He said users need to ask as part of their due diligence process about the location of the data.
There are a number of laws that prevent some types of data from leaving the US, especially those connected with export controls. However, by and large, US companies don't face anywhere near the restrictions imposed by the Europeans under their privacy directive. "None of the US privacy laws would prevent you from shipping data to data centres all over the world or outsourcing it to India," said John Nicholson, an attorney at Pillsbury Winthrop Shaw Pittman's privacy and data protection practice.
A potential risk is that a government could want data on a particular server, but in the process take all of the data on it, regardless of whether it is related. "That server (or hard drive) is theoretically subject to the law of the country in which it is sitting," said Nicholson.
But there is also the risk-benefit aspect of it. "If somebody is going to be attacking your systems, the geographic location of your server probably doesn't necessarily make that big of a difference," said Nicholson. "What probably makes a difference is the entity that is hosting your server," he said.
Nicholson asks, instead, who is likely to have a better information security platform: the City of Los Angeles or Google? Google's business model "will go under if they significantly fail at information security," he said. Los Angeles may have a lot of resources "but it is operating under a different model than Google," he said.
Adam Smith, the chief legal officer at Terremark Worldwide Inc., an IT infrastructure provider, said his firm will honor location requests to keep data in the US. But the concern about data location isn't a US issue alone. One European customer who wanted a failover location in the US couldn't have one because of European privacy laws, Smith said.
Microsoft is building out global data centres and in the long run it doesn't want to be constrained in its ability to shift compute resources as needed globally. Indeed, the cloud computing industry wants an empire or federation-like view of cloud computing, with services that can be delivered globally under a uniform set of rules.
Microsoft has been arguing for lawmakers to take action. The company's top legal officer, Brad Smith, argued in Washington earlier this year for Congress and governments, generally, to sort out the laws on cloud computing. Smith said a multilateral agreement, perhaps "a free trade zone, so to speak, for data packets," is needed.