Location, location, location: why data sovereignty still matters
Forget what you're told: location does matter when it comes to data retention
Almost exactly a year ago the Director of Security for Google Apps, Eran Feigenbaum, was telling anyone who would listen that the geographical location of data in the cloud wasn't a priority issue and that people should focus their concerns on the privacy and security of that data instead. Feigenbaum even went as far in one online interview as to suggest that to do otherwise was an "old way of thinking" at the time.
Well, I'm sorry, Eran, but you were wrong then and you are wrong now.
It's easy to dismiss fears about data sovereignty as being very last century, especially when you consider that everything moved around across the Internet is broken down into packets of data which are routed all over the planet in order to arrive at their destination. That is, after all, how the Internet works and it would be a massive fail if your data could only travel within the boundaries of your national borders.
I have heard this 'how stuff works' argument used to support the case for borderless, universal storage within the cloud all too often. But that doesn't mean I think it is correct. Confusing the temporary movement of fragmented data with the permanent storage of the whole thing is quite ridiculous.
It's quite one thing to send a file from one desktop to another via the Internet without having to worry unduly about it being intercepted by The Powers That Be as it travels through their jurisdiction. It is quite another to store that file on a server located in a country where it could be legally, and relatively simply, seized by law enforcement agencies for myriad reasons. Yes, United States of America, I am talking about you here.
And it's not just some paranoid privacy freak sitting here saying this; data protection legislators say it as well. While the truth of the matter is that for many folk the location of their data is, indeed, no biggie, the same is not true of certain industry sectors nor of businesses of a certain size.
The bottom line is that any UK business holding data about third parties is legally responsible for that data under the terms of the Data Protection Act 1998. If that data, in the cloud, is stored outside of the UK then your business remains responsible for it. This is not so easy to ensure when the physical location of the data will be critical in determining who actually has control over it, and who has the right to access it.
Of course, data sovereignty is nothing new and has been an issue since the first cheap offshore data centres hit the scene many, many years ago. The thing is that, in the rush to jump on the cloud bandwagon, the wheels seem to have fallen off the sovereignty argument for many organisations. Which is both weird and worrying when you consider how popular the cloud storage model has become in such a short time, and how bullish governments have become with regard to accessing all data under the guise of terrorism detection.
Jurisdictional issues cannot be ignored, no matter how complex they become. This has not been lost on the UK government, which understands that personal information held by the public sector must be hosted within national borders, and as it moves towards increased use of cloud services, so the drive in demand for in-country hosting amongst private sector companies could follow.
The argument being, and this one I agree with, that developers of such storage facilities will want to ensure that in-country hosting can be guaranteed in order to prevent losing business, or at least prevent certain types of data storage from being a no-go area. Already some of the biggest cloud providers are finding that they are excluded from bidding for services within the public sector as they don't have any data centres in the UK.
As services such as the HM Government CloudStore get established, and noticed, so the potential for private sector adoption of a UK-orientated cloud will emerge. Location has always been important; it remains important in the cloud, and before long British business will start to have a real choice when it comes to determining the sovereignty of their cloud-based data stores.