untrusted computing base

Writing this as Microsoft has lost an appeal against a court ruling that it must hand over data stored in one of it’s overseas data centers to a US authority as stipulated by the search warrant issued by a US court.

This was likely to be the verdict for a while now, and will cause problems for other US based IT cloud vendors hoping to attract business outside the US. Not as much as some may fear, as most consumers of IT services are quite oblivious. But a few, and perhaps much more that a few will have concerns. Possibly decisive ones.

We implicitly trust our IT to do what we want it to, and nothing else. When all of the IT infrastructure was in-house this was easy enough. As more and more of our IT has moved to external vendors or to the cloud this trust has become more explicit. The trust was always there. Malicious insiders is a problem of long standing and moving IT away from the their grasp has reduced the risk they pose, but in exchange for other, less clear, risks. One of those risks has been made apparent by the Microsoft case.: External jurisdictions.

The case of an employee of a Swiss bank who stole information about account holders and sold that information to various countries tax authorities, is a notorious example of how IT insiders  can harm the business and extend foreign jurisdictions. That case involved a plethora of criminal behavior, most obviously theft and the buying of stolen property. With the Microsoft verdict the tax authorities can achieve the same results without resorting to enlisting the aid of criminals.

If the bank in question had used an external data center owned or controlled by an entity in a compliant jurisdiction, the tax authorities could have gotten a search warrant against the data center and obtained the desired data; a warrant  they would not have been able to obtain against the bank itself.

Clearly the legal waters have been muddied, and only thing that is clear is that we can not trust our computing infrastructure in quite the same way that we have become used to.




Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s