“It's 106 miles to Chicago, we got a full tank of gas, half a pack of cigarettes, it's dark, and we're wearing sunglasses.”
At SharePoint Saturday my session spawned a debate about access to your data if it’s in the Microsoft Cloud (e.g. SharePoint Online or BPOS), I made a reference to men in black suits and sunglasses, I wasn’t referring to Jake and Elwood ;)
More like the tall guy at the start of Half Life (G-man)…
Simon May (www.simon-may.com), an IT Pro evangelist at MS, and all-round nice guy, was of the opinion that as the data centres (for UK/EU clients) are here in the EU (Dublin and Amsterdam) the US agencies (the men in dark suits and sunglasses) have no rights to your data.
Matt Groves (www.mattgrovesblog.com), was of the opinion that as MS are a US based company they can be issued a closed subpoena that forces them to give the men in dark suits and sunglasses access to your data, and prevents MS telling you (the client) that they (MS) have granted access to your data.
This is a complex issue.
Simon has blogged a very good explanation of the issues here: http://simon-may.com/uncategorized/who-can-legally-get-to-your-data-in-the-cloud/
I am the speaker he refers to, and IMO [although a complex issue] it boils down to: can the men in dark suits get access to your data? To which the answer (with caveats, of course) is “yes, if they issue a lawful request” (and MS can’t tell you about it).
To be fair to MS, they will fight your corner, where they can, I think Simon covered their position quite well in his post:
Microsoft is sensitive to the fact that companies want to control the parties to whom their information is disclosed and believes that its customers should control their own information. Accordingly, if law enforcement approaches Microsoft directly for information hosted on its systems for its enterprise customers, Microsoft will unless prohibited by law redirect law enforcement to the customer.
Microsoft will only provide customer records where it is legally required to do so and will limit the production to only that information which it is required to disclose.
In the event that Microsoft received what it believed to be an unlawful or otherwise invalid request for data from the U.S. government, U.S. law provides mechanisms for a provider to challenge a subpoena, court order, or search warrant. If necessary, Microsoft’s legal compliance lawyers will directly contact the requesting law enforcement agency to explain the issue and seek a resolution that adequately addresses Microsoft’s concerns.
[source for above quote: http://simon-may.com/uncategorized/who-can-legally-get-to-your-data-in-the-cloud/]
Where does that leave us on the cloud debate?
Realistically, no further forward, but, no further back.
I’ll still be on my guard though, and if a man like the one below comes knocking, I’ll be running for my crowbar ;)