Is Google the new Rome?

Cloud computing may be leading to a federation-like worldview on data management, but national laws will be a major obstacle

In some ways, Google is a digital Rome. Instead of extending roads to connect its empire, it builds data centers worldwide and challenges local rule not with swords, but with tools and information.

It is a company that probes the perimeters of censorship in China and tests the limits of privacy laws in Europe, sometimes with consequence, as it expands its cloud computing empire.

On Monday, Google received a letter from 10 nations, including Canada, France, and Britain, telling the company that the "privacy rights of the world's citizens are being forgotten as Google rolls out new technological applications."

Google's Rome-like worldview extends to how it will treat the location of customer data. Google is not offering U.S. businesses any specific assurance that their data will be stored in a U.S.-based data center.

It is making an exception for government customers, such as the City of Los Angeles, which, as part of its contract to move its 30,000 users over to Google Apps, will have its data housed in Google's U.S.-based data centers.

From Google's perspective, "specifying data location made more sense when all data was within the organization's firewall," Eran Feigenbaum, director of security at Google Apps, said by email.

"In the world today where we have partners, vendors, multiple offices, employees working remotely, the Internet, email etc. 'Where is my data located?' should probably not be the first question we ask," Feigenbaum said.

"When I send an email to my vendor or client, the way all email works, it can travel half way around the world before it gets to them -- even if they work down the street," he said.

"So the primary questions companies should ask are 'how is the data protected?' 'Who has access to it?', and 'How do I evaluate what my IT vendor is telling me about their practices?'"

Microsoft is telling its U.S. customers that their personal data will remain in the United States. "Our goal is to be as transparent as possible about our commitment to the security of our customer's data and we understand that today maintaining data in the U.S. is an important requirement for many of our U.S. customers," said Susie Adams, Microsoft's federal CTO.

Legal experts say that all the questions raised by Feigenbaum are part of the due diligence process in working with a cloud provider, but that none of those questions are at the expense of location.

"As a cloud computing client you lose an enormous amount of control, legally and jurisdictionally if the data gets outside of the United States," said Christopher Cain, an attorney in Foley & Lardner's IT and outsourcing practice. He said users need to ask as part of their due diligence process about the location of the data.

There are a number of laws that prevent some types of data from leaving the United States, especially those connected with export controls. However, by and large, U.S. companies don't face anywhere near the restrictions imposed by the Europeans under their privacy directive.

"None of the U.S. privacy laws would prevent you from shipping data to data centers all over the world or outsourcing it to India," said John Nicholson, an attorney at Pillsbury Winthrop Shaw Pittman's privacy and data protection practice.

A potential risk is that a government could want data on a particular server, but in the process take all of the data, regardless of whether it is related. "That server (or hard drive) is theoretically subject to the law of the country in which it is sitting," said Nicholson.

But there is also the risk-benefit aspect of it. "If somebody is going to be attacking your systems, the geographic location of your server probably doesn't necessarily make that big of a difference," said Nicholson. "What probably makes a difference is the entity that is hosting your server," he said.

Nicholson asks, instead, who is likely to have a better information security platform: the City of Los Angeles or Google? Google's business model "will go under if they significantly fail at information security," he said.

Los Angeles may have a lot of resources "but it is operating under a different model than Google," he said.

Adam Smith, the chief legal officer at Terremark Worldwide Inc., an IT infrastructure provider, said his firm will honor location requests to keep data in the U.S. But the concern about data location isn't a U.S. issue alone. One European customer who wanted a fail-over location in the United States couldn't because of European privacy laws, Smith said.

Microsoft is building out global data centers, and in the long run it doesn't want to be constrained in its ability to shift compute resources as needed globally. Indeed, the cloud computing industry wants an empire or federation-like view of cloud computing, with services that can be delivered globally under a uniform set of rules.

Microsoft has been arguing for lawmakers to take action. The company's top legal officer, Brad Smith, argued in Washington earlier this year for Congress and governments, generally, to sort out the laws on cloud computing. Smith said a multilateral agreement, perhaps "a free trade zone, so to speak, for data packets," is needed.

Patrick Thibodeau covers SaaS and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld. Follow Patrick on Twitter at @DCgov or subscribe to Patrick's RSS feed. His email address is pthibodeau@computerworld.com.

This story, "Is Google the new Rome?" was originally published by Computerworld.
