Is there a hidden export control issue the Cloud's yet to face?
Here's a thought - could you be breaking export control regulations just by sending an email? That's the latest piece of (perhaps slightly paranoid) thinking to emerge from US think tank the Brookings Institution, which has been pondering some of the less considered implications of the Cloud.
It all comes back to data transfer and cross-border rules, with Brookings' Center for Technology Innovation noting that the current lack of clarity about how Cloud Computing sits with legislation designed before mainstream Cloud adoption might cause some problems in the years ahead.
"There is an inherent tension between Cloud Computing and export control," worries John Villasenor, senior fellow in governance studies at the Center for Technology Innovation at the Institution.
"While the concept of the Cloud is centered on the premise of removing the need to track the details of data movement among various destinations, export control regulations are built largely around restrictions tied to those very movements. If Cloud Computing is to reach its full potential, it is critical for providers and users of cloud services to address its implications with respect to export control. It is equally important to adapt the export control regulations to reflect the increasing prevalence of Cloud Computing."
Of course, the cross-border issue is one that has already been on the agenda of Cloud services providers, typically US ones who want to trade in Europe. While Brookings approaches the matter from a US perspective - with a particular focus on how existing regulations might inhibit US economic growth - the European Commission is itself wrestling with how to deal with the hosting and transfer of sensitive data across international borders.
With public sector organisations around the world set to embrace the Cloud, the presence of a data centre within national borders is presumed to be a minimum requirement for hosting sensitive data. Hence the likes of Oracle opening a UK-based CRM On Demand data centre in Scotland, and the intentions of Dell and Salesforce.com (the latter still to be firmed up) to establish data centres in the UK in the near future.
The Brookings study does pose an interesting question: when does a user of a Cloud service become classed as an exporter and therefore subject to US Export Administration Regulations (EAR) controls? The answer, it seems, is 'remarkably easily', and typically inadvertently:
"A US citizen, located in the United States, sends an e-mail containing EAR-restricted information in the body of the message to Person B, a US citizen who normally works at a location in the United States. Unbeknownst to Person A, Person B is on a short trip overseas. Person B logs onto his e-mail while overseas using a public computer in the lobby of his hotel, sees that he has an e-mail message from Person A, but since he does not have any reason to believe in advance that it will contain EAR-restricted information, proceeds to click on the message and read it."
Gotcha, bang to rights! Even if that's not entirely fair, as the report suggests:
"Person A sent the information that was received abroad, but she did so on the good faith belief that it would be delivered to a U.S. citizen recipient within the United States. Person B downloaded the information from an e-mail server onto the computer in the lobby of the foreign hotel, but did so without any advanced indication or notice that the downloaded message might contain restricted information."
OK, so there are inherent dangers in checking your email when you're abroad. But what about the wider business to business or enterprise implications? Hold onto your hats, this is going to be a bumpy ride. Brookings offers a couple of scenarios to illustrate the complexities involved.
Scenario One: A US user signs up for Cloud processing services with a US provider that initially has servers located only in the US. All fine. But then the provider opens a data centre in Europe in order to pitch for European business. Now, of course, with two data centres operating in different time zones, the provider can optimise server usage and reduce infrastructure costs by shunting workload back and forth between data centres at times of high demand. Inevitably, at some point, US data is likely to find itself in a European data centre and vice versa. Oops!
Scenario Two: A company using Cloud-based infrastructure services runs a distributed computing application that includes EAR-restricted software. This software comprises a set of three different modules that run sequentially, and run on servers allocated by the Cloud services provider - which in some instances might be physically located outside national boundaries. OK, simple violation, surely? Er...maybe not. Villasenor notes:
"Suppose that the first software module is run overseas and the second and third modules are run in the United States. Suppose, further, that the first software module does nothing more than partition non-export-controlled data into a series of identically sized blocks as a first step in an otherwise export controlled encryption algorithm. In this case an argument might be made that no export control violation has occurred."
OK, so it's all ruddy complicated, and fraught with the potential for inadvertent mistakes as well as planned strategic ones. So what's to be done?
In Europe, the European Commission is exploring the situation and the need for potential changes to Europe-wide law, but the wheels of Euro-bureaucracy grind slowly and are frequently stuck in their tracks by nationalistic vested interests.
It's not going to be much easier in the US, though, where export control oversight authority is currently held by the Department of Commerce, Department of Defense, Department of State, the Treasury Department, the Department of Energy and the Department of the Interior. Add to that the Nuclear Regulatory Commission, the Environmental Protection Agency and the Food and Drug Administration, among others, all with a finger in the regulatory pie, and the challenge of achieving a consensus becomes apparent.
That said, Brookings rises to the challenge and offers three sets of recommendations to make life a little easier - well, easier from the perspective of being a US citizen or business.
For Cloud services providers:
- Offer users the ability to exert some level of control over the physical location of Cloud resources
- Potentially charge a slight premium to ensure the assignment of servers based in the United States (or other national boundaries presumably)
- If a service provider offers users the option to restrict computations to servers within national boundaries, users may want assurances that they will not encounter deemed export problems in their routine customer support interactions with the service provider
For users of Cloud services:
- IT professionals should ensure that all relevant stakeholders participate in any decisions to transition away from private Cloud environments, and that attention is paid to export control concerns
- Any organisation planning to deploy software employing restricted forms of encryption, dynamic adaptive routing, or other processing subject to the EAR on resources in the Cloud should consider the associated export control implications
- Update employee training and education programmes to address the implications of the Cloud with respect to export control
- Buyer beware! Be prepared for the small possibility that a provider may violate a contractual obligation to avoid export, either inadvertently, or intentionally to save costs
For (US - but maybe for us, too?) regulators:
- Get involved - but not too involved as "the tradeoffs at the intersection of Cloud Computing and export control are particularly nuanced"
- Produce guidance on whether it is ever permissible, and if so under what conditions, to execute portions of EAR-restricted software that involve generic computations commonly found in non-EAR-restricted applications on servers abroad
- Produce guidance on whether the inability in some Cloud service offerings to identify which individual computer server is being used for a particular computing function impacts the application of the EAR
- Update export control regulations to support increased security of Cloud-based applications
Villasenor concludes with a suitably patriotic rallying cry: "Given the importance of export control in protecting American national security and foreign policy interests, it is incumbent on all participants in the Cloud Computing ecosystem to examine their use of the Cloud to ensure compliance with existing export control regulations, and to minimise the opportunities for Cloud-based systems to be exploited in violation of those regulations. Regulators can also play an important role in providing guidance and potentially in updating regulations to help American businesses benefit from Cloud Computing."
So while the study may be unashamedly American in its world view, the questions it raises are inherently global in nature and demand a global response. The chances of them getting such a response, however...