Microsoft Knows It Needs To Be ‘Explicit And Transparent’ With Customer Data
As Microsoft sues US gov for the right to alert customers when their data is snooped upon, its cloud director tells TechWeekEurope ‘trust’ is at heart of Azure strategy
Microsoft has told TechWeekEurope that it needs to be explicit and transparent in alerting customers to when their data may be handed over to any third parties, including “surveillance” agencies and the US government.
The company’s comments came two days before Microsoft sued the United States government for the right to tell its customers when a federal agency may be snooping on their emails and other data stored on cloud servers.
Microsoft filed its lawsuit on Thursday, and said authorities are breaking the US Constitution by stopping Microsoft from warning customers about government data requests.
On Tuesday, Microsoft director of cloud computing Ruediger Dorn told TechWeekEurope: “Our strategy is to be as transparent as possible. Where’s the data? How’s the data routed through the networks? When do we disclose any of the data to any party, any surveillance agency and under which circumstances?
“[We need to be] explicit and transparent to the customer.”
Dorn was outlining to TechWeekEurope Microsoft’s strategy of placing privacy and security at the heart of its Azure cloud in the hope of gaining more customers.
Microsoft’s official view on government data requests is as follows: “We do not offer direct access to customer data. We believe that you should control your own data. Microsoft does not give any third party (including law enforcement, other government entity, or civil litigant) direct or unfettered access to customer data except as you direct.”
But by taking advantage of the Electronic Communications Privacy Act (ECPA), the US government is directing an increasing number of investigations at the companies storing data on the Azure cloud, Microsoft said in the lawsuit. The ECPA is 30 years old.
Fourth Amendment
Microsoft alleges that by blocking it from alerting customers when their data might be exposed, the government is breaking the Fourth Amendment, which gives citizens the right to know if the government is searching their property.
“People do not give up their rights when they move their private information from physical storage to the cloud,” Microsoft said in the lawsuit.
Dorn said that trust is of the utmost importance to Microsoft. When it comes to compliance and data regulations, Microsoft wants to send a strong message to customers that their data is safe on its cloud platform Azure, where a large proportion of a customer’s sensitive data can reside in a data centre run by Microsoft.
“What should customers look for from cloud service providers? My statement is, from a Microsoft perspective, trust has always been a central piece of our cloud services,” Dorn said.
Privacy Shield
On this side of the Atlantic, Microsoft also got busy throwing its weight behind the new Privacy Shield framework, a revision of the Safe Harbour transatlantic data sharing treaty.
However, Privacy Shield has been sent back to the drawing board by a key European data protection group.
The Article 29 Working Party (WP29), composed of watchdogs from influential member states, was not happy with the new agreement as they considered it inadequate in a number of key areas.
But Dorn told TechWeekEurope: “Privacy Shield is something that is ongoing, and I would argue this is above Microsoft’s head, this is between Europe and the US. For us it’s more how can we make sure that our customers trust Microsoft Cloud.
“The first thing about Privacy Shield, we introduced the model clauses years ago. It is the only viable commercial vehicle at the moment until Privacy Shield comes into operation.”
The EU Model Clauses are contractual clauses used in agreements between service providers like Microsoft and its customers to ensure that any personal data leaving the European Economic Area will be transferred in compliance with EU data protection law and meet the requirements of the EU Data Protection Directive 95/46/EC.
“Of course we use the model clauses. We also adhere to upcoming standards. If there are cloud standards we work towards them,” said Dorn.
Dorn told TechWeekEurope that the US government has never obtained customer data from a Microsoft data centre unlawfully, but that doesn’t mean customers might not worry about it. Dorn said it’s human nature for people to worry about things that are unlikely to occur.
“We’re very concerned about very unlikely things,” he stressed. “Like, what are the chances that the US Government seizes disks in a data centre? That has never happened, and the chances are very, very low.”
Lawful
However, when Microsoft does receive so-called ‘lawful’ data requests from governments, the company offers up that data. One such instance was in the aftermath of the Paris terrorist attacks last November.
Microsoft said it received 14 lawful requests for data related to terror suspects in France and Belgium, and responded to the government requests within 30 minutes. Issues of national security are obviously an exceptional circumstance.
Dorn sees value in Microsoft’s Platform-as-a-Service (PaaS) offerings such as artificial intelligence and machine learning to track down criminals.
“This is where the value comes, this is what allows you to track criminals and terrorists,” he said, discussing how Azure’s platform competes with public cloud rivals Google and Amazon.