agencies now must adopt cloud where it is fit for purpose, provides adequate protection of data and delivers value for money.
The government’s goal is to reduce the current spending of approximately A$6 billion on information and communications technology services annually “by eliminating duplication and fragmentation” and to “lead by example in using cloud services to reduce costs, lift productivity and develop better services”.
Cloud computing – where data is stored and managed on a network of remote servers hosted on the internet, instead of a local server – has several advantages, so there is little surprise in Australia’s move towards increased and smarter cloud computing use. But if we look abroad, we see that it’s not always smooth sailing.
Cloud first, security first(ish)
The government’s media release emphasised a significant structural change giving agency heads the power to approve proposals to place certain information in either offshore or domestically hosted clouds:
The removal of this unnecessary red tape will promote productivity and the efficient use of Government resources.
Cloud computing has the advantage of being more responsive to changing needs, it may increase efficiency and be a cost saver. Put simply, it may deliver a better service cheaper.
All of this sounds great, but cloud computing also has some not-so-good sides.
In some ways, cloud computing leads to a loss of control of data, and losing control of governmental data may have extremely harmful consequences.
The privacy implications of cloud computing are well documented. Indeed, five years ago, the Australian Privacy Foundation issued a policy statement identifying a range of important privacy considerations in the adoption of cloud computing, such as:
- transmission and storage of data
- reliable access and network connections
- adherence to privacy laws.
Importantly, the government’s 2013 paper Privacy and Cloud Computing for Australian Government Agencies acknowledges some of the privacy concerns involved.
But it obviously remains to be seen exactly how protected the privacy of Australia will be in practise. Examples such as the much-criticised cloud computing use of Salem Municipality in Sweden may serve as a reminder of the concerns involved.
In that case, the municipality’s careless adoption of Google App services received strong criticism from the Swedish Data Inspection Board.
The Data Inspection Board pointed to flaws in the arrangement between the municipality and Google in crucial areas such as data security, control of the personal information, the liability arrangement, and what country’s law was governing the relationship between Google and the municipality. The Board expressed the view that, since the municipality is bound to abide by Swedish law, it should have made sure that the data processing carried out by Google also was governed by Swedish law.
Location, location, location
One matter that deserves particular attention is the fact that location still matters, even though the Internet is often talked of as making geography irrelevant.
First of all, a key component of Australia’s data protection regime is restrictions placed on data leaving Australia.
Further, the importance of the location of physical infrastructure was highlighted when reports surfaced last year that the US National Security Agency (NSA) had tapped into main communications links that connected Yahoo and Google data centres.
On this matter it is also worth considering the value of data location when it comes to law enforcement. The removal of data is easily done if you have access to the one location the data is stored. It is precisely because of location – and more specifically the fact that data often exists in more than one place – that it is so difficult to remove Internet content, so location clearly matters.
Having said this, it must be remembered that physical location is only one consideration. As the ongoing dispute between Microsoft and the US government reminds us, wherever a company is subject to the laws of a foreign country, that foreign country may pressure the company to disclose information even where such a disclosure represents a violation of Australian law.
A LAN down under, no more
Here it is worth stressing the fact that most major cloud computing providers are based in the US and therefore subject to data requests by the US government.
The Australian move towards increased cloud computing use comes at a time when the European Union is discussing the possibility of creating an EU-only cloud.
Propelled by the fear of foreign law enforcement agencies, created by the so-called “Snowden revelations”, these discussions are gathering momentum.
The complexity of cloud computing is such that much remains to be clarified before we are likely to see an EU-only cloud. The question for Australia is how far similar discussions should be advanced also for us.
And regardless of whether Australian government agencies choose overseas or domestic providers, it will be interesting to see how “cloud first” will unfold – and what the Coalition has learnt from international lessons.
Professor Svantesson is the recipient of an Australian Research Council Future Fellowship (project number FT120100583). The views expressed herein are those of the author and are not necessarily those of the Australian Research Council.
Professor Svantesson was a Deputy-Chair of the Australian Privacy Foundation at the time the mentioned Policy Statement was written, and he contributed to its drafting.