Once again - US cloud service. Two words from Europe.
PATRIOT Act.
Thanks, but no thanks.
Amazon Web Services is touting a cloud-hosted email system to the world of big business. The web giant hopes to invade the enterprise email sector with a web-based service called WorkMail, and gobble up companies running Microsoft Exchange. AWS said the off-premises, cloud-based software will provide email and shared …
You don't get it. There can be no "air-gap" with the PATRIOT Act. It applies to any US owned company - and any companies they own - US or not.
A lot of people thought like you (because the PATRIOT Act is thousands of pages and no one has ever admitted reading it in its entirety). But a few corporate lawyers have quietly pointed out that it trumps any contract law.
'You don't get it. There can be no "air-gap" with the PATRIOT Act. It applies to any US owned company - and any companies they own - US or not.'
I think it's you who didn't get it.
Contract with a friendly non-US owned company to provide the service in a non-US country on that company's non-US-owned servers as a franchise with carefully chosen T&Cs under that non-US country's law. Note that: a company not owned by a US company; such things actually exist.
Any court in the US can bleat as much as it wants but the US-owned company has no access to the service provider's servers and can't have any court-mandated request fulfilled as the T&Cs prevent the service provider from doing so and the US court's jurisdiction doesn't cover those.
For Amazon, who presumably would be thinking in terms of running it on their own cloud, it might be a bitter pill to swallow, and it would mean sharing the profits with a franchise partner. But it would be doable.
You try it.
The PATRIOT Act empowers the security services to force Amazon* to provide the information they request (secretly - you'd never know about it). Wherever that information is held, and irrespective of any contract Amazon agreed to.
If Amazon don't comply - irrespective of why - it's serious jail time for the execs.
Hence no corporate lawyer would allow Amazon to operate such a setup.
The long and short of it (Microsoft admitted this: http://www.zdnet.com/article/microsoft-admits-patriot-act-can-access-eu-based-cloud-data/ ) is that EU/Safe Harbour is meaningless if Uncle Sam comes bounding over the horizon with a PATRIOT Act notice. Nothing has changed since then, so any EU firm trusting in Safe Harbour is playing with fire.
Incidentally, I was at an IBM get-together before Xmas (they are a big supplier to us) and our Information Security Officer explained that we wouldn't be interested in their *hosted* cloud offerings (no problem if we can host). From the response, this is a frequent occurrence, and over biscuits we learned there was very high-level pressure going back to the US about it, since it was - demonstrably - costing dollars.
The PATRIOT Act empowers the security services to force Amazon* to provide the information they request (secretly - you'd never know about it). Wherever that information is held, and irrespective of any contract Amazon agreed to.
If Amazon don't comply - irrespective of why - it's serious jail time for the execs.
Did you even bother to read the comment you replied to? Amazon are in the clear if they fail to provide information they don't have access to, just as you are if they demand you hand over e.g. Russian nuclear launch codes. The current Microsoft case hinges on the extent to which access can be inherited from a wholly-owned subsidiary. If you can't see the difference I'd suggest steering clear of commenting on legal matters.