Losing Control Of Almost Everything In The Cloud
Written by Mark Rasch
Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
As retailers embrace the cloud for its flexibility and convenience, they might want to also consider a very serious potential for loss of control. Legally, we’re talking three different types of control loss: Your loss of access to the data; your customers’ loss of the ability to access your services; and the potential for your confidential data to become government public records and to then find its way to your competitors.
Paranoid? Not any more. Recently, the U.S. Government, in cooperation with the Government of New Zealand, took down the copyright pirate site “MegaUpload” and had its founder arrested and detained awaiting extradition. Irrespective of the merits of the copyright infringement lawsuit, the government is now seeking to seize and possibly destroy all of the site’s content, including non-infringing content shared on the P2P site. Family photographs, video, documents or other records that merely reside on the site have already been subject to U.S. and N.Z. inspection, seizure and copying. Now they may be destroyed.
Add to this the fact that the U.S. Government may be introducing legislation allowing the government to “take over” companies’ IT infrastructure if it believes the company is not doing an adequate job of security, and we create just what merchants seeking to jump into the cloud don’t want—fear and uncertainty.
The MegaUpload case points out one of the problems with outsourcing, generally, and the cloud, in particular. As more content and activity migrates to the cloud, more unlawful activity will also migrate to the cloud. This is not just copyright infringement or botnets, but garden variety frauds, swindles and thefts.
In addition to illegal activity, other activities that governments may want to limit or suppress, such as online demonstrations, protests or political activity, will occur on cloud providers. A government may seek evidence from cloud providers, may seek to stifle or prevent activity or may seek to shut down or seize cloud providers or their customers’ data. If the government believes that the activity is systematic or, worse, that the cloud provider itself is engaged in unlawful conduct, the government may seek to seize all of the operations of the cloud provider.
The nature of the cloud is such that it is likely to be subject to legal process and demand virtually (pun intended) anywhere. Thus, a U.S.-based entity storing information or documents on a “cloud” provider with facilities in Denmark, the People’s Republic of China and South Africa may find its documents or records seized by law enforcement or other agents in any of these countries. With Mutual Assistance in Legal Affairs Treaties (MLATs), any country could ask the assistance of any other country to take down an offending cloud provider, seize the records and send them to the other country.
The problem is not always solved by geography. A U.S. customer of a U.S.-only cloud provider still runs the risk of either that provider or a user of that cloud running afoul of the laws in Bulgaria or Singapore, or that the U.S. Government on behalf of those requesting nations may take down that cloud provider and seize its “information assets.” Remember that the user may not have done anything wrong and may not be the subject or target of the seizure.
Years ago, I was involved in a case where a client wire-transferred funds from one bank to another, and the money travelled through the Bank of Credit and Commerce International (BCCI). Because BCCI was suspected of criminal activity, its assets were seized—and those assets included my client’s funds. The client lost their money, because the bank had committed an unrelated crime and the U.S. Government seized the bank’s funds. The same is true of the cloud.