Speaker Key: PB: Phil Brown, DW: David Whelan
PB: Hi, it's Phil Brown. I'm here with David Whelan and today we are going to talk about Cloud location.
DW: Location, location, location. We all know how important that is, but you may not think about it when you go to your Google website and log into your apps, or check your email, or when you go to your Microsoft One drive and upload or download a file. You may not think about where that Cloud actually is.
PB: It is not that easy, necessarily, to find out where that Cloud is. When we talk about the Cloud, we are talking about where those massive servers are kept by those thirds parties that are holding your information.
DW: The Cloud is a set of different layers and the layer that most of us interact with is called the software as a service layer, SAS, and so, in some cases, when you are dealing with Google or Microsoft or a really big company, you may be dealing with the company both at the software level and also at the platform level or the infrastructure level, which is the physical piece of the whole Cloud. If you are dealing with other smaller companies, you may actually only be dealing with the software piece of it, and so you may be dealing with, say, a Canadian company that has a software product in the Cloud who is using an Amazon or Windows as your Cloud platform that is based somewhere entirely differently in the east coast or west coast of the US or an entirely different continent.
PB: And they are often redundant as well. There may be an east coast and a west coast, and then maybe it is a server farm in Texas as well.
DW: That is a good sign, actually, because then if one of those goes down, your practice does not go down with it. But, yes, you really have no sense of knowing where those are and you can contact your vendor, Google or Microsoft, or certainly the smaller companies may be more amenable to telling you where their data centers are and how redundant they are, but it can be very tricky to know for sure. And the bigger the company, the more likely they are to say that they are really not going to disclose where their data centers are for the security of everybody.
PB: And even a company like Cleo, for instance, which does practice management software, they deal with a third party themselves: Amazon. So, somewhere there is an Amazon with Cleo information which, of course, is your information and it could be anywhere.
DW: We have sort of gotten past the point where lawyers in Canada are worried about the USA Patriot Act . They still may be worried about USA servers, US based servers, but it is not so much the Patriot Act that is the bug-a-boo. So, how much do you need to worry about where your Canadian client documents, the Canadian client confidential information, is being stored and what can you do about it?
DW: That is a good example, really, of two of the issues that you have. There are some faculty at the University of Windsor who have done a regular review of the terms of transmission that internet service providers in Canada have. You may have gone to the effort of finding a Canadian-based Cloud computing company, so that all of your information is being stored in Canada, but you may find that the transmission of your data is actually traversing into the United States and then back into Canada because most of the ISPs, internet service providers, in Canada do that. Most of them send your information across the border, even if you are going to a Canadian server.
PB: Sure, and I know I have exchanged information with the Law Society servers before and I live a few miles away or a few kilometers away, and I can track my information and know it has travelled through the US and other countries before it gets to the destination three kilometers away.
DW: It is one of the reasons you have to be really certain that you are sending your information in an encrypted format and having it stored in an encrypted format. It does not mean you actually have to apply encryption yourself, but you need to be using a web-browser and a secure connection and making sure that your Cloud provider is also secure. It does not get you away from the issue of where the location is, but at least the transmission then is being protected.
PB: And there has been some litigation already about Cloud locations.
DW: Yes, one of the interesting things that has come up, and it is interesting from a Canadian perspective, because the case does not involve Canada or the US directly. Microsoft was asked to divulge some emails of an Outlook or Hotmail user, but the user was based on Microsoft's servers in Ireland, and so Microsoft told the US government that it was not going to disclose it. You can follow the case, it is in New York and I think the latest briefs and things were filed at the Second Court of Appeals or Court of Appeals for the Second Circuit for the Federal level. But you will find that the EU data protection laws have essentially, Microsoft saying, they trump the ability of the American government to reach out to Ireland and pull that document out.
So, I think one of the interesting things is, in the past we have had the discussion with lawyers: do you place your content only in Canada or can you place it in the US or other places? And really, the other places option is becoming a viable alternative. You might find that putting your client confidential information in an EU data centre, Ireland or wherever, could be a better alternative than putting it onto an American server, and you could still use something like Microsoft's Windows or Amazon web services and the company that uses that, but use the data center in those locations. When you sign up for Office 365 from Microsoft, you can choose which data center you want too, so the location stops being a binary one of, "Do I put it in Canada or do I put it in the US?" You really can start to choose a little bit more because we are seeing more technology for lawyers being available in different jurisdictions with, in some cases, better laws.
PB: And, you know, people get a little fussed about information being in the Cloud and that sort of seeming lack of control over that information because it is in someone else's hands, but, of course, if it is supposed to be encrypted and it is encrypted from your point to their point, it should be somewhat safe.
DW: It should be and if you are really worried, you can always do the pre-encryption to encrypted getting up. That can be a hassle when you are trying to interact with it, but again, it really is a matter of what your clients are comfortable with and what you are comfortable with. I know that I have heard from one law firm here in Ontario that said that they had a client who said if you have my data, it has to be on a server that is physically located in Canada. You will have some clients or maybe some practice areas where that becomes a mandatory step, but I think the interesting thing is that the location option, you should know where your files are as much as possible and I think that is something that is one of those easy questions to ask and hopefully is an easy one to get an answer for, at least down to the continent. But, with companies like Open Text opening a data centre in Australia, and Microsoft having data centres in the EU, I think there really are other options that you can think about where you might find better protection than just leaving it in Canada or just leaving it in the US.
PB: Sure, and there are other options as well. I mean, you mentioned pre-encryption, which would be encrypting the information yourself at your desktop or mobile device before you upload it into the Cloud, so it is encrypted by you. Then it travels through an encrypted path to get to their server and then is encrypted there as well, so it is almost a double, if not triple, protection and, I suppose, one wonders is encryption safe or do the various governments have all the keys to all the encryption and some people would say yes, they do. But at least you are making the efforts to store that data safely and you have taken steps along the way to protect your clients.
DW: Right. I was at a Montana bar session and a fellow said, "But can you protect me from the NSA?" and this was before Snowden had brought it up, and I was, like, "Well, you know what, I'm not sure that being able to outdo the NSA is really your professional obligation. You may still want to do that, but I think it's different from your professional obligation."
PB: And we did talk about this in another podcast on retainer letters. It is probably not a bad idea to discuss with your client where you are going to store their confidential information because you probably will get clients who want to opt out of storing their confidential information in the USA, perhaps, if they have business interests there or maybe in the EU because they have some issues there.
DW: If you are able to get information from your vendor about the standards that it has for security for encryption and for the location of your data, that can be really useful information to share right up front with your clients or at least have, if the question comes up later on.
PB: Absolutely, and let your clients know what steps you take to store their information, if they are interested, and what it is going to cost them to recover that information at some point if that is necessary.
DW: So, now you know all you need to know about Cloud locations.
PB: And at least that's part one. Thank you, David.
DW: Thanks, Phil.