Media Releases

Outsourcing Canadian data to the ‘cloud’? Think again.

September 14, 2015

U of T researchers challenge faulty bases for previous outsourcing decisions

TORONTO, ON – Thinking of outsourcing Canadians’ personal data to the cloud? Finding the apparent cost savings and convenience of large US cloud service providers like Microsoft and Google increasingly irresistible? Already taken this step, believing that the privacy risks of doing so are comparable to the data remaining in Canada? Think again.

Researchers from the University of Toronto have found that if you are storing, processing and/or routing data in the cloud outside of Canadian jurisdiction, that data loses important Canadian legal and constitutional protections. Their findings raise serious concerns about the privacy of our data in the cloud, including children’s data, timely given yesterday’s announcement that Nova Scotia is moving its entire K-12 school system to Google Apps for Education.

The results of the yearlong study are reported in Seeing Through The Cloud: National Jurisdiction and Location of Data, Servers, and Networks Still Matter in a Digitally Interconnected World.

A press conference will be held tomorrow from 12-12:15 at the opening of the launch event for the report. The report will be released to the public at that time along with four supporting reports co-authored with contributing researchers on our public website: http://ecommoutsourcing.ischool.utoronto.ca/. The executive summary and table of contents are already available for download.

To receive an embargoed copy of the report in advance, please contact our event organizer, Ms. Susie Colbourn (susie.colbourn@utoronto.ca). For other inquiries, please contact the Principal Investigator, Heidi Bohaker at heidi.bohaker@utoronto.ca.

EVENT DETAILS:

WHAT: Press Conference, followed by launch and discussion of Seeing Through the Cloud, with brief introductions by Lisa Austin, Heidi Bohaker, Andrew Clement and Stephanie Perrin. Light lunch provided.

WHEN: PRESS CONFERENCE: Tuesday, September 15, 12-12:15 pm.

WHERE: Sidney Smith Hall Room 2098, 100 St. George St. University of Toronto.

WEBSITE: http://ecommoutsourcing.ischool.utoronto.ca/

QUOTES FROM AUTHORS AND COMMENTS FROM ADVANCE REVIEWERS:

The report’s findings are especially timely in light of the recent disclosures of the extraordinary scope and questionable lawfulness of the mass surveillance programs conducted by the US National Security Agency (NSA).

As Professor Andrew Clement notes “The Snowden revelations of mass government surveillance mean that Canadian organizations should not outsource the handling of our personnel, confidential or other sensitive information to US companies like Microsoft or Google. Instead, we should be strengthening Canadian internet infrastructure so we can keep domestic data more local, protecting it better while improving network efficiency and performance.”

Professor Heidi Bohaker says that, as a historian “I think of eCommunications systems as rich information archives of conversations and ideas that are internal to organizations and internal to schools. Why should this private data be stored outside of Canada?” In addition to personal information, these systems contain ideas in development, intellectual property, strategic planning, confidential educational, employee medical and performance issues and research and development data that deserve our highest standards of privacy protection.”

Professor Lisa Austin points out that “Under the Canadian Charter of Rights and Freedoms, the question is never whether the state can access personal information but rather what kinds of protections should govern the terms of that access (such as the requirement of a warrant on reasonable and probable grounds). This constitutional question needs to be asked when comparing privacy protections across jurisdictions.”

Ms. Stephanie Perrin, one of the report’s co-authors, notes that “we must exert more control over transborder dataflow if we hope to manage ubiquitous cloud computing and preserve our privacy rights… Those who studied this issue in the 1970s and 1980s not only predicted the development and growth of these new networked technologies, they also correctly identified the risks of data captured by foreign governments and other non-state actors.” Ms. Perrin is a doctoral candidate at the University of Toronto. She is also recognized as an international expert in privacy and data protection and has served in several positions in the Canadian Government, including as Director of Research and Policy in the Office of the Privacy Commissioner.

The Seeing Through the Cloud report is already garnering support and praise from independent legal, privacy and surveillance experts.

Heather Black, former Assistant Privacy Commissioner for Canada, and author of one of the early decisions used in justifying current outsourcing decisions: “In their excellent paper on Why Jurisdiction Still Matters, Lisa Austin and Daniel Carens-Nedelsky have argued that the “similar risk” analysis as applied in the CIBC Visa case is wrong and that it should not be relied upon by the universities… In light of the Snowden revelations I believe it would be foolish indeed to blindly follow the CIBC Visa “precedent” especially when the personal information at stake is something as sensitive as emails. ”

Professor Colin Bennett, a Political Scientist and privacy expert, University of Victoria: “The Report “Seeing through the Cloud” should remind us what a fundamentally misleading concept “cloud-computing” actually is… Based on detailed legal analysis, careful empirical investigation into outsourcing by Canadian universities, this report reminds us that jurisdiction matters, the routing of communications matters, and national laws still matter.”

Vincent Mosco, Professor Emeritus of Sociology and former Canada Research Chair in Communication and Society, Queen’s University: “This project makes an important contribution to Canadian research and policy analysis on a significant, but poorly understood, area of the online world. As it convincingly demonstrates, there are significant privacy implications in the movement of data to the Cloud and while it is sometimes less expensive to locate data outside Canada, there is considerably greater privacy protection for data that remains in Canada. In order to save money, institutions like universities are placing the records of employees and students at great risk by moving it to foreign servers.”

David Lyon, Professor, Sociology, Queen’s University: “This is a model of good report-writing… The key finding is that local jurisdictions do create different situations — the idea that ‘similar risks’ occur wherever you live is simply misleading…This is not an argument against using new digital communications but rather a plea that the policies that shape their use be recognized and reformed to offer genuine protections where they are most needed.”

This project has been funded by the Office of the Privacy Commissioner of Canada (OPC); the views expressed herein are those of the author(s) and do not necessarily reflect those of the OPC.

– 30 –

Available to media:
Heidi Bohaker, History, heidi.bohaker@utoronto.ca [will call back mediain response to emailed request]
Andrew Clement, Information, andrew.clement@utoronto.ca , 778-354-3000

Additional contacts:
Lisa Austin, Law,lisa.austin@utoronto.ca
Stephanie Perrin, Information, stephanie.perrin@mail.utoronto.ca
University of Toronto

External Reviewers

Heather Black, Former Assistant Privacy Commissioner for Canada, h_black@rogers.com

Prof. Colin Bennett, Political Science, cjb@uvic.ca
University of Victoria

Prof. Emer. Vincent Mosco, Sociology, moscov@mac.com
Prof. David Lyon, Sociology, lyond@queensu.ca
Queens University

To RSVP for the Seeing Through the Cloud launch event on September 15, please contact:
Susie.Colbourn@utoronto.ca