The revelations about the surveillance programs implemented by the US government, and widely used by it and notable others (the UK, but perhaps more?), have brought to the fore the question: where is my data and who is looking after it? Or potentially, who is looking at it?!
I don’t intend to outline some political position; we are a cloud company, not a political party. That said, we do have guiding principles in the way we go about our business and how we treat our customers’ data. They probably aren’t on the criteria list when most of our customers are choosing between us and, say, AWS, Microsoft, Rackspace or Google (our four biggest competitors); perhaps going forward they might be more prevalent. It echoes an article written by my colleague Patrick Baillie in Forbes last year regarding the importance of legal structuring and jurisdiction. In short, our position:
From the very beginning we aimed for our cloud to have customer privacy and security uppermost in mind. That’s why customers in CloudSigma retain sole root/administrative access over their computing and we have no file system level access, unlike many other public clouds. In addition, we do lots of small things that have a big impact on your security in the long term. For example, we use ECDHE forward secrecy for the SSL on all our HTTPS connections. Long story short, it means our customers accessing our services over HTTPS (we only accept HTTPS, by the way) are not vulnerable to retrospective decryption using one master private key (see this great blog post for an overview of why that matters). Less than 0.3% of SSL usage is implemented in this significantly more secure way. We are proud to be part of the more secure 0.3%.
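To make the forward-secrecy point concrete, here is an added Python example (not CloudSigma's code or configuration) that classifies OpenSSL cipher-suite names by whether the key exchange is ephemeral and audits a server context restricted to ECDHE. The function names and the sample suite list are constructed for this illustration.

```python
import ssl

def is_forward_secret(name, protocol):
    """True when the suite's key exchange is ephemeral (EC)DHE.

    name/protocol are OpenSSL-style strings, as reported by
    ssl.SSLSocket.cipher() and ssl.SSLContext.get_ciphers().
    """
    if protocol == "TLSv1.3":
        return True  # TLS 1.3 full handshakes always use ephemeral (EC)DHE
    # "ECDHE-"/"DHE-" are ephemeral. Static "ECDH-" and bare "AES..." names
    # (RSA key transport) let whoever holds the long-term private key
    # recover the session keys of recorded traffic.
    return name.startswith(("ECDHE-", "DHE-"))

def non_fs_suites(ctx):
    """Names of suites enabled in an SSLContext that lack forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers()
            if not is_forward_secret(c["name"], c["protocol"])]

def ecdhe_only_server_context():
    """Server context whose TLS 1.2 suites are limited to ECDHE with AEAD."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

# Constructed sample: (name, protocol) pairs shaped like the first two
# fields of SSLSocket.cipher() for four different negotiated sessions.
SAMPLE_NEGOTIATED = [
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
    ("AES256-GCM-SHA384", "TLSv1.2"),            # RSA key transport
    ("ECDH-RSA-AES128-GCM-SHA256", "TLSv1.2"),   # static ECDH, not ephemeral
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3"),
]

def sample_sessions_without_fs():
    """Suites in the constructed sample that allow retrospective decryption."""
    return [n for n, p in SAMPLE_NEGOTIATED if not is_forward_secret(n, p)]

if __name__ == "__main__":
    print("sample sessions lacking forward secrecy:", sample_sessions_without_fs())
    print("non-FS suites in ECDHE-only context:",
          non_fs_suites(ecdhe_only_server_context()))
```
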
We are a service provider. The nature of hosting people’s computing infrastructure sometimes means we are in contact with law enforcement authorities; we are not, however, a law enforcement authority. That simple position has profound implications for how we behave and treat customers and their data. As such, we take reasonable steps to prevent easy abuse of our system (such as by those seeking to spam), but it is not our job to proactively monitor customer activity. In other words, we do not spy on our customers and we do not police them either.
Sadly, in these times of real or assumed threats, companies are acting as courts of law, judging who is acting lawfully and who is not. We believe it to be a basic principle in our society that only a court of law can judge if a certain action is lawful or not, and that is not for us to decide. Therefore we never judge our customers and we only act on the legal requests of courts of law.
Again, basic stuff but fundamental to how we treat customer data and requests by authorities. If we receive a complaint against a customer about abusive behaviour, spamming or whatever potentially unlawful activity, we presume the claim is false but verify. If it is subsequently proved correct, then we take the necessary action to prevent such activity from continuing. Sadly, many hosting providers seem to take the opposite approach, requiring customers to prove their innocence. To us, this is a violation of fundamental legal and moral principles.
Society in each country deems what is acceptable and what is not. We follow the law that results, acting once a judge or equivalent entity asks us to under that law. These laws differ country by country and we comply with that framework in respect of the will of that country’s population.
We have set up our corporate structure so that each cloud location is managed by a local company and is therefore subject only to that jurisdiction (our holding company is Swiss and, unlike US holding companies, it has no concept of extra-territorial jurisdiction; if that were to change, we’d change holding company, it is that simple). That means our US company is subject to US law only, our Swiss cloud location is subject to Swiss law only, and so on. As we add locations, we add new operational companies for each location. This is a fundamental tenet of how we operate our business and is part of our DNA. It is very important that we allow our customers to host their computing services where they like and have a very clear and transparent choice of jurisdictions. If nothing else, we believe in healthy competition: jurisdictions that offer stability, sensible laws and respect for those laws will naturally attract hosting business. That is a healthy dynamic.
If and when we receive requests that we believe are not justified by law (and yes, we have received them from multiple jurisdictions), we will refuse them and, if necessary, go to court to prove that position correct. Thankfully that has never been required, but we will, even as a small company, defend the rights of our customers with the general principle of innocence until a court of law proves differently.
Again, we are not the police and not a court of law. Authorities can and do require access to customer data from time to time in a way justified by local law; we comply with the law in those cases. That is however a far cry from default arrangements where law enforcement and other authorities are given routine access to data and asked to ‘police themselves’.
This has always been and will continue to be our position. Debates will no doubt continue to rage on both sides of the Atlantic about what is and is not justified privacy intrusion. We believe our approach gives customers the appropriate level of protection within the rule of law that they deserve and offers ‘clear blue water’ between ourselves and some of the alternatives.