At the Office 365 launch, Gordon Frazer, managing director of Microsoft UK,
gave the first admission that cloud data
— regardless of where it is in the world —
is not protected against the USA PATRIOT Act.
[Skyscape has subsequently changed its name to UKCloud: "London – August 1, 2016 – Skyscape Cloud Services Limited, the easy to adopt, easy to use and easy to leave assured cloud services company, has today renamed and relaunched as UKCloud Ltd (www.ukcloud.com), to reinforce the company’s exclusive focus on supporting the UK public sector in the digital transformation of services".]
---------- o O o ----------
Whitehall's G-Cloud team have taken the baffling decision to include Skyscape Cloud Services Ltd in its Cloudstore.
Cloudstore is an on-line shop the team have set up to display the wares of approved suppliers and from which government departments are supposed to be able to buy with confidence.
That confidence must be limited in the case of Skyscape which has no track record in business, is so young a company that it has yet to file any accounts and has only one director, who is also the only shareholder.
What are the G-Cloud approval procedures? Is it possible to fail them?
HMRC have taken the baffling decision to stop storing data in their local offices and store it instead in the cloud with Skyscape. What data? PAYE and NI payments? VAT payments? Personal tax returns? Company tax returns? That's the kind of thing HMRC deal with.
In the name of efficiency and greenness, HMRC think it is wise to lose control of their data – more properly, our data – and hand it over to a company owned and directed by just one man?
The Government Digital Service (GDS) have taken the baffling decision to host GOV.UK on Skyscape's servers.
GDS are the people whose job it is to make all public services digital by default.
They don't have a lot of successes to their name. They're meant to have approved the suppliers of identity assurance services by now. Today's the deadline and they still haven't got round to it. As a result, DWP's Universal Credit scheme, among others, is left twisting in the wind, unable to proceed for lack of the necessary identity assurance.
But they have produced GOV.UK. It's still in testing, but at least there's something to show for their work. You'd think they'd look after it. But no, they're entrusting its care to a one-man business, Skyscape.
GOV.UK is only meant to replace every single central government website + Directgov + Businesslink + (this is a guess) the Government Gateway. But what the heck, let's stick it in the cloud, that's the modern way, that's where everything's heading, in a handcart ...
We're not just talking here about the businesslike behaviour of Whitehall, its responsible attitude and its grasp of reality. We're nibbling at Constitutional questions, including questions of sovereignty.
On their website, Skyscape say:
Let's sweep up some of the small stuff first:
Skyscape is a UK registered company owned exclusively by UK domiciled shareholders. All our secure operational centers and data centres for UK Public Sector clients are sited within the UK in highly secure IL6 data centres. A significant competitive differentiator is our focus on the integrity of our client’s data, including protection from potential access by overseas legislation including the US Patriot Act.
- Skyscape only has one shareholder, so what's all this about "UK domiciled shareholders" plural?
- Are Skyscape promising never to have any non-dom shareholders?
- Why can't they spell "centres" the same way twice in a single sentence?
- How secure are their data centres given that their "partner" ARK Continuity publishes a map of how to get to one of them on their website?
- Is a "focus on the integrity of our client’s data" a "significant competitive differentiator"? Don't other cloud service suppliers focus on exactly the same thing?
- And what do they mean by "integrity"?
The USA PATRIOT Act 2001
"USA PATRIOT" is an acronym standing for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism. The Act was passed in the aftermath of 9/11.
It's a long document and DMossEsq hasn't read it. Bits of it, but not all of it. Mayer Brown have. Mayer Brown are a US firm of lawyers and in their paper The USA Patriot Act and the Privacy of Data Stored in the Cloud they say:
You get the message.
In case you don't, Microsoft say the same thing more briefly, Microsoft admits Patriot Act can access EU-based cloud data:
So do Google, Web freedom faces greatest threat ever, warns Google's Sergey Brin:
At the Office 365 launch, Gordon Frazer, managing director of Microsoft UK, gave the first admission that cloud data — regardless of where it is in the world — is not protected against the USA PATRIOT Act.
Microsoft and Google are both themselves suppliers of cloud services. They're being straight with the public.
Brin acknowledged that some people were anxious about the amount of their data that was now in the reach of US authorities because it sits on Google's servers. He said the company was periodically forced to hand over data and sometimes prevented by legal restrictions from even notifying users that it had done so.
Skyscape can tell us till they're blue in the face that its one and only shareholder is domiciled in the UK. But as long as the company is somehow linked up in its mysterious partnership with QinetiQ, Cisco, VMware and EMC the claim to offer "protection from potential access by overseas legislation including the US Patriot Act" is arguably false.
Whitehall has a duty to keep control of the data we entrust to its custody. Sticking our data in the cloud is a breach of that duty.
If Whitehall, GDS, HMRC and/or the British public are relying on that claim of Skyscape's, they/we may be sadly mistaken.
What? Even QinetiQ? The dear old true blue DERA as was?
Yes, even QinetiQ, because of its "conduct of a systematic and continuous US business", viz. QinetiQ North America, 7918 Jones Branch Drive, McLean, VA 20165, Tel: 703-652-9595, www.QinetiQ-NA.com, firstname.lastname@example.org ...
U.S. Spy Law Authorizes Mass Surveillance of European Citizens
Yes, U.S. authorities can spy on EU cloud data. Here's how
National Security Letters ruled unconstitutional