Cloud and data sovereignty caught in a paradox
We asked the hyperscalers how they would respond to US court-ordered eavesdropping on foreign citizen data – and got responses that highlight a paradoxical situation
Hyperscaler cloud is incompatible with data sovereignty. That’s because, as US companies, the hyperscalers are potentially subject to US court orders that can compel them to exfiltrate overseas citizen data.
The paradoxical situation for hyperscaler clouds is that they are inherently global and connected because that’s how they gain their economies of scale.
Those conclusions result from a Computer Weekly investigation into data sovereignty that asked the hyperscalers a set of questions aimed at discovering their ability – in technical terms – to withstand US court orders that compel eavesdropping on foreign citizens.
We asked Amazon Web Services (AWS), Google Cloud, Microsoft, IBM and Oracle the following:
- How they would technically prevent a US court order that compelled them to access customer data.
- How they perform data-in-use functions on in-the-clear data if they say they don’t possess the keys to do so.
- Whether US-authored updates that contain US court-ordered “technical assistance” updates could bypass data controls and air gaps.
- Whether they could demonstrate they have a distinct UK region capable of operating all core services in total isolation from global infrastructure.
- Whether standard terms of service allow them to move customer data and metadata to other geographies.
The context of the investigation is the heightened sense of risk in terms of data sovereignty in the current geopolitical situation. In particular, it is focused on the powers of US courts to order US-headquartered companies to provide data held on their systems, wherever those systems are.
Instruments for achieving this include the US Cloud Act, which compels US companies to provide to US law enforcement data in their “possession, custody, or control” even if that data is held overseas. US courts can also enact non-disclosure orders that prohibit a company from telling the data subject that their information has been requested or handed over.
In addition, the Foreign Intelligence Surveillance Act (FISA) Section 702 – due for renewal soon – can compel a service provider to provide “technical assistance” to facilitate a search, with no protection for the foreign citizens targeted by it.
Hyperscaler responses to our questions seemed largely to avoid core issues. When we asked about cloud services in general, they responded as though we’d asked about air-gapped and on-premise offers. When we asked about the potential use of backdoor access via updates ordered by US courts, they talked about the use of local staff (or air-gapping again). And when we asked about the possibility of harvesting data, they pointed to encryption and customer-held keys, but did not address that, for the most part, data is processed unencrypted.
There are several difficulties with these responses, which you can read for yourself here.
One of these difficulties is that, ultimately, a US court can compel “technical assistance” to obtain foreign citizen data held in a provider’s systems, and that can occur via a compiled software update that would be unreadable by humans and would not contain obvious clues about its function.
Another is that even in the rare cases where expensive and resource-intensive data-in-use encryption is used, it is still possible to scrape data from memory.
A further difficulty is that in standard terms of service, hyperscalers routinely transit data to other geographies as part of follow-the-sun support.
The reality is that to achieve anything approaching data sovereignty, customers must opt out of standard cloud terms of service, or use air-gapped services, though neither of these is technically 100% proof against intrusion.
All this is a key issue for the UK, given that in the public sector alone, US hyperscale cloud providers have near-universal penetration and account for the bulk of technology spending.
In the 2023-2024 financial year, 95% of central and local public sector organisations in the UK spent budget on hyperscale cloud services across more than 1,100 public sector bodies, according to data from analyst firm Tussell.
Notable examples include Google’s £400m contract signed last year to supply the Ministry of Defence with “sovereign cloud” capability based on its Google Distributed Cloud air-gapped offer. But that’s just one example.
The UK public sector is densely connected to US hyperscaler infrastructure, and the UK’s Department for Science, Innovation and Technology (DSIT) lacks a definition of data sovereignty.