Are 'digital embassies' the answer?

Dividing the physical and virtual data-hosting dynamic could help overcome tricky jurisdictional issues.

The arrival of cloud delivery presents a substantial opportunity for all industries, but government adoption is often hampered by concerns regarding the physical whereabouts of the data, somewhat undermining the location independence benefit that is a cornerstone of cloud philosophy.

Over the past five years, almost every nation has placed limitations on the physical storage of its data — with some federal jurisdictions even going so far as to require data be stored ‘in state’, although thankfully that is now less common.

The jurisdiction issue highlights the difficulties in reconciling legal constructs based on clear physical boundaries to sovereignty, with a virtual world where such concepts make little sense. Nowhere is this more starkly illustrated than in the high-profile case between Microsoft and the US Department of Justice, where the US Government is attempting to obtain emails held by a Microsoft subsidiary in Ireland, an EU country, and in a facility staffed by EU citizens. While the legal arguments remain contested, Microsoft finds itself between a legal ‘rock and a hard place’ — where it could be in violation of US law if it does not provide the data, yet contravenes EU law if it does.

In anticipation of such issues, major technology players are taking steps to ensure that they don’t have the technical capability to extract users’ information — even when directed to by law enforcement agencies. Apple’s recent iPhone design changes means they no longer retain the encryption keys that can unlock a phone without an end user’s permission. Ensuring there are no back doors to circumvent security is fundamental, not only to protecting the data, but also to maintaining any credibility for their products in the marketplace, as Apple and others well know.

So how do these developments potentially affect the government adoption of cloud? A number of organisations have been discussing the potential to store data in the cloud yet retain the keys on-site — or, most importantly, at least in-country. Once this capability becomes widely available, concerns about jurisdiction will be more easily addressed, as without the keys, the data, wherever it is, will be essentially useless.

Of course, the real benefits of global digital infrastructure will be realised when legal frameworks realign with the realities of the virtual world. Estonia, the home of Skype and a country at the forefront of digital initiatives, has proposed the concept of ‘digital embassies’ — whereby data physically hosted in one country is legally regarded as being in another. Such virtual embassies would not only overcome the physical location issue but also “ensure the functioning of the state, regardless of Estonia’s territorial integrity”, providing a nation-state with its own business continuity plan. After 55 years, it seems time to revisit Article 22 of the Vienna Convention on Diplomatic Relations to ensure it encompasses a nation’s virtual assets as well its physical ones.

Image courtesy Paull Young under CC BY 2.0