Business continuity, Networking, Storage

Can Encryption Solve Cloud Data Subpoena Legal Headaches?


Amid reports that Hillary Clinton's personal email server may have been backed up into Datto's cloud, some managed services providers (MSPs) and cloud consultants are wondering how to respond if the government ever comes knocking on their doors looking for customer data.

According to an expert from the cloud storage market, one way for MSPs to sidestep the issue involves encryption. Specifically, MSPs and vendors can leave the encryption key in the customer's hands -- rather than having the MSP or cloud provider manage the encryption keys. The expert says:

"One of the reasons we always allowed customers to set their own encryption keys was so even if someone came knocking we truly couldn’t help," the cloud backup executive said. "In theory, yes, with the proper court order, we would’ve had to have turned over data. if we didn’t hold the encryption key, there's nothing we could do. I suppose the government could’ve gone after the customer for the key and us for the encrypted data."

Datto, by the way, apparently had that scenario in mind when it introduced encryption technology in 2013. At the time, MSPmentor reported:

"The company is making its new encryption system available this week in the SIRIS solution. It’s designed so that only the MSP or customer holds the decryption key. And since Datto doesn’t have this key, Datto cannot turn it over to the U.S. National Security Administration (NSA), even if ordered by a court of law."

However, ChannelE2E does not know if the scenario above applies in any way to Hillary Clinton's email server and associated backup services.

Cloud Services, Backup and Blind Subpoenas

Legal experts also suggest that MSPs become familiar with so-called blind subpoenas. To paraphrase Data on the Edge:

"Let’s assume an MSP (Data Controller) stores the data of its customers (Data Subjects) with a cloud service provider (Data Processor). Then, assume a blind subpoena is served on the Data Processor (the CSP) without notice to the Data Controller (MSP) or the Data Subject (End Customer). The Data Controller and/or Data Subject do not and may never have an opportunity to object or move to quash the subpoena. And most importantly, the Data Processor may be forbidden to notify the Data Controller or Subject of subpoena service."

For a deeper dive on how the government can subpoena data from a cloud services provider, check out IT Law Group's coverage -- which covers rules for government access to data; the stored communications act; privacy issues and international considerations.

ChannelE2E has reached out to Datto for comment about Hillary Clinton's email server. Disclosure: Datto is an Inaugural Sponsor of ChannelE2E, which launched Sept. 15, 2015.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.