No SaaS ‘Safe Harbor’?

Will US-owned vendors of collaboration services be shunned by clients wanting to keep their intellectual property safe from prying US eyes?

I recently had an email conversation with someone who was trying to choose between different SaaS construction collaboration technology vendors. His initial focus was on the functionality of the various platforms, but he then began to consider other service aspects, including licensing models and the availability of mobile tools, and then got particularly concerned about the location and security of providers’ hosting.

It is not unusual for SaaS collaboration customers to want their project data to be securely managed nearby. Middle Eastern clients, for example, might want their data hosted in the region, not in Europe or the USA (equally, some US businesses have not wanted their data hosted outside the US). Several of the vendors have therefore created hosting outposts to serve customers in particular regions, and to provide scalability, flexibility, increased redundancy, and more predictable uptime (in June, Viewpoint opened up an Australian hosting environment for Asia-Pacific customers of its 4Projects/Viewpoint for Collaboration service, augmenting locations in the UK and US, the latter established in August 2013).

My correspondent, working on a sensitive UK infrastructure project, was particularly concerned that the US Patriot Act of 2001, Section 362 and others in place, might mean that information held by providers such as Viewpoint/4Projects could be accessed by US intelligence anywhere globally. (This para updated 1330hrs BST, 6 August)

Is he right to be that concerned? While the 2013 Edward Snowden US National Security Agency revelations have sent ripples round the world about the role of US intelligence, this Legal Week article by Neil Cameron suggests he could also have grounds for concern in civil court proceedings. Microsoft was recently ordered by a US Federal Court judge to provide details of emails, even though the data was hosted outside the US, in Ireland, by a Dutch-owned subsidiary. It seems that the Safe Harbor Privacy Principles, created to extend the EU Data Protection Directive regarding data privacy, and so facilitate US-EU trade and commerce, may no longer be effective protection (though Cameron does point out it’s early days and the decision may well be appealed).

I would be interested to hear the comments of any vendors on these issues.

(Update: 7 August 2014) – Aconex joins Cloud Security Alliance

In an unrelated announcement, Melbourne-based construction collaboration technology provider Aconex has announced that it has joined the Cloud Security Alliance, a broad not-for-profit coalition promoting best practices for providing security assurance within cloud computing.

The CSA published a sponsored white paper – What Rules Regulate Government Access to Data Held by US Cloud Service Providers – in February 2013, followed by a July 2013 survey on Government Access to Data.

(Update: 18 August 2014) – In addition to some interesting comments on this post, I have received the following from Alun Baker, managing director EMEA, 4Projects by Viewpoint:

“Viewpoint has been (and still is) looking at implementing localised data centres in various geographies in accordance with our commitment to provide the best service possible for customers. As you would expect, we have extensive data security protocols driven by both best practices and global privacy laws and in any case would be considered a low risk target for governmental data seizure given the minimal data we collect. It’s worth noting that we have never actually had an official request for information and if one were served upon us we would expect, within the bounds of the law, to challenge such a request. As far as disaster recovery is concerned these systems are kept in the same jurisdiction as the main data centre so if your project is using a UK data centre the information will never leave UK soil.

In terms of protecting information globally from the US, remember that the lack of any law such as the Patriot Act in the majority of non-western countries means that information can be seized without restriction or judicial oversight – meaning data could arguably be considered safer in the US or UK than most other geographies lacking specific protocols and judicial oversight.

We are growing rapidly and are seen as the market leader in the collaboration and BIM space across the globe.  As a result, such policies have been rigorously scrutinised by some of our most risk averse customers”.


    • Hamish on 6 August 2014 at 12:55 pm

    It is a definite concern. I currently work in the Middle East for a Government entity and we will not work with SaaS vendors that do not have a real presence in the region (not regional managers for EMEA that are based somewhere vague in Europe) and preferably with a data center in country, and we will definitely not entertain approaches from SaaS vendors who either host or have their disaster recovery in the US.

    • Robin Shipston on 6 August 2014 at 4:10 pm

    To those with any involvement in IT security I’m not sure there were any revelations made by Snowden. The Patriot Act has long been a concern with our Middle East clients. Clients in the region are happier with ePIN being British owned and licensed to a Qatar company, some are ok with hosting in the UK, but in-house hosting is often preferred, and USA hosting is always rejected.

    • Anon on 8 August 2014 at 4:01 pm

    (Posted as Anon as I work for one of the ‘Tier 1’ collaboration providers and these are my personal views rather than the official line – which is really not my area of expertise)

    The problem might not just be confined to subsidiaries of US companies, but to any company with a US subsidiary or potentially even office.

    The Cloud Security Alliance mentioned in the edited article (in their doc) states:

    “United States courts have held that a company with a presence in the United States is obligated to respond to a valid demand by the U.S. government for information (made under one of the applicable U.S. laws) so long as the company retains custody or control over the data. In this case, of course, the key question is whether and the extent to which the U.S. company does have the required level of “custody or control” to be forced to respond to the government request.”

    This means it would probably apply to all the ‘Tier 1’ SaaS Collaboration platforms, due to the fact they have satellite offices in the US (which is basically the inverse of the Microsoft case mentioned in the linked article).

    In addition to this, the Snowden revelations indicate that the US and its allies were (and probably still are) using rather insidious methods for spying on data without demanding the data from companies. The NSA and GCHQ were tapping into international undersea fiber and even private corporation fiber in between datacentres.

    The simple fact is the only way to ensure your data isn’t being spied on is to not use anything digital, but that’s not really feasible in the real world. We have to balance the risks with the rewards. All things being equal, self hosting data is potentially more secure than hosting it with a third party, but not every organisation has the skills or budgets to hand roll their own infrastructure. When you add in the requirement to collaborate with a geographically dispersed, multi-disciplinary and multi-organisation project team, the only realistic way to go is SaaS.

    Once we’ve decided that SaaS is the only realistic way, we can split hairs over where the data is located and whether one location is more secure than another. Ultimately though, any reputable company is going to have to honour legitimate search warrants from the territories in which they operate.

    It’s also worth pointing out that despite being US owned, 4Projects host data for the UK MOJ – an organisation hardly likely to be laissez-faire when it comes to secure access to their infrastructure projects!

  1. At Newforma, we’ve heard these concerns expressed on projects in EMEA and Asia Pacific. Where data security or national sovereignty are priorities, projects that previously used cloud collaboration solutions now are leaning towards an “on-premise” solution like Newforma Project Center, where the owner or lead PM/CM has complete control of the project collaboration environment.

    • Hamish on 12 August 2014 at 11:25 am

    I find it very interesting (and probably very telling) that the majority of SaaS vendors have chosen not to comment on this topic yet. I wouldn’t be surprised if a lot of them are just hoping that the topic will die away and drop off the page after you post some other updates.