Will US-owned vendors of collaboration services be shunned by clients wanting to keep their intellectual property safe from prying US eyes?
I recently had an email conversation with someone who was trying to choose between different SaaS construction collaboration technology vendors. His initial focus was on the functionality of the various platforms, but he then began to consider other service aspects, including licensing models and the availability of mobile tools, and then got particularly concerned about the location and security of providers’ hosting.
It is not unusual for SaaS collaboration customers to want their project data to be securely managed nearby. Middle Eastern clients, for example, might want their data hosted in the region, not in Europe or the USA (equally, some US businesses have not wanted their data hosted outside the US). Several of the vendors have therefore created hosting outposts to serve customers in particular regions, and to provide scalability, flexibility, increased redundancy, and more predictable uptime (in June, Viewpoint opened up an Australian hosting environment for Asia-Pacific customers of its 4Projects/Viewpoint for Collaboration service, augmenting locations in the UK and US, the latter established in August 2013).
My correspondent, working on a sensitive UK infrastructure project, was particularly concerned that the US Patriot Act of 2001, Section 362, and others in place, might mean that information held by providers such as Viewpoint/4Projects could be accessed by US intelligence anywhere globally. (This para updated 1330hrs BST, 6 August)
Is he right to be that concerned? While the 2013 Edward Snowden US National Security Agency revelations have sent ripples round the world about the role of US intelligence, this Legal Week article by Neil Cameron suggests he could also have grounds for concern in civil court proceedings. Microsoft was recently ordered by a US Federal Court judge to provide details of emails, even though the data was hosted outside the US, in Ireland, by a Dutch-owned subsidiary. It seems that the Safe Harbor Privacy Principles, created to extend the EU Data Protection Directive regarding data privacy and so facilitate US-EU trade and commerce, may no longer be effective protection (though Cameron does point out it’s early days and the decision may well be appealed).
I would be interested to hear the comments of any vendors on these issues.
(Update: 7 August 2014) – Aconex joins Cloud Security Alliance
In an unrelated announcement, Melbourne-based construction collaboration technology provider Aconex has announced that it has joined the Cloud Security Alliance, a not-for-profit broad coalition promoting best practices for providing security assurance within cloud computing.
The CSA published a sponsored white paper – What Rules Regulate Government Access to Data Held by US Cloud Service Providers – in February 2013, followed by a July 2013 survey on Government Access to Data.
(Update: 18 August 2014) – In addition to some interesting comments on this post, I have received the following from Alun Baker, managing director EMEA, 4Projects by Viewpoint:
“… Viewpoint has been (and still is) looking at implementing localised data centres in various geographies in accordance with our commitment to provide the best service possible for customers. As you would expect, we have extensive data security protocols driven by both best practices and global privacy laws and in any case would be considered a low risk target for governmental data seizure given the minimal data we collect. It’s worth noting that we have never actually had an official request for information and if one were served upon us we would expect, within the bounds of the law, to challenge such a request. As far as disaster recovery is concerned these systems are kept in the same jurisdiction as the main data centre so if your project is using a UK data centre the information will never leave UK soil.
In terms of protecting information globally from the US, remember that the lack of any law such as the Patriot Act in the majority of non-western countries means that information can be seized without restriction or judicial oversight – meaning data could arguably be considered safer in the US or UK than most other geographies lacking specific protocols and judicial oversight.
We are growing rapidly and are seen as the market leader in the collaboration and BIM space across the globe. As a result, such policies have been rigorously scrutinised by some of our most risk averse customers”.