Ed: You open your recent Policy and Internet article by noting that “the modern treasury of public institutions is where the wealth of public information is stored and processed” … what are the challenges of government use of cloud services?

Kristina: The public sector is a very large user of information technology but data handling policies, vendor accreditation and procurement often predate the era of cloud computing. Governments first have to put in place new internal policies to ensure the security and integrity of their information assets residing in the cloud. Through this process governments are discovering that their traditional notions of control are challenged because cloud services are virtual, dynamic, and operate across borders.

One central concern of those governments that are leading in the public sector’s migration to cloud computing is how to retain unconditional sovereignty over their data — after all, public sector information embodies the past, the present, and the future of a country. The ability to govern presupposes command and control over government information to the extent necessary to deliver public services, protect citizens’ personal data and to ensure the integrity of the state, among other considerations. One could even assert that in today’s interconnected world national sovereignty is conditional upon adequate data sovereignty.

Ed: A basic question: if a country’s health records (in the cloud) temporarily reside on / are processed on commercial servers in a different country: who is liable for the integrity and protection of that data, and under who’s legal scheme? ie can a country actually technically lose sovereignty over its data?

Kristina: There is always one line of responsibility flowing from the contract with the cloud service provider. However, when these health records cross borders they are effectively governed under a third country’s jurisdiction where disclosure authorities vis-à-vis the cloud service provider can likely be invoked. In some situations the geographical whereabouts of the public health records is not even that important because certain countries’ legislation has extra-territorial reach and it suffices that the cloud service provider is under an obligation to turn over data in its custody. In both situations countries’ exclusive sovereignty over public sector information would be contested. And service providers may find themselves in a Catch22 when they have to decide their legitimate course of action.

Ed: Is there a sense of how many government services are currently hosted “in the cloud”; and have there been any known problems so far about access and jurisdiction?

Kristina: The US has published some targets but otherwise we have no sense of the magnitude of government cloud computing. It is certainly an ever growing phenomenon in leading countries, for example both the US Federal Cloud Computing Strategy and the United Kingdom’s G-Cloud Framework leverage public sector cloud migration with a cloud-first strategy and they operate government application stores where public authorities can self-provision themselves with cloud-based IT services. Until now, the issues of access and jurisdiction have primarily been discussed in terms of risk (as I showed in my article) with governments adopting strategies to keep their public records within national territory, even if they are residing on a cloud service.

Ed: Is there anything about the cloud that is actually functionally novel; ie that calls for new regulation at national or international level, beyond existing data legislation?

Kristina: Cloud services are not meant to recognize national frontiers, but to thrive on economies of scale and scope globally. The legal risks arising from its transnationality won’t be solved by more legislation at the national level; even if this is a pragmatic solution, the resurrection of territoriality in cloud service contracts with the government conflicts with scalability. My article explores various avenues at the international level, for example extending diplomatic immunity, international agreements for cross-border data transfers, and reliance on mutual legal assistance treaties but in my opinion they do not satisfyingly restore a country’s quest for data sovereignty in the cloud context. In the EU a regional approach could be feasible and I am very much drawn by the idea of a European cloud environment where common information assurance principles prevail — also curtailing individual member states’ disclosure authorities.

Ed: As the economies of scale of cloud services kick in, do you think we will see increasing commercialisation of public record storing and processing (with a possible further erosion of national sovereignty)?

Kristina: Where governments have the capability they adopt a differentiated, risk-based approach corresponding to the information’s security classification: data in the public domain or that have low security markings are suitable for cloud services without further restrictions. Data that has medium security markings may still be processed on cloud services but are often confined to the national territory. Beyond this threshold, i.e. for sensitive and classified information, cloud services are not an option, judging from analysis of the emerging practice in the U.S., the UK, Canada and Australia. What we will increasingly see is IT-outsourcing that is labelled “cloud” despite not meeting the specifications of a true cloud service. Some governments are more inclined to introduce dedicated private “clouds” that are not fully scalable, in other words central data centres. For a vast number of countries, including developing ones, the options are further limited because there is no local cloud infrastructure and/or the public sector cannot afford to contract a dedicated government cloud. In this situation I could imagine an increasing reliance on transnational cloud services, with all the attendant pros and cons.

Ed: How do these sovereignty / jurisdiction / data protection questions relate to the revelations around the NSA’s PRISM surveillance programme?

Kristina: It only confirms that disclosure authorities are extensively used for intelligence gathering and that legal risks have to be taken as seriously as technical vulnerabilities. As a consequence of the Snowden revelations it is quite likely that the sensitivity of governments (as well as private sector organizations) to the impact of foreign jurisdictions will become even more pronounced. For example, there are reports estimating that the lack of trust in US-based cloud services is bound to affect the industry’s growth.

Ed: Could this usher in a whole new industry of ‘guaranteed’ national clouds..? ie how is the industry responding to these worries?

Kristina: This is already happening; in particular, European and Asian players are being very vocal in terms of marketing their regional or national cloud offerings as compatible with specific jurisdiction or national data protection frameworks.

Ed: And finally, who do you think is driving the debate about sovereignty and cloud services: government or industry?

Kristina: In the Western world it is government with its special security needs and buying power to which industry is responsive. As a nascent technology cloud services nonetheless thrive on business with governments because it opens new markets where previously in-house IT services dominated in the public sector.

Read the full paper: Kristina Irion (2013) Government Cloud Computing and National Data Sovereignty. Policy and Internet 4 (3/4) 40–71.

Kristina Irion was talking to blog editor David Sutcliffe.

POLICY: In December 2011, the European Parliament Directive on Combating the Sexual Abuse, Sexual Exploitation of Children and Child Pornography was adopted. The directive’s much-debated Article 25 requires Member States to ensure the prompt removal of child pornography websites hosted in their territory and to endeavor to obtain the removal of such websites hosted outside their territory. Member States are also given the option to block access to such websites to users within their territory. Both these policy choices have been highly controversial and much debated; Karel Demeyer, Eva Lievens, and Jos Dumortie analyse the technical and legal means of blocking and removing illegal child sexual content from the Internet, clarifying the advantages and drawbacks of the various policy options.

Another issue of jurisdiction surrounds government use of cloud services. While cloud services promise to render government service delivery more effective and efficient, they are also potentially stateless, triggering government concern over data sovereignty. Kristina Irion explores these issues, tracing the evolution of individual national strategies and international policy on data sovereignty. She concludes that data sovereignty presents national governments with a legal risk that can’t be addressed through technology or contractual arrangements alone, and recommends that governments retain sovereignty over their information.

While the Internet allows unprecedented freedom of expression, it also facilitates anonymity and facelessness, increasing the possibility of damage caused by harmful online behavior, including online bullying. Myoung-Jin Lee, Yu Jung Choi, and Setbyol Choi investigate the discourse surrounding the introduction of the Korean Government’s “Verification of Identity” policy, which aimed to foster a more responsible Internet culture by mandating registration of a user’s real identity before allowing them to post to online message boards. The authors find that although arguments about restrictions on freedom of expression continue, the policy has maintained public support in Korea.

A different theoretical approach to another controversy topic is offered by Sameer Hinduja, who applies Actor-Network Theory (ANT) to the phenomenon of music piracy, arguing that we should pay attention not only to the social aspects, but also to the technical, economic, political, organizational, and contextual aspects of piracy. He argues that each of these components merits attention and response by law enforcers if progress is to be made in understanding and responding to digital piracy.

GOVERNMENT: While many governments have been lauded for their success in the online delivery of services, fewer have been successful in employing the Internet for more democratic purposes. Tamara A. Small asks whether the Canadian government — with its well-established e-government strategy — fits the pattern of service delivery oriented (rather than democracy oriented) e-government. Based on a content analysis of Government of Canada tweets, she finds that they do indeed tend to focus on service delivery, and shows how nominal a commitment the Canadian government has made to the more interactive and conversational qualities of Twitter.

While political scientists have greatly benefitted from the increasing availability of online legislative data, data collections and search capabilities are not comprehensive, nor are they comparable across the different U.S. states. David L. Leal, Taofang Huang, Byung-Jae Lee, and Jill Strube review the availability and limitations of state online legislative resources in facilitating political research. They discuss levels of capacity and access, note changes over time, and note that their usability index could potentially be used as an independent variable for researchers seeking to measure the transparency of state legislatures.

RERESENTATION: An ongoing theme in the study of elected representatives is how they present themselves to their constituents in order to enhance their re-election prospects. Royce Koop and Alex Marland compare presentation of self by Canadian Members of Parliament on parliamentary websites and in the older medium of parliamentary newsletters. They find that MPs are likely to present themselves as outsiders on their websites, that this differs from patterns observed in newsletters, and that party affiliation plays an important role in shaping self-presentation online.

Many strategic, structural and individual factors can explain the use of online campaigning in elections; based on candidate surveys, Julia Metag and Frank Marcinkowski show that strategic and structural variables, such as party membership or the perceived share of indecisive voters, do most to explain online campaigning. Internet-related perceptions are explanatory in a few cases; if candidates think that other candidates campaign online they feel obliged to use online media during the election campaign.

ACTIVISM: Mainstream opinion at the time of the protests of the “Arab Spring” – and the earlier Iranian “Twitter Revolution” – was that use of social media would significantly affect the outcome of revolutionary collective action. Throughout the Libyan Civil War, Twitter users took the initiative to collect and process data for use in the rebellion against the Qadhafi regime, including map overlays depicting the situation on the ground. In an exploratory case study on crisis mapping of intelligence information, Steve Stottlemyre and Sonia Stottlemyre investigate whether the information collected and disseminated by Twitter users during the Libyan civil war met the minimum requirements to be considered tactical military intelligence.

Philipp S. Mueller and Sophie van Huellen focus on the 2009 post-election protests in Teheran in their analysis of the effect of many-to-many media on power structures in society. They offer two analytical approaches as possible ways to frame the complex interplay of media and revolutionary politics. While social media raised international awareness by transforming the agenda-setting process of the Western mass media, the authors conclude that, given the inability of protesters to overthrow the regime, a change in the “media-scape” does not automatically imply a changed “power-scape.”

A different theoretical approach is offered by Mark K. McBeth, Elizabeth A. Shanahan, Molly C. Arrandale Anderson, and Barbara Rose, who look at how interest groups increasingly turn to new media such as YouTube as tools for indirect lobbying, allowing them to enter into and have influence on public policy debates through wide dissemination of their policy preferences. They explore the use of policy narratives in new media, using a Narrative Policy Framework to analyze YouTube videos posted by the Buffalo Field Campaign, an environmental activist group.