Secret Government of Canada data stored on U.S. servers? Memo raises possibility

Two government agencies have been meeting with Microsoft Inc. to discuss ways to store secret Canadian data on American servers, a measure expressly forbidden by federal policy.

Microsoft's talks this year with Shared Services Canada and the Communications Security Establishment reviewed whether sensitive data about Canadians and other confidential matters could be securely encrypted on American "cloud" services.

A May 2017 memo to the chief operating officer of Shared Services Canada (SSC) says the discussions examined in part how to protect Canada's sovereignty by insulating the data from legal demands under the USAPatriot Act, which forces firms to turn over confidential information to American law enforcement if demanded.

"This memorandum is to provide you with an update on the feasibility of Microsoft or any other cloud vendor to hold Government of Canada encrypted data in such a manner that Shared Services Canada holds and owns the decryption keys and is able to access the data while the vendor is not able to access to the data," says the memo.

A copy of the heavily censored document was obtained by CBC News under the Access to Information Act.

A spokespersonfor Shared Services Canada, Monika Mazur, did not respond directly when asked whether the IT agency was still considering foreign cloud services for sensitive government data, but referredto a federal document that forbids it.

Reside in Canada

Ottawa's IT Strategic Plan 2016-2020 forbids storing secret data outside Canada's borders: "To ensure Canada's sovereign control over its data, departments and agencies will adopt the policy that all sensitive or protected data under government control will be stored on servers that reside in Canada."

Some low-risk Government of Canada data already reside on American and other non-Canadian "cloud" servers, including data for web pages with the Canada.ca suffix, which provide only general information. Amazon Web Services in the United States, for example, hosts such Canadian pages.

• Microsoft sues U.S. government over secret demands for customer data

• Amazon suffers partial cloud service outage

The previously undisclosed discussions with Microsoft are likely driven by a highly critical, $1.35-million report earlier this year on the repeated failures of Shared Services Canada since its creation in 2011 as Ottawa's IT department.

The Jan. 12 report by international experts, assembled by consultants Gartner Inc., said the struggling agency needs to find more cloud-based solutions: "There is universal agreement from the Expert Panel that the progression of cloud and its continuing trajectory make this approach a vital component of a going-forward strategy for SSC."

... no mechanism is entirely able to prevent foreign access to data ...- Shared Services Canada memo on using foreign-based cloud services for sensitive Canadian government data

Outsourcing data storage and processing to commercial cloud services eliminates the need for costly hardware or software, and can be expanded and contracted as needed. The Gartner report, among other things, advised using a cloud service for Ottawa's badly delayed transition to a single email service across government.

Ottawa has been reviewing cloud options since April 2014, when then-treasury board presidentTony Clementannounced the Conservative government was launching expert consultations to look for savings by switching to cloud storage and processing.

Consultations and reviews have been underway more or less continuously since then, including an endorsement of the approach in 2016 from Scott Brison, the Treasury Board president under the Liberals, who said cloud computing would "get better value for taxpayers' dollars."

The latest round of cloud consultations endedlast Sept. 30, and Treasury Board spokespersonAlain Belle-Isle said there's still no word on an updated cloud strategy.

The Gartner report in January cautioned against delays, calling on the government "to fast-track the development of cloud capabilities for the GC [Government of Canada]. The Expert Panel and Gartner believe this should be given the highest priority before examining managed service providers or other vendor supplied infrastructure service providers."

The May memo on discussions with Microsoft referred to several data-encryption options, including putting encrypted data on a U.S. cloud server but keeping the decoding key within Canada.

'Hold your own key'

However, the document outlines several daunting problems, including the cost, of such a "hold your own key" system, an option few Microsoft clients use.

Referring in part to the USA Patriot Act, the memo says Microsoft "always informs clients about any legal requests for access to information prior to releasing information. In some cases, Microsoft has sent the request through the client country's judicial system for the appropriate legal response."

"According to Microsoft, the company has never released the data of one country to a foreign government, including the United States."

But the memo also concludes with a warning that no data-storage cloud system is impervious to the USA Patriot Act or other legal challenges to Canada's data sovereignty.

The document by RajThuppal, of the Cyber and IT Security unit of Shared Services Canada, says " no mechanism is able to entirely prevent foreign access to data should legal requests be invoked."

Follow @DeanBeeby on Twitter