Secret Government of Canada data stored on U.S. servers? Memo raises possibility

Federal policy forbids the storage of sensitive government data on U.S. servers, to protect it from disclosure under the USA Patriot Act. But CBC News has obtained a document outlining federal discussions with Microsoft about using American "cloud" services with encryption to store and process highly confidential data.

Document shows Ottawa's IT department exploring options for sensitive data storage on U.S.-based servers

A document obtained by CBC News shows two federal agencies have been in talks with Microsoft about possible options for storing sensitive government data on American "cloud" servers. (Michel Euler/Associated Press)

Two government agencies have been meeting with Microsoft Inc. to discuss ways to store secret Canadian data on American servers, a measure expressly forbidden by federal policy.

Microsoft's talks this year with Shared Services Canada and the Communications Security Establishment reviewed whether sensitive data about Canadians and other confidential matters could be securely encrypted on American "cloud" services.

A May 2017 memo to the chief operating officer of Shared Services Canada (SSC) says the discussions examined in part how to protect Canada's sovereignty by insulating the data from legal demands under the USA Patriot Act, which forces firms to turn over confidential information to American law enforcement if demanded.

Treasury Board President Scott Brison has said a new policy on cloud computing is coming later this year. (Adrian Wyld/Canadian Press)

"This memorandum is to provide you with an update on the feasibility of Microsoft – or any other cloud vendor – to hold Government of Canada encrypted data in such a manner that Shared Services Canada holds and owns the decryption keys and is able to access the data while the vendor is not able to access to the data," says the memo.

A copy of the heavily censored document was obtained by CBC News under the Access to Information Act.

A spokesperson for Shared Services Canada, Monika Mazur, did not respond directly when asked whether the IT agency was still considering foreign cloud services for sensitive government data, but referred to a federal document that forbids it.

Reside in Canada

Ottawa's IT Strategic Plan 2016-2020 forbids storing secret data outside Canada's borders: "To ensure Canada's sovereign control over its data, departments and agencies will adopt the policy that all sensitive or protected data under government control will be stored on servers that reside in Canada."

Some low-risk Government of Canada data already reside on American and other non-Canadian "cloud" servers, including data for web pages with the Canada.ca suffix, which provide only general information. Amazon Web Services in the United States, for example, hosts such Canadian pages.

The previously undisclosed discussions with Microsoft are likely driven by a highly critical, $1.35-million report earlier this year on the repeated failures of Shared Services Canada since its creation in 2011 as Ottawa's IT department.

The Jan. 12 report by international experts, assembled by consultants Gartner Inc., said the struggling agency needs to find more cloud-based solutions: "There is universal agreement from the Expert Panel that the progression of cloud and its continuing trajectory make this approach a vital component of a going-forward strategy for SSC."

"... no mechanism is entirely able to prevent foreign access to data ..." - Shared Services Canada memo on using foreign-based cloud services for sensitive Canadian government data

Outsourcing data storage and processing to commercial cloud services eliminates the need for costly hardware or software, and can be expanded and contracted as needed. The Gartner report, among other things, advised using a cloud service for Ottawa's badly delayed transition to a single email service across government.

Ottawa has been reviewing cloud options since April 2014, when then-treasury board president Tony Clement announced the Conservative government was launching expert consultations to look for savings by switching to cloud storage and processing.

Consultations and reviews have been underway more or less continuously since then, including an endorsement of the approach in 2016 from Scott Brison, the Treasury Board president under the Liberals, who said cloud computing would "get better value for taxpayers' dollars."

The latest round of cloud consultations ended last Sept. 30, and Treasury Board spokesperson Alain Belle-Isle said there's still no word on an updated cloud strategy.

The Gartner report in January cautioned against delays, calling on the government "to fast-track the development of cloud capabilities for the GC [Government of Canada]. The Expert Panel and Gartner believe this should be given the highest priority — before examining managed service providers or other vendor supplied infrastructure service providers."

The May memo on discussions with Microsoft referred to several data-encryption options, including putting encrypted data on a U.S. cloud server but keeping the decoding key within Canada.

'Hold your own key'

However, the document outlines several daunting problems, including the cost, of such a "hold your own key" system, an option few Microsoft clients use.

Referring in part to the USA Patriot Act, the memo says Microsoft "always informs clients about any legal requests for access to information prior to releasing information. In some cases, Microsoft has sent the request through the client country's judicial system for the appropriate legal response."

Then-treasury board president Tony Clement launched consultations on cloud computing in 2014 and discussions have continued for more than three years. (Sean Kilpatrick/Canadian Press)

"According to Microsoft, the company has never released the data of one country to a foreign government, including the United States."

But the memo also concludes with a warning that no data-storage cloud system is impervious to the USA Patriot Act or other legal challenges to Canada's data sovereignty.

The document by Raj Thuppal, of the Cyber and IT Security unit of Shared Services Canada, says "… no mechanism is able to entirely prevent foreign access to data should legal requests be invoked."

Dean Beeby

Senior reporter, Parliamentary Bureau

Dean Beeby is a CBC journalist, author and specialist in freedom-of-information laws. Follow him on Twitter: @DeanBeeby