One of Canada's largest political parties is using cloud-based Salesforce.com in the U.S. to store information about voters and interact with them, but worries that U.S. government snoops could peek at sensitive information under U.S. law prompted the Canadian party to use a strong encryption approach.
Under the U.S. Patriot Act, the U.S. government can compel Salesforce.com to "hand over all data to them, and not tell us about it," says James Williamson, information technology coordinator for the Canadian New Democratic Party (NDP) in Ottawa, Ontario. The NDP is now the main opposition party to the ruling Conservatives in Canada and holds about 123 million records related to individuals.
Concerns about privacy prompted the NDP, which earlier this year began using cloud-based Salesforce.com as its platform for voter tracking, e-mail and call-center contact, to look for a strong encryption approach that it alone would control.
Salesforce is now a main warehouse for the party's donation and voter data, helping facilitate the flow of e-mail marketing and data use by call agents. Salesforce.com itself does offer an encryption service under which both Salesforce and the customer hold the encryption keys, Williamson says. But he decided he wanted an approach in which only the NDP itself would control the encryption keys to unlock scrambled data. If the U.S. government ever felt compelled to ask Saleforce.com for any data, the New Democratic Party would at least know about any request of this type, Williamson says."You'd be aware of it."
The political party selected start-up CipherCloud with its Unified Cloud Encryption Gateway to keep voter data stored at Saleforce.com private.
Varun Badhwar, CipherCloud's vice president of business development, says the firm provides cloud-based encryption services based on its open API for cloud providers, with the first being connectors specifically for Saleforce.com, Amazon and Box.net. Other CipherCloud security services include anti-malware and data tokenization.
"We're cloud-application agnostic," he adds, saying the start-up is looking at doing something similar for Oracle and Gmail as well. The idea is that only the CipherCloud customer has full control over any generated encryption key used to keep data private.
CipherCloud basically works as a "reverse-proxy" and back-end application with symmetric-key encryption schemes that can be applied on a granular basis field by field to data elements. The firm also has the intent to come up with a data-loss prevention service in the future.
CipherCloud, which has about 40 employees, was founded last year by CEO Pravin Kothari with funding from a variety of sources, including Index ventures and T-Ventures, according to the company.