This column is available in a weekly newsletter called IT Best Practices.
One of the lingering concerns companies have about cloud computing is having their data subpoenaed by a legally-authorized government agency. Cloud service providers are required to respond to legitimate requests, and many companies believe that puts their data at risk. (Frankly, some encryption vendors have incited this concern.)
Fears can be allayed, however, with a little bit of knowledge about how often, and for what purposes, these requests occur. The web hosting company DreamHost has just issued an insightful transparency report that details how they deal with requests for clients' information, and how often the requests are actually fulfilled. The report covers all of the requests put to DreamHost in 2014.
DreamHost hosts more than 1.3 million registered websites belonging to more than 400,000 customers (some customers own multiple domains). The company also offers a WHOIS service that protects the privacy of the domain holder by not publicly identifying the holder's name and contact information.
According to DreamHost's report, the hosting provider dealt with just over 1,300 requests for information in 2014. This does not include national security letter (NSL) requests issued by the FBI or U.S. Department of Justice, or requests that fall under the purview of the Foreign Intelligence Surveillance Act of 1978 (FISA). FISA/NSL requests typically contain a restriction that prohibits any public communication about those requests, including discussion of how many requests are made by the government agencies.
Art Elizarov, VP of Legal Affairs at DreamHost, says 2014 was a relatively light year for requests. "When you consider how many websites we host, receiving just over a thousand requests for information really isn't much," says Elizarov. What's more, just because DreamHost received those requests does not mean they were fulfilled. The fact is, DreamHost employs a rigorous process to evaluate the completeness and legality of each request, which allowed the company to legally reject 57% of combined information requests in 2014.
There are three common types of requests DreamHost receives: government requests to access data; requests to remove content; and copyright and Digital Millennium Copyright Act (DMCA) takedown notices. Let's take a look at each scenario.
Government requests are often seeking user account information. Because DreamHost offers WHOIS service, the account information is generally private. Government agencies may want to know the real owner of an account, along with his address and contact information. Typically this is part of a criminal investigation, and the hosting provider is often legally required to provide this information. Elizarov says his team of legal eagles scrutinizes every request to make sure it is complete and legally binding before turning over any information.
Requests to remove or censor content located on DreamHost servers often stem from defamation or invasion of privacy lawsuits. The hosting company analyzes every single complaint in order to decide whether compliance is necessary. Elizarov says that in more than 80% of cases, the company is typically able to reject the data removal request.
As for the third area of requests – those pertaining to copyright or trademark infringement – Elizarov says his company usually forwards those requests to the affected customers so they have an opportunity to contest the validity and respond on their own before DreamHost would actually take down a site. A complaint typically stems from a website that contains copyrighted materials, such as a video or a photo. If the website owner doesn't remove the contested material on his own, and there is proof of copyright ownership, DreamHost will comply with the request for takedown.
Elizarov says his company usually does inform customers when a request comes in, unless it is under a government gag order, such as in the case of a criminal investigation. Fortunately these types of requests are a very small fraction of the overall tally of requests.
If DreamHost is required by law to hand over data to a legally-authorized agency, the company ensures the data is encrypted – either by the data owner or by the hosting provider – before it is submitted over a secure server through an FTP connection.
For the majority of businesses that act in a legal manner, there is little concern that a government agency can request and actually obtain their data from a web hosting provider or cloud service provider. This should help to put some cloud concerns to rest.
Read the full DreamHost transparency report at http://legal-docs.objects.dreamhost.com/dh-transparency-report-2014.pdf.