[LINK] Microsoft slams local data centre edict

Philip Argy pargy at argystar.com
Sun Nov 27 12:08:45 AEDT 2011


With Cocoon Data's Secure Objects technology, the access control list
for a file/directory/server etc can be kept in Australia and the
encrypted file stored anywhere on the planet.  Because the
encryption/decryption keys and the access rights are totally
controlled from here, and have to be referenced each time a file is
sought to be opened, the paranoia about the location of the server on
which the information is stored becomes irrelevant.  The encryption
mechanism can be as strong as you wish - 5,000+ bit keys if you're so
inclined!  What's important is where access control is - not where the
data is.

But of course this is just innovative Aussie technology that no-one
here is interested in ... 

Philip


-----Original Message-----
From: link-bounces at mailman.anu.edu.au
[mailto:link-bounces at mailman.anu.edu.au] On Behalf Of Jan Whitaker
Sent: Friday, November 25, 2011 9:36 AM
To: link
Subject: Re: [LINK] Microsoft slams local data centre edict


Re Karen Dearne's article about the submissions on the PCEHR
legislation
http://www.theaustralian.com.au/australian-it/microsoft-slams-local-data-centre-edict/story-e6frgakx-1226205393994

MS says in their submission:

"Healthcare information stored in a PCEHR will not necessarily be
better secured and protected simply by virtue of data being held
within Australia's territorial boundaries, as compared to (offshore)
storage repositories and portals operated under world's best practice
security and privacy systems," it says in a just revealed submission
on the draft bill.

"By regulating the geography where the data is held rather than the
level of security under which it is held implicitly establishes
criteria for data protection that are not related to principles of
technology security."

Exactly right! There are more important things than the specific
technology, like accountability, right of action, law, little things
like that.

I went to a briefing on ehealth info with an APF colleague about 3 or
4 years ago. We met the person from Microsoft at the time running
Healthvault or whatever it was called, the MS offering for storing
personal health information at the pleasure of the individual rather
than the government.

The key question I asked him was: Will MS guarantee the information is
stored in Australia to be under our legal jurisdiction? The answer was
an unequivocal, yes, it will be stored in Australia. It was that
simple.

The position MS takes about not focusing on the security misses the
governance problem: whose law will cover the screw ups? It's not just
about technical security or even privacy. It is about jurisdictional
accountability. IANAL, but the issue of server location has seemed to
be powerful enough for other actions where jurisdiction comes into
play. Why does Microsoft say in their submission (as quoted in the
article) that the government could contract them to meet the local
jurisdictional requirements? Is that accurate? 




