Canada Wants To Keep Federal Data Within National Borders (thestack.com) 104

An anonymous reader quotes a report from The Stack: Canada has released its latest federal cloud adoption strategy, now available for public comment, which includes policy concerning the storing of sensitive government information on Canadian citizens within national borders. The newly-published [Government of Canada Cloud Adoption Strategy] requires that only data which the government has categorized as "unclassified," or harmless to national and personal security, will be allowed outside of the country. This information will still be subject to strict encryption rules. The new strategy, which has been in development over the last year, stipulates that all personal data stored by the government on Canadian citizens, such as social insurance numbers and critical federal information, must be stored in Canada-based data centers in order to retain "sovereign control."

  • sovereign control served here
  • Is somebody trying to make an argument against the idea?

    • Re:Seems logical (Score:5, Insightful)

      by Noah Haders ( 3621429 ) on Wednesday August 03, 2016 @09:00PM (#52641193)

      I think it is a good start, but you also need to be careful that your data doesn't pass through outside networks before getting to your home. For example, when I get a page from slashdot, it may travel around the world and back again to get into my computer. We need ways to keep control of which paths the data takes.

      • Re: (Score:3, Funny)

        That might be a bit more difficult, but maybe using traceroute can keep it on a domestic path.

      • Specifically for Canada this may well be impossible, the reason being that much of the Canadian population lives within 100 km of the US border and many of the fat pipes that take data between Canadian cities go via carriers in the US.

        BTW we're talking US here as being the key aggressor of sovereign cybercrime.

        • They said nothing about "transport", just "storage".

          Nobody would store bytes passing through inter-web pipes for free, right?
          • by cdrudge ( 68377 )

            Nobody would store bytes passing through inter-web pipes for free, right?

            It cost $1.5b when built, but this place [wikipedia.org] will store your data for no additional costs.

          • They said nothing about "transport", just "storage". Nobody would store bytes passing through inter-web pipes for free, right?

            If you can "transport" it, you can "store" it. To prevent storage, the Canadian government would have to employ some sort of layer 7 end-to-end security.

            • by Yvan256 ( 722131 )

              How about creating a new TCP/IP "do not copy" security bit, similar to the evil bit in RFC 3514?

              • Will bad actors respect the do not copy bit? Drats! Foiled again!

              • How about creating a new TCP/IP "do not copy" security bit, similar to the evil bit in RFC 3514?

                That's one hell of an Achilles' heel in that it assumes every single hop (intended or otherwise) will obey it. Without dedicated VPNs or air gaps, you cannot prevent copying. So the only alternative is end-to-end Layer 6/7 confidentiality, integrity and non-repudiation (and availability but only if the first three are met.)

      • by Lennie ( 16154 )

        Employing the correct encryption helps a lot.

      • I think it is a good start, but you also need to be careful that your data doesn't pass through outside networks before getting to your home. For example, when I get a page from slashdot, it may travel around the world and back again to get into my computer. We need ways to keep control of which paths the data takes.

        Without guaranteed air gaps, the required levels of confidentiality or access control cannot be achieved by anything present in the OSI/IP model unless we start using VPNs, WS-Security or some other complex mechanism.

        That might be the way to go (the only way to go) for the Canadian government if it wants to implement such requirements. Talking about them and making the requirements available to the public is a good start. Better than trying to concoct the requirement in secret and come up with a shitty impl

      • by dmt0 ( 1295725 )

        I think it is a good start, but you also need to be careful that your data doesn't pass through outside networks before getting to your home. For example, when I get a page from slashdot, it may travel around the world and back again to get into my computer. We need ways to keep control of which paths the data takes.

        There is a tool that allows you to explore the travel paths. And from the stats that the tool has gathered so far it appears that most of the local/domestic Canadian traffic gets routed through a few very specific points in US. See here:
        https://www.ixmaps.ca/faq.php [ixmaps.ca]

        IX maps has been sending requests recently through openmedia.ca, asking people to download the tool and submit their stats. The tool is here:
        https://www.ixmaps.ca/contribu... [ixmaps.ca]

    • If TPP passes, you can rest assured that some foreign company will be crying foul and suing in private court because they weren't given a chance at the business due to unfair "protectionist" laws.

    • Yes. Literally EVERY cloud service that hosts data outside of Canada wants in on the action, but without having to have a datacenter in Canada to store the data.

      This policy has basically given in on the subject, now it will be some bureaucrat with no understanding of how information pieces together deciding whether a given bit of data is "unclassified" or not.

      Is it really so hard to just say "Fuck you. You need to store all the data within Canada or you can't be a provider for the Canadian gov't."

      • The real problem is storing government and federal data outside the government and federal infrastructure. Why is that? All data should be stored encrypted, even if in a Canadian cloud. But I still don't understand why the government needs to store it in the cloud and not build its own cloud for this purpose. What are the advantages for the government to store it in the cloud instead of in-house?
        • The real problem is storing government and federal data outside the government and federal infrastructure. Why is that? All data should be stored encrypted, even if in a Canadian cloud. But I still don't understand why the government needs to store it in the cloud and not build its own cloud for this purpose. What are the advantages for the government to store it in the cloud instead of in-house?

          In a word, cost. The government can't compete with the likes of AWS.

    • Is somebody trying to make an argument against the idea?

      Only every cloud provider in the known universe that likes to replicate your data across at least three continents.

      I have to control my data under similar restrictions, so I've had quite a lot of experience hearing "Oh, wow. No, I'm afraid we can't do that."

      • In many ways what the government is doing here is no different from financial organisations. Due to the regulated nature of these organisations, any cloud service provider must be able to limit where the data is being stored or they won't be selected as a vendor.

        For example, e-mails exchanged between employees in Switzerland may not be stored outside of the country, even if the company is a multinational and has other e-mail archives.

  • by Anonymous Coward

    This is actually a requirement in several Provincial Privacy acts. Nova Scotia for example is not allowed to store any personally identifiable information outside of Canada. The feds aren't bound to follow Provincial acts, but it's not surprising they would follow what others are doing already.

    It's specifically the Patriot act that led to the NS Clause.

    • Re:yay patriot act (Score:5, Informative)

      by MightyMartian ( 840721 ) on Wednesday August 03, 2016 @10:22PM (#52641635) Journal

      I work for a contractor for a Provincial government, with a significant amount of the money for that contract actually flowing from the Federal government, and the contract language is explicit; no confidential or personal data is to be stored, or even accessed, outside of Canada.

      I actually talked to Google about three years ago and asked if they could guarantee the Google Docs (now Google Drive) cloud could be located on Canadian servers, and they said that they couldn't and that they had no plans to. It's my understanding that Microsoft, on the other hand, has conceded to this for OneDrive, so I expect that if Google hasn't already moved in that direction, they will soon.

      As it is, we're getting requests from a lot of staff for some sort of Cloud solution, as usage scenarios grow beyond VPNs and RDP.

      • by swb ( 14022 )

        "Couldn't" probably means "don't want to". It seems hard to fathom that Google doesn't have some kind of regional controls in their system that can pin or exclude data or processes to specific geographic regions (transnational) or national regions. It seems like a basic management function for such a large clustered compute environment.

        Amazon *sells* regional availability zones as a feature, although I don't know to what extent this creates guarantees of regional isolation or anchoring of data.

        My guess is

      • Just try explaining that to a U.S. company. Anonymized conversation:

        Me - "How do I do [X] with our data?"
        U.S. - "I can do that for you, just send me a copy of the database."
        Me - "No, I can't ship our data to you. It's full of citizens' personal information."
        U.S. - "Oh, well we can sign an N.D.A."
        Me - "No, that won't work. The USA PATRIOT act allows the US government to compel you to give them that information. Our own privacy legislation prevents me from sharing that personal information with persons
      • Some governments think this kind of security is a bad thing, and wrote in a clause of the Trans-Pacific Partnership treaty to prohibit it.

        TPP “prevents governments in TPP countries from requiring the use of local servers for data storage,” the Canadian government states on its website. This creates a privacy issue, suggested Guy Caron, NDP MP for Rimouski-Neigette-Témiscouata-Les Basques, in the House of Commons May 12.

        See also http://www.canadianunderwriter... [canadianunderwriter.ca]

  • Before the census was cancelled, the contract was given to Lockheed. [globalnews.ca]

    During the 2011 census, for instance, 89-year-old Ontario resident Audrey Tobias said she would not fill out the questionnaire because an information technology contract linked to it had been awarded to an American company, Lockheed Martin. Tobias was charged with violating the Statistics Act, but eventually acquitted.

    Now that it's back, time to make sure that your data stays your data.

  • by 110010001000 ( 697113 ) on Wednesday August 03, 2016 @09:04PM (#52641219) Homepage Journal
    ...Canada is buying another computer to go with the one they already have?
  • by Rob Bos ( 3399 ) on Wednesday August 03, 2016 @09:05PM (#52641231) Homepage

    British Columbia already has this rule; government data (including university data for researchers) must be kept on Canadian servers. There's some wiggle room for opting in to US storage, though.

    I think it's important legislation, and it motivates some good duplication of infrastructure within Canada. It makes it harder to abdicate our responsibility to data and makes it just a bit harder for US subpoenas to get a hold of it.

  • by Kernel Kurtz ( 182424 ) on Wednesday August 03, 2016 @09:07PM (#52641253) Homepage

    Nobody sane the world over wants their data exposed to the USA.

    Hard to protect against for sure, but still a worthwhile goal to shoot for.

    • This is most likely a question of protectionism (giving contracts to your own data centers) with a privacy smokescreen. It has a coincidental privacy benefit.

      • by Mashiki ( 184564 )

        No, it's more likely a point on the state of Canada's privacy laws, which are incredibly stringent compared to the US and some parts of Europe. See, here in Canada, there are sections in the privacy laws (both federal and provincial) that require storage of personally identifiable information to remain within the government agency. It's so stringent that unless there is written permission from you, one government agency can't transfer it to another.

      • Not at all, it is about jurisdiction and laws. A server outside of your country is essentially in the jurisdiction of the country it is hosted in and subjected to the laws of the hosting country. If said hosting country decides to confiscate said servers or make a copy of that data, then there is not much the owner of the data can do. Is it really spying when the data was stored outside the originating country?

        By having the data limited to being stored in the territory of the country it belongs to, you are

    • by dmt0 ( 1295725 )
      Not sure if anyone is trying to protect from that at all. Somehow most of local Canadian traffic (including the one between your PC and government sites) goes through US:
      https://www.ixmaps.ca/faq.php [ixmaps.ca]
  • This is data that should be nationally controlled and protected. Keeping it within borders makes sense.
    The US doesn't have a law. It has regulations that amount to the same. So do other countries.
    All the big brother conspiracists, please give the rest of us a break.
  • by whitroth ( 9367 ) <whitroth@@@5-cent...us> on Thursday August 04, 2016 @11:57AM (#52645241) Homepage

    This is the GOVERNMENT's data. For that reason, for you whose attention span is 15 minutes, a year or two ago, the UK government decided against the cloud, because they could not be assured that UK government data would remain on UK government soil.

    You disagree? Really? So it's ok if all of the personal and economic data, including your tax returns, winds up in a data center in China, or Russia, or, for those outside the US, in the US? And you're going to tell me that EVERY SINGLE PERSON who has login or physical access to *all* the servers and their storage has at least some minimal security clearance from your country?

    Give me a break.

                          mark

  • First I've heard of "sovereign control" which sounds like BS to me.

    Anyway this issue has been around for a very long time now and isn't really all that complicated. I've looked into a number of cloud based systems as possible solutions for government projects, but they all run into the same problem.

    Bottom line is that Canada has quite good Privacy Laws. The Government as custodian of a lot of personal information has a responsibility to ensure that that information is protected.

    The issue first came about re

  • Should be the policy of all nations, countries, states and unions.
