Due to the broad data/information collection, review, and retention provisions of the USA Patriot Act, RIM professionals have expressed concern about the risks to privacy rights and confidentiality when Canadian organizations store e-mails (and other cloud-based data) on servers in the United States. Recent developments suggest the Government of Canada (GoC) shares their concern when it comes to the government’s e-mails.
As reported by Michael Geist in the Toronto Star (article available for purchase here), the GoC’s Email Transformation Initiative will consolidate “more than 100 different email systems used by more than 300,000 employees into a single, outsourced email system”. When defining the system requirements, the government invoked a national security exception to require secure storage of the e-mails on servers in Canada.
A Request for Proposal (RFP) was issued to four pre-qualified vendors: Bell Canada, Dell Canada, HP Canada, and IBM Canada. In June 2013, the $350+M contract was awarded to Bell Canada, in partnership with CGI Information Systems And Management Consultants Inc.
Documents recently obtained by the B.C. Freedom of Information and Privacy Association reveal that US companies who were shut out of this procurement urged US government officials to launch a trade complaint. As Mr. Geist reports, “While the companies explored several alternatives that might address Canadian concerns, including encrypting all data and retaining the encryption key in Canada (thereby making it difficult to access the actual data outside the country, the government insisted on Canadian-based storage” and “pointed to privacy concerns stemming from the USA Patriot Act” regarding that requirement.
This situation is interesting on a number of levels.
First, it reinforces the concerns RIM professionals have expressed for many years about the potential privacy risks that may arise from the provision in the USA Patriot Act to gather and disclose data/information to law enforcement without appropriate oversight or disclosure and to retain that data/information indefinitely.
Second, it illustrates the GoC’s commitment to protect its e-mails by ensuring their storage on Canadian servers despite the risk of upsetting its largest trade partner.
Third, and perhaps of most interest, it demonstrates that the GoC has secured a protection not available to the average consumer or to most organizations operating in Canada. As Mr. Geist reports, “. . . the majority of Canadian dot-ca domain name websites are hosted outside the country, with Canada ranking among the lowest countries in the developed world for domestic website hosting. Moreover, Canadian Internet providers such as Bell exchange their Internet traffic in the U.S., ensuring that even simple domestic emails frequently enter the U.S. network before returning to Canada.”