The truth about Microsoft Azure – and where your data will be kept
One piece of this confetti of documentation says that your contract is with Microsoft in Redmond, bound by the law of Washington State, but this revised document says that, “‘Microsoft’ means Microsoft Ireland Operations Limited and its Affiliates, as appropriate”.
So now the agreement is with Microsoft Ireland, which at least takes us inside the EU. But let’s look at that interesting phrase “and its Affiliates”. This is actually defined in the document too, thus: “‘Affiliate’ means any legal entity that owns, is owned by, or is under common ownership with Customer or Microsoft. ‘Ownership’ means, for purposes of this definition, more than 50% ownership. With regard to Microsoft, ‘Affiliate’ means any legal entity that Microsoft owns, that owns Microsoft, or that is under common ownership with Microsoft.”
Now, given that “Microsoft” is defined as being “Microsoft Ireland Operations Ltd”, which do we think falls into the category of “any legal entity… that owns Microsoft”? Ah, that will be Redmond again!
As if you needed any further proof that this is merely a veneer, it comes in section 10, which says that any notices to Microsoft must be sent to Microsoft Ireland Operations Ltd in Dublin. It then says that “Copies should be sent to Microsoft Corporation, Law and Corporate Affairs” in Redmond.
Why does this matter? Because I’ve been banging on about where your data might be kept, but Microsoft’s own, highly confusing documentation shows that it claims the right to move data anywhere within its Cloud, which means to the US or to its Singapore datacenter.
Ask the ICO
We asked the Information Commissioner’s Office what its view was, and a spokesperson for the ICO said: “All data controllers have a responsibility to securely store personal information on others and safeguard this data against loss, theft or misuse. Processing information ‘in the cloud’ does not remove this responsibility and any UK data controller that chooses to use cloud computing must do so in compliance with the Data Protection Act. Organisations that store personal information using cloud computing remain the data controller and must ensure they take every possible measure to store the information securely.”
It took a lot of pushing, and getting the right people to read my previous columns on this matter, but finally I got a phone conference with the right people inside Microsoft Redmond who are responsible for all of this, namely: Eron Kelly, senior director of Microsoft Online Services; Kore Koubourlis, senior director of Compliance and Privacy; Brendon Lynch, director of Trustworthy Computing; and Mike Ziock, senior director of Operations, Business Online Services.
It was, shall we say, a lively hour-long conversation. Some claims were made that frankly boggled my mind – for example, Eron Kelly claimed that he has corporate customers who are unable to achieve 99.9% uptime on their Exchange Server installations, and who view moving to the Microsoft Cloud service as a significant improvement in reliability.
My own simple server, hosted in a rack in a datacenter, manages better reliability than this, so I have to wonder about the design and implementation competence of some of these customers. For example, this Exchange Server log shows a very good level of uptime.