Rackspace Cloud Privacy & Government Surveillance?

This question is answered.

Hello,

I'd like to start by saying that I am very pleased with Rackspace (and Slicehost before that!).  

In light of recent revelations regarding the participation by major tech/telecom firms in the U.S. government's vast and warrant-less surveillance of citizens, I must ask to what extent, *if any*, does Rackspace or its subsidiaries participate in or allow warrant-less access to user data including email by this (U.S.) or other governments?  I know that Rackspace values its customers' privacy and seems to have an adequate Privacy Policy in place.  However, to be fair, so did Google, Microsoft, Apple, Verizon, and the many other companies who are now under scrutiny.

Verified Answer
  • By now practically everyone has heard about the so-called PRISM program run by the NSA and there has been a lot of discussion among lawyers, reporters, bloggers, academics and others about whether Internet companies can be forced by the government to access and disclose data which is stored by its customers in their cloud or dedicated hosted environments.  This statement is intended to explain Rackspace’s view of the law, and our approach to the issue.
     
    Rackspace has been in the hosting services business since 1998. We have a lot of experience with law enforcement requests for customer data, and we have an evolved approach to dealing with law enforcement requests for customer-owned content stored in the cloud at Rackspace.
     
    Our primary guiding principle for responding to requests from U.S. law enforcement agencies (“LEA”) is the Fourth Amendment to the United States Constitution which states that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” Further, we are very familiar with the Electronic Communications Privacy Act (“ECPA”) which controls how stored data is treated by providers.
     
    Based on our interpretation of the Fourth Amendment and ECPA, we are of the view that Rackspace is prohibited from accessing and turning over customer data stored on a customer’s server or other storage device in a U.S. data center without a properly issued, lawful request (e.g. search warrants, court orders, Foreign Intelligence Surveillance Orders) from a U.S. court with appropriate jurisdiction over Rackspace and the data sought. This view applies to all LEA requests, including those under the PATRIOT Act. Rackspace’s interpretation of the law is based on the specific relationship that Rackspace has with its customers. By contract and in practice, Rackspace’s customers have full control over their servers and any data that may be stored on those servers. Rackspace does not have that control.
     
    By agreement, our customers own and are responsible for the protection of data they store on their Rackspace servers against exposure and loss. This includes allowing them full control of the servers, including the ability to lock Rackspace out of the servers, control passwords used to access their data, and maintain the security of the data stored on those servers to the exclusion of others. Because of this, we take the view that, in legal terms, Rackspace has neither “possession” nor “care, custody and control” over customer stored data, and that we are legally prohibited from accessing that data on our own. It is also our position that we can’t give any customer data to third parties other than in compliance with a proper search warrant. Our experience over the past dozen or so years working with law enforcement, lawyers and our customers gives us a great deal of confidence in our position and approach. We have never been served with a blanket warrant, or anything close to it, that requires us to give data owned by multiple customers. This is true for all of our businesses. If we were served with such a warrant, we would fight it because it would be, by its very nature, overreaching and, given our business model and cloud architecture, nearly impossible to comply with. It just wouldn't make any sense.
     
    That takes us back to the Fourth Amendment.  A blanket warrant covering thousands of customers cannot possibly comply with the Fourth Amendment. Maybe that's why we have never seen one. We have seen a number of warrants over the years. All have been precise, directed at a particular, identifiable customer environment, and very clearly based on probable cause. Our dealings with LEA have been straight up and we have found them to be reasonable and respectful of privacy laws and our customer agreements. It has been distressing for us to read about the wholesale collection of data, because we think that stretches the Fourth Amendment in a particularly dangerous way.  We hope that the White House and Congress will take a hard look at what has happened and how data is collected to ensure that our constitutional rights are protected.


    Alan Schoenbaum

    SVP & General Counsel for Rackspace Hosting

All Replies
  • An excellent question.  We want to give you an official answer that's accurate and authoritative, but it will take a little time to put together.  I hope you don't mind the delay - we'll post a response as soon as we can.

  • Alan, thank you for the detailed answer.  Could you clarify a couple points?

    1. When you use the term "customer data" above, does that include so-called meta-data?  For example, while the contents of my e-mail are clearly customer data, the header contents of who I communicate with might be considered "meta-data".  Does Rackspace always require a warrant before sharing this meta-data with government agencies?
    2. Customers who use Rackspace's e-mail hosting do not have their communications stored on dedicated servers or storage devices.  Does Rackspace apply the same stringent policy above to customer data stored on shared servers?  (i.e. They do not turn over private customer communications without a verified warrant.)

    Thanks,

    Dmitry

  • Dmitry - I think I can confidently answer these questions for Alan.

    1) By "Customer data" we mean ALL customer data.

    2) Our policy above applies to email. And anything else we offer. It is pretty much our blanket promise to you.

    Hope that helps.

    Rob La Gesse

    ___________________

    Director of Social Media

    Rackspace Hosting.

    210-8450-4440

    "A true friend stabs you in the front" - Oscar Wilde

  • Thanks Rob but this is a very serious issue and I think the answer should come from the person that carries the responsibility. So an answer from Alan together with confirmation that he is the right guy would be appreciated. 

    You also mention the U.S. and not EU - what happens in the EU? Does the same apply, and can we confirm to our customers all over the world that their data, including email, is safe with Rackspace?

    Thanks

    Regards

    Aubrey Davies

  • I've sent Alan an email regarding the above questions. I will have either Alan or someone else on his team update this post.

    Cheers,

    Eric L.

  • Great questions Dmitry and Aubrey.  To clarify Rob’s response, for any type of data, including metadata, stored anywhere in the world, Rackspace always requires a proper government request based on the statute applicable to such data.  For example, this could be a warrant, subpoena or court order.

    Alan Schoenbaum

  • "Based on our interpretation of the Fourth Amendment and ECPA, we are of the view that Rackspace is prohibited from accessing and turning over customer data stored on a customer’s server..."

    1. Can you confirm that Rackspace does not allow access to customer data without proper government requests, e.g., they do NOT have any back doors in place to where the government can gain access without getting Rackspace involved?

    2. Can you also confirm that the above-stated safeguards also apply to Rackspace dedicated and virtual servers, too?

  • Hi Alan,
    Thanks for the very detailed reply.  Could I trouble you to extend your description of Rackspace's position on sharing data with respect to non-US citizens?

    In particular, Rackspace is just about to open its Sydney data centre for public cloud.  I'm an Australian, living in Australia and would like to store data on Australian users in your Australian datacenter.  Similar to this question asked of Microsoft in 2011:

    http://www.zdnet.com/blog/igeneration/microsoft-admits-patriot-act-can-access-eu-based-cloud-data/11225

    Can Rackspace guarantee that AU-stored data, held in AU based datacenters, will never leave Australia under any circumstances - even under a request by the Patriot Act, US warrant, NSL or FISA order?

    This has particular relevance to how Australian business and government view the Australian National Privacy Principles.  While the NPP don't forbid data being stored offshore, many government departments interpret the NPP this way and require their data to be held within Australia.

    Can you guarantee that no authority other than an Australian authority can ever compel you to share data from Rackspace servers in Sydney?

    Thanks in advance,

    Andrew

  • Hi Advantly. Confirmed for both.  Thanks for the questions. 

    Alan

  • Hi Andrew from Australia,

    When we launched Sydney I wrote a long piece on our approach to customer data. That piece formed the basis for my post here. Hopefully it will answer your questions. If not let us know. You can find it on our Australia website here: 

  • Thanks Alan, that's very helpful.

    Andrew

  • The "Security Now" podcast is hypothesizing that the NSA would not need to send security letters directly to large e-mail providers like Rackspace to access most of our mail. The theory being that the NSA has already placed fiber splitters (hence the name “Prism”) in the backbone providers near major data centers.  While we may be using TLS encryption when sending and pulling email, the mail exchange servers are exchanging mail with each other in the clear.

    Dmitry

  • As you guys are working on your writeup, can you also include how this affects non-US customers hosting in either A) a non-US server or; B) a US server?

  • Noesac,

    I am not sure there is much more to add to my long post on this subject. The main point is that data is governed by the law of the country where the data is stored. Location or citizenship of the customer is not a determining fact.