I'd like to start by saying that I am very pleased with Rackspace (and Slicehost before that!).
By now practically everyone has heard about the so-called PRISM program run by the NSA and there has been a lot of discussion among lawyers, reporters, bloggers, academics and others about whether Internet companies can be forced by the government to access and disclose data which is stored by its customers in their cloud or dedicated hosted environments. This statement is intended to explain Rackspace’s view of the law, and our approach to the issue.
Rackspace has been in the hosting services business since 1998. We have a lot of experience with law enforcement requests for customer data, and we have an evolved approach to dealing with law enforcement requests for customer-owned content stored in the cloud at Rackspace.
Our primary guiding principle for responding to requests from U.S. law enforcement agencies (“LEA”) is the Fourth Amendment to the United States Constitution which states that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” Further, we are very familiar with the Electronic Communications Privacy Act (“ECPA”) which controls how stored data is treated by providers. Based on our interpretation of the Fourth Amendment and ECPA, we are of the view that Rackspace is prohibited from accessing and turning over customer data stored on a customer’s server or other storage device in a U.S. data center without a properly issued, lawful request (e.g. search warrants, court orders, Foreign Intelligence Surveillance Orders) from a U.S. court with appropriate jurisdiction over Rackspace and the data sought. This view applies to all LEA requests, including those under the PATRIOT Act.
Rackspace’s interpretation of the law is based on the specific relationship that Rackspace has with its customers. By contract and in practice, Rackspace’s customers have full control over their servers and any data that may be stored on those servers. Rackspace does not have that control. By agreement, our customers own and are responsible for the protection of data they store on their Rackspace servers against exposure and loss. This includes allowing them full control of the servers, including the ability to lock Rackspace out of the servers, control passwords used to access their data, and maintain the security of the data stored on those servers to the exclusion of others. Because of this, we take the view that, in legal terms, Rackspace has neither “possession” nor “care, custody and control” over customer stored data, and that we are legally prohibited from accessing that data on our own. It is also our position that we can’t give any customer data to third parties other than in compliance with a proper search warrant. Our experience over the past dozen or so years working with law enforcement, lawyers and our customers gives us a great deal of confidence in our position and approach. We have never been served with a blanket warrant, or anything close to it, that requires us to give data owned by multiple customers. This is true for all of our businesses. If we were served with such a warrant, we would fight it because it would be, by its very nature, overreaching and, given our business model and cloud architecture, nearly impossible to comply with. It just wouldn't make any sense. That takes us back to the Fourth Amendment. A blanket warrant covering thousands of customers cannot possibly comply with the Fourth Amendment. Maybe that's why we have never seen one. We have seen a number of warrants over the years. All have been precise, directed at a particular, identifiable customer environment, and very clearly based on probable cause. 
Our dealings with LEA have been straight up and we have found them to be reasonable and respectful of privacy laws and our customer agreements. It has been distressing for us to read about the wholesale collection of data, because we think that stretches the Fourth Amendment in a particularly dangerous way. We hope that the White House and Congress will take a hard look at what has happened and how data is collected to ensure that our constitutional rights are protected.
SVP & General Counsel for Rackspace Hosting
An excellent question. We want to give you an official answer that's accurate and authoritative, but it will take a little time to put together. I hope you don't mind the delay - we'll post a response as soon as we can.
Alan, thank you for the detailed answer. Could you clarify a couple points?
Dmitry - I think I can confidently answer these questions for Alan.
1) By "Customer data" we mean ALL customer data.
2) Our policy above applies to email. And anything else we offer. It is pretty much our blanket promise to you.
Hope that helps.
Rob La Gesse
Director of Social Media
"A true friend stabs you in the front" - Oscar Wilde
Thanks Rob but this is a very serious issue and I think the answer should come from the person that carries the responsibility. So an answer from Alan together with confirmation that he is the right guy would be appreciated.
You also mention the U.S. and not EU - what happens in the EU? Does the same apply and can we confirm to our customers all over the world that their data, including email, is safe with Rackspace?
I've sent Alan an email regarding the above questions; I will have either Alan or someone else on his team update this post.
Great questions Dmitry and Aubrey. To clarify Rob’s response, for any type of data, including metadata, stored anywhere in the world, Rackspace always requires a proper government request based on the statute applicable to such data. For example, this could be a warrant, subpoena or court order.
"Based on our interpretation of the Fourth Amendment and ECPA, we are of the view that Rackspace is prohibited from accessing and turning over customer data stored on a customer’s server..."
1. Can you confirm that Rackspace does not allow access to customer data without proper government requests, e.g., they do NOT have any back doors in place to where the government can gain access without getting Rackspace involved?
2. Can you also confirm that the above-stated safeguards also apply to Rackspace dedicated and virtual servers, too?
Hi Alan, Thanks for the very detailed reply. Could I trouble you to extend your description of Rackspace's position on sharing data with respect to non-US citizens?
In particular, Rackspace is just about to open its Sydney data centre for public cloud. I'm an Australian, living in Australia and would like to store data on Australian users in your Australian datacenter. Similar to this question asked of Microsoft in 2011:
Can Rackspace guarantee that AU-stored data, held in AU based datacenters, will never leave Australia under any circumstances - even under a request by the Patriot Act, US warrant, NSL or FISA order?
This has particular relevance to how Australian business and government view the Australian National Privacy Principles. While the NPP don't forbid data being stored offshore, many government departments interpret the NPP this way and require their data to be held within Australia.
Can you guarantee that no authority other than an Australian authority can ever compel you to share data from Rackspace servers in Sydney?
Thanks in advance,
Hi Advantly. Confirmed for both. Thanks for the questions.
Hi Andrew from Australia,
When we launched Sydney I wrote a long piece on our approach to customer data. That piece formed the basis for my post here. Hopefully it will answer your questions. If not let us know. You can find it on our Australia website here:
Thanks Alan, that's very helpful.
The "Security Now" podcast is hypothesizing that the NSA would not need to send security letters directly to large e-mail providers like Rackspace to access most of our mail. The theory being that the NSA has already placed fiber splitters (hence the name “Prism”) in the backbone providers near major data centers. While we may be using TLS encryption when sending and pulling email, the mail exchange servers are exchanging mail with each other in the clear.
As you guys are working on your writeup, can you also include how this affects non-US customers hosting in either A) a non-US server; or B) a US server?
I am not sure there is much more to add to my long post on this subject. The main point is that data is governed by the law of the country where the data is stored. Location or citizenship of the customer is not a determining fact.