Please contact your support team if you have a question or need assistance for any Rackspace products, services, or articles.
I'd like to start by saying that I am very pleased with Rackspace (and Slicehost before that!).
By now practically everyone has heard about the so-called PRISM program run by the NSA and there has been a lot of discussion among lawyers, reporters, bloggers, academics and others about whether Internet companies can be forced by the government to access and disclose data which is stored by its customers in their cloud or dedicated hosted environments. This statement is intended to explain Rackspace’s view of the law, and our approach to the issue. Rackspace has been in the hosting services business since 1998. We have a lot of experience with law enforcement requests for customer data, and we have an evolved approach to dealing with law enforcement requests for customer-owned content stored in the cloud at Rackspace. Our primary guiding principle for responding to requests from U.S. law enforcement agencies (“LEA”) is the Fourth Amendment to the United States Constitution which states that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” Further, we are very familiar with the Electronic Communications Privacy Act (“ECPA”) which controls how stored data is treated by providers. Based on our interpretation of the Fourth Amendment and ECPA, we are of the view that Rackspace is prohibited from accessing and turning over customer data stored on a customer’s server or other storage device in a U.S. data center without a properly issued, lawful request ( e.g. search warrants, court orders, Foreign Intelligence Surveillance Orders) from a U.S. court with appropriate jurisdiction over Rackspace and the data sought. This view applies to all LEA requests, including those under the PATRIOT Act. Rackspace’s interpretation of the law is based on the specific relationship that Rackspace has with its customers. By contract and in practice, Rackspace’s customers have full control over their servers and any data that may be stored on those servers. Rackspace does not have that control. By agreement, our customers own and are responsible for the protection of data they store on their Rackspace servers against exposure and loss. This includes allowing them full control of the servers, including the ability to lock Rackspace out of the servers, control passwords used to access their data, and maintain the security of the data stored on those servers to the exclusion of others. Because of this, we take the view that, in legal terms, Rackspace has neither “possession” nor “care, custody and control” over customer stored data, and that we are legally prohibited from accessing that data on our own. It is also our position that we can’t give any customer data to third parties other than in compliance with a proper search warrant. Our experience over the past dozen or so years working with law enforcement, lawyers and our customers gives us a great deal of confidence in our position and approach. We have never been served with a blanket warrant, or anything close to it, that requires us to give data owned by multiple customers. This is true for all of our businesses. If we were served with such a warrant, we would fight it because it would be, by its very nature, overreaching and, given our business model and cloud architecture, nearly impossible to comply with. It just wouldn't make any sense. That takes us back to the Fourth Amendment. A blanket warrant covering thousands of customers cannot possibly comply with the Fourth Amendment. Maybe that's why we have never seen one. We have seen a number of warrants over the years. All have been precise, directed at a particular, identifiable customer environment, and very clearly based on probable cause. Our dealings with LEA have been straight up and we have found them to be reasonable and respectful of privacy laws and our customer agreements. It has been distressing for us to read about the wholesale collection of data, because we think that stretches the Fourth Amendment in a particularly dangerous way. We hope that the White House and Congress will take a hard look at what has happened and how data is collected to ensure that our constitutional rights are protected.
SVP & General Counsel for Rackspace Hosting
Alan, thank you for the detailed answer. Could you clarify a couple points?
Hi Alan, Thanks for the very detailed reply. Could I trouble you to extend your description of Rackspace's position on sharing data with respect to non-US citizens?
In particular, Rackspace is just about to open its Sydney data centre for public cloud. I'm an Australian, living in Australia and would like to store data on Australian users in your Australian datacenter. Similar to this question asked of Microsoft in 2011:
Can Rackspace guarantee that AU-stored data, held in AU based datacenters, will never leave Australia under any circumstances - even under a request by the Patriot Act, US warrant, NSL or FISA order?
This has particular relevance to how Australian business and government view the Australian National Privacy Principals. While the NPP don't forbid data being stored offshore, many government departments interpret the NPP this way and require their data to be held within Australia.
Can you guarantee that no authority other than an Australian authority can ever compel you to share data from Rackspace servers in Sydney?
Thanks in advance,