Thank you for visiting the Rackspace Community
The The Community is live! Post new content or topics so our teams can assist.

Please contact your support team if you have a question or need assistance for any Rackspace products, services, or articles.

Rackspace Cloud Privacy & Government Surveillance?

Hello,

I'd like to start by saying that I am very pleased with Rackspace (and Slicehost before that!).  

In light of recent revelations regarding the participation by major tech/telecom firms in the U.S. government's vast and warrant-less surveillance of citizens I must ask to what extent, *if any*, does Rackspace or it's subsidiaries participate in or allow warrant-less access to user data including email by this (U.S.) or other governments?  I know that Rackspace values it's customer's privacy and seems to have an adequate Privacy Policy in place.  However, to be fair, so did Google, Microsoft, Apple, Verizon, and the many other companies who are now under scrutiny.

Parents
No Data
Reply
  • By now practically everyone has heard about the so-called PRISM program run by the NSA and there has been a lot of discussion among lawyers, reporters, bloggers, academics and others about whether Internet companies can be forced by the government to access and disclose data which is stored by its customers in their cloud or dedicated hosted environments.  This statement is intended to explain Rackspace’s view of the law, and our approach to the issue.
     
    Rackspace has been in the hosting services business since 1998. We have a lot of experience with law enforcement requests for customer data, and we have an evolved approach to dealing with law enforcement requests for customer-owned content stored in the cloud at Rackspace.
     
    Our primary guiding principle for responding to requests from U.S. law enforcement agencies (“LEA”) is the Fourth Amendment to the United States Constitution which states that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” Further, we are very familiar with the Electronic Communications Privacy Act (“ECPA”) which controls how stored data is treated by providers.
     
    Based on our interpretation of the Fourth Amendment and ECPA, we are of the view that Rackspace is prohibited from accessing and turning over customer data stored on a customer’s server or other storage device in a U.S. data center without a properly issued, lawful request ( e.g. search warrants, court orders, Foreign Intelligence Surveillance Orders) from a U.S. court with appropriate jurisdiction over Rackspace and the data sought. This view applies to all LEA requests, including those under the PATRIOT Act. Rackspace’s interpretation of the law is based on the specific relationship that Rackspace has with its customers. By contract and in practice, Rackspace’s customers have full control over their servers and any data that may be stored on those servers. Rackspace does not have that control.
     
    By agreement, our customers own and are responsible for the protection of data they store on their Rackspace servers against exposure and loss. This includes allowing them full control of the servers, including the ability to lock Rackspace out of the servers, control passwords used to access their data, and maintain the security of the data stored on those servers to the exclusion of others. Because of this, we take the view that, in legal terms, Rackspace has neither “possession” nor “care, custody and control” over customer stored data, and that we are legally prohibited from accessing that data on our own. It is also our position that we can’t give any customer data to third parties other than in compliance with a proper search warrant. Our experience over the past dozen or so years working with law enforcement, lawyers and our customers gives us a great deal of confidence in our position and approach. We have never been served with a blanket warrant, or anything close to it, that requires us to give data owned by multiple customers. This is true for all of our businesses. If we were served with such a warrant, we would fight it because it would be, by its very nature, overreaching and, given our business model and cloud architecture, nearly impossible to comply with. It just wouldn't make any sense.
     
    That takes us back to the Fourth Amendment.  A blanket warrant covering thousands of customers cannot possibly comply with the Fourth Amendment. Maybe that's why we have never seen one. We have seen a number of warrants over the years. All have been precise, directed at a particular, identifiable customer environment, and very clearly based on probable cause. Our dealings with LEA have been straight up and we have found them to be reasonable and respectful of privacy laws and our customer agreements. It has been distressing for us to read about the wholesale collection of data, because we think that stretches the Fourth Amendment in a particularly dangerous way.  We hope that the White House and Congress will take a hard look at what has happened and how data is collected to ensure that our constitutional rights are protected.


    Alan Schoenbaum

    SVP & General Counsel for Rackspace Hosting

Children