Hi Un,

Thanks for your question. It is important to know that there isn't really a distinction between what we may be required to do in response to a government request if the data was on our own servers in a colocation facility or if we opted to store the data elsewhere (with a cloud provider like Amazon, Rackspace, or Microsoft) - in all cases we, and all other entities, have to comply with the law. The distinction would be whether a cloud storage provider (like AWS) would challenge a government request in the same way that we might. This isn't something that we can know going into the relationship, but it is something that we consider when we opt to store data elsewhere.

Any time that we opt to use a third-party vendor for data storage, we analyze how that vendor has stated that they respond to governmental inquiries among other privacy and security issues. We also consider things such as how robust that vendor's systems are to third-party intrusions, what certifications and standards are implemented, whether the vendor allows for encryption and ownership of the encryption keys, and how generally to balance security, privacy, usability and performance of the service. Also, when we negotiate agreements, we attempt to include language around security and privacy to bolster our analysis.

We then compare the overall solution to our in-house ones to see whether we can do a better job. The solutions you laid out were picked after this analysis and implemented to balance those interests. In our products, we also design user control mechanisms that allow users to manage how their data is sent to us (and others), including turning off or not interacting with the services you listed. We also limit what data we collect in the first place and discard data once we don't need it.

Finally, we are always open to more ideas about how we might think about this problem. If you're interested in contributing your thoughts on this and other security and privacy problems around hosting data, we would value your contribution.

Thanks and happy new year

- Marshall Erwin

_______________________________________________
governance mailing list
[email protected]
https://lists.mozilla.org/listinfo/governance
