Swedish municipality in the Cloud – Can the technology solve the legal requirements?
Sweden wants to be the best in the world at digitalization, according to the government's digitalization goals. For this to be possible, Swedish authorities and the public sector need to be able to use modern technology. Cloud services are one such technology. The public cloud services market is today dominated by a couple of US companies. They offer all kinds of powerful services that make it easy for their customers to use advanced technology that would otherwise have been difficult to take advantage of.
At the same time, the Swedish authorities are concerned about the processing and storage of information in US clouds because of the legal conditions created by the CLOUD Act, under which American courts can decide that the cloud suppliers must disclose the information they store. This means that there is a theoretical risk that information protected by the Public and Confidentiality Act (Offentlighets- och sekretesslagen) or the Security Act (Säkerhetsskyddslagen) might be exposed. Several cloud suppliers claim that they can dispute the court decisions and that they cannot read the information if the security mechanisms they offer are implemented correctly.
In our paper, we attempt to sort out which laws are in conflict with each other, what the technical conditions are for using the US cloud services without risking information leakage to the US authorities, and what the alternative consequences are of setting the type of requirements that the eCooperate program (eSamverkansprogrammet) and the Legal, Financial and Administrative Services Agency (Kammarkollegiet) do.
Two use cases have been created to test how a client can use the cloud for storing data without risking information leakage. Since Cybercom is one of Amazon Web Services' biggest partners in Sweden, AWS was chosen as the cloud provider. These two use cases show a way forward for municipalities, authorities and the public sector that are required to follow the Confidentiality Act.
The two use cases include solutions such as client-side encryption and server-side encryption using CloudHSM (Cloud Hardware Security Module) to protect the data that is being uploaded.
Are these types of solutions enough? As mentioned before, AWS claims that they cannot read the data if the security mechanisms they offer are implemented correctly. Can we trust that? And if we can't trust the cloud providers, what makes us trust other software and hardware producers?
Our conclusion is that we have to trust them, because otherwise we would have to start rethinking our nation's whole IT infrastructure and probably produce our own software and hardware to minimize the risk of data leakage. And compared to how many municipalities store their data today, just about anything else would be an improvement.
Feel free to contact us if you want to learn more about the topic!
Gustav Seffer & Sam Spjuth