The authors of this report first came together on the privacy implications of extra- national outsourcing in the fall of 2013, when our organization, the University of Toronto, proposed migrating faculty and staff eCommunications to the Microsoft Office 365 platform. Prior to the initial June 13, 2013 revelations of Edward Snowden about the extent of bulk surveillance capture and retention of digital data by the United States’ National Security Agency (NSA), we were like most people, using free web-based email services for personal communication, and other services for file-sharing, project- management, and social media. Such free services were certainly compelling and the productivity potential of the new platforms was enticing.
Then our University proposed outsourcing faculty and staff eCommunications to a US multi-national provider.48 Student email had been outsourced two years earlier and many of us were not even aware at the time that it was to an extra-national provider. We knew that other universities, corporations and provincial governments were outsourcing specific eCommunications and other web-based services to industry-giant multi-national cloud-based providers. But we had questions and concerns about the implications for the privacy of our data when stored extra-nationally. Was our privacy really better protected when our eCommunications archives were stored extra- nationally with either Microsoft or Google than with an in-house solution? Was the risk of state surveillance effectively the same when data was stored in or transiting, in the US, rather than in Canada? Was the USA PATRIOT Act a red herring?
In response, Andrew Clement organized a “teach-in” on the issue in November of 2013; invited speakers included the University of Toronto’s CIO, the president of the Canadian Association of University Teachers, and the late Caspar Bowden, Microsoft’s former Chief Privacy Strategist for Europe, among others. The day-long forum and presentations (now available as archived webcasts on our project website) all underscored the urgent need for more research. These questions led to this research project, funded by a 2014-2015 Contributions Program grant from the Office of the Privacy Commissioner of Canada, which has resulted in this report.
Our original application to 2014-2015 Office of the Privacy Commissioner of Canada (OPC) Contribution Program:
- “Assessing Privacy Risks When Considering Extra-National Outsourcing of eCommunications” application
More information about the project can be found below: