The National Security Agency and its PRISM initiative have prompted many Internet users to question when the government can see their data, and under what circumstances. We think this is a good time to reiterate how Rackspace handles customer data.
Our policy is simple: your data is your data. Period. We will not access, transfer or deliver data stored on servers by our customers except in response to a properly issued, lawful order (for example, search warrants, court orders, Foreign Intelligence Surveillance Orders) from a court with appropriate jurisdiction over Rackspace and the data sought.
That means that U.S. authorities can’t issue a warrant to obtain data stored by our customers on servers located in the U.K. British officials can’t obtain data stored by our customers in the U.S. without the involvement of a U.S. court. By contract and in practice, Rackspace’s customers have full control over their servers and any data that may be stored on those servers. Rackspace does not have that control.
There are times when we receive a proper, lawful order from authorities for the data of a specific customer. When that happens, you have every assurance that we will fight for our customers and take every possible legal route available to challenge it. Sometimes, however, the courts don’t side in our favor and we must comply.
Our policy and practice stems, in part, from a major misstep we made eight years ago. At the time, we were a small, young company and were asked by the FBI to turn over log files for a customer called Indymedia. We handed over that customer’s servers, even though those servers were located in the U.K. At the time, we thought we were doing the right thing. We quickly learned that we made a big mistake. We make no excuses –we were wrong. But the incident served as a critical inflection point for Rackspace.
Since then, we’ve grown a great deal, and we’ve learned a lot. We’ve hired key legal personnel, including specialists in digital property rights, and have the legal guidance necessary to ensure that we never repeat the mistake we made with Indymedia.
Transparency is one of our core values at Rackspace, which is why we’re sharing with you this experience, and what we learned from it. In the spirit of transparency, I can tell you that we at Rackspace have never been served with a blanket warrant that requires us to give data owned by more than a few specific customers. If we were served with such a warrant, we would fight it because it would be, by its very nature, overreaching.
We want to be as transparent with our customers as possible. That’s one reason we support the Surveillance Transparency Act of 2013 recently introduced by Sen. Al Franken. The bill urges transparency of government surveillance programs and helps Americans hold the government more accountable. The bill seeks to expand and improve ongoing government reporting about programs under the PATRIOT Act and Foreign intelligence Surveillance Act that have been the subject of controversy recently. The bill would also protect the ability of companies like Rackspace to voluntarily disclose information about the data the government requires them to turn over.
Through the Surveillance Transparency Act of 2013, or similar legislation, we can make clear what the NSA and other government agencies are and are not allowed to do with the digital data of law-abiding Americans.
In the meantime, at Rackspace our primary guiding principle for responding to requests from U.S. law enforcement agencies is the Fourth Amendment to the U.S. Constitution which states that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
You can read Rackspace’s full position on cloud privacy and government surveillance in the Rackspace Open Cloud Community.