Who Owns Your Big Data?

What should have been a triumph for international anti-piracy efforts by national security agencies has turned into a series of embarrassing contretemps that prompted New Zealand judges hearing the case to criticize the behavior of nearly everyone involved.

Even the judges are being hoist by their own petard. Last week the chief judge hearing the case recused himself after a New Zealand newspaper printed evidence he called the U.S. government "the enemy" during a presentation on international copyright law at the NetHui Internet conference earlier this month. "We have met the enemy," Judge David Harvey said at the conference, paraphrasing the cartoonist Walt Kelly, "and he is [the] U.S."

U.S. prosecutors may not be the enemy, but they are the source of a lot of uncertainty about who owns data stored in third-party cloud services, big data gathered from a company's own customers, and rented from outside service providers--not to mention the question of how to even assess the risk to data whose physical location a company may not be able to pinpoint.

[ For more on big data and its future implications on the enterprise, government, healthcare, and more, see 10 Big Predictions About Big Data. ]

During the course of the high-profile prosecution of file locker and alleged copyright-piracy site Megaupload, N.Z. judges have slammed the FBI for sneaking copies of Megaupload's content out of the country after it had been classified as evidence. New Zealand authorities took their share of criticism for cooperating too closely with the U.S.-based bureau, especially after the New Zealand High Court ruled that raids on Megaupload's offices were conducted illegally, without sufficient evidence of wrongdoing or even a sufficiently detailed description of the alleged offense.

Meanwhile, legitimate customers of Megaupload's storage services have been in limbo: They hired either Megaupload or storage-service vendor Carpathia Hosting, Inc. to keep copies of their data safe in the cloud, but they haven't been able to touch it since the January indictment and raid that converted thousands of gigabytes of data into evidence.

Prosecutors told a U.S. judge content owners should have to file suit against Megaupload as unsecured creditors to demand the return of their data, even though legal data plays no part in the copyright infringement case the U.S. and New Zealand are trying to build against what had been the world's largest file locker. The judge, who has yet to rule on a June motion from Megaupload user Kyle Goodwin that his data be returned, made a point in court of differentiating between requests for the return of legitimate property (data) and demands that Megaupload's allegedly illegal file-copying service be restored.Prosecutors have insisted on handling Megaupload as an illegal service that has been shut down rather than an agent appointed to hold property for its customers. Police are not required to return property to customers or victims of illegal services such as the sale of crack or pirated content. They are required to return property impounded as part of the shutdown of other types of businesses, however.

The FBI has gone so far as to refuse to provide Megaupload founder Kim Dotcom and his lawyers copies of 22 million emails it captured along with the other Megaupload data; the bureau told a U.S. judge earlier this month it should be required to return copies of only a single 40-page document.

"We have a tradition since the '70s of data being a resource, a thing of value to organizations, and a whole series of procedures involving outsourcers or other third parties who have to back it up, secure it, and establish a risk-assessment framework companies can use to decide whether or not to purchase," according to Daniel Castro, cybersecurity and privacy expert at The Information Technology and Innovation Foundation (ITIF), a Washington, D.C. think tank.

While standards of ownership, behavior, responsiveness, and quality control are well established in traditional outsourcing and IT service contracts, public cloud storage is one of a host of new services to which law-enforcement agencies and data owners have not yet adapted. "Megaupload is a perfect example of where we are in the evolution of these new services; a lot about ownership and the ability to retrieve data when we want is up in the air," Castro said.

It is easy for companies to sign contracts with cloud storage companies like Megaupload without realizing how high a percentage of their content has been alleged to be illegal. Legitimate customers risk losing both service and data if they sign up without realizing their data is at risk, even if they are not involved with illegal content or file trading in any way.

"Really, it's about the due diligence right now," Castro said, "[and] making sure you're not using a Megaupload rather than a name service like Rackspace or Amazon."

There is a big difference between the risk of storing legitimate corporate data at Rackspace or another cloud-services company and using a file locker with a reputation as a content pirate as your public data-storage site, according to Frank Gillett, vice president and principal analyst at Forrester.

Commercial data-- especially digital movies, software, music, and other bits that can be easily stolen or copied--is much riskier both to the storage service and the end user than corporate data, which comes in different formats, smaller volumes, and is in much lower demand (despite its higher value) than pirated commercial content, Gillett said. "Corporate data might be the crown jewel of the company that owns it, but it's not for sale in the same way a movie or music file is, so that particular risk, at least, is much lower," Gillett said.

The risk may be lower, but the mechanisms CIOs and other corporate data masters use to determine that risk are undefined. "In a few years, after rigorous enforcement of the law by the DOJ, the situation will improve a lot because we won't have bad actors around that are large companies like Megaupload," Castro said. "By then the risk of hiring one will be much lower."

It's not clear how long it will take the FBI, New Zealand authorities, and Megaupload to thrash out all the issues surrounding the takedown of one high-profile data storage service and alleged content pirate. What is clear is that large companies are becoming more dependent on data--big data that provides unique insights on a business, and more traditional data that is broken up into smaller sets and distributed among various pools of cloud storage--in mobile devices as well as in traditional data center database servers.

The relatively unexplored legalities surrounding cloud, big data, and content piracy may not be holding most corporations back from using the new technologies, but they are certainly prompting decision makers to ask some pointed questions.

"It's a big change in risk assessment," Castro said. "These are very complex systems; there have to be equally complex ways to manage it all."

IT can't maintain absolute control over highly virtualized infrastructures. Instituting a smart role-based control strategy to decentralize management can empower business units to prioritize their own data assets while freeing IT to focus on the next big project. Download our Delegation Delivers Virtualization Savings report. (Free registration required.)