Amazon and Google Barred From UK Government Cloud

judgecorp writes "Amazon and Google both applied for a role in the U.K. government's 'G-Cloud' for public services, but were rejected, a FOI request has revealed. It is most likely this was because of concerns about where data was hosted and backed up. Amazon Web Services has a dedicated cloud service for the government in the U.S., but has not been able to duplicate that in Britain."

Gee...

[Black Parrot]

How could a government possibly turn down a chance to offshore a major chunk of its IT operations?

Apparently some governments have better sense than some businesses.

Re:

[zevans]

Apparently some governments have better sense than some businesses.

Indeed. I know it doesn't look like it sometimes, but the purpose of Government is to prevent Tragedy of the Commons, and to my mind "buy the lowest cost irrespective of value delivered" is very much Tragedy of the Commons when discussing tax dollars.

In a similar way, current stock market behaviour actively encourages "reduce cost at all cost" and there's yer problem. Many companies in the UK have begun moving services back onshore once the revenue impact of the customer backlash started to bite. It's a pit

Re:

[aug24]

Don't count your chickens... they've still got the option of MS Azure =:-/

Why cloud?

[fufufang]

Why don't they run their own datacenter and have centralised IT services, rather than relying on some third party private company? Is it because they want to have someone to blame if things do go wrong?

Re:

[Anonymous Coward]

Why don't they run their own datacenter and have centralised IT services, rather than relying on some third party private company? Is it because they want to have someone to blame if things do go wrong?

You'd be amazed at how often companies need someone to blame if something goes wrong.
I work for a datacenter which offers IT services solely to the government in the country I'm in (in Europe) and no, I'm not gonna mention the country because it'd be pretty obvious for whom I work*.

In any case, I often wonder why some decisions are made in terms of hiring external companies or consultants (we have plenty of in-house project managers, programmers, etc.) and sometimes I get the feeling that we need external g

Re:

[NoSleepDemon]

Is it Albania?

Re:

[Kugrian]

Hiring a company that already knows how to do this stuff is probably a hell of a lot cheaper in the short run than funding a new one.

Re:

[Aighearach]

You're an ignoramus, both companies already have Government-oriented versions of their services that use different servers and different data sharing requirements. And they can put those walls up wherever the regulations and contracts say they go. And so far without major blunder or scandal.

Re:

[Chatterton]

Why? It is something i see regularly in public services: When you get budgets cuts (generally on the workforce budget line), you spend more on external services/companies to do the same work with worst SLAs. As it is not the same budget line all is ok :(

Re:

[1s44c]

Why don't they run their own datacenter and have centralised IT services, rather than relying on some third party private company? Is it because they want to have someone to blame if things do go wrong?

That sounds perfectly sensible and it's exactly what most companies would do, however it doesn't work in practice for government organizations. Governments have a kind of corrosive ineptitude that creeps into everything they do. I think it's something to do with the fact that no matter how bad they screw up they can't go bust and they can't fire permanent staff.

In some cases it's better to let people who know what they are doing do the work. Even if they are making a fat profit they may still charge less th

Re:

[dontbgay]

I'm calling shenanigans on this one. Here in the US, KBR and Halliburton along with other defense contractors put out the lowest budget product with the largest profit margin possible... that does not make for responsible uses of our tax dollars. Hold your government accountable for its ineptitude and change the culture sounds like a pipe dream, but why go for the easy targets that give us short term roi and long term continued failings? I don't want my government perverted by a profit motive. Its been hap

Re:

[1s44c]

What do you suggest? Somehow changing governments who have historically been low performing sink-employers and by design can't go bust and by design are not really accountable to their customers?

What way can that be fixed except by taking as much as possible away from them and giving it to companies which can either perform or be replaced?

Re:

[Gordonjcp]

Governments have a kind of corrosive ineptitude that creeps into everything they do. I think it's something to do with the fact that no matter how bad they screw up they can't go bust and they can't fire permanent staff.

It's a problem with right-wing government, where the idea is to get everything making a profit, keep as many of your friends in highly-paid government jobs as much as possible, and keep making government bigger and bigger and keep makings taxes higher and higher.

Re:

[Custard Horse]

The UK Gov actually has the Government Gateway which is a secure system that was meant to be all encompassing.

Originally there was a large budget approved to set up a skeleton network which would eventually be extended to replace the many legacy systems in the NHS and all government departments. I seem to recall that there was a mirrored multi-petabyte storage array for records to begin with.

However, part way through the implementation someone pulled the plug and left a partly implemented system which

US Law Everywhere

[ebonum]

If a company has any operations in the US, they are expected to follow US law worldwide. Even if the parent is in Germany and the offense occurred by a subsidiary in the Philippines, the US government has no qualms about going after their US arm. If this wasn't bad enough, it isn't always the Federal government. If the NY State attorney general thinks a foreign company has some dealings with Iran, he will not hesitate to pursue legal action.

If I was the UK government, how would I feel about the possibility of some low level government guy in Seattle saying, I can get to everything in the UK cloud without a warrant?

Obama administration is "arguing that you lose your property rights by storing something on a cloud computing service"
Source: https://www.eff.org/deeplinks/2012/10/governments-attack-cloud-computing [eff.org]

If you use the cloud, only do it for data you are willing to openly publish.

Re:US Law Everywhere

[matunos]

Or, you know, encrypt it.

Re:

[ebonum]

Google can read your gmail. A lot of cloud services involve using someone's application.

Yes, if you view he cloud as nothing more than a remote hard drive you can TrueCrypt it. Make sure TrueCrypt is running locally. If it is running on the cloud machine, the machine's admin can log your keystrokes.

Anyone who has physical access to the machine can get root.

Google jizz data everywhere

[Anonymous Coward]

I stopped using Google search (switch to Duck Duck Go), because I'd search for one thing (Divorce lawyer) and they'd start showing adverts for divorce lawyers to me soon to be ex wife and every other computer on my NAT. At some point, you'll draw the line and say enough, and you'll divorce them too.

I know its not the same thing with their online office apps, but once they started down the Facebook route, you only need to look at FB and see where Google will end up.

If UK.gov has data on UK citizens, then it

Re:

[somersault]

I'd search for one thing (Divorce lawyer) and they'd start showing adverts for divorce lawyers to me soon to be ex wife and every other computer on my NAT

So use an actual Google account, and separate logins on your PC. I thought even fairly computer illiterate families preferred having separate logon accounts, so why don't you guys? You should also be using adblock everywhere you can too. And I'd think that if you're thinking of divorce, your wife would already have a pretty good idea anyway, unless it's because you're cheating..

Re:

[Hunter Shoptaw]

+1 I've never had a problem with Google, especially the one mentioned. I think to many see danger in shadows that aren't there to distract them from the real issues at hand.

Re:

[johanw]

and they'd start showing adverts for divorce lawyers to me soon to be ex wife

Use decent adblock software.

Re:

[Sabriel]

You know, "encrypt it" might work for an individual, but no amount of encryption can make storing your entire nation's digital infrastructure in a foreign country's server farms a reasonable idea.

Hey China, keep your mil stuff in the USA!

[fantomas]

I am sure national governments will be really happy about storing their private/ secret data in another country's territory "because it's encrypted so it will be safe".

Would the US government network be happy about a Chinese commercial provider supplying their network provision on Chinese territory? without auditing the network? From the article: "Amazon had concerns over the stipulation that the UK government could audit US data centres" - Amazon were asking the UK government to store their data on another country's territory, and not even be given permission to check how the centres were secured? Not surprised the UK government weren't too keen on this deal.

Re:

[Coisiche]

Would that mean if Liz (you know, the queen) ever visited the US, the border people would say "Right, hand over the encryption keys"?

Re:

[Anonymous Coward]

By US law, you have to hand over encryption keys on demand. US judges already show they have no respect for borders. No government should trust another country for anything more than simple trade.

Re:

[Anonymous Coward]

And the UK doesn't? RIPA gives people life sentences for not handing over encryption keys on request.

Just look at cases where an English judge asks a defendant 20-30 times for a key, and each refusal is three more years in the slammer.

At least in the US, there are court cases that consider that it is part of the Fifth Amendment about not divulging passwords.

Re:

[PeterBrett]

Last time I checked, a maximum of a two-year custodial sentence is not a life sentence.

Just look at cases where an English judge asks a defendant 20-30 times for a key, and each refusal is three more years in the slammer.

Yeah, that didn't happen.

But your unnecessary hyperbole aside, I entirely agree that RIPA is utter rubbish, and I wish it would go die in a fire.

Re:

[deniable]

US hosted or owned become subject to the Patriot act and friends as well. We're not allowed to use offshore hosting and we also exclude anything owned or run by US companies even if it's a local datacentre.

Re:

[Anonymous Coward]

And let's face it - why should British taxpayers money go to Google or Amazon when they do all they can not to pay tax in the UK...

Privacy/security/responsibility

[justsomecomputerguy]

I'll bet is was because both of them had unacceptable policies regarding privacy, security/integrity and/or what they are responsible to do if a breach does occur. I'll also bet that those same policies were/are acceptable to various branches of American government, because our standards for those issues here in The United States lag waaaaay behind European standards.

Re:

[matunos]

Yeah because I'm sure the companies would never negotiate separate data confidentiality policies when setting up services segmented specifically for a government.

Re:

[jonbryce]

Companies can't agree to ignore court judgements in their country.

The Patriot Act is the problem

[Dr La]

The problem is simply that Amazon and Google servers in the US fall under the US Patriot Act. This means that the US Government ALWAYS has access to the hosted files, if it wants. It is not possible for a company and foreign government to negotiate on this: Amazon and Google are bound by US law.

Of course, as a government you don't want another other government to have complete access to anything you put in the cloud. And in some countries (e.g. the Netherlands where I live) it is explicitly forbidden to

Re:

[deniable]

The US government DCs are hosted in the US and subject only to US law. See how far they'd get running a US government DC in Europe or Singapore.

Hey, U-K, get off of my cloud!

[theodp]

THE ROLLING STONES GET OFF MY CLOUD [youtube.com]
Hey, you, get off of my cloud
Hey, you, get off of my cloud
Hey, you, get off of my cloud
Don't hang around, baby two's a crowd
On my cloud

Imagine that...

[matunos]

Amazon doesn't have a dedicated cloud service for the government in the UK which has rejected Amazon's application to provide cloud services for the government.

Will wonders never cease?!

And um, regarding comments on off-shoring data/services, Amazon certainly does have cloud services that run on hosts in the UK... Dublin mostly. (There may be open questions about the parent company being US-based, but those wouldn't have to do with the geographic location of the services and data, which surely would be host

Re:Imagine that...

[isaac]

And um, regarding comments on off-shoring data/services, Amazon certainly does have cloud services that run on hosts in the UK... Dublin mostly. (There may be open questions about the parent company being US-based, but those wouldn't have to do with the geographic location of the services and data, which surely would be hosted from the Dublin data centers.)

I feel compelled to point out that Dublin, Republic of Ireland (where Amazon does indeed have datacenters) is most definitely not in the UK.

Re:

[matunos]

Oops, typing got ahead of brain. Right you are on that point.

Re:

[Zedrick]

At least you didn't say it in a pub in Dublin... that wouldn't have ended well :-)

Re:

[zevans]

A pub in Dublin does not strike me as a good way to SAVE money...

Re:

[martin]

Since when was Dublin in the UK??? Not since Irish independance in the early 1920s.

Eire is a soverign state and given rhe history I can see why CESG wont entertain this level of offshoring

Re:

[bloodhawk]

So when did the UK invade and seize Ireland?

Re:Imagine that...

[deniable]

16th century give or take.

Re:

[dkf]

Amazon certainly does have cloud services that run on hosts in the UK...

That's almost as misleading as saying that Havana is in the USA.

Re:

[jonbryce]

Dublin hasn't been part of the UK since 1922.

Current rules in data sovereignty

[martin]

All down to current CESG guidance on data soveriegnty. Until the new data classifications are fully launched (replacing the IL based system) this wont change, and event then its down to the accreditor to assess the risk so still doubtfull we'll be seeing any major offshoring

Re:

[zevans]

Unless the UK government say "yeah but money," as has already happened with DVLA.

Re:

[bloodhawk]

It is a serious problem all around the world, I don't blame the likes of Google, Amazon, Apple, Microsoft etc taking advantage of it as after all it is legal, but damn the countries affected need to wake up and change their tax laws to stop this crap happening. They don't even have to give them harsh treatment, just bring them into line with what the respective company tax rates are for each company, the best start is to block local government contracts if they are funnelling the proceeds through internatio

Re:

[xelah]

Suppose you have a substantially fixed cost factory in country A, a bunch of managers being paid in country B, salesmen in countries A, B and C, a call centre helpline in country D and customers in all of those and many more. How much profit are you making in each? Oh, and all of those countries have different rules on what's tax deductible and over what period, too. You can set up a different subsidiary in each country and have them charge each other, but even if you're trying to get the 'right' answer the

Re:

[bloodhawk]

Stop making excuses for them. No it isn't easy to get right, but when google can pay less than 100k tax on in excess of a billion dollars of profit their is something critically wrong. You can demand that they show fair costs of production and tax on the goods being sold in the country, rather than the current bullshit where they will charge a subsiderary $1000 on a $10 item to avoid tax in that country, There are a many many simple changes to tax systems that can be made that would go a long way to rectify

Re:

[91degrees]

Yes, and something that has been very much in the news in Britain as well - both those companies have come under substantial scrutiny.

With an internet company, it's even harder to establish where they're incorporated.

Patriot act?

[plankrwf]

Actually read the article (I know, against /. policy ;-0), read most of the comments, and nowhere read anything about it possible being related to the patriot act. I happen to know that the patriot act is (one of) the reason(s) the Dutch government will not enter into an agreement with American hosting providers, surely the British have similar reservations?
(And yes, the article is scarce on facts, so cannot check whether all American companies are excluded, but heck: so could none of the other people posting a reply).

So:
MY guess is that the patriot act played a mayor role in letting this business opportunity slip trough the fingers of american companies...

Re:

[Alain Williams]

Quite. I raised exactly that point in February [cabinetoffice.gov.uk]. I hope that my government does not give my data to the US government.

Re:

[1s44c]

Quite. I raised exactly that point in February [cabinetoffice.gov.uk]. I hope that my government does not give my data to the US government.

If you live in Europe and have a bank account they already have.

Re:

[rvw]

problem is that patriot act actually covers eg an ibm dataserver in brussels, no need fir the data to be on American soil...

If hosted by IBM, not made by IBM.

US companies can't be trusted

[thetoadwarrior]

I'm sure these companies would love to give them what they want but thanks to US laws they can't be trusted. Europeans should give preference to hosts with no ties to the US if they have sensitive information.

The Governments in particular should avoid big large corporations because of that and because they're avoiding tax.

I know how this works..

[1s44c]

It's a totally fair and free process, however all companies except for three will be eliminated from the process due to various concerns, sadly this will include all major industry players. Two the the last three will be clearly unable to provide this service and will be eliminated in the last round.

They already know who they are giving this deal too and the decision has nothing to do with common sense or sound financial management. They will award this contract to a low quality provider with a history of d

Important UK perspective...

[zevans]

Seeing several comments here that seem to be treating this as an either/or discussion. Thought I'd post for the benefit of US & global readers: the UK already outsources plenty to service providers, and many of those service providers either run their own data centres or in turn consume managed capacity in one form or another from their own suppliers in turn.

For instance:
DVLA (vehicle / driver licensing) - Capita
Many civil service departments, including Highways Agency and significant chunks of what is

Sounds about right

[dave562]

The organization that I work for is building up our data center presence in the UK specifically to target that market, and to some extend, the whole of the EU. They do not want their data kept in the States. I do not blame them. With a global network like the Internet, it still strikes me as odd that it matters where the servers are physically located and why that matters for law. I mean, I get it... physical presence, search and seizure and all of that. But when you are dealing with encrypted SAN arra