Who Owns Your Big Data?

Prosecutors have insisted on handling Megaupload as an illegal service that has been shut down rather than an agent appointed to hold property for its customers. Police are not required to return property to customers or victims of illegal services such as the sale of crack or pirated content. They are required to return property impounded as part of the shutdown of other types of businesses, however.

The FBI has gone so far as to refuse to provide Megaupload founder Kim Dotcom and his lawyers copies of 22 million emails it captured along with the other Megaupload data; the bureau told a U.S. judge earlier this month it should be required to return copies of only a single 40-page document.

"We have a tradition since the '70s of data being a resource, a thing of value to organizations, and a whole series of procedures involving outsourcers or other third parties who have to back it up, secure it, and establish a risk-assessment framework companies can use to decide whether or not to purchase," according to Daniel Castro, cybersecurity and privacy expert at The Information Technology and Innovation Foundation (ITIF), a Washington, D.C. think tank.

While standards of ownership, behavior, responsiveness, and quality control are well established in traditional outsourcing and IT service contracts, public cloud storage is one of a host of new services to which law-enforcement agencies and data owners have not yet adapted. "Megaupload is a perfect example of where we are in the evolution of these new services; a lot about ownership and the ability to retrieve data when we want is up in the air," Castro said.

It is easy for companies to sign contracts with cloud storage companies like Megaupload without realizing how high a percentage of their content has been alleged to be illegal. Legitimate customers risk losing both service and data if they sign up without realizing their data is at risk, even if they are not involved with illegal content or file trading in any way.

"Really, it's about the due diligence right now," Castro said, "[and] making sure you're not using a Megaupload rather than a name service like Rackspace or Amazon."

There is a big difference between the risk of storing legitimate corporate data at Rackspace or another cloud-services company and using a file locker with a reputation as a content pirate as your public data-storage site, according to Frank Gillett, vice president and principal analyst at Forrester.

Commercial data-- especially digital movies, software, music, and other bits that can be easily stolen or copied--is much riskier both to the storage service and the end user than corporate data, which comes in different formats, smaller volumes, and is in much lower demand (despite its higher value) than pirated commercial content, Gillett said. "Corporate data might be the crown jewel of the company that owns it, but it's not for sale in the same way a movie or music file is, so that particular risk, at least, is much lower," Gillett said.

The risk may be lower, but the mechanisms CIOs and other corporate data masters use to determine that risk are undefined. "In a few years, after rigorous enforcement of the law by the DOJ, the situation will improve a lot because we won't have bad actors around that are large companies like Megaupload," Castro said. "By then the risk of hiring one will be much lower."

It's not clear how long it will take the FBI, New Zealand authorities, and Megaupload to thrash out all the issues surrounding the takedown of one high-profile data storage service and alleged content pirate. What is clear is that large companies are becoming more dependent on data--big data that provides unique insights on a business, and more traditional data that is broken up into smaller sets and distributed among various pools of cloud storage--in mobile devices as well as in traditional data center database servers.

The relatively unexplored legalities surrounding cloud, big data, and content piracy may not be holding most corporations back from using the new technologies, but they are certainly prompting decision makers to ask some pointed questions.

"It's a big change in risk assessment," Castro said. "These are very complex systems; there have to be equally complex ways to manage it all."

IT can't maintain absolute control over highly virtualized infrastructures. Instituting a smart role-based control strategy to decentralize management can empower business units to prioritize their own data assets while freeing IT to focus on the next big project. Download our Delegation Delivers Virtualization Savings report. (Free registration required.)