Alan Harnum

Thinking About the Cloud for Canadian Libraries

05 Jun 2015

I'm a pretty big advocate of libraries using the public cloud, by which I broadly mean running some or all of your applications and/or infrastructure outside your own data centre via AWS, DigitalOcean, Heroku, whatever. In short form:

In Canada (where I work and live) in particular, a lot of library people I talk to have concerns about the cloud. I don't think these concerns are illegitimate, but I think if we want to have a coherent conversation about Canadian libraries making use of the cloud, we have to have a clearer articulation of what the concerns actually are.

I won't promise to go back at some point and fill the below in with links to more information, but I'd like to (especially for point #1).

1. It's Illegal to Store Identifiable Patron Data Outside Canada

Microsoft Azure coming to Canadian-located data centres may help to make this conversation more coherent and less FUD-filled, but my understanding is that outside of possibly BC (which has somewhat stricter data harbor laws than other provinces), there's nothing actually illegal about having confidential, identifiable data held in servers outside of Canada.

This is in contrast to the EU. If you've ever wondered why Amazon etc have EU-specific data centres but not Canadian ones, this is a factor in why.

2. It's Unethical to Store Identifiable Patron Data Outside Canada

This is a separate argument from #1 above, and I think addressing it requires a more rigourous understanding of what protecting patron privacy would really mean in the post-Snowden era. Specifically, I mean whether or not we are using things like:

The professional ethics of patron data security for libraries is a huge topic, but I have sometimes seen it in the discussion in Canada reduced to a simplistic binary about "where" the data is located. This is not a reflection of the post-Snowden reality, and I think libraries would best serve their patrons by focusing on getting strong encryption on everything than on anything else.

Anecdotally, I have also heard from lawyers specializing in the area that the 5 Eyes information-sharing agreements actually makes it easier for US intelligence agencies to access data on Canadian servers than on US servers, due to Canada's weaker legislation around law enforcement and intelligence agency access to data on Canadian servers.

3. The Public Cloud Encourages Vendor Lock-In

How locked in to a particular public cloud implementation you are varies depending on the choices you make in what you use the cloud for. There's also huge strides being made in the last several years (Docker and otherwise) in making applications portable in the cloud.

Also, I think if we're going to be really concerned about lock-in, it should be in the much longer-standing areas of vendor lock-in like the ILS and third-party services. :P

"Further Study Is Needed"

The above is just a quick stab at pulling out some of the main threads of concern I hear, not a comprehensive attempt to address them. Maybe later...