In March the CLOUD Act came into force in the United States, a law that lets American law-enforcement authorities compel American companies to hand over data they hold, even when those data are stored outside the United States. Had TU/e switched its employees to Office 365 in July as planned, in theory the American authorities could have gained access to our employees' email, personal data and research data.
One of the problems with the Cloud Act is that it clashes with the GDPR, the new European privacy law, explains Henny van Alphen, project leader at the CIO Office. “Under the latter law everyone is entitled to know what happens to their digital data. But the Cloud Act states explicitly that the user will not be informed if a party sees their data. We have engaged a legal firm to determine exactly what the consequences are of these conflicting European and American laws.”
In the meantime, TU/e has set up a Cloud Security Strategy task force. It is looking at security measures relating to all services using the cloud, says Chief Information Security Officer Martin Romijn. “That involves more than just Office 365. For example, we are already installing BitLocker on the computers and laptops of employees whose work often involves privacy-sensitive information. BitLocker automatically encrypts all the data on the hard drive, and thus all the data held in the cloud that is synchronized with the local drive. In addition, we are looking at internal security measures and we are examining the settings of the Microsoft software.”
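The BitLocker roll-out Romijn describes is the kind of measure an administrator wants to be able to enable and, above all, verify on every laptop. The script below is an added illustration, not TU/e's own tooling: it turns BitLocker on for the operating-system drive with a TPM-sealed key, escrows the recovery password in Azure AD, and then reports any fixed drive that is not fully protected. It assumes Windows 10/11 Pro or Enterprise with a TPM, an elevated session and the built-in BitLocker module; the function names are made up for this example. BitLocker protects the data at rest on the device's own disks; the copies OneDrive uploads to Microsoft's servers are protected by Microsoft's server-side encryption, which is one of the "settings of the Microsoft software" a review should cover separately.

```powershell
# Added example, not TU/e's own script. Enable BitLocker on the OS drive with a
# TPM protector, escrow the recovery key in Azure AD, then audit all fixed drives.
# Assumes Windows 10/11 Pro/Enterprise, a TPM, and an elevated PowerShell session.
#Requires -RunAsAdministrator

function Enable-OsDriveBitLocker {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "$MountPoint is already protected"
        return $vol
    }

    # Add the recovery password first, so a TPM change can never lock the user out.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # XTS-AES-256 full-volume encryption, key sealed to the TPM so the disk is
    # unreadable when moved to another machine. -SkipHardwareTest avoids the
    # extra reboot cycle; drop it if you want the TPM check before encrypting.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest | Out-Null

    # Escrow the recovery password centrally instead of leaving it on the laptop.
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

    return Get-BitLockerVolume -MountPoint $MountPoint
}

function Get-UnprotectedFixedDrives {
    # Every OS or fixed data volume whose protection is off or whose encryption
    # has not finished. An empty result means the machine is compliant.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        Where-Object { $_.ProtectionStatus -ne 'On' -or $_.EncryptionPercentage -lt 100 } |
        Select-Object MountPoint, VolumeType, ProtectionStatus, VolumeStatus, EncryptionPercentage
}

Enable-OsDriveBitLocker | Out-Null
$gaps = Get-UnprotectedFixedDrives
if ($gaps) {
    $gaps | Format-Table -AutoSize
} else {
    Write-Host 'All fixed drives are BitLocker-protected'
}
```

Run the audit function on its own from a management tool to get a per-laptop compliance report; the enable step is only needed once per device. Encryption continues in the background, so a freshly enabled drive will show up in the report until `EncryptionPercentage` reaches 100.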
Students at TU/e switched to Office 365 earlier this year. It has been decided not to rescind this decision, says Van Alphen. “In principle students have less sensitive data and that means the risk to them is also less great. An unavoidable question, of course, is why the American government should be interested in the data held by our employees. However, because we would rather play it safe, we have decided to postpone the introduction until we have identified all the risks.”
Not that the project has been halted – preparatory work is still going on. In addition, changes are already being made to bring us in line with the GDPR, explains Van Alphen. “Many secretariats, for example, work with a shared account. In this arrangement, the sender of an email isn't known. That's not actually allowed under the GDPR. In future, a secretary may only send mails on behalf of a professor, no longer as the professor. We will also ensure that access to OneDrive (the Microsoft cloud service) is restricted.”
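The shared-account change Van Alphen describes corresponds to two different Exchange permissions. With "Send As", the message leaves the tenant carrying only the professor's address, so the person who actually wrote it is not recorded; with "Send on Behalf", the message keeps the secretary's address in the Sender header and Outlook displays "secretary on behalf of professor", which is the accountability the GDPR point turns on. The script below is an added example, not TU/e's own configuration: it shows the weak setting beside the corrected one and an audit query for mailboxes where someone other than the owner still holds Send As. It assumes the ExchangeOnlineManagement module (and, for the OneDrive line, the SharePoint Online Management Shell) and an account with recipient-management rights; the addresses and tenant name are placeholders, and which OneDrive restriction TU/e chose is not stated on the page, so the last lines show one common option, disabling external sharing.

```powershell
# Added example, not TU/e's own script. Replace "Send As" with "Send on Behalf"
# for a secretary on a professor's mailbox, then audit remaining Send As grants.
# Assumes the ExchangeOnlineManagement module and recipient-management rights.
Connect-ExchangeOnline

# Placeholder addresses for this example, not real accounts.
$Professor = 'prof@example.tue.nl'
$Secretary = 'secretary@example.tue.nl'

# Weak setting: Send As lets the secretary impersonate the professor. The
# outgoing mail shows only the professor's address and the true sender is lost.
# Inspect the current grant before changing it.
Get-RecipientPermission -Identity $Professor -Trustee $Secretary -AccessRights SendAs

# Corrected setting: remove Send As and grant Send on Behalf instead. The
# message now identifies the secretary as the actual sender.
Remove-RecipientPermission -Identity $Professor -Trustee $Secretary `
    -AccessRights SendAs -Confirm:$false
Set-Mailbox -Identity $Professor -GrantSendOnBehalfTo @{Add = $Secretary}

# Verify: the professor's mailbox should list the secretary under GrantSendOnBehalfTo
# and no longer return a Send As entry for the secretary.
Get-Mailbox -Identity $Professor | Select-Object DisplayName, GrantSendOnBehalfTo
Get-RecipientPermission -Identity $Professor -AccessRights SendAs |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' }

# Tenant-wide audit: every mailbox where someone other than the owner holds Send As.
# Each row is a case where the sender of a message cannot be established.
Get-RecipientPermission -ResultSize Unlimited |
    Where-Object { $_.AccessRights -contains 'SendAs' -and $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Select-Object Identity, Trustee, AccessControlType |
    Sort-Object Identity

# OneDrive: one way to "restrict access" is to stop files being shared outside
# the tenant. The exact restriction TU/e chose is not stated in the article;
# this is an assumption for the example. Needs the SharePoint Online shell.
# Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'
# Set-SPOTenant -SharingCapability Disabled
```

Send on Behalf can also be granted by the mailbox owner in Outlook (delegate access), so the audit query matters more than the single change: a secretariat that was migrated with Send As will keep that permission until it is explicitly removed.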
Romijn and Van Alphen stress that the plan is still that employees will switch to Office 365 when the time is right. Van Alphen: “There isn't actually a user-friendly and affordable alternative. We currently have a very cheap license for the Microsoft software via SURF, which has concluded an agreement for all the universities and universities of applied sciences.”
In fact, some arrangement should be made at that level regarding the wording of the new contract with Microsoft, she believes. “The current contract states explicitly that American regulations apply. Perhaps that can be amended.” Romijn adds: “As far as we know, we are the first university due to switch its employees to Office 365. It seems that other universities are now waiting to see how we deal with this situation.”