7 Comments
Salvador Lucar

I believe a similar risk is associated with foreign satellite networks such as Starlink and OneWeb.

Starlink, which is U.S.-owned, may be compelled to provide Canadian user data to U.S. authorities under FISA Section 702 and Section 2713 of the U.S. CLOUD Act — even if the data is transmitted or stored in Canada.

OneWeb is subject to UK laws that could impact Government of Canada data sovereignty, particularly the Investigatory Powers Act 2016 (IPA) and the UK-U.S. Data Access Agreement under the U.S. CLOUD Act.

Telesat Lightspeed, on the contrary, is Canadian-owned and operated, and supports Government of Canada data security, residency and sovereignty. Telesat is a Canadian company, ensuring that the satellite network is governed by Canadian laws, policies, and oversight.

Alexander Rudolph

Great points! There are many dimensions to this that extend beyond cloud providers. Telesat is already competing, but there are other Canadian companies trying to greatly expand their satellite networking as well, particularly in LEO, so I foresee Canadian firms being major players in the next 5-10 years if played right. Where Canada struggles is with cloud hosting and infrastructure, which the big players have dominated, and I am unaware of any firms at the national level with the ability to compete as a Canadian brand.

Halim Yanikomeroglu

Satellite communications and networking, in particular when integrated with the existing 4G/5G terrestrial networks and the upcoming 6G in the 2030s, is one of the most important technology paradigms of the current times, with sovereignty, privacy, and other implications. Canada has been among the world leaders in both the satellite and telecom sectors. The country has the potential to reemerge as one of the leaders in the 2030s with Telesat, MDA, and many other companies (small and big) which form a vibrant Canadian ecosystem.

alex

This post raises an important issue, but it actually overstates the protection granted by encryption in this context.

Most Microsoft services (Outlook, Word, Excel, Teams, etc.) do not offer full end-to-end encryption (E2EE) [0]. Instead, data is encrypted during storage ("at rest") and transmission ("in transit"), but ultimately Microsoft still controls the keys, meaning it could simply access the data if compelled under U.S. law - no cracking would be required. [1] [2]

Even if it was feasible to implement stronger models like "Hold Your Own Key," doing so for government systems could be incompatible with record-keeping legal requirements.

A system that truly splits control of infrastructure and encryption keys between two organizations doesn’t really exist for modern cloud-based productivity tools. As long as Microsoft either owns or effectively controls the keys, encryption is not a true barrier to access.

[0] https://www.cloudflare.com/learning/privacy/what-is-end-to-end-encryption

[1] https://learn.microsoft.com/en-us/purview/customer-key-overview

[2] https://learn.microsoft.com/en-us/purview/ome-faq

Alexander Rudolph

Agreed, great points! There are a lot of nuances to this not covered here, but I was having this exact conversation with some people early this week. Encryption gets you to a point, but a lack of control of infrastructure and the data in transit opens up many vulnerabilities. It is one reason I bring up the Apple case; there are overlapping technical, legal, and political aspects to this that cannot be ignored with US-based corporations.

Clayton

This is a major issue that has a very broad scope.

We built a tool for Canadians to determine a site's data sovereignty, with links to the U.S. CLOUD Act and Patriot Act, found here:

https://www.canhost.ca/is-it-hosted-in-canada/

5 maple leafs is the target.

Richard Anderson

I have assumed this to be the case - thank you for verifying it. Data sovereignty is now a major issue - as I have been saying for six months at least.
