
"Data residency is no longer enough. As governments lose faith that storing data within their borders, but on someone else's servers, provides real sovereignty, regulators are demanding something more fundamental: control over the encryption keys for their data. Privatim, a collective of Swiss local government data protection officers, last week called on their employers to avoid the use of international software-as-a-service solutions for sensitive government data unless the agencies themselves implement end-to-end encryption."
""Most SaaS solutions do not yet offer true end-to-end encryption that would prevent the provider from accessing plaintext data," said the Swiss data protection officers' resolution. "The use of SaaS applications therefore entails a significant loss of control." Security analysts say this loss of control undermines the very concept of data sovereignty. "When a cloud provider has any ability to decrypt customer data, either through legal process or internal mechanisms, the data is no longer truly sovereign," said Sanchit Vir Gogia, chief analyst at Greyhound Research."
"The Swiss position isn't isolated, Gogia said. Across Europe, Germany, France, Denmark and the European Commission have each issued warnings or taken action, pointing to a loss of faith in the neutrality of foreign-owned hyperscalers, he said. "Switzerland distinguished itself by stating explicitly what others have implied: that the US CLOUD Act and foreign surveillance risk renders cloud solutions lacking end-to-end encryption unsuitable for high-sensitivity public sector use, according to the resolution.""
Governments increasingly view data residency alone as insufficient for sovereignty and seek control of encryption keys to prevent provider access. Swiss local government data protection officers urged agencies to avoid international SaaS for sensitive data unless agencies implement end-to-end encryption themselves, citing Microsoft 365 as an example. The resolution states that most SaaS lacks true end-to-end encryption, causing a significant loss of control. Security analysts warn that any provider ability to decrypt data undermines sovereignty. Several European governments and the EU have issued warnings or taken action over the neutrality of foreign hyperscalers and risks from laws like the US CLOUD Act.
Read at Computerworld