Zurich government council: green light for M365; Rosenthal risk assessment model canonized; risk threshold at 10% over 5 years.

M365 approval

The Zurich government council passed a resolution on March 30, 2022, published on April 14, 2022, entitled “Use of cloud solutions in the cantonal administration, (Microsoft 365), approval” (RRB 542/2022).

This concerns the use of M365, in particular Exchange Online and Teams; the latter does not even exist as an on-premise solution and, as it becomes more widespread, therefore forces the move to the cloud. The canton of Zurich sees no alternative to this move, which it describes quite strikingly: without the cloud, the canton would be “on the technological sidelines” because it would be “closed to technological progress”. This appears at the end of the text, but logically belongs at the beginning of the resolution (and is reminiscent of the “sweat of the feet of progress” according to Karl Kraus).

Lawful Access: Rosenthal’s Model

As far as the risks are concerned, the government council is probably right in assuming that the general security risks are at least no higher than with an on-prem solution. These risks (e.g., the supplier risk) were examined separately (references to the legal basis can be found in the decision). In addition, however, there is the specific lawful access risk, i.e., the risk of foreign authorities gaining access to data.

The government council relates this risk to US authorities. The contract, which the canton concluded in 2021 on the basis of the SIK contract with Microsoft (with an addendum supported by the data protection commissioner), is with Microsoft’s Irish company, but this does not rule out that U.S. authorities could access the canton’s data via the Stored Communications Act, with the amendments made by the U.S. CLOUD Act. The risk of such access was therefore examined (the analogous risk for Ireland is not mentioned in the decision; whether it was also examined is therefore not clear from the decision).

The canton based its risk assessment on the risk assessment model by David Rosenthal:

For the risk assessment of a foreign lawful access in the case of M365, the calculation method of David Rosenthal was used […]. The calculation method for the structured determination of the probability of occurrence of a successful lawful access by a foreign authority in a cloud project has been published under a free license since 2020 and has been adopted by the International Association of Privacy Professionals (IAPP). The calculation method has established itself as a tool in the Swiss financial sector and is also used, among others, by the Zürcher Kantonalbank in connection with the introduction of M365.

For this risk assessment, the canton held a workshop:

The risk calculation for M365 for the cantonal administration was carried out in a workshop with legal and technical experts from the IT office, the public prosecutor’s office, the cantonal tax office, the state chancellery and the cantonal police. For the statistical calculations, figures from US legal assistance were also collected by the Federal Office of Justice, supplemented with empirical values from the specialists there in connection with rejected and unsubmitted requests from US authorities.

The risk of access by the authorities was estimated to be very low (below 1% within an observation period of five years).

Risk limit: 10% in 5 years

On this basis, the government council decided the following points:

  • David Rosenthal’s risk assessment model will be used in the cantonal administration as a standard model for assessing the lawful access risk of cloud solutions.
  • If the probability of occurrence of a successful lawful access is so low that a probability of 90% is reached only when the observation period exceeds 100 years, the use of the cloud solution is approved from the perspective of the government council (which does not mean that the responsible authorities do not have to make their own risk decision). This formulation of the probability is perhaps not so intuitive, but this risk threshold is more than ten times the risk for M365. In an observation period of 5 years, it corresponds to an access risk of about 10%. The government council thus basically draws the line of its general approval at a risk that is “very low” or “low” in the terminology of Hillson, which Rosenthal has adopted, but not yet “medium”. It is a risk that is considerably higher than the values generally achieved in practice.
  • Only if the risk is even higher must the corresponding cloud solution be approved by the government council on a case-by-case basis.
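
The conversion between the two formulations of the threshold, as an added worked calculation that is not part of the resolution or of this post. It assumes a constant annual probability p of a successful lawful access, independent from year to year; the symbols p and P(T) are introduced here for illustration.

\[
P(T) = 1 - (1 - p)^{T}
\]
\[
P(100) = 0.9 \;\Rightarrow\; (1 - p)^{100} = 0.1 \;\Rightarrow\; p = 1 - 0.1^{1/100} \approx 0.0228
\]
\[
P(5) = 1 - (1 - p)^{5} = 1 - 0.1^{5/100} \approx 1 - 0.891 = 0.109
\]

Under that assumption, "90% only after 100 years" is an annual probability of about 2.3% and a five-year probability of about 10.9%, which matches the "about 10%" given above and is more than ten times the below-1% estimate for M365.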

Follow-up remarks

This risk assessment and acceptance by the government council is based on data protection law and official secrecy (even though this word is found only once in the resolution). Apparently, the government council assumes that a residual risk that is estimated ex ante and lege artis at 10% or less within a 5-year period may be accepted. This also means, among other things, that a lawful access that actually occurred would possibly constitute a violation of official secrecy, but that this violation would not be intentional, not committed with contingent intent, and not negligent if such a risk assessment had been made. Against this background, it is quite significant that representatives of the public prosecutor’s office, among others, took part in the workshops in which the risk assessment was carried out. Under data protection law, the same standard applies in the end: what matters here is that the exporter has “no reason to believe” that authorities access transmitted personal data on the basis of an inadequate legal basis (this could be expanded upon, but that is what the standard contractual clauses say).

As a result, the government council has conferred a higher blessing on David Rosenthal’s risk assessment model, which has become widespread and proven in practice. It would be difficult for a public prosecutor’s office or a court to oppose this model, even though the question of the risk limit, i.e. the subjective element of the offense, is difficult to objectify and would ultimately have to be assessed by the courts in each individual case.

Another point is worth noting: in the risk assessment, the government council explicitly took into account the interest of foreign authorities in the data in question. Insofar as privatim assumed a zero-risk approach in the updated version of the leaflet “Cloud-specific risks and measures” for public bodies (which was not made clear, but there were indications to that effect in the leaflet; cf. our contribution), this should be off the table.

The government council is aware that a risk assessment is not a matter of “fire and forget”. Rather, what is required is “determined and continuous monitoring and constant assessment of the risks”. To this end, the government council is creating the position of a Cloud Security Officer of the Canton of Zurich.



