On the 19th of January, US authorities shut down popular file-sharing service Megaupload.com, impacting millions of users. The whole sordid story, along with much of the backlash and legal discussion, can be found on Wikipedia, and there's a short version in a press release from the US Attorney’s office. A flurry of Jan 30 news reports suggests, probably erroneously, that customer data will be deleted on Thursday.
Like many file sharing services, Megaupload was merely the top link in a Chain of Providers. According to AP, “A letter filed in the case Friday by the US Attorney’s Office for the Eastern District of Virginia said storage companies Carpathia Hosting Inc. and Cogent Communications Group Inc. may begin deleting data Thursday… The letter said the government copied some data from the servers but did not physically take them. It said that now that it has executed its search warrants, it has no right to access the data. The servers are controlled by Carpathia and Cogent and issues about the future of the data must be resolved with them, prosecutors said.”
The letter, which is not indexed on either the DOJ or Federal Court web site, apparently allows the providers to delete the data, but does not necessarily require them to do so. Given that Megaupload’s financial assets are frozen, their hosters certainly have strong financial incentive to reclaim all that floor space (Carpathia is reportedly storing 25 Petabytes for Mega, and it comes as no surprise that the DOJ didn’t attempt to seize 1000 servers).
Without a running front end application, there’s no mechanism allowing customers to log in and access their data. How else could anyone make any sense of the millions of files stored at Carpathia and Cogent? Depending upon the support arrangement for the servers, hosting providers likely have no need to know what is stored or how to access it.
This was made clear in a press release that says, “Carpathia Hosting does not have, and has never had, access to the content on Megaupload servers and has no mechanism for returning any content residing on such servers to Megaupload’s customers.” They also explicitly denied awareness of any sort of instruction for a Feb 2 deletion.
I sincerely doubt that any Gartner clients have formally contracted with Megaupload (let alone some of their sleazier porn-related sites) as a cheap (no pun intended) form of collaboration or file backup. But I am certain that individuals within thousands of organisations, having decided that it was a useful service that their own IT departments refused to provide them, had uploaded corporate data into Megaupload.
If that data wasn’t backed up, it is almost certainly gone for good. This is neither the first nor the last case in which a SaaS provider disappeared overnight, effectively taking all of its customer data with it, but it may well be the largest data loss from a SaaS provider. The fact that the data is still extant, yet inaccessible, must be especially frustrating to those who have just lost their sole copy of family photos or corporate documents.
I was going to say that as a best practice, companies that store significant amounts of pirated or otherwise illegal content should be avoided. Then I realised that this is virtually impossible. Carpathia and Cogent, like Amazon and any other hosting service provider, always have huge amounts of illegal and unsavoury content within their infrastructures.
At least in this case, it reportedly was stored on dedicated servers, not multi-tenanted ones. Let me be more precise and suggest avoiding multi-tenant SaaS offerings that are likely used by pirates. Freebie web sites that provide public file sharing are almost certainly chock full of unsavoury content, and are obviously not suited for enterprise use.
This might be a good time to figure out if your users have been uploading your corporate data to Megaupload or some other freebie file sharing site. It should also serve as a reminder that accessibility to data within a SaaS provider is dependent upon the ongoing viability and competence of that provider. If you have important data within a service provider, you need a contingency plan in case that provider disappears.
Jay Heiser is a research vice president specialising in the areas of IT risk management and compliance, security policy and organisation, forensics, and investigation with Gartner.