Is Google the new Rome?

In some ways, Google is a digital Rome. Instead of extending roads to connect its empire, it builds data centers worldwide and challenges local rule not with swords, but with tools and information.

It is a company that probes the perimeters of censorship in China and tests the limits of privacy laws in Europe, sometimes with consequence, as it expands its cloud computing empire.

On Monday, Google received a letter from 10 nations , including Canada, France and Britain, telling the company that the "privacy rights of the world's citizens are being forgotten as Google rolls out new technological applications."

However, Rome answered its challenges as Google did on Tuesday by telling of the universal right of "free expression" and announcing a new tool detailing the requests and orders it receives nation-by-nation for data and content removal.

Google's Rome-like worldview extends to how it will treat the location of customer data. Google is not offering U.S. businesses any specific assurance that their data will be stored in a U.S.-based data center.

It is making an exception for government customers, such as the City of Los Angeles, which, as part of its contract to move its 30,000 users over to Google Apps , will have its data housed in Google's U.S.-based data centers.

From Google's perspective, "specifying data location made more sense when all data was within the organization's firewall, Eran Feigenbaum, director of security at Google Apps, said by e-mail.

"In the world today where we have partners, vendors, multiple offices, employees working remotely, the Internet, e-mail etc. 'Where is my data located?' should probably not be first question we ask," Feigenbaum said.

"When I send an e-mail to my vendor or client, the way all e-mail works, it can travel half way around the world before it gets to them -- even if they work down the street," he said.

"So the primary questions companies should ask are 'how is the data protected?' 'Who has access to it?', and 'How do I evaluate what my IT vendor is telling me about their practices?'"

Microsoft is telling its U.S. customers that their personal data will remain in the U.S. "Our goal is to be as transparent as possible about our commitment to the security of our customer's data and we understand that today maintaining data in the U.S. is an important requirement for many of our U.S. customers," said Susie Adams, Microsoft's Federal CTO.

Legal experts say that all the questions raised by Feigenbaum are part of the due diligence process in working with a cloud provider, but that none of those questions are at the expense of location.

"As a cloud computing client you lose an enormous amount of control, legally and jurisdictionally if the data gets outside of the United States," said Christopher Cain, an attorney in Foley & Lardner LLP.'s IT and outsourcing practice. He said users need to ask as part of their due diligence process about the location of the data.

There are a number of laws that prevent some types of data from leaving the U.S., especially those connected with export controls. However, by and large, U.S. companies don't face anywhere near the restrictions imposed by the Europeans under its privacy directive.

"None of the U.S. privacy laws would prevent you from shipping data to data centers all over the world or outsourcing it India," said John Nicholson, an attorney at Pillsbury Winthrop Shaw Pittman's privacy and data protection practice.

A potential risk is that a government could want data on a particular server, but in the process take all of off the data, regardless of whether it is related. "That server (or hard drive) is theoretically subject to the law of the country in which it sitting," said Nicholson.

But there is also the risk-benefit aspect of it. "If somebody is going to be attacking your systems, the geographic location of your server probably doesn't necessarily make that big of a difference," said Nicholson. "What probably makes a difference is the entity that is hosting your server," he said.

Nicholson asks, instead, who is likely to have a better information security platform: the City of Los Angeles or Google? Google's business model "will go under if they significantly fail at information security," he said.

Los Angeles may have a lot of resources "but it is operating under a different model than Google," he said.

Adam Smith, the chief legal officer at Terremark Worldwide Inc., an IT infrastructure provider, said his firm will honor location requests to keep data in the U.S. But the concern about data location isn't a U.S. issue alone. One European customer who wanted a fail-over location in the U.S. couldn't because of European privacy laws, Smith said.

Microsoft is building out global data centers and in the long run it doesn't want to be constrained in its ability to shift compute resources as needed globally. Indeed, the cloud computing industry wants an empire or federation-like view of cloud computing, with services that can be delivered globally under a uniformed set of rules.

Microsoft has been arguing for lawmakers to take action. The company's top legal officer, Brad Smith, argued in Washington earlier this year for Congress and governments, generally, to sort out the laws on cloud computing. Smith said multilateral agreement perhaps "a free trade zone, so to speak, for data packets" is needed.

Patrick Thibodeau covers SaaS and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld . Follow Patrick on Twitter at ? @DCgov or subscribe to Patrick's RSS feed ? . His e-mail address is pthibodeau@computerworld.com .

Read more about cloud computing in Computerworld's Cloud Computing Knowledge Center.