Can a foreign firm safeguard American privacy?

Responding to an Aug. 28 FCW article outlining the government's Federal Cloud Credential Exchange, a reader questioned the logic of having a foreign company design an American credentialing system, writing:  I'd like to see the background of how we decided having a foreign country be the epicenter of our credentialing system makes good sense. I'm sure logic was used in that decision, I'm just not seeing it.

Frank Konkel responds:

SecureKey Technologies Chief Marketing Officer Andre Boysen suggests that American citizens shouldn't worry about their information getting used outside the borders through FCCX.  

While SecureKey is headquartered in Toronto, it has an American headquarters in Washington, D.C., from which its American contracts operate. In addition, Boysen said, services and servers hosted for FCCX will be housed on U.S. soil, not in Canada or anywhere else. It should be noted that SecureKey has not yet picked a cloud provider, yet its concern for data sovereignty aligns with the company's philosophies and existing deals with Canada and the United Kingdom.

Finally, our article describes the "triple blind" process that keeps the FCCX hub and the agency involved from putting two and two together from a user's personal information. User privacy is one of the main goals of the pilot, which has one year to prove useful enough to merit a contract extension.

As for the procurement process, keep in mind that the U.S. Postal Service received nearly 20 bids on the FCCX pilot, many of which came from U.S. companies. The contract award makes clear that none matched what SecureKey could do from a technological or fiscal standpoint.