Google has denied breaching any laws over secret signaling clauses in its multibillion-dollar cloud contract with the Israeli government, known as Project Nimbus.
Finance Ministry documents obtained by the Guardian, in conjunction with Local Call and +972 Magazine, explained a model for a message to be indirectly sent to the Israeli government if foreign investigators could access state data held or backed up on Alphabet and Amazon technology controlled by AWS.
UK and American firms Google and Amazon have categorically declined any violation of the law or acknowledgment of wrongdoing, but officials emphasize involvement in legal processes. The reporting alleged cloud providers consent to a “code” of silence rather than usual transparency notices.
Transparency warnings are normally suppressed by gag orders, making different communication mechanisms common. The warning is said to be a private financial transaction used to establish which nation has been provided the indicator, rather than an email or a dashboard alert.
On the face of it, it ensures an absence of privacy defenses, as the companies could limit region sharing entirely. The same research reinforces limitations on withdrawing services from customers when the system is evidently utilized for immoral reasons.
According to reporting, a former Israeli speaker understands the deal‑maker exclusion does not control the kind of data saved. This is key: if correct, this differs from conventional hyperscale management of acceptable use cases and publication reporting.
Leaked documents described by the outlets outline a “winking” payment scheme that maps to international telephone country codes. A payment of 1,000 shekels would indicate the United States, while 4,500 shekels would indicate Denmark. If a legal order bars any hint about the origin of the request, the provider would pay 100,000 shekels as a different kind of signal.
Traditionally, cloud providers disclose government data demands through aggregated transparency reports that show ranges of requests and compliance rates, and generally avoid identifying specific matters or jurisdictions in real time. The invoice canary would flip that model should it be used, creating a bespoke backchannel that skirts conventional disclosure limits.
Company responses and the broader legal context
Google and AWS have rejected the notion that they engaged in unlawful conduct. In statements to media, both companies emphasized that they follow the law, do not provide backdoor access to data, and review government requests to ensure they are valid and narrowly scoped. They also pointed to routine safeguards such as encryption, regional controls, and customer‑managed keys for sensitive workloads.
In major jurisdictions, providers can be prohibited from notifying customers about certain legal demands, including national security requests. Some companies have tested warrant canaries or other indirect notices to signal when they have not received such orders, though courts and regulators have scrutinized workarounds that could undermine gag provisions. Any contractual mechanism that intentionally communicates the origin of a confidential request would raise novel and complex legal questions across numerous legal systems.
Why this matters for cloud governance and oversight
The stakes are significant given the large size and sensitive nature of government cloud workloads. According to industry analysts at Synergy Research Group, AWS currently has about 31% of the global infrastructure market, while Google Cloud has about 11%.
Contracts that alter notification and exit terms with public sector customers can establish precedents that influence how such provisions are written into other procurement frameworks, along with data sovereignty stipulations and human rights due diligence. The terms have another resonance given recent tinderboxes elsewhere. After separate scrutiny tied to its surveillance‑related use and a reportedly internal assessment, Microsoft last year canceled a cloud BA with the Israeli military because it found the use violated product terms. Providers have also terminated or limited accounts when customers failed to abide by acceptable use policies. Should a contract either strip a vendor of its options for disengaging or impose such stringent penalties for doing so, the cloud provider’s leverage to enforce standards itself could be severely limited.
Workforce and reputational pressures around Nimbus
Project Nimbus has always been a point of contention inside the companies. Employee groups have petitioned and published protests, claiming that the project lacks the necessary protections. For large tech employers, internal disagreements can pose retention risks, recruiting difficulties, and a need for ethical governance for severe defense, public safety, and intelligence threats.
The same goes for pressure from civil societies to create greater guardrails around the use of cloud services in battle space, as well as for confirmable audits to determine whether cloud suppliers are following human rights frameworks. These currents are only intensifying as more central government systems move to hyperscale facilities.
What to watch next as regulators assess the terms
Regulatory scrutiny of cloud procurement is “ramping up,” notably around data residency, lawful access, and competition. “Specialty contract clauses” may face additional scrutiny, as whether they circumvent transparency norms may be another legal field of interest. Regulatory bodies will focus on the possible providers’ ability to hard‑stop services when a customer’s use of services conflicts with publicly stated policies.
So far, the Israeli Ministry of Finance has released no statements regarding the leaked terms. If any of the officials, auditors, or courts comment on the situation, the status of the “alleged signaling mechanism” and the legality of non‑termination provisions may be clarified. At the moment, Google’s position is a firm “denial of wrongdoing” and an “assurance that its work on the deal is lawful and in compliance with every commitment.”
