Tuesday, June 4, 2013

Fostering trust in the Cloud in the face of law enforcement access to data

The USA PATRIOT Act was signed into law on October 21, 2001 in response to the September 11 attacks. PATRIOT stands for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism. It gives law enforcement authorities in the US more power to collect information in cases that involve national security.


The issue


The concern raised by many is that this allows the US authorities to access the personal data of non-US citizens stored on US owned data centres. However, many informed sources show that much of this was happening already. In particular, the conclusions from legal-based websites back up this view, while technology-based blogs and web articles tend to be more sensational. Interception of data has been on the statute book in the UK since 1663. Many countries have laws similar to the Patriot Act allowing them to do the same. So perhaps the discussion boils down to the long-running personal-privacy vs. civil protection debate.


Ironically the physical security of cloud data centres is likely much better than private enterprise data centres. As one observer put it, security for cloud providers (for which read Amazon, Google, Microsoft, RackSpace, and others) is as much a business priority as safety is for an airline. So the likelihood of criminal theft of data is probably lower using the cloud. Surely that should be the first priority for an enterprise IT system?


One law firm we spoke to noted a concern amongst enterprise IT officers that ranked above government intervention and data security. In this firm’s opinion, enterprise IT officers today perceive the main risk of using a large public cloud to be the regulatory need of many companies to know exactly where their data is stored, and to be confident that it can be extracted efficiently on exit.


What the Patriot Act changed


According to law firm Olswang LLP the Patriot Act updated existing organised crime interception legislation to include terrorism. It also extended powers to defeat cross border money laundering and terrorism funding. The legislation was more re-brand than new regulation and provided no novel powers. It has checks, balances, and oversight as to when and why data is accessed.


Similar UK legislation passed in 2000 (the RIP (Regulation of Investigatory Powers) Act) was also not novel. Interception had been on the British statute book since 1663. What is changing is the medium – the cloud. UK based cloud systems are within the RIP Act’s scope, as are the Royal Mail and every mobile phone network.


In France, Act No 2001-1062 was enacted on November 15th 2001, significantly strengthening the powers of French law enforcement agencies. Similar EU legislation includes Act 12/2003 on March 21 2003 in Spain. [Linklaters].


How is legislation used?


In 2010 UK enforcement authorities issued almost 2000 intercept warrants. The same year UK public authorities submitted over half a million requests for communications data, two thirds of which were for subscriber data (usually to determine who owns a mobile phone).


View from the lawyers


IT Law Community /SCL – In Defence of the Cloud


http://www.scl.org/site.aspx?i=ed22541


First published in Data Protection Law & Policy in September 2011


Eduardo Ustaran writing for the UK IT law community SCL notes that European data protection law already allows justifiable disclosure of data across jurisdictions. It is not true that complying with a legal obligation to hand over data in a non-EU country will automatically breach EU data protection law. While cloud providers are unlikely to want to negotiate contract terms with all but the largest customers, a well drafted set of terms indicating the service boundary and level of security is likely to be acceptable to most European data controllers.


The tricky issue for European cloud users is the legal restriction on overseas transfer of personal data. The EC’s model clauses for data transfer are very inflexible and so who can blame a cloud vendor refusing to include them in a contract? This issue badly needs addressing and hopes rest on the forthcoming EU data protection legal framework, though this could take years to materialise. And don’t forget that it is the actual level of security in place that is the most important factor for customers. Like safety for airlines, security for cloud providers is their top business priority.


Olswang – UK Cloud Computing Interception, Nothing New


http://www.olswang.com/pdfs/CloudComputingInterception_CQG.pdf


2011


The US, UK and most other EU countries have strong legislation allowing the state to intercept electronic communications including that stored in the cloud though the terminology differs. The US Patriot Act 2001 and UK RIP Act 2000 both aim at intercepting, across every system, the plotting and evidence of serious offences. These include interception of traffic passing through the territory, and the prevention of criminals hiding behind the firewalls of enterprise or cloud hosted computing services. Businesses have to accept (as mobile telecom companies already have: Editor) that criminals might want to squat on their systems and so law enforcement must have rights to intercept.


Looking at the UK RIP Act in particular, businesses must understand that shifting from a US Patriot Act regulated US cloud provider to a UK (or other EU) one will not escape law enforcement interception.


Linklaters – Law Enforcement and Cloud Computing, October 2011


http://www.linklaters.com/Publications/law-enforcement-cloud-computing/Pages/Index.aspx


Dutch MEP Sophie in ’t Veld has voiced her concern over the reach of the Patriot Act. Her worry is section 215 permitting the FBI to obtain an order for any “tangible thing” relevant to an authorised terrorism investigation and that this would allow US authorities access to personal data in the EU stored by US headquartered companies.


These concerns are based on the assumption that EU legislation is more protective of personal data than US legislation. However the EU’s Data Protection Directive enables member states to bypass privacy protections that would otherwise apply for a series of reasons including public security and state security. Linklaters compares similar UK, French and Spanish legislation to the US.


Another area of concern with the US Patriot Act is that requests for information can be accompanied by subpoenas, meaning the requestee has to pay a fine in the event of not providing the information. Linklaters notes this is not unique to the US, citing similar legislation in Belgium.


The ability of the US to extract data from the EU has reverse precedent. In 2009 Yahoo! was fined by a Belgian Criminal Court for failing to identify users of a number of email accounts. Yahoo! argued that the prosecution should have used formal international treaty procedures to request the data. But the court considered Yahoo! to be an electronic communications services provider (ESP) which meant it had to cooperate like any other ESP in Belgian territory regardless of where it was established. The judgement was overturned in 2010 on the basis that email uses the internet, not telephony, but then in 2011 the Belgian Supreme Court reversed that appeal decision.


So in both the US and EU cloud providers may have to disclose data to law enforcement agencies without the data owner being aware. Both can be sanctioned with criminal procedures if they fail to do so. These issues have existed in the context of computer data for several decades, since the outsourcing and off-shoring of IT services have existed.


Bird & Bird – Response to the EC consultation on Cloud Computing


http://www.twobirds.com/English/Documents/CloudComputingResponse_000347-01.pdf


This 4 page response to the EC consultation in August 2011 summarises the lack of legal harmony amongst EU member states on data issues, noting the impracticable German law seems to make cloud computing services hosted outside the EU/EEA illegal. Bird & Bird notes that the perception that data in the cloud can be anywhere leads to confusion on what legal jurisdiction it is in. Bird & Bird suggests the domicile of the service provider should be the jurisdiction, but nowhere mentions any concern about the Patriot Act or other country equivalents. Their list of key issues to address is:


  • Data protection (harmonisation of standards for access, location security, backup encryption, physical security)

  • Interoperability

  • Consumer protection

  • Enforcement

  • Export controls (knowing where data resides)


View from IT industry


V3 – Patriot Act Poses Major Obstacle to European Cloud Adoption


http://www.v3.co.uk/v3-uk/news/2112325/cloud-summit-patriot-act-poses-major-obstacle-european-cloud-adoption


September 27, 2011


CA Technologies cloud solutions president Chris Rae says the US Patriot Act is preventing many European businesses from adopting external cloud services. By forcing US cloud providers to share data with US authorities, European data protection regulations are over-ridden. Issues between the Data Protection Act and the Patriot Act need to be overcome. The Netherlands is considering preventing US cloud providers working on government contracts. Rae believes the US will modify the Patriot Act. Even if European cloud providers are chosen to avoid data protection issues, those cloud providers could end up being acquired by US companies, such as the UK’s Savvis, which was acquired by CenturyLink.


Editor: also ironically Netherlands data centre provider Interxion chose to list in the US rather than in the Netherlands.


ZDnet – 3 articles by British Criminologist Zack Whittaker


USA Patriot Act and the controversy in Canada


http://www.zdnet.com/blog/igeneration/usa-patriot-act-and-the-controversy-of-canada/8803?tag=content;siu-container


After a 10 week investigation into the Patriot Act, a Canadian commissioner came up with 16 recommended changes to the [Canadian] law including making it an offence to send personal information abroad in response to a foreign court order or equivalent. However others argue that the Canadian Anti-Terrorism Act 2001 is similar to the Patriot Act.


Why EU data needs protecting from US law


http://www.zdnet.com/blog/igeneration/safe-harbor-why-eu-data-needs-protecting-from-us-law/8801?tag=content;siu-container


Is there an inequality between US and European data protection? The 1995 European Data Protection Directive sought to allow data the same rights of movement across borders as goods and citizens across the EEA while maintaining appropriate secure and safe data storage.


With many US companies operating in Europe, legislation was required to allow data to flow across the Atlantic. The US did not accept the same principles as agreed in the EEA but instead the EEA and US worked on a common set of “Safe Harbor” principles such that without changing US law, companies that signed up to the Safe Harbor list would adhere to the EU rules. In the US, Safe Harbor is administered by the FTC which has taken legal action in the case of breaches by US corporates.


How the USA Patriot act can be used to access EU data


The article looks in detail at the provision of email, calendar, and other educational apps to UK universities by Google and Microsoft. Contract disclosure by these institutions is mixed, but there is evidence of some institutions contracting with US companies directly, and some with their UK subsidiaries. With the latter it was assumed by the institutions that this would mean UK law would apply, and in some cases the data was required to be held in the EU.


Some universities noted that post graduate research often required that data was not held in a cloud-provider system, but on internal networks (Editor – ironically this might mean the Patriot Act could not reach that data directly, but it might be less secure to theft).


The article also raised the question of geo-redundancy, the common practice of storing copies of data on sites around the world. Cloud providers were unwilling to discuss how or where data was stored in their various sites.


The article also raised the role of “data controller” vs. “data processor” and that according to UK ICO (information commissioner’s office) guidelines, it is the data controller that is responsible for data and answerable to any requests to provide that data. Cloud contracts do define who in the customer-provider relationship is controller or processor.


PCWorld – European Distrust of US Data Security


http://www.pcworld.com/businesscenter/article/245335/european_distrust_of_us_data_security_creates_market_for_local_cloud_service.html


December 2, 2011


Swedish providers Severalnines and City Network have begun promoting their services as a safe haven from the reaches of the US Patriot Act. Other European providers such as DNS Europe, Colt and MESH are following suit.


Contrary to other sources, PC World says the Safe Harbor legislation is seen to have failed, with little evidence of enforcement.


Conclusions and Observations


Based on the above discussion, here are some conclusions and observations:


1) Irrespective of regulation, by virtue of being in the Cloud, data is more secure.


2) There is a difference in reporting between legal sites and technical sites. The tech sites are more sensationalist.


3) Governments have always had access to data for various law enforcement reasons. The Patriot Act formalises this access, especially for terrorism related issues. In that sense, the Patriot Act does not bring anything new to the table.


4) Various governments have also had similar regulations. While Governments want industry to be transparent, governments themselves are rarely transparent. Hence, an air of ambiguity will remain on all such data access regulations.


5) The two issues of privacy and national security are often mixed up.


6) Economies of scale are the foundation of Cloud computing and hence the discussion is important – but it is also important for governments to be more transparent on their objectives.


7) There is a need for a rational discussion on the subject.


