By Frank Jennings, Cloud Lawyer
It is likely that, after Sarbanes-Oxley, the most widely feared and misunderstood piece of US legislation – at least in the cloud sector – is the Patriot Act. According to some, the Patriot Act is a good reason to avoid cloud computing altogether. Others say that the draft EU data protection regulation is the Commission’s defence against the Patriot Act. Others say it is a good reason to avoid using a US provider.
Certainly, there is a lot said about the Patriot Act but not all of it is accurate. Here is our myth buster.
1) The Patriot Act is anti European
No. The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001, to use its full title, was passed following the tragic events of 9/11. It consolidated existing anti-terrorism laws and has wide surveillance and seizure powers, some without the need for a court order. However, it applies to US cloud providers just as much as to European ones. There is also the lesser known FISA Amendments Act 2008 (amending the Foreign Intelligence Surveillance Act), which allows surveillance of activities which are unlawful or which are potentially against US interests, such as those of activist, protest or political groups.
2) If I store my data in a US data centre the FBI will access my data
Certainly the FBI could get access to your data but that doesn’t mean they will. Businesses should not worry unnecessarily. The US government is unlikely to want to get access to the data of the average business and will more likely target those engaging in activities which are unlawful or which are potentially against US interests.
3) If I store my data in the UK, the FBI can’t access it
No. In June 2011 the managing director of Microsoft UK admitted that the Patriot Act applies to them because they are a US headquartered business. So, even if you use a UK provider and store your data in Germany, the Patriot Act could still affect you if a US provider anywhere in your cloud supply chain handles your data.
4) If I avoid US providers, no one will see my data
It’s important to remember that each government has its own anti-terrorism and surveillance legislation – the UK government is no exception with its Regulation of Investigatory Powers Act (with the appropriate acronym RIPA). Powers under RIPA have been used widely, and not just for surveillance in the cloud sector: councils have used it to tackle dog fouling and to take sound recordings of noisy children. So each government can get access to data within its own jurisdiction.
5) The UK won’t hand my data over to the FBI
Yes it will. Many countries – including the US and UK – have signed treaties and have in place processes to pass data – your data – to each other upon request. To keep your data safe from the UK government or the FBI, you would probably have to store your data in Iran or North Korea. Good luck with that.
6) The draft EU Data Protection Regulation will stop the Patriot Act
It’s true the new regulation will increase the level of protection of personal data – and is intended to apply to data about EU citizens held outside the EU. This is making US companies uneasy and there is a lot of lobbying going on to water this down. Even the UK information commissioner is not happy with the regulation. But don’t forget, there are two key limitations here. First, the regulation – in whatever its final form – will protect only data about individuals, not all information. Second, it includes exemptions for national security, just as the current law does.
7) If governments can get my data wherever I am, I should stay out of cloud
While it’s true that keeping data on-premise will make it more difficult for governments to get access to it, staying out of cloud is not necessarily the answer either. If you are the kind of organisation that the UK government, the FBI and other agencies want to investigate, then maybe you should stay out of cloud. If you are unlikely to attract the attention of law enforcement agencies, then why forego the benefits of cloud because of a misplaced fear that they will come after you? At least evaluate whether private cloud or hybrid cloud could work for you.
8) I’m not in cloud. I’m secure
Cloud providers place data security at the heart of their operation. If you stay with an on-premise solution, make sure you address data security – don’t assume that your security is adequate. Also, make sure your staff aren’t using their own devices for business purposes. Even if you don’t support BYOD, can you be sure that your staff aren’t using their own iPads or Android devices for business? And you’d better check whether they use Salesforce, Dropbox, Gmail and all those other excellent cloud tools.
What can you do to avoid scrutiny?
There are a number of steps you can take:
- Assess whether your business model or the data you collect is likely to attract the attention of UK and US governmental agencies
- Evaluate your data and identify the really important information
- Consider hybrid cloud where you keep your key data on premise and run everything else through public cloud
- Consider private cloud where your data is held by someone you can investigate and trust
- Consider encryption or tokenisation to protect your data
- Check whether staff are using their own devices or public cloud accounts
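As an added illustration of the encryption or tokenisation item above (example code written for this page, not part of the original post and not any provider’s product): a minimal on-premise token vault in Python. Sensitive fields of a record are swapped for random tokens before the record is sent to a public cloud service, and the only mapping from token back to plaintext stays in the vault on your own premises, which is the “keep your key data on premise, run everything else through public cloud” arrangement of the hybrid-cloud item. The field names, sample records and the `tok_` prefix are constructed for the example, and the in-memory dictionary stands in for the database a real vault would use.

```python
import hashlib
import hmac
import json
import secrets

# Fields that never leave the premises in clear (constructed for this example).
SENSITIVE_FIELDS = ("name", "email", "card_number")


class TokenVault:
    """On-premise token vault (example code, not a product).

    Holds the only mapping from tokens back to plaintext. Tokens are random,
    so a copy of the cloud-side records reveals nothing about the originals
    without access to this vault. A keyed fingerprint (HMAC-SHA256) maps the
    same plaintext to the same token, so cloud-side records can still be
    joined or searched by token without the value itself ever being exposed.
    """

    def __init__(self, lookup_key: bytes):
        if len(lookup_key) < 32:
            raise ValueError("lookup key should be at least 256 bits")
        self._lookup_key = lookup_key
        self._token_to_value = {}        # token -> plaintext (the crown jewels)
        self._fingerprint_to_token = {}  # HMAC(plaintext) -> token (dedupe only)

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._lookup_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenise(self, value: str) -> str:
        fp = self._fingerprint(value)
        token = self._fingerprint_to_token.get(fp)
        if token is None:
            # 192 bits of randomness: the token carries no information about the value.
            token = "tok_" + secrets.token_urlsafe(24)
            self._fingerprint_to_token[fp] = token
            self._token_to_value[token] = value
        return token

    def detokenise(self, token: str) -> str:
        try:
            return self._token_to_value[token]
        except KeyError:
            raise KeyError(f"unknown token {token!r}: not issued by this vault") from None


def to_cloud_record(record: dict, vault: TokenVault) -> dict:
    """Return the copy of `record` that may be sent to a public cloud service."""
    cloud = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in cloud:
            cloud[field] = vault.tokenise(str(cloud[field]))
    return cloud


def from_cloud_record(cloud_record: dict, vault: TokenVault) -> dict:
    """Reverse to_cloud_record using the on-premise vault."""
    record = dict(cloud_record)
    for field in SENSITIVE_FIELDS:
        if field in record:
            record[field] = vault.detokenise(record[field])
    return record


def leaks_sensitive_values(record: dict, cloud_record: dict) -> bool:
    """True if any sensitive plaintext of `record` appears in the serialised cloud copy."""
    blob = json.dumps(cloud_record)
    return any(str(record[f]) in blob for f in SENSITIVE_FIELDS if f in record)


# Constructed sample data; the third order is a repeat customer.
SAMPLE_RECORDS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.org",
     "card_number": "4111111111111111", "order_total": 120.50},
    {"customer_id": 1002, "name": "Bob Example", "email": "bob@example.org",
     "card_number": "5500000000000004", "order_total": 42.00},
    {"customer_id": 1003, "name": "Alice Example", "email": "alice@example.org",
     "card_number": "4111111111111111", "order_total": 9.99},
]


def demo(vault=None):
    """Tokenise the sample records for the cloud, then restore them on premise."""
    if vault is None:
        vault = TokenVault(secrets.token_bytes(32))
    cloud_records = [to_cloud_record(r, vault) for r in SAMPLE_RECORDS]
    restored = [from_cloud_record(c, vault) for c in cloud_records]
    return cloud_records, restored


if __name__ == "__main__":
    cloud, restored = demo()
    print(json.dumps(cloud, indent=2))
    print("round-trip ok:", restored == SAMPLE_RECORDS)
```

Whatever the cloud provider holds, and whatever a government obtains from the provider, is the tokenised copy: the tokens are random values that cannot be reversed without the vault. That makes the vault the asset to protect, back up and restrict access to, and in a real deployment its key would live in an HSM or key management service rather than in a constructor argument. Tokenisation of this kind preserves nothing about the original value, so the cloud side can match records by token but cannot run calculations or searches on the plaintext; if it needs to, you are into encryption schemes with quite different trade-offs.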
I agree that data security concerns are important: I’ve co-authored two reports on this subject and have co-authored a cloud contracts best practice whitepaper which addresses data concerns. Email me for copies.
FEATURED COMMENT: from this blog’s comments section below
With thanks to Verizon Terremark and Eoin Jennings: Some further information from our legal [department]:
The Patriot Act does not grant the US government access to customer records stored in the cloud.
The law only applies to business records of the cloud provider itself.
Therefore, if the US government wants access to a customer’s data stored outside the US, it must request assistance from local (in-country) law enforcement, just as other governments around the world do.
Here is a more detailed explanation of how the Patriot Act ACTUALLY works:
1. The Patriot Act is a law of very limited application. The law applies only to national security (terrorism) investigations within the US. The law does not give the US government the power to act outside the US, and it does not apply at all to criminal or civil investigations outside the national security area.
2. The Patriot Act does not grant the US government access to a cloud customer’s data. The important fact about the Patriot Act that those commenting on the law in the media do not understand is that the law is a “business records” statute. What this means is that the US government can use the law to ask any company that does business in the US (this includes US subsidiaries of non-US companies) to provide the company’s own records (things like customer name, address or means of payment), but it cannot require a hosting provider to provide access to customer data stored in a non-US data center.
3. To access customer data stored outside the US, the US government uses established treaties. Because the Patriot Act in our view does not authorize the US government to “search” a server located outside the US, the US government must request assistance from local (in-country) law enforcement to conduct a “search”, just as other EU governments do.
4. The Patriot Act is not being used to access customer data stored in the EU. The Dutch government has recently confirmed in answers to parliamentary questions that it is not aware of any requests under the Patriot Act for personal data stored in the EU and that the US authorities have stated that if such a request were made it would be with the assistance of in-country law enforcement.