This is the first in a series of posts that examine the principles governing the transfer of data across borders between the European Union and the United States, and the effect that the USA PATRIOT Act has on businesses, citizens and governments outside the United States. Although this is a U.S.-oriented site and I am a British citizen, the issues I surface here affect all readers, whether living and working inside or outside the United States.
The USA PATRIOT Act held prominence in American society shortly after the September 11 terrorist attacks, and played a crucial role in enhancing the search capabilities of law enforcement.
But as the scales of justice swayed toward the law itself, an erosion of civil liberties became apparent -- even to the U.S.'s closest neighbour, Canada.
Post-9/11 and the Patriot Act
The U.S. counter-terrorism strategy has been strengthened in light of the home-grown and foreign terror threat to the mainland. However, the terrorist attacks against the U.S. on September 11, 2001, sparked a change in U.S. policy on gathering intelligence to prevent further attacks.
About a month after the attacks, the U.S. Congress passed a new counter-terrorism law, commonly abbreviated to the USA PATRIOT Act 2001.
The controversial USA PATRIOT Act, commonly known as the Patriot Act, revised and consolidated counter-terrorism laws post-9/11 to enhance domestic law enforcement investigatory authority, including sweeping surveillance and search powers. Some claim that it eliminates the judicial oversight needed to ensure these powers are not abused.
Most U.S. citizens living in the U.S. are aware of the Patriot Act as the "counter-terrorism law". But the act consolidates, refreshes and bolsters existing laws to improve federal resources, enabling those fighting the war on terror to intercept communications and acquire intelligence to prevent what is considered modern-day terrorism.
For a brief overview of the Patriot Act, such as the amended legislation and the new provisions accepted by Congress in light of the September 11 attacks, the College of Law at the University of Arizona and the School of Psychology at Juniata College have more.
The 2001 Act, for example, takes into account new technologies which enable acts of cyber-terrorism; prohibits the act of knowingly harbouring a terrorist; and provides law enforcement with the ability to delay the notification of a court-approved search warrant in order to prevent a suspect from destroying evidence or fleeing. In some cases, the Act simply refreshes certain areas to bring them up to date.
However, the Act has been criticised by academics as a "knee-jerk reaction" to the September 11th attacks, suggesting that it infringes the constitutional rights of ordinary citizens and foreign nationals by authorising surveillance without the necessary requirement of a court order.
As a U.S. law, the Patriot Act applies to everyone living in and visiting the country, including any foreign national who spends time on U.S. soil as part of a visa arrangement. The Act also applies to companies based in the U.S., whether they are headquartered there -- such as Apple, Google or Microsoft -- or are a subsidiary of a larger non-U.S. company.
For example, although the BBC has its headquarters in London, it also has studios and offices in the U.S., making these U.S.-based offices vulnerable to the Act.
Many users of popular web services or cloud services are unclear about the laws in effect or even the jurisdiction under which users and service providers fall.
Yet, many services, products and websites, including those made available by the cloud, are provided by U.S.-based organisations. Cloud services are often sourced from localised companies (like Google UK or Microsoft UK) for citizens in the United Kingdom, instead of dealing directly with the U.S.-based corporations.
Because the Patriot Act legislation covers U.S. companies, data that is housed in or passes through the United States is vulnerable to interception by authorities.
Arguably, one of the more controversial elements of the Patriot Act is the provision made available to U.S. law enforcement officials and intelligence agencies to demand that an organization or entity hand over stored records or data without a court order.
The use of this provision of the Patriot Act has been challenged in court. An FBI-issued National Security Letter (NSL) prevented Nicholas Merrill, then ISP and now founder of the Calyx Institute, from disclosing to anyone his court challenge.
A U.S. District Court Judge struck down the 'gagging order' -- the National Security Letter -- ruling that it was "unconstitutional" as it violated the right of free speech under the First Amendment and the right to be free from unreasonable searches under the Fourth Amendment.
More information on the use of NSLs can be found in the ruling document, mirrored by the Electronic Frontier Foundation (EFF).
The controversy of Canada
Since being signed into law in 2001, the Patriot Act has been cited as a viable reason for Canadian companies, government departments and universities to avoid the cloud due to the close proximity to the United States.
Privacy, data protection and data control laws are strict in Canada. Canadian officials are concerned with the level of protection the United States can provide for foreign data. The Canadian privacy commissioner, Jennifer Stoddart, said she hoped the Canadian government would introduce an updated form of the existing Canadian Privacy Act 1983, to counter the current government surveillance capability.
Last year, I reported on the small number of Canadian schools, colleges and universities adopting the outsourced email systems offered by both Google and Microsoft in comparison to the adoption rates by educational institutions in the U.S. and the EU. Microsoft had not published any case studies of users in Canada, and Google only appeared to have four schools in the region since mid-2010.
According to Kisluk and Gross in 2005:
"Prior to the passage of the Patriot Act, Canadians' personal information in the custody or control of US-linked organizations could be accessed by US authorities by other means, such as national security letters or grand jury subpoenas, or through governmental channels. The Patriot Act, it has been suggested, simply 'broadened the scope and lowered the standard for the issuance of such orders.'"
As NSLs are used to gag organisations under the Patriot Act, the individual under suspicion or investigation may not be told. Canadian law says that when an individual's data is moved, including across borders, the individual whose data is of interest must be informed. Therefore, the gagged organisation could be in breach of Canadian law if it upholds the gagging order under U.S. law.
Following a 10-week investigation into the Patriot Act, David Loukidelis, then Information and Privacy Commissioner for British Columbia, put forward sixteen recommended changes to the law, including:
"Legislation should be passed to make it an offence for a public body or a contractor to disclose personal information or send it outside Canada in response to a foreign court order, subpoena or warrant, with violation being punished by a fine of up to $1 million or a term of imprisonment, or both;"
Yet some argue that Canadians are too quick to denounce the cloud because of the Patriot Act. David Fraser, a Halifax-based privacy lawyer, argues that the Canadian Anti-Terrorism Act 2001, which passed into law with Royal Assent shortly after the Patriot Act became law, performs similar functions for Canada's intelligence community.
Fraser goes on to highlight further similarities between the laws, summarising this by saying:
"Canadian authorities can get information in the U.S. without a warrant and American authorities can get information in Canada without a warrant" and this happens on a daily basis."
Opposing this view in the same article, one chief technology officer based in Montreal advocated:
"[a] strategic value in having 'pure bred Canadian cloud providers' that fall into Canadian jurisdiction, which would also provide an option that Canadian government and military can use."
Nevertheless, the issue many Canadians face with the Patriot Act lies in their recognising it as a foreign piece of law which allows a foreign government to access their personal data for the benefit of the United States and, potentially, its overseas allies. Their argument is, "what right do they have?".
The Canadian government, through its Chief Information Officer's website, has provided a comprehensive list of frequently asked questions which explains the risks that the Canadian government perceives with the neighbouring Patriot Act.
In response to the concern over privacy and the protection of personal information for Canadian citizens, the FAQ also highlights that Canada is not the only country at risk from information interception:
"Under the [USA PATRIOT] Act, US officials could access information about citizens of other countries, including Canada, if that information is physically within the United States or accessible electronically. The potential exists, therefore, for law enforcement agencies to obtain information about Canadians whose information might be handled under a contract between the federal government and a US-based company."
Another point from the FAQ goes on to consider the private sector; notably the rise in outsourcing of Canadian operations and infrastructure to more protected and insulated firms and organisations:
"When a supplier is hired to administer personal information and any part of its operations, including subcontractors, are [sic] outside of Canada, then the laws of the other country (or countries) may be applicable to information stored or accessible electronically in the foreign country. If a company located in the United States or with U.S. connections is hired, then the USA PATRIOT Act may be applicable."
Though the Canadian federal government is not aware of any case where personal information of one of its citizens was accessed under the Patriot Act, Canada maintains the risk remains.
Canada's domestic security service sparked controversy by using surveillance laws to gather information on its own citizens, including a major broadcaster, a religious organisation, and a political party.
The United Kingdom has intelligence gathering policies similar to Canada's. Not only a close ally of the United States in intelligence-sharing and military capability, the UK is also a fellow Commonwealth country to Canada by sharing the same monarch. The UK not only has laws in place to collect intelligence to bolster foreign policy, foreign relations and to prevent domestic terrorism, but also data protection legislation which applies the EU-prescribed 'Data Protection Directive.'
Citizens of all countries have largely come to accept that governments monitor our communications to a degree, in a bid to provide a state of national security to fight terrorism and minimise the threat to their countries. Our governments are after all accountable to the voting public.
But when a stronger entity like the United States uses its domestic policy to authorise the secret gathering of intelligence from another country, as seen with the Patriot Act vs Canadian privacy laws, the Canadian government has shown an obvious cause for concern.
Next up: An overview of the Safe Harbor principles, prescribed by the European Commission to protect European governments and citizens from breaches in privacy.