Bad assumptions about cloud computing and the Patriot Act

Bad assumptions about cloud computing and the Patriot Act

Summary: It's a common -- and dangerous -- assumption that the Patriot Act gives the U.S. government unprecedented access to your data. But where the data lives with regard to physical location of the cloud, service provider, or its facilities does not limit the government's access.

TOPICS: Cloud, Privacy, Security

Anyone reading about the Cloud has heard the common dangerous assumption that the Patriot Act gives the government unprecedented access to your data. The misconception is that the level of access that the government has in the cloud is beyond what they would have if the data were hosted elsewhere.

Recently the European Commission Vice-President Viviane Reding “spearheaded and vigorously advocated for the Commission's proposals to update and modernize the privacy framework in Europe through a detailed new Regulation.”

According to CSO Magazine, Commissioner Reding cried foul late last year when an EU Cloud Computing service suggested that there would be an advantage to its geographic location because it would protect customers from the reaches of the USA Patriot Act.

We live in a time, unfortunately, where many European countries have strict privacy laws which provide governments with “expedited access” to Cloud data. Reding notes that, indeed, France's anti-terrorism law has been said to make the Patriot Act look "namby-pamby" by comparison.

A recent study of the laws of Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, United Kingdom, and the United States showed that it is incorrect to make the assumption that the US government has more or less access to data in the cloud than have other advanced economies.

The bottom line is that where the data lives with regard to physical location of the cloud, service provider, or its facilities does not limit the government's access.

Notably the author writes, “...every single country that we examined vests authority in the government to require a Cloud service provider to disclose customer data in a range of situations. Moreover, some governments permit invasive investigatory measures of Cloud providers when the investigation  concerns national security.”

To underscore the reach of governments, an example was provided of the German Federal Office of Criminal Investigation (BKA); where the BKA suspects terrorism, a computer virus is employed to infiltrate and search a Cloud provider's servers. The 'Federal Trojan' is then left in the system to continue to covertly monitor traffic.

Additionally, the German intelligence services has the right, provided by the G10 act, to monitor and record telecommunications without a court order if they are investigating serious crime, terrorism or threat against their national security.

And the Patriot Act?

Well, although commonly, but erroneously, believed to have created  a new mechanism for the US government to get access to Cloud provider data, really The Patriot Act extended many of the methods which were already in place while retaining Constitutional and statutory checks on abuse.

Should protecting the privacy and security of data in the cloud be a priority for cloud operators?

Should National Security trump personal security?

You tell me. At the end of the day, knowing the facts helps.  

For more about cloud computing legal concerns please see Michael Overly's blog here.

See also:

Topics: Cloud, Privacy, Security

Gery Menegaz

About Gery Menegaz

Gery Menegaz is a Chief Architect for IBM with more than 20 years supporting technologies in the financial, medical, pharmaceutical, insurance, legal and education sectors. My Full-Time Employer is IBM. I write as a freelancer for ZDNet.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Point is...

    ...the safest place to store your confidential data is on your own premeses; you might still be served with a search warrant, but at least you'll know about it. If you're going to store them off site, they should be encrypted.
    John L. Ries
    • Yes and no

      Keeping systems offline is the safest way to protect your privacy. The problem with any cloud service is that major backbones of the west are owned by US companies, which gives the US gov't access to the streams of data passing through those connections. If they want the data, they'll get access to it, regardless of where it's stored, or where your ISP operates.
  • Corruption Free For All

    The TSA was also created under the guise of "national security" and we hear about the abuse of power there (theft, groping, harassment, etc), just imagine when it's digitally anonymous with no accountability or recourse.

    Where government officials are permitted to insider trade and take "gifts", forget about any type of trade secret or intellectual property on the cloud. If you want your data safe, keep it offline and on paper in a locked safe whenever possible. Corruption is going to kill the cloud and I don't mean hard drive failures!
    • TSA


      Thanks for your comment!
    • Amen - unprecedented powers equals unprecedented abuse

      There have already been countless documented cases of Patriot Act abuse and those are only the ones we've heard about. For each time our government got caught abusing the Patriot Act, I guarantee there are dozens of abuses which didn't get caught. Then there is the fact that the NSA routinely monitors all forms of digital communication via high powered equipment installed in top secret rooms in the buildings belonging to every major communications company. Our government is simply out of control. We have less privacy in this country than the citizens in China. Any privacy (or security) you think you have is an illusion.
  • Fuzzy boundries

    One of the biggest problems I see are the vague definitions of who is allowed to look at what, and when. The service provider should provide a clear and concise statement (am I dreaming) about who can access my data and under what conditions. Governments should not have 'secret interpretations' of what a law means (still dreaming).

    If I put my data in 'secure' storage in the cloud it should be secured against anyone without a warrant.
  • That makes no sense at all...


    "The bottom line is that where the data lives with regard to physical location of the cloud, service provider, or its facilities does not limit the government's access."

    Um... Yes... It actually does...

    The US government doesn't have the authority to go to a foreign country and copy someone’s data... The idea that you would even suggest that is ridiculously stupid. Do you even think before you write?
    • I think you misunderstood

      What he is saying is that if your data is stored on a server in France, and the US government wants to access it, they can ask the French government to obtain that information for them.
      • not only that.

        If the company maintaining that data in France has a US entity, then that entity can be directed to turn the data over.
      • The Point

        Thank you for your comment. You are correct. That was the point.
      • In which case...

        ...the French government can decide whether or not they want to comply; or more likely, the French courts would decide for them. Uncle Sam has long arms, but his writ still doesn't extend beyond the borders of the U.S.A (but does extend to U.S. corporations).
        John L. Ries
        • It also extends to foreign companies.

          If they do business in the US.
      • Unless...

        the cloud company has a branch office in America, then the US can demand access to the data without going through "proper channnels", regardless of where the data is held.

        That is the big problem for people in Europe wanting to use cloud services. Not that a government can get access to the data, but HOW they get access to the data. Under EU law, if personal data is handed over to a third party outside the EU, the data owner needs to get written permission from each person affected, before they hand over the data.

        The Patriot Act bypasses that. The US Government asks the cloud provider to hand over the data; the cloud provider has no choice AND they are not allowed to inform the data owner that their data has been breached.

        The problem is, the US Government and the cloud provider are not liable for the data breach, the data owner is liable. If it comes out that their data was compromised and handed over to the US Government, without them getting the written permission of those affected, they are the ones open to prosecution.

        I am sure it would work the other way round as well, if an European Government pulled the data from an American company, because their cloud provider had offices in Europe, the American company whose data was pulled would be liable to prosecution, because they "allowed" a non-domestic entity access to the data.
    • Sense or not

      We can agree to disagree.
    • Think

      "Do you even think before you write?"

      Perhaps you should ask yourself that same question before jumping into the deep end....
  • Interesting Perspective

    Interesting article, Gery. It will be interesting to see how further developments of virtualization and cloud technologies will change our society as a whole. As a virtualization service provider, Mosaic Technology looks forward to witnessing these developments.

    Mosaic Technology
  • Missing the Point

    A well written article but almost completely missing the point.

    The bottom line is that where the data lives with regard to physical location of the cloud, service provider, or its facilities does not limit the government's access.

    But that is not the only, or possibly even the main, issue.

    For me (and I suspect many others around the world) it is one thing for *my* (duly elected) government (Australian) to snoop on my data but an entirely different thing for the US government to do so.
    Paul Waite
    • Agreeed

      And, with the Patriot Act, it is irrelevant where the data is stored, as long as the cloud provider has a single office or employee in America, they are subject to the Patriot Act and have to hand over the data upon request.
    • Stroll down to your local FBI office and ask about it.

      Didn't know that the US FBI had offices in Sydney and Melbourne, or that FBI agents have extraterritorial privileges in Australia? Don't worry, you're not alone.

      The sad fact is that most governments' police forces are happy to "cooperate" with the FBI and US DoJ because they get paid to do so. They get free training at US installations, free equipment, and even funding for pet projects of their own unrelated to any US investigation. The money for this runs into the hundreds of millions of dollars every year, which is still a drop in the bucket in the overall US budget.

      America operates over 600 different law enforcement offices outside of the US, from a dozen different Federal agencies and a number of state and local agencies as well. The NYPD has offices in Paris and Amsterdam, the Texas Rangers have offices in Mexico City and Bogota. Who knew?
      terry flores
  • Beware the Cloud

    It is not just the gov't spooks you need to worry about. What about the Cloud Provider? Do you really know who is accessing your data? Of course they will tell you it is private and protected, but there are always those who can get access - the same people who will give Big Brother access when requested. So Beware the Cloud. It is all the rage these days, but think twice before jumping in.