Bad assumptions about cloud computing and the Patriot Act
Anyone reading about the Cloud has heard the common dangerous assumption that the Patriot Act gives the government unprecedented access to your data. The misconception is that the level of access that the government has in the cloud is beyond what they would have if the data were hosted elsewhere.
Recently the European Commission Vice-President Viviane Reding, “spearheaded and vigorously advocated for the Commission's proposals to update and modernize the privacy framework in Europe through a detailed new Regulation.”
According to CSO Magazine, Commissioner Reding cried foul late last year when an EU Cloud Computing service suggested that there would be an advantage to its geographic location because it would protect customers from the reaches of the USA Patriot Act.
We live in a time, unfortunately, where many European countries have strict privacy laws which provide governments with “expedited access” to Cloud data. Reding notes that, indeed, France's anti-terrorism law has been said to make the Patriot Act look "namby-pamby" by comparison.
A recent study of the laws of Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, United Kingdom, and the United States showed that it is incorrect to make the assumption that the US government has more or less access to data in the cloud than have other advanced economies.
The bottom line is that where the data lives with regard to physical location of the cloud, service provider, or its facilities does not limit the government's access.
Notably the author writes, “...every single country that we examined vests authority in the government to require a Cloud service provider to disclose customer data in a range of situations. Moreover, some governments permit invasive investigatory measures of Cloud providers when the investigation concerns national security.”
To underscore the reach of governments, an example was provided of the German Federal Office of Criminal Investigation (BKA); where the BKA suspects terrorism, a computer virus is employed to infiltrate and search a Cloud provider's servers. The 'Federal Trojan' is then left in the system to continue to covertly monitor traffic.
Additionally, the German intelligence services has the right, provided by the G10 act, to monitor and record telecommunications without a court order if they are investigating serious crime, terrorism or threat against their national security.
And the Patriot Act?
Well, although commonly, but erroneously, believed to have created a new mechanism for the US government to get access to Cloud provider data, really The Patriot Act extended many of the methods which were already in place while retaining Constitutional and statutory checks on abuse.
Should protecting the privacy and security of data in the cloud be a priority for cloud operators?
Should National Security trump personal security?
You tell me. At the end of the day, knowing the facts helps.
For more about cloud computing legal concerns please see Michael Overly's blog here.
See also: