How universities got it so wrong over Patriot Act outsourcing

Summary: A look at the ripple effect of how leading UK colleges and universities got it so wrong over data sovereignty and the protection of cloud data.


I look back over the Patriot Act research carried out earlier this year and its aftermath, in which the European Parliament has extended its concerns over the Patriot Act's reach to EU governments, businesses, and universities. In this first post, we explore how naive universities in particular have been -- institutions seemingly at the forefront of world-leading and pioneering research -- and how these academic institutions nonetheless got it so very wrong.

Universities, in the past year alone, have shown extreme naivety in outsourcing data to European-hosted cloud services that are not insulated from U.S. law.

In short, just on the off chance you missed it: European law notwithstanding, the USA PATRIOT Act can be invoked to access cloud-stored data held in Europe, for law enforcement purposes and for the acquisition of intelligence. The European Parliament is investigating and seeks answers from Europe's upper house, to determine how at risk 800 million Europeans may be.

This revelation implicates all businesses, governments, schools, colleges and universities in Europe and further afield. Any organisation whose data is stored by a subsidiary of a U.S.-headquartered company, such as Microsoft, Google, Apple, or Amazon, risks having that data accessed and inspected under U.S. law.

Ironically, some of these universities rank in the top fifty in the world and are at the top of their academic game, yet they still overlooked, or simply did not recognise, a major disparity in the law presented to them.

Or worse, they knowingly outsourced their data to the cloud, sacrificing student data protection, and even running the risk of breaking European laws.

These institutions frankly cannot play the ignorance card. With all due respect to them, if a then 22-year-old undergraduate student can highlight the extreme disparity between the corresponding data protection laws, showing how one all but negates European law in the process, ignorance is not a defence.

- -

Over the course of the past year, when the recession was at its peak, universities were looking for cheaper alternatives to their own internal communications infrastructure.

At the time, Microsoft and Google presented their Live@edu and Apps for Education cloud solutions respectively: seemingly a cunning approach, knowing how heavily publicly funded academic institutions were, suffering under capped tuition fees and rising IT implementation and maintenance costs.

Both Microsoft and Google preyed on vulnerable institutions and made their cases for outsourcing clear. In doing so, they both avoided mention of U.S. law and its reach, knowing full well that their subsidiaries were subject to the Patriot Act, and instead opted to highlight the firm promises they could make, such as that data would be stored in European datacenters and not in the U.S.

The Joint Information Systems Committee (JISC), the UK's educational support and digital technologies body, explored outsourcing communications to the cloud. Its legal department said:

"The US Patriot Act is intended to assist terrorism prevention in the US and permits access to data by the US intelligence services in certain circumstances, including, but not limited to, in the interests of national security.

The US Patriot Act would allow the US intelligence services to obtain data belonging to an institution in the UK where the data is stored in the servers of a US cloud computing service provider. Prior to outsourcing services to the US, an institution should take into account the potential impact of the US Patriot Act as part of its risk assessment.

The Information Commissioner’s Office advises that UK organisations outsourcing to the US should make sure they have procedures and measures in place to deal with any requests for information that may be received under the US Patriot Act. Such measures may include a requirement for the cloud computing service provider to report requests from US authorities to the institution. Access the ICO outsourcing guidance for further information."

This legal advice focuses heavily on "outsourcing to the U.S.", rather than on the more complex case of outsourcing to a U.S.-linked organisation whose servers sit in Europe.

Considering that JISC, an organisation funded by academic institutions around the United Kingdom, acts as a focal point for all of them, it is clear how other universities were led astray by this accurate yet naive legal advice.

The Information Commissioner's Office (ICO), as mentioned in the JISC legal advice, highlights a crucial element to the UK's enactment of the European data protection laws:

"When you contract or arrange with someone to process personal information on your behalf you remain responsible for the processing. This means that you will be liable for breaches of the [Data Protection Act 1998]"

Though the Patriot Act is mentioned in the ICO's best practice guide, it cites the U.S. law only as an example of what applies should an institution outsource infrastructure directly to the U.S., and fails to recognise the connection between subsidiaries of larger U.S. entities and their parents' standing policies on government requests.

JISC's legal pages set out this guidance only days before Microsoft UK managing director Gordon Frazer's admission that Microsoft's cloud, and by implication others, was not protected against U.S. authorities even outside U.S. jurisdiction.

Some time before this, however, many universities were outsourcing to the cloud regardless, content with their own internal legal decisions, which often reached the same conclusions as JISC did.

The University of Edinburgh did take the Patriot Act and U.S. law into account, considering how it would lawfully respond to requests routed through UK authorities, though not the possibility of its data being accessed without the university's knowledge. The project wiki said:

"Even now, there are circumstances, such as terrorism-related investigations, when the US government could request access to our data via the UK authorities. Under these circumstances the University would be unlikely to not comply. This would not be any different if the data were stored by Microsoft. The data will remain under University control. UK and EU data privacy laws will apply."

Other institutions did not even consider the limits of "the Dublin factor", whereby data is stored by Google, Microsoft or Apple, more often than not on Irish soil in a Dublin datacenter, glossing over any seemingly external forces. Take the University of Warwick as an example:

"Email is stored at Microsoft's Data Centre in Dublin. It is important to us for legal reasons that email data is held within the EU rather than the US or elsewhere in the world, and Microsoft's service is the only one which is committed to this approach."

But from personal experience, the University of Kent [see disclosure] got it horrifically wrong. As one of the early adopters of Microsoft's educational outsourcing venture, Kent outsourced its email to Microsoft's Live@edu service long before many others did.

Though not a public case study for Microsoft's cloud services, other institutions looked to Kent to see how the logistics of the transition panned out, for the most part successfully. This alone paved the way for others to follow suit. I spoke to Julia Goodfellow, the head of the University of Kent, before the contracts with Microsoft were signed, so the university was fully aware of the risks.

I say that because I was the one who told them. Though it was only theory at the time, it did not override the other pressures the university faced, such as the financial difficulties it may have been experiencing post-recession. The theory has since been proved correct.

It is clear that, through the combined indirect influence of early adopters among these institutions, whose motives will be discussed in tomorrow's article, and a misguided and naive legal understanding of the wider implications of data sovereignty, colleges and universities have for the most part been let down by other academic institutions.

The knock-on and ripple effect alone perpetuated the growth of outsourcing. It is clear that, while the European Parliament investigates Gordon Frazer's admission, many EU university chiefs have knowingly or unknowingly broken European data protection law in the process.

Topics: Collaboration, Government, Government US

  • RE: How universities got it so wrong over Patriot Act outsourcing

    Been interesting to see how deep this rabbit hole has been going - and how much people are realizing that the "Net" is not what it has been hyped up to be.
    Matthew A. Sawtell
    • RE: How universities got it so wrong over Patriot Act outsourcing

      @Matthew A. Sawtell
      What is it that you think the "Net" has been hyped up to be?
      Every byte of data that is not encrypted end-to-end is subject to public scrutiny, and always has been.
      And despite what most of us would prefer, every government in the world considers all of the data of its citizens, and all of the data that passes its borders, to be available to it on request.
      Yes, the EU has a few more rules than some, but ask Germany how much attention they pay to them.
      At least the US comes right out and tells everyone what they are going to do, and the circumstances that they will do it under.
  • RE: How universities got it so wrong over Patriot Act outsourcing

    The cloud resources are good, they make educational and business sense to implement. It is the laws and policies that need to catch up.
    • RE: How universities got it so wrong over Patriot Act outsourcing


      Actually, for most businesses they do NOT represent good business sense as they can place control of the daily operations at extreme risk and in the hands of others. An internal cloud set-up, similar to a thin client or server system, does make sense, but not putting critical services or operations in another organisation's hands.

      Yes, cloud services like a word processor can be useful to a student, so they can do assignments from any computer at the college or home without worrying about losing their USB drive or if it will work, and can save them the cost of the software (although there are free alternatives) - but it also increases the risk of the data not being available if there is a connectivity issue of some sort; say the cable from the college to the cloud server is down because someone dug it up (happens a lot).
      Deadly Ernest
  • The Cloud is used to Obscure

    This is also one reason why I'm not using the on-line health data repositories offered by Microsoft and the like.
    Patriot Act trumps HIPAA. And the U.S. Justice Department is more corrupt than the Mafia. At least the mob has a system of ethics.
    • RE: How universities got it so wrong over Patriot Act outsourcing


      Pointless. You think the U.S. won't send in jackboots to grab up the "shadow records" your physician has to keep just so he can keep the most basic referral data straight. I've been in the stacks of multiple departments. I've seen why you have to resubmit your history everywhere you go, and I've seen what the VA thinks they're doing is safe. At least when you go with Google and Microsoft you provide a financial incentive for them to put lawyers in the path of the Patriot Act. You bury it in your basement, and they'll just run over you when they come to take it.
      • RE: How universities got it so wrong over Patriot Act outsourcing

        @tkejlboom

        That's all true, right up to the point where it becomes financially viable for Google and Microsoft to pay the fines and get a profit from who they sell your data to.
        Deadly Ernest
  • RE: How universities got it so wrong over Patriot Act outsourcing

    Yawn. Take a pill, dude. But to the point, why are you so excited about the Patriot Act when you (the collective left wing you) are trying to use the International Criminal Court and/or the "Court of Human Rights" to prosecute George Bush, Dick Cheney, Donald Rumsfeld, George Tenet, Condoleezza Rice, and Alberto Gonzales even though the US isn't a party to the Rome Statute?
    • RE: How universities got it so wrong over Patriot Act outsourcing


      Because they broke international law, whether the United States is a party to that statute or not!

      Seriously dude.... try thinking outside of the damned box.
      • Re; try thinking outside of the damned box.

        It is far too comfortable inside the box.

        Just think about it: Nearly all thinking is done and finished with a long time ago.
  • So what

    There is no privacy and there will be no privacy. Get over it: you are owned like a sheep is owned, only so much more so. Everything you say and do, your friends, relatives and countrymen, where you shop, what you buy (cookies in your computer and credit reports), where you go, who you talk to, what you say and for how long (cell phone records, GPS). Commercial interests know your history better than you know it yourself. Combine that with your confidential records and you think privacy exists? I think privacy is a delusion, a mental illness to believe that such a thing exists.
    • RE: How universities got it so wrong over Patriot Act outsourcing

      Sorry, there is privacy, and there's a lot of it available, IF you take the time to utilise the resources available to ensure that. Mind you, I choose not to do that with a lot of stuff, but where I want privacy, I've got it - but then, I'm not in the Jackboot state of the USA.
      Deadly Ernest
    • RE: How universities got it so wrong over Patriot Act outsourcing


      The only mental illness here is what you have, where you believe that there is no such thing as privacy.
  • RE: How universities got it so wrong over Patriot Act outsourcing

    Hey, did I miss something? Since when has the USA had the legal right to tell other countries how they will store and secure their data? The USA government has no legal right to pass laws allowing them to do things in other countries, except where such laws are supported by existing International Law. Thus, any such law, like the Patriot Act, has NO legal bearing outside the USA - and that's a starting point the author of this article seems to have missed.

    Another thing is there are some aspects of the Patriot Act, such as the examination of data stored in another country, where the action stated constitutes an indictable offence under the laws of the other country. Thus, an attempt by US officials to examine the data stored in that country would make them felons in that country, will the USA government then allow those people to be extradited and tried for their crimes? I doubt it.

    The author of this article needs to get over the fact that the USA government does NOT run the world. Then they may be able to have a realistic look at what's going on.
    Deadly Ernest
  • So the greatest and brightest minds... the supposedly smartest institutions in the world were duped by the clods at Microsoft & Google?

    <i>Both Microsoft and Google, in particular, preyed on vulnerable institutions and made their cases for outsourcing clear.</i>

    Come on.
  • It is called espionage...

    ... and it is always legal in the country that spies and illegal in the country that is spied upon, even if the second one is an ally. The cynics would say that spying on thy allies is the best way to keep them that. The case is clear. Irrespective of the mother-company, if the data are stored in a subsidiary in another country, the laws of that country apply, not those of the mother-company, especially if the physical storage is also there. The only legally proper way to access that data is for US authorities to request EU ones for legal access to the data; invoking any other approach by the US AT forces is a thin legal fig-leaf. Europe has had a much more intimate historical knowledge of political, civil and human rights abuses than the US (but America is not that far away - it just did not have such devastating consequences on its soil as Europe) - read: a World war - so its dislike today of the Patriotic act should be more than understandable; in an excessive reaction to the 9/11 incident the US Congress passed, with little opposition from the then shit-in-the-pants public, an overbearing and overreaching legal frame that would have made proud the jurists of any Nazi or hard commie state (this one is not mine, I took it from American commentators). As the author properly states, the EU universities were not that imbecilic (naive is a polite term) not to know what the Patriotic act means for the EU data protection, they just did not give a damn.
  • RE: How universities got it so wrong over Patriot Act outsourcing

    Get over the privacy already. If you don't do anything wrong it doesn't matter.
    • RE: How universities got it so wrong over Patriot Act outsourcing

      @hayneiii@... Many people get wrongly accused of things on minimal data. When it is espionage there is no requirement to have even done something wrong! Governmental interest is all that is required. When the email accounts contain the personal data of foreign (especially African and Middle Eastern) students, American national interest may not accord with their families' position in their country. All students are entitled under UK law to the protection of our law - which cannot be maintained in the face of the Patriot Act. This incongruity cannot be allowed; I think it is time to petition to prevent any US registered company from having the personal data of anyone in the UK.
  • RE: How universities got it so wrong over Patriot Act outsourcing

    Nothing you give to anyone ever is private - the very act of giving it renders privacy impossible. Get over it and on with your life.