How universities got it so wrong over Patriot Act outsourcing
Summary: A look at the ripple effect of how leading UK colleges and universities got it so wrong over data sovereignty and the protection of cloud data.
I look back over the Patriot Act research carried out earlier this year and its aftermath, in which the European Parliament has extended its concerns over the Patriot Act's reach to EU governments, businesses, and universities. In this first post, we explore how naive universities in particular have been -- institutions seemingly at the forefront of world-leading, pioneering research -- and how these academic institutions nonetheless got it so very wrong.
Universities, in the past year alone, have shown extreme naivety over the outsourcing of data to the insecure European cloud.
In short, just in case you missed it: European law notwithstanding, the USA PATRIOT Act can be invoked to access cloud-stored data in Europe, both for law enforcement purposes and for the acquisition of intelligence. The European Parliament is investigating and seeks answers from Europe's upper house, to determine how at risk 800 million Europeans may be.
This revelation implicates all businesses, governments, schools, colleges and universities in Europe and further afield. Any organisation whose data is stored by a subsidiary of a U.S.-headquartered company, like Microsoft, Google, Apple, or Amazon, risks having that data accessed and inspected under U.S. law.
Ironically, some of these universities are in the top fifty in the world and at the top of their academic game, yet they still overlooked, or simply did not recognise, a major disparity in the law presented to them.
Or worse, they knowingly outsourced their data to the cloud, sacrificing student data protection, and even running the risk of breaking European laws.
These institutions frankly cannot play the ignorance card. With all due respect to them, if a then 22-year-old undergraduate student could highlight the extreme disparity between the corresponding data protection laws, and show that U.S. law all but negates European law in the process, ignorance is not a defence.
- -
Over the course of the past year, when the recession was at its peak, universities were looking for cheaper, alternative solutions to their own internal communications infrastructure.
At the time, Microsoft and Google presented their Live@edu and Apps for Education cloud solutions respectively. It was seemingly a cunning approach, given how heavily publicly funded academic institutions were, suffering under capped tuition fees and rising IT implementation and maintenance costs.
Both Microsoft and Google, in particular, preyed on vulnerable institutions and made their cases for outsourcing clear. In doing so, they both avoided mention of U.S. law and its reach, knowing full well that their subsidiaries were vulnerable to the Patriot Act, instead opting to highlight firm promises they could make, such as the fact that data will be stored in European datacenters, and not in the U.S.
The Joint Information Systems Committee (JISC), the UK's educational support and digital technologies committee, explored outsourcing communications to the cloud. Its legal department said:
"The US Patriot Act is intended to assist terrorism prevention in the US and permits access to data by the US intelligence services in certain circumstances, including, but not limited to, in the interests of national security.
The US Patriot Act would allow the US intelligence services to obtain data belonging to an institution in the UK where the data is stored in the servers of a US cloud computing service provider. Prior to outsourcing services to the US, an institution should take into account the potential impact of the US Patriot Act as part of its risk assessment.
The Information Commissioner’s Office advises that UK organisations outsourcing to the US should make sure they have procedures and measures in place to deal with any requests for information that may be received under the US Patriot Act. Such measures may include a requirement for the cloud computing service provider to report requests from US authorities to the institution. Access the ICO outsourcing guidance for further information."
This legal advice focuses heavily on "outsourcing to the U.S.", rather than the complex nature of outsourcing to a U.S.-linked organisation.
Considering the JISC, an organisation funded by academic institutions around the United Kingdom, acts as a focal point for all academic institutions, it is clear where other universities have been led astray by this accurate, yet naive legal advice.
The Information Commissioner's Office (ICO), as mentioned in the JISC legal advice, highlights a crucial element to the UK's enactment of the European data protection laws:
"When you contract or arrange with someone to process personal information on your behalf you remain responsible for the processing. This means that you will be liable for breaches of the [Data Protection Act 1988]"
Though the Patriot Act is mentioned in the ICO's best practice guide, it cites the U.S. law only as an example of what to consider should an institution outsource infrastructure directly to the U.S., and fails to recognise the connection between subsidiaries of larger U.S. entities and their parents' standard policies on government requests.
The JISC legal pages defined their own guidance only days before Microsoft UK managing director Gordon Frazer's admission that Microsoft's cloud and therefore others were not protected against U.S. authorities, even outside of U.S. jurisdiction.
Sometime before this, however, many universities were outsourcing to the cloud nonetheless, content in their own internal legal decisions, often coming to the same conclusions as the JISC committee did.
The University of Edinburgh did take into account the Patriot Act and U.S. law, considering how it would lawfully respond to such requests even if there was no direct connection to accessing data without the university's knowledge. The project wiki said:
"Even now, there are circumstances, such as terrorism-related investigations, when the US government could request access to our data via the UK authorities. Under these circumstances the University would be unlikely to not comply. This would not be any different if the data were stored by Microsoft. The data will remain under University control. UK and EU data privacy laws will apply."
Other institutions did not even consider the outward bounds of "the Dublin factor", where data is stored by Google, Microsoft or Apple, more often than not on Irish soil in a Dublin datacenter -- glossing over any seemingly external forces. Take the University of Warwick as an example:
"Email is stored at Microsoft's Data Centre in Dublin. It is important to us for legal reasons that email data is held within the EU rather than the US or elsewhere in the world, and Microsoft's service is the only one which is committed to this approach."
But from personal experience, the University of Kent [see disclosure] got it horrifically wrong. As one of the early adopters to Microsoft's educational outsourcing venture, Kent outsourced their email to Microsoft's Live@edu service long before many others did.
Though not a public case study for Microsoft's cloud services, other institutions looked at Kent to see how the logistics of transitioning panned out; for the most part successfully. This alone paved the way for others to follow suit. After speaking to Julia Goodfellow, the head of the University of Kent, before the contracts with Microsoft were signed, the university was fully aware of the risks.
I say that because I was the one who told them. Though only theory at the time, it was not an overriding factor against the other pressures the university faced, such as the financial difficulties it may have been facing post-recession. The theory was subsequently proved correct.
It is clear from the combined indirect efforts of the early adopters among these institutions (motives to be discussed in tomorrow's article), as well as a misguided and naive legal understanding of the wider implications of data sovereignty, that colleges and universities have for the most part been let down by other academic institutions.
The knock-on and ripple effect alone perpetuated the growth of outsourcing. It is clear that, while the European Parliament investigates Gordon Frazer's admission, many EU university chiefs have knowingly or unknowingly broken European data protection law in the process.
Talkback
RE: How universities got it so wrong over Patriot Act outsourcing
What is it that you think the "Net" has been hyped up to be?
Every byte of data that is not encrypted end-to-end is subject to public scrutiny, and always has been.
And despite what most of us would prefer, every government in the world considers all of the data of its citizens, and all of the data that passes its borders, to be available to it on request.
Yes, the EU has a few more rules than some, but ask Germany how much attention they pay to them.
At least the US comes right out and tells everyone what they are going to do, and the circumstances that they will do it under.
RE: How universities got it so wrong over Patriot Act outsourcing
Actually, for most businesses they do NOT represent good business sense, as they can place control of the daily operations at extreme risk and in the hands of others. An internal cloud set up, similar to a thin client or server system, does make sense, but not putting critical services or operations in another organisation's hands.
Yes, cloud services like a word processor can be useful to a student, so they can do assignments from any computer at the college or home without worrying about losing their USB drive or whether it will work, and can save them the cost of the software (although there are free alternatives) - but it also increases the risk of the data not being available if there is a connectivity issue of some sort; say the cable from the college to the cloud server is down because someone dug it up (happens a lot).
The Cloud is used to Obscure
Patriot Act trumps HIPAA. And the U.S. Justice Department is more corrupt than the Mafia. At least the mob has a system of ethics.
RE: How universities got it so wrong over Patriot Act outsourcing
Pointless. You think the U.S. won't send in jackboots to grab up the "shadow records" your physician has to keep just so he can keep the most basic referral data straight? I've been in the stacks of multiple departments. I've seen why you have to resubmit your history everywhere you go, and I've seen what the VA thinks they're doing is safe. At least when you go with Google and Microsoft you provide a financial incentive for them to put lawyers in the path of the Patriot Act. You bury it in your basement, and they'll just run over you when they come to take it.
RE: How universities got it so wrong over Patriot Act outsourcing
Because they broke international law, whether the United States is a party to that statute or not!
Seriously dude.... try thinking outside of the damned box.
Re; try thinking outside of the damned box.
No.
It is far too comfortable inside the box.
Just think about it: Nearly all thinking is done and finished with a long time ago.
So what
RE: How universities got it so wrong over Patriot Act outsourcing
Sorry, there is privacy, and there's a lot of it available, IF you take the time to utilise the resources available to ensure that. Mind you, I choose not to do that with a lot of stuff, but where I want privacy, I've got it - but then, I'm not in the Jackboot state of the USA.
RE: How universities got it so wrong over Patriot Act outsourcing
The only mental illness here is what you have, where you believe that there is no such thing as privacy.
RE: How universities got it so wrong over Patriot Act outsourcing
Another thing is that there are some aspects of the Patriot Act, such as the examination of data stored in another country, where the action stated constitutes an indictable offence under the laws of the other country. Thus, an attempt by US officials to examine the data stored in that country would make them felons in that country. Will the USA government then allow those people to be extradited and tried for their crimes? I doubt it.
The author of this article needs to get over the fact that the USA government does NOT run the world. Then they may be able to have a realistic look at what's going on.
So the greatest and brightest minds...
"Both Microsoft and Google, in particular, preyed on vulnerable institutions and made their cases for outsourcing clear."
Come on.
It is called espionage...