It's 1 am - do you know where your data is?

Written by Simon Bisson, Contributor, and Mary Branscombe, Contributor

If you're using a US-owned or hosted cloud service provider, then there's no way of knowing.

That's because the US's PATRIOT Act means the US government can access and copy your data, without you knowing. And it's not just data that's on disks in the US that can be requested - it can be data held anywhere in the world. National and EU data protection and privacy rules don't apply, and the Safe Harbour provisions turn out to be neither safe nor a haven.

A group of us had suspected that was the case for some time, and have been trying to get a straight answer from any cloud provider, getting bounced back and forth from PR to legal and back again. In the end it was our ZDNet US colleague Zack Whittaker who got the answer we'd been waiting for, from Microsoft UK's MD Gordon Frazer at the Office 365 launch event a couple of weeks ago. It was an answer that's opened an enormous can of worms, and sparked debate in the European Parliament, as Frazer confirmed that the US PATRIOT Act overruled European privacy directives and the Safe Harbour agreement, as well as the UK Data Protection Act, for US-owned organisations and US-situated subsidiaries of European companies.

That means that the US government can (under the auspices of the act) request the data of any individual or company that's using US-owned or hosted services, no matter where that data is actually being held. It doesn't matter if you've geo-locked your data, and it only resides in European data centres, it can still be requisitioned and taken to the US. Yes, it's an issue of national security, but when results can be found by machine learning and trawling massive data sets (the larger the better), there's a temptation for governments to take all they can and more.

Microsoft's Frazer has said that the company would try to let data owners know if there's been a request for their data - but there are circumstances, a National Security Letter for example, which mean that data can be seized secretly. So there's no way of actually knowing if your data has been exported. It's not just Microsoft that's affected by this - it's nearly every major cloud provider, including Amazon, Google, Rackspace, and Salesforce.

That admission has understandably upset the European Parliament - which negotiated the current Safe Harbour agreement with the US government, understanding that it meant the data in the EU would remain in the EU. The first of what look likely to be several debates on the issue was held today, with a more substantive session due in September. It's unclear what the outcome of these debates will be - but it could be very bad for the nascent cloud computing industry.

The PATRIOT Act isn't the only issue to consider when looking at the cloud. Things get more complex if you're using a .COM or similar top-level domain, as the US Department of Homeland Security is able to seize domains where it believes an illegal act has occurred - no matter where the server is hosted. That doesn't mean your data is gone, just the DNS records. With US law often at odds with the rest of the world, it's clear that anyone wanting to use a .COM address or a US host needs to be familiar with US law as much as with British and European legislation.

I'm not blaming the US here - the UK government and police have similar powers and can use them in similar ways. The real cause of this collision of laws is the rapid growth of the Internet, and the even faster growth of cloud services. A law made a decade ago isn't fit for purpose in today's world of fluid data and workload computing. What used to sit on a 100GB hard disk on a Pentium server is now a multi-terabyte storage pool connected to a compute node that could be a fraction of a server, or many hundreds of machines distributed around the world, all served up on a massive content distribution network, with data replicated in massive data centres all round the world.

Legislators and law enforcement around the world need to work with ISPs and hosting providers, along with electronic civil liberties groups and transnational bodies, to develop a better framework for international cooperation that can protect privacy and intellectual property, while at the same time recognising the legitimate need of governments to protect citizens and preserve the rule of law. It's a delicate tightrope that needs to be walked carefully, where checks and balances work to preserve liberties, protecting data everywhere. Otherwise the alternative will be governments using sledgehammers like PATRIOT, Sarbanes-Oxley, and RIPA to crack a very tiny nut indeed - leaving our innocent data collateral damage in a war between conflicting privacy and data security policies.

We're at a point where law and technology - and our expectations - are diverging. It's time for everyone to get around the table and discuss what an acceptable global privacy and information security regime may be, what circumstances will allow trans-national actions, and under whose auspices those actions are undertaken. If action isn't taken soon, the open and public Internet we've grown so used to will fragment and fall apart, trapped inside national borders like Prestel and Minitel.

And that is a really depressing thought.

Simon Bisson
