Summary: ZDNet's USA PATRIOT Act series

ZDNet's USA PATRIOT Act series: A summary of four extensively detailed posts, of how the Act can access data held outside the United States.
Written by Zack Whittaker, Contributor

This executive summary recaps a series of posts and a year's worth of research on how the USA PATRIOT ACT impacts cross-border clouds, and considers whether data is safe from the risk of interception or unwarranted searches by U.S. authorities; even European protected data.

Although this is a U.S.-oriented site and I am a British citizen, the issues I surface here affect all readers, whether living and working inside or outside the United States.


In short:

U.S. law enforcement could use the USA PATRIOT Act on a U.S.-based organisation -- like Microsoft, Google, Intel or Amazon, for example -- to force its local subsidiary companies across the world into handing over user data to U.S. authorities.

EU data once may have 'had to stay in Europe', but this is on the most part untrue. The Safe Harbor framework, designed to protect EU data in the United States, protects merely the transfer of data from Europe to U.S. soil. But as soon as it arrived on U.S. soil, Safe Harbor can be superseded by America's counter-terrorism law.

U.S. corporations survive by having subsidiary or smaller companies in foreign locations, to communicate and collaborate with their clients on the ground in their locale. These subsidiary companies are wholly owned and controlled by their U.S. parent. If a U.S. parent company receives a request from the U.S. government to inspect data held by a subsidiary company in a foreign location, the subsidiary would therefore have no choice but to hand over the data to their U.S.-based parent.

As a result, universities, businesses and organisations which hold vast quantities of student and citizen data in the European cloud, are not protected against the U.S. counter-terrorism laws, which arguably infringe the freedoms and liberties of non-U.S. citizens.

No company or organisation can wholly guarantee that data in European datacenters will under no circumstances leave European soil. Until a company comes forward and unequivocally states otherwise, then this series of posts stands true.

The 'cloud' is an abstract concept to newcomers: Access is granted from any device anywhere in the world. It stores files under your name, from photos to video and work documents. But in reality, these files are on a server in a datacenter -- on sovereign territory, somewhere, where a government's law applies.

Though the notion of 'privacy' in itself has become diluted with social networking settings and the loss or theft of mobile devices, privacy in itself relates directly back to the individual. As previously discussed, there is no such thing as "I have nothing to hide".

More often than not, this will be the United States; even if you live elsewhere in the world. The vast majority of ordinary citizens will think nothing of this conundrum. They should start paying attention along with the businesses that control vast quantities of citizen data.

Read the report:

Part 1: USA PATRIOT Act and the controversy of Canada The controversy of Canada, cloud computing and an act of law which holds America's closest neighbor to data protection ransom.

Part 2: Safe Harbor: Why EU data needs 'protecting' from US lawAn overview of the Safe Harbour principles, which allow data to flow freely between Europe and the US; but not without caution.

Part 3: Case study: How the USA PATRIOT Act can be used to access EU data A case study examining how European universities, and organisations even further afield, are risking their students' and customers security by outsourcing to the cloud.

Part 4: USA PATRIOT Act: The myth of a secure European cloud Concluding thoughts of the consequences of the USA PATRIOT Act on EU cloud data. And it's not good news.

Warm regards and personal thanks to my colleague and friend Jon Honeyball of PC Pro, who pointed me in the right direction over a year ago.

Editorial standards