Dangerous assumptions about clouds
Attorneys Christopher Wolf and Winston Maxwell debunk common assumptions about 'local clouds', the Patriot Act, and (many) governments' access to data
By Chris Wolf and Winston Maxwell | CSO | Published: 12:46, 01 August 2012
No one is more vigilant about protecting the data of EU citizens than European Commission vice-president Viviane Reding. She is spearheading and vigorously advocating for the Commission's proposals to update and modernise the privacy framework in Europe through a detailed new Regulation. She worries a lot about the privacy and security of EU citizens' data. And she can be a tough critic of the US privacy protection framework.
But even Commissioner Reding had to cry foul late last year when she saw the advertising of an EU Cloud Computing service suggesting that its geographic location would protect data from the reaches of the USA Patriot Act.
That episode prompted Mrs Reding to issue a reminder about the importance of the free flow of data between the continents. Her comments reflected an understanding that Europeans need access to the best cloud services regardless of geography and that to enjoy the full benefits of cloud computing, there cannot be a balkanised system of clouds around the world where as one commentator put it, "the fuzzy internet cloud becomes a series of neatly divided gas bubbles."
Mrs Reding no doubt was aware when she objected to the notion of an "EU cloud" that even European countries with strict privacy laws also have anti-terrorism laws that allow expedited government access to cloud data. Indeed, France's anti-terrorism law has been said to make the Patriot Act look "namby-pamby" by comparison.
While the Patriot Act continues to be invoked as a kind of shorthand to express the belief that the United States government has greater powers of access to personal data in the cloud than governments elsewhere, and that "local clouds" are the solution, a recent study we conducted of the laws of Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, United Kingdom and the United States shows that it is simply incorrect to assume that the United States government's access to data in the cloud is greater than that of the other advanced economies.
Law enforcement and national security officials have broad access to data stored locally with cloud service providers in the countries we investigated. Our research found that that it is not possible to isolate data in the cloud from governmental access based on the physical location of the cloud service provider or its facilities, and that Governments' ability to access data in the cloud extends across borders.
Notably, every single country that we examined vests authority in the government to require a cloud service provider to disclose customer data in a range of situations. Moreover, some governments permit invasive investigatory measures of cloud providers when the investigation concerns national security.
For example, the German Federal Office of Criminal Investigation (BKA) may, in investigations involving terrorism or national security, use a "Federal Trojan" (a government-issued computer virus) to search a cloud provider's servers, monitor ongoing communications, or collect communication traffic data without the knowledge of the target. In addition, the G10 Act provides German intelligence services with the authority to monitor and record telecommunications without a court order in investigation of a serious crime or a threat against national security, such as terrorism.
And certainly worth noting is the fact that in some of the jurisdictions we studied, there is the real potential of data relating to people being disclosed to governmental authorities voluntarily, without legal process and protections. In other words, governmental authorities can use their "influence" with cloud service providers who, it can be assumed, will be incentivised to cooperate since it is a governmental authority asking to hand over information outside of any legal framework. United States law specifically protects such data from that kind of voluntary turn-over to the government.
And the Patriot Act? It commonly, but erroneously, is believed to have created invasive new mechanisms for the United States government to get information. The reality is that most of the investigatory methods in the Patriot Act were available long before it was enacted. And those investigative tools had, and still have, limitations imposed by the United States Constitution and by statute.
It is more accurate to say that the Patriot Act did not create broad new investigatory powers but, rather, expanded existing investigative methods, and retained Constitutional and statutory checks on abuse. The most invasive mechanisms of the Patriot Act are limited to non-personal and non-content data.
Protecting the privacy and security of the data in the cloud should be a priority for cloud operators, for those entrusting their data into the cloud and for policymakers. But the desire to protect data in the cloud should not mean that decisions are made based on false assumptions about governmental access to cloud data.
One of Mrs Reding's colleagues at the European Commission, Neelie Kroes, is poised to release the Commission's Cloud Strategy for Europe very soon. Certainly, that document will recognise that at a critical time for the economy of countries within the EU, cloud computing has the potential to be an economic catalyst for the EU. False assumptions about "local clouds" to protect data will limit the power of the cloud model to help businesses innovate in a global economy. Knowing the facts helps.