How worried should UK data guardians be about the Patriot Act?
The Patriot Act is sowing fear, uncertainty and doubt over the security of data held by US-owned cloud providers
In June of this year the managing director for Microsoft UK, Gordon Frazer, sent a wave of panic through businesses across Europe when he told a room full of journalists at the Microsoft Office 365 launch in London that he could not guarantee that data stored in Microsoft's European datacentres would not end up in the hands of the US government.
The US Patriot Act is the source of this fear. In the aftermath of the September 11 attacks on the World Trade Center and the Pentagon, the US government implemented the Act to combat international terrorism, and since the legislation came in, Section 215 has been the focus of much attention from those engaging in cloud services in Europe. Section 215 reads as follows:
SEC. 215. ACCESS TO RECORDS AND OTHER ITEMS UNDER THE FOREIGN INTELLIGENCE SURVEILLANCE ACT:
(a)(1) The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities.
Simply put, the FBI can obtain data from European companies that have their data stored in US-owned datacentres, even if the datacentres are on EU soil.
In addition, because any request for data would be part of a terrorist investigation, the company that owns the datacentre would be subject to a gagging order, and would also not be allowed to inform any customer that their information had been handed over to authorities.
This means that European businesses that store their data in US-owned datacentres could find their data ends up in the hands of the US government. These businesses would not know that their data had even left the country.
Some European companies are worried. Thibault Chevillotte, senior manager at UK business and technology service company Logica, says organisations in the European Economic Area should be concerned if their data is held in a datacentre owned by a US company.
"Businesses in the UK and Europe should definitely be worried about the US Patriot Act. US vendors have said that they can be requested to provide information back from European companies to US authorities," says Chevillotte.
Ulterior motive
Some industry watchers even believe the US could use the powers enshrined in the Patriot Act to gain information for purposes other than fighting terrorism.
"The Patriot Act is supposed to be linked with terrorism, but the truth of the matter is that we just don't know how it is being used. US companies [could] gain a competitive advantage against those in Europe," says Chevillotte. "We do not know that it is being used for these purposes, but we also cannot exclude the possibility."
Adding to this anxiety is an apparent determination on the part of US cloud technology providers to avoid discussing the issue of US government snooping. When asked for an interview on the subject, Microsoft declined. HP and Amazon did not respond to our request, while Dell and Salesforce said they did not have a spokesperson available to talk to us.
However, at least one US vendor believes the kind of concerns expressed by Chevillotte are unfounded in the many instances where the legal status of an EU-based company affects the US government's ability to access overseas data.
The only high-profile US cloud provider with operations in the UK and Europe we found willing to comment was server hosting provider Rackspace. Its legal counsel, both in the UK and the US, was clear in saying that there is no way that it would hand over data to the US because the US Patriot Act does not apply to its operations in Europe.
“We wouldn’t hand over data in the UK to our US operations because they are separate legal entities. If our US company was approached with a request for UK data under the US Patriot Act, it would say that the information was not within the US company’s control,” says Tiffany Lathe, vice president of legal for Rackspace.
“It’s within the control of our UK operations. I don’t have any issues with the US Patriot Act; it doesn’t affect us here in the UK,” she added.
Alternative access
However, focusing on the Patriot Act alone misses the fact that other legal processes exist through which the US authorities could access European data if they wanted to.
“Foreign intelligence officials could get information through other legal tools – the US Patriot Act is not the only one,” explains Jim Halpert, partner at law firm DLA Piper.
The US government can use subpoenas, for example, to obtain information from EU companies. Subpoenas require companies to produce evidence upon request from a government agency.
The difference is that it is harder to use these other legal tools as discreetly as the US Patriot Act. Typically, requests for information relating to a UK company would be done through the Mutual Legal Assistance Treaty, where an attaché to the US embassy in London would approach the government and discuss what the US wanted to do and how they wanted to do it. With this method there is typically no gagging order, which means that the company involved would be obliged to inform their customer that information had been provided to the government. This would not be the case with the US Patriot Act.
Data Protection Act
One source of legal protection that UK companies would expect to be able to turn to when looking to safeguard their information is the Data Protection Act (DPA). The DPA stipulates that a company cannot hand over data to other parties without the consent of the person or party that the information relates to.
So the DPA is in conflict with a request from the US under the Patriot Act. But expert legal opinion is that the US would win access to UK data in the end. Marc Dautlich, head of information law at Pinsent Masons, says that because the Patriot Act refers to terrorist activity, it would override the DPA.
“It [would] be considered that the sanctions under the Data Protection Act aren’t criminal, whereas the risks under the Patriot Act are very serious. It would be very bad if you were considered to be blocking an anti-terrorist operation in some way,” says Dautlich.
So where does this leave UK public data? Does the UK government trust foreign-owned datacentres for its government-wide cloud strategy, the G-Cloud?
According to Kate Craig-Wood, managing director of Memset, a UK-based cloud provider that is working closely with the government on its G-Cloud plans, it is unlikely that the UK government would place any sensitive data in a datacentre that wasn’t owned by a UK company.
“It has been made very clear from our dealings with the government and our involvement in the G-Cloud programme that sensitive data cannot be hosted outside UK territory,” says Craig-Wood.
“I doubt that [the government] would want any sensitive information to be stored in an American-owned Amazon or Microsoft cloud, even if it was based in Europe,” she adds.
All this is worrying for businesses in the UK, who are still unsure of the benefits of cloud computing and who continue to focus on the risks, especially when these risks are associated with the security of information and data.
According to a recent Computing survey, 32 per cent of IT decision makers still perceive the cloud to be insecure, and 26 per cent believe it is unproven and risky. This compares with just 16 per cent of respondents who believe it to be secure.
This lack of trust in the cloud will continue to prevail while customers do not know how their data is being handled and who is handling it. Legislation such as the US Patriot Act fuels this fear, and will continue to do so until all cloud vendors can say with certainty that placing data in the cloud is as safe as keeping it in your own datacentre.