The Cloud Privacy Illusion
Laws around the world allow governments free access to data in the cloud. What may come as a surprise is that Mutual Legal Assistance Treaties facilitate cooperation across international boundaries. Under these MLATs, the U.S. and EU member states allow law enforcement authorities to request data on servers of cloud providers located in any countries that are part of the MLATs.
Privacy in the cloud may be an illusion, given the known cybersecurity risks, not to mention the laws in the U.S. and around the world that permit government agencies relatively easy access to remote data including data stored in the cloud.
Of course, businesses have relied on storing data in the cloud for more than 50 years. While many companies take great pains to protect cloud data from cyberthreats, they have no way to prevent governments from freely accessing their cloud data. Companies using the cloud may not realize that cloud data is more vulnerable than other remotely stored data, including data held in disaster recovery locations.
Generally, IT security experts are alarmed that most businesses that use the cloud do not consider how vulnerable their data is from a cybersecurity standpoint. Oftentimes, cloud solutions are chosen by businesses to reduce IT infrastructure costs, with little regard for the actual security of cloud data from cybercriminal or government access.
Most will remember that in the aftermath of 9/11, the U.S. Patriot Act became law. The Patriot Act permits the U.S. government, without court orders, to have simplified access to telephone, email, and electronic records to gather intelligence in the name of national security.
The official name of the Patriot Act says a great deal about its purpose: "Uniting and Strengthening America by Providing Appropriate Tools Required To Intercept and Obstruct Terrorism Act of 2001."
Of course before there was a Patriot Act, law enforcement agencies had access to many types of data, including cloud data, by conventional means, such as obtaining court-issued search warrants. Another example is the Foreign Intelligence Surveillance Act (FISA), passed in 1978 and amended by the Patriot Act, which addresses other approaches to electronic surveillance and collection of foreign intelligence information.
Conclusions About Government Access
We are not alone. Laws around the world allow governments free access to data in the cloud. What may come as a surprise is that Mutual Legal Assistance Treaties (MLATs) facilitate cooperation across international boundaries. Under these MLATs, the U.S. and EU member states allow law enforcement authorities to request data on servers of cloud providers located in any countries that are part of the MLATs.
On May 23, 2012, international law firm Hogan Lovells published a white paper entitled " A Global Reality: Government Access to Data in the Cloud." Some of the white paper's conclusions:
On the fundamental question of governmental access to data in the Cloud, we conclude, based on the research underlying this White Paper, that it is not possible to isolate data in the Cloud from governmental access based on the physical location of the Cloud service provider or its facilities. Government's ability to access data in the Cloud extends across borders. And it is incorrect to assume that the United States government's access to data in the Cloud is greater than that of other advanced economies.The White Paper makes this additional observation when comparing the U.S. Patriot Act to comparable European laws:
... our survey finds that even European countries with strict privacy laws also have anti-terrorism laws that allow expedited government access to Cloud data. As one observer put it, France's anti-terrorism laws make the Patriot Act look "namby-pamby" by comparison.The analysis of the MLATs in the Hogan Lovells' white paper continues with details about the following countries: U.S., Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain and the United Kingdom. If your company does business in any of those countries, you may want to become more aware of the data privacy risks.
When Does the US Government Need a Warrant?
Prior to the enactment of the Patriot Act, search and seizure of Internet data was generally subject primarily to the protections afforded by the 4th Amendment of the Constitution:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.The decision by a judge to issue a warrant to permit a search and seizure includes balancing the need for the search against the protected interests of liberty, property and privacy.
In the context of electronic data, the diversity of data types and sources has led to a variety of approaches as to what constitutes a reasonable search and seizure. Depending on the jurisdiction, as well as the device or data sought or investigation pending, a court may require different levels of detail before issuing a warrant.
For this discussion, the term "devices" will broadly refer to desktops, laptops, cellphones, tablets, external hard drives or memory storage, or any other computer-related technologies that could store or transmit data.
One of the first distinctions to make is whether the data sought is "inside" or "outside" a device. "Inside" and "outside" helps to establish who possesses the data and what laws may regulate it. Another distinction is between personal or non-personal use. Further, the "expectation of privacy" is important to the evaluation of a reasonable search, and that expectation is impacted by the location of the data.
When data resides on a computer used strictly for personal matters, there is a greater expectation of privacy than if the data is stored on a device used for a business or government purpose. Similarly, where the data may be available for some public access, there is less or no expectation of privacy.
In a criminal matter, if the data are "inside" the device, there are issues of verifying who was using the device when the crime occurred, locating the device, obtaining the search warrant or consent to search, and forensic analysis of the device.
If the data is "outside" the device, then collecting the data probably invokes the 1986 Stored Communications Act, which law controls data posted by users on Internet hosts such as Facebook, Google, LinkedIn and other social media sites.
Based on Terms of Service (which very few people read), Internet hosts rarely provide any information in a civil lawsuit unless the owner of that data agrees in writing, relying on the Stored Communications Act in a civil proceeding -- but governments can get that same data in a criminal proceeding without the permission of the owner of the data.
Privacy Groups and Government Access to the Internet
Among the many privacy issues the Electronic Privacy Information Center (EPIC) focuses on are those implicated in the Patriot Act and relating to personal data stored on the cloud and remote Internet sites. EPIC's overview of the Patriot Act includes these statements:
The implications for online privacy are considerable. ... The Act also extends the government's ability to gain access to personal financial information and student information without any suspicion of wrongdoing, simply by certifying that the information likely to be obtained is relevant to an ongoing criminal investigation.The impact of the MLATS between the U.S. and EU is not discussed by EPIC, but EPIC does devote a great deal of resources to monitoring privacy in the EU. There, Directive 95/46 of the European Parliament and the Council of 24 October 1995 was established
... to provide a regulatory framework to guarantee secure and free movement of personal data across the national borders of the EU member countries, in addition to setting a baseline of security around personal information wherever it is stored, transmitted or processed.The Electronic Frontier Foundation (EFF) also dedicates a great deal of resources to protect privacy and specifically focuses on the Patriot Act. The EFF produced a white paper entitled "Patterns of Misconduct: FBI Intelligence Violations from 2001-2008" based on a review of about 2,500 pages of FBI documents secured from Freedom of Information Act requests. The EFF White Paper states the following:
The documents suggest that FBI intelligence investigations have compromised the civil liberties of American citizens far more frequently, and to a greater extent, than was previously assumed. ... From 2001 to 2008, the FBI engaged in a number of flagrant legal violations, including:
- submitting false or inaccurate declarations to courts.
- using improper evidence to obtain federal grand jury subpoenas.
- accessing password protected documents without a warrant.
Assuming the EFF's findings are accurate regarding the FBI's access to personal data on the Internet, the privacy expectation of Internet data in the U.S. should be of concern to the business community.
In ConclusionSecurity of data in the cloud should be of concern to all businesses, whether that concern is due to cybercriminals or governments.
In particular, businesses relying on the cloud should be mindful of these privacy risks of cloud data being captured by governments, foreign and domestic.