02 Nov 2011
In June of this year the managing director for Microsoft UK, Gordon Frazer, sent a wave of panic through businesses across Europe when he told a room full of journalists at the Microsoft Office 365 launch in London that he could not guarantee that data stored in Microsoft’s European datacentres would not end up in the hands of the US government.
The US Patriot Act is the source of this fear. In the aftermath of the September 11 attacks on the World Trade Center and the Pentagon, the US government implemented the Act to combat international terrorism, and since the legislation came in, Section 215 has been the focus of much attention from those engaging in cloud services in Europe. Section 215 reads as follows:
SEC. 215. ACCESS TO RECORDS AND OTHER ITEMS UNDER THE FOREIGN INTELLIGENCE SURVEILLANCE ACT:
(a)(1) The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities.
Simply put, the FBI can obtain data from European companies that have their data stored in US-owned datacentres, even if the datacentres are on EU soil.
In addition, because any request for data would be part of a terrorist investigation, the company that owns the datacentre would be subject to a gagging order, and would also not be allowed to inform any customer that their information had been handed over to authorities.
This means that European businesses that store their data in US-owned datacentres could find their data ends up in the hands of the US government. These businesses would not know that their data had even left the country.
Some European companies are worried. Thibault Chevillotte, senior manager at UK business and technology service company Logica, says organisations in the European Economic Area should be concerned if their data is held in a datacentre owned by a US company.
“Businesses in the UK and Europe should definitely be worried about the US Patriot Act. US vendors have said that they can be requested to provide information back from European companies to US authorities,” says Chevillotte.
Ulterior motive
Some industry watchers even believe the US could use the powers enshrined in the Patriot Act to gain information for purposes other than fighting terrorism.
“The Patriot Act is supposed to be linked with terrorism, but the truth of the matter is that we just don’t know how it is being used. US companies [could] gain a competitive advantage against those in Europe,” says Chevillotte. “We do not know that it is being used for these purposes, but we also cannot exclude the possibility.”
Adding to this anxiety is an apparent determination on the part of US cloud technology providers to avoid discussing the issue of US government snooping. When asked for an interview on the subject, Microsoft declined. HP and Amazon did not respond to our request, while Dell and Salesforce said they did not have a spokesperson available to talk to us.
Under the guise of fighting terrorism, the Patriot Act was adopted WITHOUT public approval or vote just weeks after the events of 9/11. Such an unconstitutional set of laws should be abolished seeing as they violate human rights and due process. A mere 3 criminal charges of terrorism a year are attributed to this act, which is mainly used for no-knock raids leading to drug-related arrests without proper cause for search and seizure. The laws are simply a means to spy on our own citizens and to detain and torture dissidents without trial or a right to counsel. You can read much more about living in this Orwellian society of fear and see my visual response to these measures on my artist’s blog at http://dregstudiosart.blogspot.com/2011/09/living-in-society-of-fear-ten-years.html
Posted by: Brandt Hardin 08 Nov 2011
Haven't you guys thought about encryption and its use within cloud services?
How are they not going to have to notify the company whose data it is?
They need the encryption key to access the data (I know, this isn't as relevant to hosted servers) but would absolutely be the case if it was a professionally managed backup of the company data.
Posted by: Liam 07 Nov 2011
Surely companies like Microsoft can get around the problem by using UK/European partner companies (who won't be subject to the Patriot Act) to host the data?
There is another, arguably bigger, issue here for the UK: the lack of a level European playing field when it comes to data security and compliance. European governments need to get their acts together and introduce some guidelines, otherwise they risk missing the economic opportunity that cloud computing represents.
Anyone got any thoughts on this?
Visit - http://linkd.in/td8og5
www.white-write.co.uk
Posted by: Caroline White 07 Nov 2011
The Patriot Act, as Derek quite plainly points out in his article, allows low-grade US public employees access to UK company data. Millions of them.
Many such officials will be on low salaries. This poses three risks:
1. Bribes - low pay + access to highly valuable information is a dangerous combination. Access to information by this Act is routine, requires no court action, and even when logged is so commonplace investigations are not necessarily triggered.
2. Espionage. The deliberate infiltration of low grade US public sector jobs by foreign agents and those in the pay of foreign governments.
3. Data leakage through public sector officials - do police agents get trained in data leakage? I bet the same as other users they take discs home, or store info in dropbox, or place it on memory sticks and leave it in taxis.
All such laws are subject to 'mission creep'. You only have to look at the use of the Regulation of Investigatory Powers Act in the UK - also justified on the grounds of national security - fighting terrorism and organised crime. Our councils routinely use it to manage such well known risks as benefit fraud and antisocial behaviour - and FoI requests have shown its usage in the many, many thousands of instances.
Rather than 'Patriot Games', the headline should have been 'Clear and Present Danger'
Posted by: Lord Gaga 07 Nov 2011
In response to your points...
- Yes the UK Govnt does place data in US owned datacentres, but this is dependent on impact level. Perhaps I should have been clearer in my article, but the person I spoke to informed me that data that falls between impact level 0 and 2, which is data that is either publicly available or not very sensitive, could be stored in US owned datacentres. However, government data that is sensitive, so impact level 3 or above, is unlikely to end up on US owned kit. This is what I was informed.
- You are 100% correct in saying that the Patriot Act does not specifically relate to the cloud, but this does not mean that it is not relevant to the cloud. The Patriot Act would have no impact on a company that owned its own datacentre, but by putting information in the cloud you are potentially running a risk. By placing information in the cloud, the Patriot Act could impact your data.
- This article was not intended to make out that the US is the wild west, but is meant to highlight that the risk is there. Although it may be improbable that the US Patriot Act would be used to get hold of your data, it isn't impossible. It is important to highlight this.
Cheers,
Derek
Posted by: Derek du Preez 03 Nov 2011
Yet another article where no one knows what they are talking about regarding the Patriot Act.
Here are some real facts:
- UK Gov places huge amounts of data in datacenters hosted in the UK and owned by US companies and have been doing so for years and years: e.g. HP, IBM, CSC, THALES, EADS.
- Patriot Act is about enforcing requests to gain physical access to information and data. Patriot Act has nothing to do with "cloud" or technology per se.
- The US is not the wild west (any more) in terms of requesting data from companies resident in the UK. There is more likelihood of being run over by a bus on the way to work than anyone ever ever getting a Patriot Act request.
I could go on, but I won't... people need to get the facts and stop the hype.
Cheers,
Daniel.
Posted by: Daniel Matthews 02 Nov 2011