The Impact of the U.S. Patriot Act on Cloud Data Privacy: The Myths, the Rumors and the Reality

There’s a rumor circulating in Europe, igniting fear and paranoia among businesses and consumers alike: Big Brother is alive and well and living in a U.S.-based cloud. That is, cloud data privacy is in jeopardy. 

Allow us to explain.

Two European companies announced the creation of the first fully European “Database-as-a-Service” cloud offering – one that provided a “safe haven from the reaches of the U.S. Patriot Act.”

The press release goes on to say, “Under the Patriot Act, data from EU users of U.S.-owned cloud-based services can currently be shared with U.S. law enforcement agencies without the need to tell the user.”

Wait. Stop. Can what they’re saying be true? We all remember the Patriot Act – the post-9/11 legislation that was designed to help the U.S. government more efficiently track terrorists. 

We know it was created to help catch the bad guys, but does this act impact cloud data privacy for the rest of us in the cloud?

We went to our legal experts to get some real answers.

A Patriot Act Primer

The Patriot Act was signed into law by George W. Bush. It did not give U.S. law enforcement brand new ways to get data for its terrorist investigation. What it did do was expand the ways in which law enforcement could obtain that data.

“The common misperception is that the Patriot Act created new tools for data collection. In fact, it simply beefed up a few things to remove obstacles in following terrorist activity,” explained Alex Lakatos, partner with Mayer Brown LLP.

According to Lakatos, there are two expanded mechanisms that could directly relate to cloud data privacy: namely, the Foreign Intelligence Surveillance Act (FISA) and National Security Letters.

Let’s look at the “befores” and “afters.”

Before 9/11, the FISA Act required the FBI to get an approval from a special court to obtain the business records of suspected terrorists or terrorist groups. But, this data was limited to car rental, hotel, storage locker and common-carrier records.

Title II of the Patriot Act enabled the FBI to petition that same court to obtain books, records, papers, documents – including data in the cloud – to protect against international terrorism or clandestine intelligence activities. To get an order, the FBI has to specify what they’re looking for and explain why the documents are relevant to their investigation.

Under Section 215, it’s also true that the party receiving the FISA order (which could be a company or cloud provider) can’t disclose the fact to the individual under investigation, unless they contest that order after a one-year hiatus.

“The reality is the government rarely uses FISA orders […],” Lakatos said. “That’s a very minimal threat to cloud providers.”

National Security Letters are administrative subpoenas that enable the FBI and other government agencies, without court authorization, to obtain certain records relating to their terrorism investigations. Before the Patriot Act, the FBI and Secret Service already could get bank records, securities brokerages, and information from car dealers, pawn shops, casinos and realtors.

These agencies could also gain information from credit bureaus on the names and addresses of the financial institutions at which a suspected terrorist had an account; plus name, address and employment history of that person. The FBI could also use a National Security Letter to access subscriber information from service providers and electronic communications records.

The Patriot Act now enables the FBI, and other relevant agencies, to access full credit reports when conducting investigations related to international terrorism. It also imposes a gag order on persons receiving a National Security Letter. Again, that means that the provider can’t inform the individual under investigation that such a letter was submitted, nor the information provided to the agency.

“The types of data that the FBI and other authorities can gather through cloud providers with a National Security Letter are limited,” Lakatos said. “For example, they can request ‘envelope’ information from Internet providers but not actual message content. And again, I think it’s important to reiterate that what these government agencies are looking for is information to help them protect the U.S. against terrorists.”

The Reality Check

Although in recent months the topic is making a lot of headlines, in Lakatos’ perspective, it’s much ado about nothing.

“Those European providers are indicating that, through a U.S. cloud, our government has access to your data. But, guess what? It does anyway. If a suspected terrorist has pertinent data stored in a physical location or cloud in another country, if that country is an ally, that information can still be obtained,” Lakatos said.  “You can’t avoid the issue by avoiding U.S. service providers.”

Here’s the other key point: the United States isn’t any different than other countries when it comes to pursuing data for terrorism investigations. Meaning, if prosecutors in Europe need data held in the United States for the same kind of terrorism monitoring and tracking, they can probably get the U.S. to seize that data for them. That’s how governments work with their allies.

So, what about all that talk about providing a “safe haven” from the reaches of the U.S. Patriot Act?

“It’s marketing,” Lakatos said. “There is fear and ignorance in the market, and consumers may just avoid U.S. Cloud service providers without asking questions.”

It’s like putting a ‘no fructose’ label on a product that contains corn syrup. Both ingredients, and the risks associated with each, are virtually the same. But, by putting the right spin on it, the seller can change the buyer’s perception.

“The fact is, merely avoiding U.S. cloud service providers based on concerns about the Patriot Act provides no assurance that that cloud data is beyond the reach of the Patriot Act, nor does it provide protection against the risk that non-U.S. governments will access that data, either on their own initiative or in response to a request from the United States,” Lakatos said.

The net-net? Don’t make a vendor selection based on the home country of the provider alone.

“Look at all the relevant risk, review your cloud service contract, and consult your legal counsel,” Lakatos said. “And ask questions.”

You may find that the “safe haven” isn’t so safe after all. 

What are your thoughts on the effects of the Patriot Act on cloud data privacy? Let us know!

###

Source:

Alex C. Lakatos, partner in Mayer Brown LLP’s Financial Services Regulatory & Enforcement practice in Washington, DC.

 

Outsourcing Center, Patti Putnicki, Business Writer

Recent Posts

  • Business Challenge
  • Contract
  • Function
  • Governance
  • IT Applications
  • IT Infrastructure & Applications
  • Multisourcing
  • Service Level Agreement (SLA)
  • Time to Market
  • Transition
  • Vendor Management

The Meat and Potatoes of Multi-Vendors

While the glamorous multi-vendor deals are the ones garnering most of the attention in outsourcing,…

26 years ago
  • Contract
  • Function
  • Governance
  • IT Applications
  • Multisourcing
  • Procurement
  • Service Level Agreement (SLA)
  • Vendor Management

Teaming: Making Multi-Vendor Relationships Work

Since the late 1980's, outsourcing vendors have relied on subcontractors to perform part of the…

26 years ago
  • Business Challenge
  • Communication
  • Contract
  • Energy & Utilities
  • Financial Services & Insurance
  • Governance
  • Industry
  • Manufacturing
  • Time to Market
  • Vendor Management

Lateral Leadership For Organizations That Are Outsourcing

American firms continue their rapid expansion of service and product outsourcing. Companies signed major new…

26 years ago
  • Business Challenge
  • Communication
  • Contract
  • Financial Services & Insurance
  • Governance
  • Healthcare
  • Industry
  • Manufacturing
  • Pricing
  • Service Level Agreement (SLA)
  • Time to Market
  • Vendor Management

The Many Sides of a Re-Do

Outsourcing's maturation as an industry has created a substantial body of experience in 'renegotiating' and…

26 years ago
  • Business Challenge
  • Contract
  • Cost Reduction & Avoidance
  • CPG/Retail
  • Financial Services & Insurance
  • Government
  • Industry
  • Pricing
  • Risk-Reward
  • Service Level Agreement (SLA)
  • Time to Market
  • Transition
  • Vendor Management

EURO: Ready or Not, Here It Comes

On January 1, 1999, eleven member countries of the European Union (EU) will adopt the…

26 years ago
  • Business Challenge
  • Cost Reduction & Avoidance
  • Financial Services & Insurance
  • Function
  • Global Service Delivery
  • Industry
  • IT Applications
  • Manufacturing
  • Procurement

The Rise of Global Business Process Outsourcing

Business Process Outsourcing (BPO) is paving the way for leading companies to compete globally and…

26 years ago