Tuesday, August 9, 2011

The Cloud and the Asymmetric Patriot Act

USA PATRIOT Act of 2001
There have been numerous articles recently about cloud-based companies and their policies with regard to the Patriot Act. Most recently, Dropbox and Microsoft Office 365 generated headlines when the press found out that their end user license agreements include clauses that basically state that the company may have to hand customer data over to law enforcement authorities under certain circumstances – such as to comply with the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (in short, the USA PATRIOT Act).

Microsoft drew an additional dose of criticism as their policy apparently implies that they would repatriate and hand over data from European customers, even if the data resides on European soil. That, in turn, would be in violation of Europe’s data privacy and safe harbor laws, which raised many eyebrows. Europeans take personal privacy much more seriously than the United States does. For example, an employee’s email belongs to the employee in many European countries and not to the company, as is the law in the US. By the way, am I the only one who finds the whole notion of cloud data residing on some country’s soil a little paradoxical? Since when do clouds care about borders?

My take is that the problem might not lie with the cloud-based companies and their frivolous attitude towards their customers’ data. I believe that the challenge lies in the Patriot Act itself. The Patriot Act was signed into law in October 2001 as a response to 9/11, and it was extended in May 2011. The Act grants the US government sweeping privileges to access private data in case of suspected terrorist threats. The US law enforcement agencies can apparently get your private data by requesting access to, say, Dropbox servers because suspected terrorists might allegedly be using Dropbox to plan their activities.

This kind of law would seem to violate the 4th Constitutional Amendment, which protects citizens against unreasonable searches – law enforcement is supposed to get a court order, and not many European courts would ever allow this. But the Patriot Act was passed in the wake of 9/11, and anything to protect US citizens from terrorists has a higher priority than protecting their civil liberties.

This reminds me of the speech that Sun co-founder and former Chief Scientist Bill Joy gave at TEDtalks back in 2006. Joy spoke about the asymmetric threats in the scary world we live in: “We can’t give up the rule of law to fight an asymmetric threat and we can’t fight the threat the stupid way we are doing because a million dollar act causes a billion dollar damage which causes a trillion dollar response which is largely ineffective and almost certainly has made the problem worse.” If anything, Joy’s speech was understated as the 9/11 response has reached several trillions by now. The Patriot Act is part of that response and the cost keeps rising.

The effectiveness of the Patriot Act has been questioned many times but that’s not my point. The terrorists aren’t stupid and they know about it and they know about plenty of other data sharing services that are not run by American companies and are thus not subject to the Patriot Act. My point is that the generic and sweeping authority that the Patriot Act gave to the US government is scaring the good guys away from the Cloud.

At least 99.99% of people are not terrorists; they are people like you and me, and we get all nervous about using online services that do not offer us sufficient privacy. Many countries have a culture and laws that demand a much higher privacy protection than the United States. The customers are already worried about the hackers who could compromise their information. And now, even the government is snooping in my data? Perhaps my data is better protected if I use the online services of a company based in Germany or Canada - countries that are not subject to the Patriot Act?

The US economy needs stimulation. We shouldn’t be scaring away the privacy-loving Europeans. The United States could easily be known as the country where your data is the safest – attracting business from the entire world. But that is not what people think today. Right now, the secure data hosting business is going elsewhere.

The press is crucifying US cloud companies for the alleged vagueness in their end user policies. But what if those companies just try to do business in an environment that effectively forces them to have such clauses in their policies? Is the media barking up the wrong tree?

I know that a lot of good came out of the Patriot Act, but I suggest that in the era of cloud computing, it may need to be reviewed and possibly amended.

1 comment:

  1. Thanks, this is a very good summary of the situation. Let me add some European thoughts:

    The "safe harbor laws" are from a European perspective a self-commitment of US companies to align with certain rules and laws. I have seen many situations where it has just been forgotten to extend the safe harbor statement. For this reason lots of European companies don't see this as a plus to data privacy.

    Certifications like SAS 70 Level 2 or ISO 270001 are supposed to enforce data privacy in a data center world. In the end these certifications can be easily bypassed by the Patriot Act. The certifications are a nice item on your RFI/RFP check list to persuade the legal guy, but nothing more.

    Data Privacy in Europe is split into two domains:
    1. Data Storage
    2. Data Computing

    A lot of US companies believe in the concept that their cloud business is safe as long as a European data store is provided to European customers. If a file is consumed by an indexing service based out of the US, the data privacy laws are not enforced because the data is computed in the US. Bottom line, if US companies want to get into business in Europe, plans for a European data center are a must-have.
    At the moment there is a strategy to store and compute European data outside Europe by an opt-out agreement. From my understanding it is only a question of time until the Compliance Officer will disagree (e.g. see the ACC Conference in Berlin lately).
    Additionally it is good to understand that in a lot of European countries, data privacy is a part of the constitution. This means, e.g., if a US cloud company wants to operate in Switzerland, the company needs to have a legal entity, otherwise there will be no business. And also for this reason data privacy is not negotiable.
    Switzerland has the most strict data privacy laws in Europe and at the moment the country is becoming the number one spot for data centers for cloud services. No surprise. I hope the US will pick up this challenge. This will require cloud services to leave the technical geek discussions and move to a more legal discussion.