|USA PATRIOT Act of 2001|
Microsoft drew an additional dose of criticism as their policy apparently implies that they would repatriate and hand over data from European customers, even if the data resides on European soil. That, in turn, would be in violation with Europe’s data privacy and safe harbor laws which raised many eyebrows. Unlike the United States, the Europeans take personal privacy much more seriously. For example, an employee’s email belongs to the employee in many European countries and not to the company as it is the law in the US. By the way, am I the only one who finds the whole notion of cloud data residing on some country’s soil a little paradoxical? Since when do clouds care about borders?
My take is that the problem might not lie with the cloud based companies and their frivolous attitude towards their customers’ data. I believe that the challenge lies in the Patriot Act itself. The Patriot Act has been signed into law in October 2001 as a response to 9/11 and it was extended in May 2011. The Act grants the US government sweeping privileges to access private data in case of suspected terrorist threats. The US law enforcement agencies can apparently get your private data by requesting access to say Dropbox servers because suspected terrorists might be allegedly using Dropbox to plan their activities.
This kind of law would seem to violate the 4th Constitutional Amendment which protects citizens against unreasonable searches – law enforcement is supposed to get a court order and not many European courts would ever allow this. But the Patriot Act has been passed in the wake of 9/11 and anything to protect the US citizens from terrorists has a higher priority than protecting their civil liberties.
This reminds me of the speech that Sun co-founder and former Chief Scientist Bill Joy gave at TEDtalks back in 2006. Joy spoke about the asymmetric threats in the scary world we live in: “We can’t give up the rule of law to fight an asymmetric threat and we can’t fight the threat the stupid way we are doing because a million dollar act causes a billion dollar damage which causes a trillion dollar response which is largely ineffective and almost certainly has made the problem worse.”. If anything, Joy’s speech was understated as the 9/11 response has reached several trillions by now. The Patriot Act is part of that response and the cost keeps rising.
The effectiveness of the Patriot Act has been questioned many times but that’s not my point. The terrorists aren’t stupid and they know about it and they know about plenty of other data sharing services that are not run by American companies and are thus not subject to the Patriot Act. My point is that the generic and sweeping authority that the Patriot Act gave to the US government is scaring the good guys away from the Cloud.
At least 99.99% of people are not terrorists; they are people like you and me and we get all nervous about using online services that do not offer us sufficient privacy. Many countries have a culture and laws that demand a much higher privacy protection than the United States. The customers are already worried about the hackers who could compromise their information. And now, even the government is snooping in my data? Perhaps, my data is better protected if I use the online services of a company based in the Germany or Canada - countries that are not subject to the Patriot Act?
The US economy needs stimulation. We shouldn’t be scaring away the privacy-loving Europeans. The United States could easily be known as the country where your data is the safest – attracting business from the entire world. But that is not what people think today. Right now, the secure data hosting business is going elsewhere.
The press is crucifying US cloud companies for the alleged vagueness in their end user policies. But what if those companies just try to do business in an environment that effectively forces them to have such clauses in their policies? Is the media barking up the wrong tree?
I know that there is a lot of good that came out of the Patriot Act but I suggest that in the era of cloud computing, it may need to be reviewed and possibly amended.