The Cloud Privacy Illusion
By Peter S. Vogel
Part of the ECT News Network
08/08/12 5:00 AM PT
Laws around the globe allow governments free access to data within the cloud. What may come as a surprise is that Mutual Legal Assistance Treaties facilitate cooperation across international boundaries. Under these MLATs, the U.S. and EU member states allow law enforcement authorities to request data on servers of cloud providers located in any countries that are part of the MLATs.
Privacy in the cloud can be an illusion, given the known cybersecurity risks, let alone the laws within the U.S. and around the globe that give government agencies relatively easy access to remote data, including data stored in the cloud.
Of course, businesses have trusted storing data in the cloud for more than 50 years. While many companies take great pains to protect cloud data from cyberthreats, they have no way to prevent governments from freely accessing their cloud data. Companies using the cloud may not realize that cloud data is more vulnerable than other remotely stored data, including data held in disaster recovery locations.
Generally, IT security experts are alarmed that almost all businesses that use the cloud don’t consider how vulnerable their data is from a cybersecurity standpoint. Oftentimes, cloud solutions are chosen by businesses to minimize IT infrastructure costs, with little regard for the true security of cloud data from cybercriminal or government access.
Most will remember that in the aftermath of 9/11, the U.S. Patriot Act became law. The Patriot Act permits the U.S. government, without court orders, to have simplified access to telephone, email, and electronic records to collect intelligence in the name of national security.
The official name of the Patriot Act says a great deal about its purpose: “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.”
Of course, before there was a Patriot Act, law enforcement agencies had access to many sorts of information, including cloud data, by conventional means, such as obtaining court-issued search warrants. Another example is the Foreign Intelligence Surveillance Act (FISA), passed in 1978 and amended by the Patriot Act, which addresses other approaches to electronic surveillance and collection of foreign intelligence information.
Conclusions About Government Access
We aren’t alone. Laws around the globe allow governments free access to data in the cloud. What may come as a surprise is that Mutual Legal Assistance Treaties (MLATs) facilitate cooperation across international boundaries. Under these MLATs, the U.S. and EU member states allow law enforcement authorities to request data on servers of cloud providers located in any countries that are part of the MLATs.
On May 23, 2012, international law firm Hogan Lovells published a white paper entitled “An International Reality: Government Access to Data inside the Cloud.” One of the white paper’s conclusions:
On the basic question of governmental access to data inside the Cloud, we conclude, in line with the research underlying this White Paper, that it’s not possible to isolate data inside the Cloud from governmental access in response to the physical location of the Cloud corporation or its facilities. Government’s ability to access data inside the Cloud extends across borders. And it’s incorrect to imagine that the United States government’s access to data within the Cloud is bigger than that of different advanced economies.
The White Paper makes this additional observation when comparing the U.S. Patriot Act to comparable European laws:
… our survey finds that even European countries with strict privacy laws even have anti-terrorism laws that permit expedited government access to Cloud data. As one observer put it, France’s anti-terrorism laws make the Patriot Act look “namby-pamby” by comparison.
The analysis of the MLATs in the Hogan Lovells white paper continues with information about these countries: U.S., Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain and the UK. If your company does business in any of these countries, you may want to become more aware of the data privacy risks.
When Does the U.S. Government Need a Warrant?
Prior to the enactment of the Patriot Act, search and seizure of Internet data was generally subject primarily to the protections afforded by the 4th Amendment of the Constitution:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The decision by a judge to issue a warrant permitting a search and seizure involves balancing the need for the search against the protected interests of liberty, property and privacy.
In the context of electronic data, the variety of data types and sources has led to a range of approaches as to what constitutes a reasonable search and seizure. Depending on the jurisdiction, as well as the device or data sought or the investigation pending, a court may require different levels of detail before issuing a warrant.
For this discussion, the term “devices” will broadly refer to desktops, laptops, cellphones, tablets, external hard drives or memory storage, or any other computer-related technologies that may store or transmit data.
One of the primary distinctions to make is whether the data sought is “inside” or “outside” a device. “Inside” and “outside” help determine who possesses the data and what laws may regulate it. Another distinction is between personal and non-personal use. Further, the “expectation of privacy” is significant to the evaluation of a reasonable search, and that expectation is affected by the location of the data.
When data resides on a computer used strictly for private matters, there is a greater expectation of privacy than if the data is stored on a device used for a business or government purpose. Similarly, where the data is available for some public access, there is less or no expectation of privacy.
In a criminal matter, if the data is “inside” the device, there are problems with verifying who was using the device when the crime occurred, locating the device, obtaining the search warrant or consent to search, and forensic analysis of the device.
If the data is “outside” the device, then collecting it probably invokes the 1986 Stored Communications Act, which governs data posted by users on Internet hosts such as Facebook, Google, LinkedIn and other social media sites.
Based on Terms of Service (which only a few people read), Internet hosts rarely provide any information in a civil lawsuit unless the owner of that data agrees in writing, relying on the Stored Communications Act in a civil proceeding, but governments can get that very same data in a criminal proceeding without the permission of the owner of the data.
Privacy Groups and Government Access to the Internet
Among the various privacy issues the Electronic Privacy Information Center (EPIC) focuses on are those implicated by the Patriot Act and those relating to personal data stored in the cloud and on remote websites. EPIC’s overview of the Patriot Act includes these statements:
The implications for online privacy are considerable. … The Act also extends the government’s ability to gain access to non-public financial information and student information without any suspicion of wrongdoing, with the aid of certifying that the data prone to be obtained is relevant to an ongoing criminal investigation.
The impact of the MLATs between the U.S. and EU is not discussed by EPIC, but EPIC does devote a substantial amount of resources to monitoring privacy within the EU. There, Directive 95/46 of the European Parliament and the Council of 24 October 1995 was established
… to offer a regulatory framework to assure secure and free movement of private data around the national borders of the European Union member countries, besides setting a baseline of security around personal information wherever it is stored, transmitted or processed.
The Electronic Frontier Foundation (EFF) also dedicates a lot of resources to protecting privacy and specifically focuses on the Patriot Act. The EFF produced a white paper entitled “Patterns of Misconduct: FBI Intelligence Violations from 2001-2008” based on a review of about 2,500 pages of FBI documents secured from Freedom of Information Act requests. The EFF White Paper states the following:
The documents suggest that FBI intelligence investigations have compromised the civil liberties of Americans way more frequently, and to a better extent, than was previously assumed. … From 2001 to 2008, the FBI engaged in lots of flagrant legal violations, including:
- submitting false or inaccurate declarations to courts.
- using improper evidence to procure federal grand jury subpoenas.
- accessing password protected documents with no warrant.
Assuming the EFF’s findings are accurate concerning the FBI’s access to private data on the Internet, the privacy expectation of Internet data within the U.S. must be of concern to the business community.
Security of data in the cloud can be of concern to all businesses, whether that concern is because of cybercriminals or governments.
In particular, businesses relying on the cloud need to be mindful of the privacy risks of cloud data being captured by governments, foreign and domestic.