Dangerous assumptions about clouds

No one is more vigilant about protecting the data of EU citizens than European Commission Vice-President Viviane Reding. She is spearheading and vigorously advocating for the Commission's proposals to update and modernize the privacy framework in Europe through a detailed new Regulation. She worries a lot about the privacy and security of EU citizens' data. And she can be a tough critic of the US privacy protection framework.

But even Commissioner Reding had to cry foul late last year when she saw the advertising of an EU Cloud Computing service suggesting that its geographic location would protect data from the reaches of the USA Patriot Act.


That episode prompted Mrs. Reding to issue a reminder about the importance of the free flow of data between the continents. Her comments reflected an understanding that Europeans need access to the best Cloud services regardless of geography and that, to enjoy the full benefits of Cloud computing, there cannot be a balkanized system of Clouds around the world where, as one commentator put it, "the fuzzy Internet cloud becomes a series of neatly divided gas bubbles."

Mrs. Reding no doubt was aware when she objected to the notion of an "EU Cloud" that even European countries with strict privacy laws also have anti-terrorism laws that allow expedited government access to Cloud data. Indeed, France's anti-terrorism law has been said to make the Patriot Act look "namby-pamby" by comparison.

While the Patriot Act continues to be invoked as a kind of shorthand to express the belief that the United States government has greater powers of access to personal data in the Cloud than governments elsewhere, and that "local clouds" are the solution, a recent study we conducted of the laws of Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, the United Kingdom and the United States shows that it is simply incorrect to assume that the United States government's access to data in the Cloud is greater than that of the other advanced economies.

Law enforcement and national security officials have broad access to data stored locally with Cloud service providers in the countries we investigated. Our research found that it is not possible to isolate data in the Cloud from governmental access based on the physical location of the Cloud service provider or its facilities, and that governments' ability to access data in the Cloud extends across borders.

Notably, every single country that we examined vests authority in the government to require a Cloud service provider to disclose customer data in a range of situations. Moreover, some governments permit invasive investigatory measures of Cloud providers when the investigation concerns national security.

For example, the German Federal Office of Criminal Investigation (BKA) may, in investigations involving terrorism or national security, use a "Federal Trojan" (a government-issued computer virus) to search a Cloud provider's servers, monitor ongoing communications, or collect communication traffic data without the knowledge of the target. In addition, the G10 Act provides German intelligence services with the authority to monitor and record telecommunications without a court order in investigation of a serious crime or a threat against national security, such as terrorism.

And certainly worth noting is the fact that in some of the jurisdictions we studied, there is the real potential of data relating to people being disclosed to governmental authorities voluntarily, without legal process and protections. In other words, governmental authorities can use their "influence" with Cloud service providers (who, it can be assumed, will be incentivized to cooperate since it is a governmental authority asking) to hand over information outside of any legal framework. United States law specifically protects such data from that kind of voluntary turn-over to the government.

And the Patriot Act? It commonly, but erroneously, is believed to have created invasive new mechanisms for the United States government to get information. The reality is that most of the investigatory methods in the Patriot Act were available long before it was enacted. And those investigative tools had, and still have, limitations imposed by the United States Constitution and by statute.


It is more accurate to say that the Patriot Act did not create broad new investigatory powers but, rather, expanded existing investigative methods, and retained Constitutional and statutory checks on abuse. The most invasive mechanisms of the Patriot Act are limited to non-personal and non-content data.

Protecting the privacy and security of the data in the Cloud should be a priority for Cloud operators, for those entrusting their data into the Cloud and for policymakers. But the desire to protect data in the Cloud should not mean that decisions are made based on false assumptions about governmental access to Cloud data.

One of Mrs. Reding's colleagues at the European Commission, Neelie Kroes, is poised to release the Commission's Cloud Strategy for Europe very soon. Certainly, that document will recognize that at a critical time for the economy of countries within the EU, Cloud computing has the potential to be an economic catalyst for the EU. False assumptions about "local Clouds" to protect data will limit the power of the Cloud model to help businesses innovate in a global economy. Knowing the facts helps.

Chris Wolf leads the global Privacy and Information Management Practice at Hogan Lovells US LLP and Winston Maxwell is a partner in the Hogan Lovells International LLP Paris Office.
