Think cloud, think Patriot Act
- — 17 October, 2012 16:23
In theory at least, there is the promise of saving money, faster turnaround time, no lengthy requirements gathering, purchasing of equipment, following project management life-cycle, no architects getting in the way debating good design, lengthy hardware and software procurement cycles just basic business requirements and a PO, in other words Credit Card IT. Sounds familiar, sounds easy, excellent.
Considering the dream sold, executives all on board, procurement about to commence and in comes "someone" maybe your resident security expert or just an informed business manager, and starts to mention data security, ownership of data, liabilities and responsibilities in case of a data breach, incident management and above all the 'Patriot Act'.
Well, there is no cloud sourcing discussion that I have been privy too that has not used these words, "so what about the Patriot Act" or "have we thought about the impact of the Patriot Act" it’s used like the Big Brother of all legislation, the Ace of Spades that everyone throws in when considering cloud sourcing.
Seriously is there anyone who has been in a cloud services conversation and has not heard about the Patriot Act? Well after a number of these discussions I thought what is the US Patriot Act, and how does it impact doing business down under, this is what I came up with.
From various law journals and Wikipedia definitions, which I am sure you have all read, the USA Patriot Act or just the Patriot Act stands for (The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act). It is a piece of United States legislation that was passed following the September 11, 2001, attacks on the World Trade Centre in New York City which made it easier for U.S. law enforcement officials to intercept electronic communications and business records. One of the controversial measures was that officials were granted the power to issue a National Security Letter to electronic communication service providers requiring them to hand over information without informing the affected parties (in some cases without any judicial oversight), this forms the basis of all discussions regards cloud sourcing and cloud computing when someone says "so what about the Patriot Act".
There is a lot more to it than just being a single act, for areas that impact the use of cloud services and cloud sourcing, there is a specific provision "s. 215" which deals with access to business records. Section 215 repealed and re-enacted provisions of the U.S. Foreign Intelligence Surveillance Act.2 Pursuant to s. 215 of the Patriot Act, the Federal Bureau of Investigation may apply to a federal judge for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities.
Now I am not a lawyer, or an expert in US law but have read enough material to say that even U.S. commentators agree that this definition covers electronic business records, which when applied to cloud services, means data assets stored and hosted by a cloud services provider in the US, which really means your organisations data if hosted through such a provider.
We will explore that that a bit further from a cloud computing and cloud services perspective, but whilst we are on the topic of laws and legislation, I would like to draw your attention to Statement on U.S.- Australia Legal Assistance Treaty from 1997 EPF309 04/30/1997, this treaty establishes modern framework for cooperation (410), where the United States and Australia signed a Mutual Legal Assistance Treaty (MLAT).
An extract from the U.S. Department of State Office of the Spokesman states that the types of legal assistance provided under the U.S.- Australia treaty include taking testimony or statements; providing documents, records and articles of evidence; transferring persons in custody for testimony or other purposes; locating or identifying persons; serving documents; executing requests for searches and seizures; freezing assets; assisting in proceedings related to seizure and restitution; and other forms of legal assistance. Now to non-legal practitioners this would seem that under the MLAT a U.S. Law Enforcement Agency (LEA) can invoke the Patriot Act and get access to an organisations data, however it is not as simple as it seems.
You must be wondering why not, there is a treaty in place and then if there is a treaty then the Patriot Act can be enforced.
Well I thought the same, and that got me even more curious on the underpinnings of the Patriot Act and if there was anything hidden somewhere within the sub-text and plethora of legal references regards the Fourth Amendment to the United States Constitution which states, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” The Electronic Communications Privacy Act of 1986 (ECPA), now the US Justice Information Sharing website suggests that ECPA was significantly amended by the Communications Assistance to Law Enforcement Act (CALEA) in 1994, the USA PATRIOT Act in 2001, the USA PATRIOT reauthorization acts in 2006, and the FISA Amendments Act of 2008. Other acts have made specific amendments of lesser significance, however what does that really mean to me as information security professional providing factual non emotive guidance to the business, well I thought the same and then referred to U.S. Dept. of Justice, Searching and Seizing Computers and Obtaining Electronic Evidence In Criminal Investigations (2009) paper which confused me even more.
I sat back and thought how a simple comment of "so what about the Patriot Act", has lead me to plethora of not only US regulation but a Mutual Legal Assistance Treaty (MLAT) between USA and Australia, all somehow linked to the discussion, can my organisations data be accessed by an LEA without my knowledge and also why is it hard for cloud service providers to answer this.
For those of us who understand "cloud", it’s not something that exists in the heavens; it is an array of interconnected systems where infrastructure, (IaaS), platforms (PaaS) and software (SaaS) are all offered as a service either independently or as a package. Where if the cloud service provider does not have a core competency across the domains will often have back-to-back agreements with other specialist providers that make up the packaged "cloud service", some or all of which may be originating out of the US.
So with the complexity and makeup of a cloud service and discussion around "so what about the PATRIOT Act", lead me to look at what established cloud service providers had to say or openly share and publish on their website and a good example I found that made sense and was written in plain enough English that provided a high level explanation was from Rackspace, I am in no shape or form endorsing or supporting Rackspace but found this to be a good example of what a "Cloud Services" organisation could do to explain to its customers who are concerned about data security as a first steps and above all the Patriot Act.
There are a number of other controls that an organisation would want to put into place when thinking about establishing cloud services that have been covered off in previous articles related to cloud or not to cloud, readiness for cloud services, governance of cloud services and once all of the above in place, ensuring cloud contracts are well structured and there is a robust auditing program for cloud services in place.
Now after all that, when someone says so "so what about the Patriot Act" or "have we thought about the impact of the Patriot Act" I reckon the discussion can be that we are aware of the Patriot Act and the responsibility to ensure that contractual instruments are in place to understand the cloud service providers approach on how best they would support the organisation, the service providers transparency and understanding and the explanation of the end to legal process if the organisations data was at risk to be accessed under either the MLAT or the Patriot Act will be the best course of action.
Please note that this is not legal advice, I am not a lawyer or an attorney, this is my independent view as an information security professional who wanted to understand the workings of the Patriot Act and my understanding is that if a US LEA is required to access an organisations data physically located in Australia by a cloud service provider they will have to undertake that through an Australian law enforcement agency under the Mutual Legal Assistance Treaty, however at the time of writing no clear guidance has been found on if the same process will be followed if the data is physically located within a US datacentre, as such the responsibility to ensure that contractual instruments are in place to understand the cloud service providers approach on how best they would support the organisation in the event of their data being accessed under the US Patriot Act.