Friday, May 25, 2012

A Global reality: don't put your data in the cloud, Mrs Worthington

Hogan Lovells have produced a very practical and succinct white paper, A Global Reality: Governmental Access to Data in the Cloud.

The authors examine government access to personal data in the cloud across ten jurisdictions and conclude that we're kidding ourselves if we believe controls on government access are tighter in the EU than the US.
"Businesses often assume knowledge of the laws regulating
governmental access to data in their home jurisdictions, and
they make further assumptions about the legal regimes
abroad where Cloud service providers may be located."
The authors mention the PATRIOT Act as a particular bogey man for critics of the US in this regard. Whereas the PATRIOT Act does give governmental authorities wide-ranging powers, equivalent anti-terrorism laws in other jurisdictions mean that
"Every single country ... examined vests authority in the
government to require a Cloud service provider to disclose
customer data in certain situations, and in most instances
this authority enables the government to access data
physically stored outside the country’s borders, provided
there is some jurisdictional hook."
The result is that:
"Some erroneously believe the best way to limit governmental
access to data is to use Cloud service providers present only
in “safe” jurisdictions – places where data are thought to be
free from troublesome governmental access."
But even when particular jurisdictions don't seem to have nominally permissive access regimes,
"The existence of Mutual Legal Assistance Treaties greatly
diminishes any argument that data stored in one jurisdiction
is immune from access by governmental authorities in
another jurisdiction." 
Just as civil rights activists have been explaining for years, you can drive a coach and horses through the loopholes in the statutory protections for privacy in the EU.

The report points out that, in terms of protection, the EU could, by virtue of the existence of the data retention directive (Directive 2006/24/EC), be structurally weaker on personal data protection in theory than the US.
"a law that perpetuates the existence of data that might not otherwise be available to governmental authorities (because it would have been deleted) is a factor to be considered in evaluating the favorability of one jurisdiction over another as a service provider location."
Being a short overview of 10 jurisdictions the Hogan Lovells report doesn't have the capacity to go into the practical application of the various legal regimes. They clearly and succinctly outline the situation in each jurisdiction - the US, Canada, Australia, Denmark, France, Germany, Ireland, Japan, Spain and the UK and also note that "Proposals for reform of privacy rules in the EU do not contemplate altering the current environment in which law enforcement has significant access to data in the Cloud."  In the UK, for example,
"The government may intercept communications if doing so is
“necessary” in the interests of national security; for the
prevention or detection of a serious crime; to safeguard the
economic well-being of the UK; or in response to a request
under an international mutual legal assistance agreement.
There is no need for court approval and the details of such
an “interception warrant” must be kept secret."
The table at the end of the paper provides a neat summary indicating you can barely slip a cigarette paper between the access regimes across all 10 jurisdictions reviewed. The lesson?

For the foreseeable future, if you want to protect your data from essentially unrestrained government access (without even thinking about private sector and criminal access and sharing), don't put your data in the cloud, Mrs Worthington.

Report authors, Winston Maxwell and Christopher Wolf, should be commended for condensing a complex subject in such an accessible way.

Update: One of the smartest thinkers/practitioners around on privacy and the Net, Caspar Bowden, has pointed out that the over-simplification in the report, as simplification often does, distorts the real story here. The claim that the EU might be structurally weaker than the US on privacy regulations, for example, does not stand up to any kind of close scrutiny. Caspar draws particular attention to the DOJ's belief that the PATRIOT Act is subject to secret government interpretation, and additionally that such claims are unsustainable when the details of the PATRIOT Act and the FISA (Foreign Intelligence Surveillance Act) Amendments Act 2008 (s.1881a) are examined and compared to EU regulations.

Update 2

Caspar Bowden says:
"This paper, and several others of its kind over past few years, manage to avoid mentioning ... :

- the FISA Amendment Act 2008 s.1881a, which created a new power targeted only at non-US persons outside the US, to intercept communications and access "remote computing services" (i.e. Cloud computing) from any company subject to US jurisdiction, which compels access, without any warrant, to...

- ...information which merely "relate" to "the conduct of the foreign affairs of the United States" or "with respect to" a "foreign territory" or "a foreign-based political organization". Isn't it strange how all US accounts of US laws seem to omit these limbs of the (enormous and rambling) definitions?

- s.215 of the Patriot Act, which is being interpreted according to some secret doctrine that is (possibly/probably) about grabbing arbitrary data stored on disk under powers designed for library records, thus avoiding a warrant. This will likely be worse if you are outside the US, because you will have no chance at all to get standing in a US court (assuming you ever found out about it).

All this is quite illegal in ECHR territories, which grant universal rights irrespective of nationality (within the jurisdiction of the 50 signatory states), with laws that are precise and foreseeable in their effect, for purposes which cannot include spying on ordinary lawful democratic political activities and beliefs"
He goes on to comment specifically on some of the detail:
"pp1. "As one observer put it, France's anti-terrorism laws make the Patriot Act look "namby-pamby" by comparison."
- following the footnotes, that 'observer' is one Gary Schmitt, former staff director of the US Senate Select Committee on Intelligence

pp2. - "it is incorrect to assume that the United States government’s access to data in the Cloud is greater than that of other advanced economies"
- Untrue: FISA explicitly discriminates both the protections and allowed purposes by nationality, giving inferior (or zero) protection to foreigners, especially outside the US

pp.2 - Kennard: "In a number of critical areas, the U.S. provides more restrictions to the access of personal data than do European Member States."
- Untrue: under no Cloud-relevant circumstances will the data of a European in Europe receive greater protection under US law than under European law

pp.2 - "Despite the procedural hurdles that may exist to request and obtain information pursuant to MLATs..."
Misleading - euphemism for fact EU law enforcement authorities may have to wait 6 months while their MLAT requests stack up in the US Department of Justice (thus discouraging sending very many)

pp2. - "The existence of Mutual Legal Assistance Treaties greatly diminishes any argument that data stored in one jurisdiction is immune from access by governmental authorities in another jurisdiction."
Wrong - unless the US wants to do any political spying (e.g. on the European Commission where apparently use of US cloud apps is rife for preparing official documents)

pp.4 - "The reality is that most of the investigatory methods in the Patriot Act were available long before it was enacted. And those investigative tools had, and still have, limitations imposed by the United States Constitution and by statute"
Misleading: - although the US Constitution is silent on the matter, the US mostly doesn't recognize (ask John Yoo) foreigners as having Constitutional rights, even those physically within US territory. Which is sort of the point in Cloud computing.

pp.4 "Under the ECPA, if a government body seeks disclosure of customer data from a Cloud service provider, it can only do so if a judge issues a search warrant or special ECPA court order, or if the government issues a valid subpoena to the provider"
Omission - which is why the secret interpretation malarkey of Patriot 215 is important, because it bypasses this law and then some (no probable cause, or reasonable grounds to believe etc.)

pp5. "FISA Orders and NSLs were available to the United States government even before the Patriot Act was enacted. The Patriot Act merely expanded some of the provisions of these access methods. For example, it added “gag order” provisions"
- here's what that merely amounted to for one small ISP owner

pp.5 "A Cloud service provider also may petition the court to overturn the “gag order.”"
- only took Nick Merrill six years of life

pp5. "...relevant to the concerns of foreign countries about their nationals’ data, a recent ruling by a United States appeals court one level below the Supreme Court confirmed that statutory protections are extended to non-United States citizens for data physically maintained in the United States and stored in the Cloud"
Misleading & wrong: - there's no reference given, but they plainly mean the Suzlon case, which only applies to ECPA (Electronic Communications Privacy Act) not ways of getting at data under FISA or Patriot or relying on 4th Amendment protection, and isn't a Supreme Court decision anyhow. But well done Microsoft for litigating hard anyway, even if it is self-serving to reassure your foreign customers.
====

[...]

====
pp.12 "In short, the proposals for reform of privacy rules in the EU do not contemplate altering the current environment in which law enforcement has significant access to data in the Cloud."
Sadly true but also misleading: the draft of the proposed new EU DP Regulation which leaked in Dec 2011 contained an Article (42) which would have required Cloud providers to get the approval of data protection authorities before responding to direct US law enforcement authorities' requests (e.g. under Patriot/FISA), on pain of severe fines, and to notify the individual. Presumably after heavy lobbying, this Article was removed in the published proposal, replaced with a pathetically weak Recital 132 which says if the Commission finds out something naughty is going on they should jolly well do something about it quickly""
Caspar would be grateful for comments, corrections and refinements. Thanks to Caspar and to Peter Sommer who originally drew my attention to the report via the excellent FIPR alerts.