Policy —

PATRIOT Act and privacy laws take a bite out of US cloud business

European IT companies are using uncertainty about the US's surveillance laws …

PATRIOT Act and privacy laws take a bite out of US cloud business

While there are plenty of technical and functional concerns that have slowed adoption of public cloud computing and software-as-a-service, American companies trying to sell their cloud services outside the US or to large multinational organizations have another handicap to overcome: the USA PATRIOT Act. European, Asian, and Canadian data privacy rules and concern about US surveillance of data crossing international boundaries have even been used to market European data centers' services. Today, ComputerWeekly reported that BAE Systems had ditched Microsoft Office 365 over PATRIOT Act concerns, because Microsoft could not guarantee the company's data wouldn't leave Europe.

Microsoft's managing director in the UK, Gordon Frazer, made that admission in June at the Office 365 launch in London. After researching the PATRIOT act, Microsoft found that regardless of where data was stored, it could not ensure that data would not be turned over to the US government as the result of a National Security Letter or other government request, because the company is governed by US law.

"The PATRIOT Act has come to be a kind of label for [privacy] concerns," Ambassador Phillip Verveer, the State Department's coordinator for international communications and information policy, said in a recent interview with Politico. Verveer said that some European cloud providers are "taking advantage of a misperception" of PATRIOT to cut American companies out of potential business, "and we'd like to clear up that misperception." The "misperception" has become a big enough problem for major tech firms that the Obama administration is making a diplomatic effort to allay fears about US data surveillance.

Section 217 of the PATRIOT act permits government interception of the "communications of a computer trespasser" if the owner of a "protected computer" authorized that surveillance. The law's definition of "protected computer" includes systems "used in interstate or foreign commerce or communication." The Electronic Privacy Information Center's analysis of the provision found it is so broad that "protected computer" could be interpreted to mean any computer, essentially giving the government warrantless search authority if its owner—or a service provider—agrees. PATRIOT also authorizes warrantless interception of communication between or among "foreign powers," which includes foreign political organizations.

Using the PATRIOT Act as a counter-marketing tool to US data services isn't anything new. Starting in 2004, a series of laws were passed or amended in Canadian provinces, preventing Canadian citizens' personal data from being stored outside Canada. The changes came in the wake of protests over the outsourcing of British Columbia's health insurance system to Maximus by the British Columbia Government Employees Union. BCGEU campaigned against the deal on the grounds that if Maximus, a US-based company, took over Medicare, "British Columbians' personal medical records could be accessed by the Bush government under the U.S. Patriot Act."

One Canadian healthcare CIO told Ars that he wasn't even considering cloud solutions because it was widely assumed in Canada that any patient data put into cloud-based health IT systems from his US-based software provider would be scanned by the NSA.

Issues surrounding PATRIOT and other US laws—and how they conflict with European data privacy laws—"don't necessarily rule US cloud services out" for multinational organizations, Greg Mason, a partner at Forensic Risk Alliance, told Ars. But it does put serious restrictions and costs on the cloud provider, he said—"Where you actually collect, process, and store the data is a huge issue," both because customers don't want data brought back into the US and have it exposed to government surveillance, and storing it in the wrong jurisdiction could violate local privacy laws. Large public cloud services that provide email and other services—including Apple's iCloud—face the same issues.

European Commission Vice President and Justice Minister Viviane Reding made a point yesterday of calling out European cloud service providers for offering services that "shelter users from the US Patriot Act and other attempts by third countries to access personal data." In her speech at the European Data Protection and Privacy Conference in Brussels yesterday, Reding said, "We need a free flow of data between our continents, and it doesn't make much sense for us to retreat from each other." Reding is attempting to push forward an EU-wide set of regulations on data protection that would set a common standard across the continent, allowing data to be moved freely within the EU.

ZDNet's Zack Whitaker reports that the provisions of the new regulation will block PATRIOT Act provisions by revoking EU/US "safe harbor" regulations, forcing companies that do business in Europe to get "adequacy" statements from the data protection authority of the country where the data is primarily stored before transferring it. The rules would make it illegal for the US to invoke PATRIOT act measures to gain access to data stored in Europe. EU member states will be able to impose sanctions on companies that violated the rules up to a maximum of five percent of a company's total revenue.

But PATRIOT is just part of the problem—there's a wider mismatch between data protection standards in the US and Europe. Reding said that there still needed to be "substantial progress" to reach a data protection agreement between the EU and US that would ensure that Europeans' "rights are respected whenever their personal information is transmitted in Europe or over the Atlantic for law enforcement purposes." The Consumer Privacy Bill of Rights introduced in April by Senators John Kerry and John McCain raised hopes that there would be closer alignment between the EU and US on data privacy, but Reding said that it appears that the US will only put in place voluntary codes of conduct, and she is now worried that "US 'self-regulation' will not be sufficient" to allow data to move freely between Europe and the US.

Channel Ars Technica