Snowden & the Patriot Act.
Should I care about all this Snowden stuff and the Patriot Act?
The answer is: it depends. If you are any one of the following: a (non-US) government entity, a handler of intellectual property, a holder of commercially sensitive data, a supplier of managed, communication or social networking services, or involved in R&D, then the answer is probably yes. If you are a company trading locally, most retailers, or a home user, then realistically no (unless you're involved in illegal activities).
OK, so let’s assume I do care, what is the Patriot Act?
On October 26th 2001 the Patriot Act was signed into law by President Bush. It stands for Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism.
On May 26, 2011, President Obama signed the PATRIOT Sunsets Extension Act of 2011, a four-year extension of three key provisions in the USA PATRIOT Act: roving wiretaps, searches of business records (the "library records provision"), and conducting surveillance of "lone wolves"—individuals suspected of terrorist-related activities not linked to terrorist groups.
There are 10 parts to the Patriot Act, and in this article I am only focusing on the parts pertaining to data. The Act gives permission for law enforcement officers to search a home or business without the owner's or the occupant's consent or knowledge; expands the use of National Security Letters (NSLs), which allow the Federal Bureau of Investigation (FBI) to search telephone, e-mail, and financial records without a court order; and expands the access of law enforcement agencies to business records, including library and financial records.
I don’t live or operate in the US so how can it apply to me?
After the Patriot Act powers had been expanded, their use began to rise. The Department of Justice recently reported to Congress that the FBI had made over 24k requests in 1 year (excluding requests for subscriber information only). The FBI can issue NSLs on its own initiative, without the authorization of any court. On top of that, the NSL statutes impose a gag requirement on persons receiving an NSL, i.e. they don't have to tell you. And the kicker: US law enforcement authorities may serve FISA Orders, NSLs, warrants or subpoenas on any cloud service customer that is US based, has a US branch, or conducts systematic or continuous US business, even if the data is stored outside the United States. Many European entities have a US presence, and that US presence makes them directly subject to the authority of US law enforcement, regardless of which company they use for cloud storage.
So basically, if your data resides with any company that is incorporated in the US, then that data is subject to the Patriot Act. In fact, former Microsoft UK managing director Gordon Frazer said that he could not guarantee that data stored on Microsoft servers, wherever located, would not end up in the hands of the US government, because Microsoft, a company based in the United States, is subject to US laws, including the USA PATRIOT Act.
Ok, but what about ‘Safe Harbor’ – doesn’t that protect me?
The European Commission’s Directive on Data Protection generally prohibits the transfer of personal data to non‑European Union countries that do not meet the EU “adequacy” standard for privacy protection.
Many cloud service providers are increasingly serving customers outside their home markets and using service delivery models that require the transmission of data across borders, which has led to a great deal of fear about the rights of access under the USA PATRIOT Act and their geographical reach.
To bridge these different privacy approaches, the Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor” framework. By joining and adhering to the EU-US Safe Harbor Agreement, US companies can demonstrate that their data protection practices meet EU data protection requirements. European companies then can share data with US participants in the Safe Harbor agreement without violating their home country data protection laws.
Sounds good; however, the Safe Harbor Agreement contains a provision that allows US companies to comply with applicable US laws compelling the production of data, including the Patriot Act. So whilst you might be compliant with your jurisdiction's data protection legislation, your data is still subject to the Patriot Act.
What can I do to protect my data?
If you are a company or individual who is worried about the Patriot Act, then you still have plenty of opportunities to use cloud services. The important thing is to ask the right questions. Know where your provider is incorporated around the world and the implications of this. Know what legal requirements your home country places on you with regard to data protection, and ask where your data will reside, even in disaster recovery (DR) scenarios.
For more information or to discuss this further, please feel free to contact Niall Mackey at nmackey@topsectechnology.com.
