The Patriot Act and where to store my data? A territorial war of political proportions

When I set out to write an article about the recent changes to the Patriot Act, I soon realized that when it comes to cloud computing and physical storage locations of data, the Patriot Act may not be as draconian as most EU Countries and Canada would have you believe. In fact some EU Countries have enacted counter laws to the Patriot Act (as it pertains to cloud services) that may be stunting or stagnating the growth of cloud based business abroad enabling cloud based businesses in the U.S. to grow exponentially.

So what is the Patriot Act really? It's an umbrella piece of legislation that makes ribs of all the past governmental surveillance laws and streamlines the bureaucratic red tape process. Some of the legislation the Patriot Act has assimilated are  Wiretap Act, Stored Communications Act, Pen Register Act, Foreign Intelligence Surveillance Act, Communications Assistance to Law Enforcement Act, or the Economic Espionage Act. These individual acts (in part) are the rules by which the Patriot Act can be enforced.

Rules for government to access data

At the federal level, the basic rule written in the 4th Amendment to the U.S. Constitution grants the right to be secure from unreasonable searches and seizures. So what does it take for the U.S. government to access data in a U.S based cloud service provider? The short answer? It depends.

These laws may depend on the nature of the data. For example, the Wiretap Act pertains to data in transit, whereas the Stored Communications Act pertains to data in storage. There are different provisions for access to content as opposed to access to non-content (i.e., identity of the sender, the recipient, time of the call or communication). The law may distinguish whether the person being investigated is a U.S. citizen or resident, or, instead an “agent of a foreign power” as is the case under the Foreign Intelligence Surveillance Act.

The laws described above define the specific rules and requirements that must be met for a federal or state investigator to have access to specific data, premises or equipment where the data is located. In most cases, the investigator is required to obtain a subpoena, a court order or a warrant. In rare cases, it may be possible to have access to data without a subpoena, court order or warrant; these circumstances are specifically identified in the applicable law, and are generally associated with extraordinary circumstances.

Stored Communications Act

The rules of the Stored Communications Act are usually used to determine access to data stored by cloud service providers. Enacted in 1986, the act governs access to wire, oral and electronic communications in storage (as opposed to communication in transit). The law contains general prohibitions against access to these communications and rules that allow disclosure of these communications by providers of electronic communications services. It also contains an exception for allowing the government to access data stored by communication and computing service providers. These rules are very complex and detailed.

The government may obtain access to content that has been held in storage for less than 180 days by an electronic communications service, after obtaining a warrant. The officer must show “probable cause” exists, based on his or her personal observation or hearsay information, to show evidence of a crime would be found in the requested search of data. Only then would the officer obtain a warrant.

Federal data access outside the U.S.

What would happen if an investigation would require access to data held abroad? Generally, a U.S. prosecutor or investigator will not be permitted to conduct an investigation or to interview witnesses abroad. In most cases, the help of the local government will be necessary. As a result of this hurdle, nations have agreed on a multitude of bilateral or multilateral treaties that define how they will cooperate in certain matters.

The U.S. is party to several Mutual Legal Assistance Treaties (MLAT). Their purpose is to gather and exchange information in an effort to enforce public laws or criminal laws. In addition, the U.S. is a member of the Council of Europe Convention on Cybercrime, which was ratified in 2007. The Convention governs electronic surveillance, sharing of evidence and computer crime. It allows governments to request and provide mutual assistance in the investigation and prosecution of a number of crimes, such as hacking, unauthorized access to computer systems, child pornography or copyright infringements.

Law enforcement may attempt to gain access to data held abroad by making the request from the U.S. affiliate of a company located abroad that may have custody or control over the documents or information at stake. In the U.S., courts have held that a company with a presence in the U.S. is obligated to respond to a valid demand by the U.S. government for information (made under one of the applicable U.S. laws) so long as the company retains custody or control over the data.  The key question is whether the U.S. company does have the required level of “custody or control” to be forced to respond to the government request. There are cases in recent past that the U.S. based company was required to produced documents that were held abroad. Similarly other countries have followed suit as it pertains to information held outside the physical boundaries of their jurisdiction.

Who's afraid of the big bad Patriot Act?

Cloud computing in the U.S. has been growing steadily since its introduction, primarily due to benefits like scalability, flexibility and cost-effectiveness. With this growth, American service providers have brought to market a number of customizable cloud environments, opening up possibilities for organizations of every size, shape and focus to host data or services in the cloud.

The EU and Canadian fear is that data hosted in the U.S. or by an American hosting provider will make it impossible to guarantee that data will not be shared. According to Gartner, the research firm, European sales of cloud computing trail those in the United States by at least two years, in part because of these concerns. As a result the North American market accounts for $17.4 billion, or 62 percent, of sales while Europe, the Middle East and Africa accounted for about $7 billion, according to I.D.C. This hesitation among European organizations is not unfounded, as the Patriot Act can be used by the U.S. government to collect personal or confidential data, but, as the cloud evolves, there are ways to ensure data will remain confidential outside of extenuating circumstances.

Meanwhile, many countries within Europe have instated conflicting policies surrounding data security. For example, Spain, France and Germany are notoriously tough on data processed in the cloud, requiring cloud service providers to know where information is being kept at all times. While Britain and Scandinavian countries tend to be more permissive, all European national governments are actually required by law to process any personal data within their own borders.