8 02 2012
Avoiding US-Based Clouds
The USA Patriot Act was created as an anti-terrorism measure in 2001, but is now creating challenges for American cloud companies attempting to serve international clients. Many foreign customers are concerned that the US government will have access to data that is stored on US soil. This has prompted a move to other non-US cloud providers. Non-US competitors seem to be fuelling this trend by increasing the perception of this threat, a relatively effective competitive tactic.
What is the USA Patriot Act?
The Patriot Act was enacted in a post-September 11 climate in order to assist the intelligence community in data collection on suspected terrorist actions. It has been leveraged against US cloud computing giants such as Google and Microsoft – the argument is that if you place your data in a US-based cloud, it might end up being accessed by the US government.
According to Ambassador Philip Verveer, US coordinator for International Communications and Information Policy at the State Department, “The PATRIOT Act has come to be a kind of label for this set of concerns. We think, to some extent, it’s taking advantage of a misperception, and we’d like to clear up that misperception.”
In the same vein, Phil Bond, an IT lobbyist and former CEO of TechAmerica, says,
“I’ve heard directly from EU leaders, from Canadian policymakers and from companies all around the world about problems, or perceived problems, with the [Patriot] act… There is no shortage of people who misapprehend the law. If some of these misperceptions harden or real problems [are] not addressed, it will cause companies and governments to hesitate in doing business with U.S. cloud companies.”
During September 2011, both the Dutch and Canadian governments pointed out that the Patriot Act was troubling in terms of the type of access the US federal government could potentially have. Both countries expressed concern about the security and privacy of public sector data that was being maintained by US-based cloud providers and the threat of disclosure of that data. Canadian government clients began insisting on locating the services on which data would reside in Canada, in order to avoid application of the Patriot Act. Shortly thereafter, the Dutch government followed suit.
Computer-automated mass surveillance has been floating in and out of the news, especially with regard to the cloud computing environment. Despite US lobbyists and government officials downplaying Patriot Act-related criticism, there are some worthwhile arguments and security issues that should be examined, particularly for anyone considering placing their data in a US-based cloud.
The following are issues which US cloud providers need to think about:
- Private sector policies regarding data sharing with law enforcement are typically different across cloud providers. Furthermore, they are often unclear in the way they are stated.
- There have been well-documented examples of large companies turning over customer data to federal law enforcement.
- The US government has a history of disregarding the law in the name of surveillance.
- US government agencies won’t trust sensitive data in non-US-based clouds. They will often require that such data be stored in a data center located in the US.
- The USA Patriot Act affords the US government broad powers to access sensitive or personal data without the knowledge of those concerned. For instance, federal law enforcement is permitted to subpoena data from providers and use gag orders in order to prevent providers from informing customers that their data has been accessed by authorities.
According to Wired blogger Jon Stokes:
“Ultimately, these PATRIOT act concerns around cloud computing are very real, and accusing the foreigners of FUD and ignorance isn’t going to overcome the twin forces of an American government that has repeatedly shown a willingness to act outside the law and a private sector that either actively cooperates or fails to put up much of a fight. American cloud providers are now caught between these two forces, and they’ll be squeezed to our economy’s detriment.”
This article takes a look at the trend of international customers rejecting US-based cloud service providers, due to concerns around the USA Patriot Act. Criticism of the Patriot Act includes the accusation that it permits – under various broad and relatively undefined circumstances – the US federal government access to records and data of cloud service providers, amongst other groups. As a result, the Canadian and Dutch governments began insisting that any data they had be stored on domestic servers, to avoid application of the Patriot Act. The article looks at some of the arguments on both sides of the debate.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Jurisdictions and data locations (Domain 3)
- Provider selection (Domain 8)
- Key management best practices (Domain 11)