Allow us to explain.
In November of 2011, two European companies announced the creation of the first fully European “Database-as-a-Service” cloud offering – one that provided a “safe haven from the reaches of the U.S. Patriot Act.” The press release goes on to say, “Under the Patriot Act, data from EU users of U.S.-owned cloud-based services can currently be shared with U.S. law enforcement agencies without the need to tell the user.”
Wait. Stop. Can what they’re saying be true? We all remember the Patriot Act – the post-9/11 legislation that was designed to help the U.S. government more efficiently track terrorists. Its “official” name is the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.” We know it was created to help catch the bad guys, but does this act impact data privacy for the rest of us in the cloud?
We went to our legal experts to get some real answers.
A Patriot Act Primer
The Patriot Act was signed into law by George W. Bush on October 26, 2001. It did not give U.S. law enforcement brand new ways to get data for its terrorist investigation. What it did do was expand the ways in which law enforcement could obtain that data.
“The common misperception is that the Patriot Act created new tools for data collection. In fact, it simply beefed up a few things to remove obstacles in following terrorist activity,” explained Alex Lakatos, partner with Mayer Brown LLP.
According to Lakatos, there are two expanded mechanisms that could directly relate to cloud data: namely, the Foreign Intelligence Surveillance Act (FISA) and National Security Letters.
Let’s look at the “befores” and “afters.”
Before 9/11, the FISA Act required the FBI to get an approval from a special court to obtain the business records of suspected terrorists or terrorist groups. But, this data was limited to car rental, hotel, storage locker and common-carrier records.
Title II of the Patriot Act enabled the FBI to petition that same court to obtain books, records, papers, documents – including data in the cloud – to protect against international terrorism or clandestine intelligence activities. To get an order, the FBI has to specify what they’re looking for and explain why the documents are relevant to their investigation.
Under Section 215, it’s also true that the party receiving the FISA order (which could be a company or cloud provider) can’t disclose the fact to the individual under investigation, unless they contest that order after a one-year hiatus.
“The reality is the government rarely uses FISA orders. In fact, only 96 of these applications were made for business records in 2010,” Lakatos said. “That’s a very minimal threat to cloud providers.”
National Security Letters are administrative subpoenas that enable the FBI and other government agencies, without court authorization, to obtain certain records relating to their terrorism investigations. Before the Patriot Act, the FBI and Secret Service already could get bank records, securities brokerages, and information from car dealers, pawn shops, casinos and realtors. These agencies could also gain information from credit bureaus on the names and addresses of the financial institutions at which a suspected terrorist had an account; plus name, address and employment history of that person. The FBI could also use a National Security Letter to access subscriber information from service providers and electronic communications records.
The Patriot Act now enables the FBI, and other relevant agencies, to access full credit reports when conducting investigations related to international terrorism. It also imposes a gag order on persons receiving a National Security Letter. Again, that means that the provider can’t inform the individual under investigation that such a letter was submitted, nor the information provided to the agency.
“The types of data that the FBI and other authorities can gather through cloud providers with a National Security Letter are limited,” Lakatos said. “For example, they can request ‘envelope’ information from Internet providers but not actual message content. And again, I think it’s important to reiterate that what these government agencies are looking for is information to help them protect the U.S. against terrorists.”
The Reality Check
Although in recent months the topic is making a lot of headlines, in Lakatos’ perspective, it’s much ado about nothing.
“Those European providers are indicating that, through a U.S. cloud, our government has access to your data. But, guess what? It does anyway. If a suspected terrorist has pertinent data stored in a physical location or cloud in another country, if that country is an ally, that information can still be obtained,” Lakatos said. “You can’t avoid the issue by avoiding U.S. service providers.”
Here’s the other key point: the United States isn’t any different than other countries when it comes to pursuing data for terrorism investigations. Meaning, if prosecutors in Europe need data held in the United States for the same kind of terrorism monitoring and tracking, they can probably get the U.S. to seize that data for them. That’s how governments work with their allies.
So, what about all that talk about providing a “safe haven” from the reaches of the U.S. Patriot Act?
“It’s marketing,” Lakatos said. “There is fear and ignorance in the market, and consumers may just avoid U.S. Cloud service providers without asking questions.”
It’s like putting a ‘no fructose’ label on a product that contains corn syrup. Both ingredients, and the risks associated with each, are virtually the same. But, by putting the right spin on it, the seller can change the buyer’s perception.
“The fact is, merely avoiding U.S. cloud service providers based on concerns about the Patriot Act provides no assurance that that cloud data is beyond the reach of the Patriot Act, nor does it provide protection against the risk that non-U.S. governments will access that data, either on their own initiative or in response to a request from the United States,” Lakatos said.
The net-net? Don’t make a vendor selection based on the home country of the provider alone.
“Look at all the relevant risk, review your cloud service contract, and consult your legal counsel,” Lakatos said. “And ask questions.”
You may find that that “safe haven” isn’t so safe after all.
Alex C. Lakatos, partner in Mayer Brown LLP’s Financial Services Regulatory & Enforcement practice in Washington, DC.