Worries have been steadily growing among European IT leaders that the USA Patriot Act would give the U.S. government unfettered access to their data if stored on the cloud servers of American providers—so much so that Obama administration officials this week held a press conference to quell international concern over the protection of data stored on U.S. soil.
Patriot Act Games
The unease over the reach of Patriot Act provision—which expands the discovery mechanisms law enforcement can use to access third-party data—has been amped up by the sales and marketing efforts of some European cloud providers, seeking to set apart their services as a way to keep corporate data out of the hands of the American government. The most blatant examples are two Swiss companies touting their cloud options as “a safe haven from the reaches of the U.S. Patriot Act,” but it’s become a popular topic at negotiating tables across the continent. “I don’t see how you have a pitch meeting with one of these European cloud providers and not have subject of the Patriot Act concerns come up,” says Alex Lakatos, a partner and cross-border litigation expert in the Washington, D.C. office of Mayer Brown.
Anxiety was heightened last year when a Microsoft UK managing director admitted that he could not guarantee that data stored on the company’s servers, even those outside the U.S., would not be seized by the U.S. government.
“Some of it certainly is companies trying to take advantage of the Patriot Act to market against U.S. competitors,” Lakatos says. “Some of it is just the general concern Europeans have about the Patriot Act.” While the 9/11-inspired legislation has been misused in a variety of ways, says Lakatos, some of those perceptions don’t necessarily mesh with reality.
Avoid the Patriot Act’s Reach, It’s Not Easy
Escaping the grasp of the Patriot Act, however, may be more difficult than the marketing suggests. “You have to fence yourself off and make sure that neither you or your cloud service provider has any operations in the United States,” explains Lakatos, “otherwise you’re vulnerable to U.S. jurisdiction.” Few large IT customers or cloud providers fit that description in today’s global business environment. And the cloud computing model is built on the argument data can and should reside anywhere around the world, freely passing between borders.
If a European company maintains an American presence, it’s likely amenable to U. S. jurisdiction, says Lakatos; likewise, a European customer storing data on European cloud servers of a company with operations in the U.S. may also be subject to Patriot Act discovery tools. “If an E.U. company has no U.S. presence and neither does its E.U. cloud company—which may happen from time to time—its data may be beyond the direct reach of the Patriot Act,” Lakatos says. “But even then, the same data may be accessible to the U.S. [government] via an MLAT [mutual legal assistance treaty] request.” (MLATs enable gathering and sharing of data between countries for law enforcement purposes.)
“Just thinking of avoiding U.S. providers does not solve anything,” says Lakatos, “the analysis is much more complex.”
Working With Cloud Providers
So, what’s a European cloud customer to do—or, for that matter, a U.S. customer anxious about how their cloud provider might respond to a government request for data under the Patriot Act? Cloud and other technology service providers have a mixed record when it comes to keeping customer data out of government hands. “For the cloud service providers, their life may be easier if they give the government whatever it’s asking for,” Lakatos says.
First, figure out what your concerns are. Many European cloud customers that have come to Lakatos for advice are not especially worried about whether the U.S. government knows with whom they do business—but their clients are. In that case, the solution is making clear to customers the risks are and what you and your cloud provider are doing to mitigate them. “A lot of it has to do with messaging,” says Lakatos. “What promises and assurances can I give them?” Others may have legitimate concerns about information the government might obtain and how it could affect their business going forward. They must determine what specific information is valuable, how likely the government would seek it out for a terrorism investigation, and whether it’s worth storing in the cloud. (Data kept in-house for those with a U.S. presence is still subject to Patriot Act discovery tools, but the feds will have to go through you, not the cloud provider, for access.)
Secondly, take some time to understand how the Patriot Act might play out with regard to data stored in the cloud. The legislation expanded certain discovery mechanisms already available to U.S. law enforcement. The two most likely to be used to access cloud-stored data are Foreign Intelligence Surveillance Act (FISA) Orders and National Security Letters, says Lakatos. Both forms of discovery may include gag orders, preventing the cloud provider from notifying its customers about the government request for data. (Lakatos provides a detailed analysis of the types of data the government is likely to seek via these mechanisms in this article: http://www.mayerbrown.com/publications/article.asp?id=12057&nid=6 .)
Thirdly, customizing your cloud contract to include a clause covering how the cloud provider is required to respond to government requests for data is also important. Of course, we all know how reticent cloud providers are to adjust their boilerplate agreements, but it’s worth a shot. “If you have the market power, you can reasonably ask that those terms be customized a bit so that they promise you that, to the extent that there’s not a gag order, they will immediately make you aware of requests for your data, or that they assume some obligations on themselves to not voluntarily provide more that they have to,” says Lakatos. “A lot of times when the government comes knocking on the door of the cloud service provider, there’s some room to negotiate or push back and say, ‘Look, you’re asking for more than the law requires.’ You have to decide what you want to ask them to do.”
Finally, advises Lakatos, get real about the most likely legal risks to your cloud-stored data. “Customers ought to be as concerned with traditional methods the government uses to obtain data. You may be more likely to see a grand jury subpoena or search warrant—that type of thing,” Lakatos says. “Consumers of cloud services often get distracted from the fact that often a lot of these investigations may occur in their home country. Even if they successfully fence themselves off from the United States, their country may have a concern about terrorism, and they can’t assume that [their own government] won’t be fairly aggressive about getting your documents through their own means.”
Stephanie Overby is regular contributor to CIO.com’s IT Outsourcing section.