Privacy law and cloud storage

How private is your cloud data from legal copying? The issues and concerns about the law, privacy and cloud storage.

In this article we’ll try to set out some of the legal issues surrounding cloud storage. We’ll focus on the legal side, not the technical possibilities, and give links to source material where possible.


Location of the cloud storage

Mostly you don’t know where cloud servers are located, and even when you do know (e.g. Office 365) it can change without notice.

Things get more complicated if the customer is based in one country, the server in another but the company providing the cloud service is based in yet another country. That’s before adding complications like subsidiaries of either the customer or provider, roaming customers, control of data links and so on.

The privacy laws in some countries effectively require that data storage is kept within that country. When the data is stored in another country it can be hard to prove that privacy compliance is complete, since the same rules may not apply in the country where the data is stored.

One myth is that when data is stored in a jurisdiction, it can’t be accessed directly by the laws of another country. Sadly that’s not true ….


Location doesn’t matter

Normally the cloud service providers don’t say where their servers are located. Your Gmail, Hotmail, SkyDrive or Google Drive emails and files can be stored anywhere that Microsoft or Google want. The location can change without you realizing it and there should be backups of the data stored at multiple locations. In some cases, like Office 365, the customer is told the broad location of the server but even that can change without notice.

In practice, the physical location of cloud servers doesn’t matter much. Laws have been written, in particular US laws, to have effect beyond the borders of a single country.

The far reaching laws of a single country can apply even to global companies that have a small subsidiary in that country.

The most prominent example is the US Patriot Act which allows the US government to compel US companies to hand over customer data regardless of where that data is stored or any privacy assurances the company has given. The data owner/customer is usually not informed due to a confidentiality requirement in the data request. The request should be in the form of a warrant or a less formal ‘National Security Letter’ (NSL) which doesn’t need a judge or even good cause. A US Department of Justice audit found that, in some cases, information had been handed over without even these minor formalities.

There’s plenty of gray area available in this topic. The laws themselves are complex and often haven’t been tested by courts. Actions taken under some ‘anti-terrorism’ laws are often kept secret, especially from the media and sometimes even from the owners of the data themselves.

There’s even a layer of ‘marketing spin’ as salespeople and even governments try to downplay the effects of their own laws while adding FUD (Fear Uncertainty and Doubt) about laws in other countries.

When companies outside the US raise legal and privacy concerns about US law and cloud storage they are accused by US officials and companies of a ‘red herring’ and using the Patriot Act as a ‘marketing proposition’. On the other hand many US companies and certainly US government agencies insist that their cloud storage be kept in the USA. Amazon has a specific service for US government agencies and contractors to cater for that requirement.

The US Patriot Act has been used to get data stored beyond America’s borders. Google has admitted they have complied with requests for data on European servers and copied it to the US Government.


“It doesn’t apply to us”

You can’t console yourself with the belief that none of your data could be related to ‘terrorism’ and is thus immune from legal actions. So-called ‘anti-terrorism’ laws usually are not limited to that area and can be applied to any situation a government sees fit.

It’s a global truth that when government agencies get new powers, they’ll use them and use them in ways not expected by lawmakers.

This isn’t theoretical; the British government froze the assets of a collapsing Icelandic bank using the UK’s Anti-terrorism, Crime and Security Act 2001. This was never anticipated when the law was passed and no-one pretended there was a legitimate ‘anti-terrorism’ reason. It’s an action that the Icelandic people took as an insult.

The Patriot Act in the USA has had many uses beyond terrorism though it’s worth noting that some reports of misuse have been denied or criticized by the Justice Dept.

The broad powers in ‘anti-terrorism’ laws could be used for commercial advantage. There are plenty of cases of industrial espionage or at least suspicions of it. Government agencies have often spied on foreign companies to benefit rivals from the government’s country.


What’s really in the US Patriot Act?

We’re not going to pretend to give a definitive explanation of such a large and complex piece of legislation, or even a part of it. For those interested, the relevant part of the Act to this discussion is Section 217 “Interception of computer trespasser communications.”

That section is hard to follow because it consists of amendments to existing laws rather than a complete statement itself. So we’ve put the relevant part of the US Patriot Act, along with a more readable version, at Office-Watch.com, which includes links to source material.

Most of the talk is about the Patriot Act but there are also sections of the US Foreign Intelligence Surveillance Act and the Protect America Act to consider.


Beyond the USA

Again, it’s not just US law to consider. There are the laws of other countries that may have just as extensive a reach as the US Congress has created.

In Canada there’s the Privacy Act and The Personal Information Protection and Electronic Documents Act (aka PIPEDA).

The European Union has a Data Protection Directive that imposes requirements not just on EU based companies but also companies operating in the EU and also any foreign organization doing business with EU members.

These laws usually impose obligations on organizations to ensure that data is protected from unauthorized access. That includes access by other governments that is legal under the law of the other jurisdiction. For example, there’s debate about whether the EU Directive is in conflict with US laws (e.g. can an EU company use US-sourced cloud services when the service could breach EU privacy laws via the Patriot Act?). The Wikipedia article on the DPD has more with links.

Local legal requirements may not be limited to specific privacy laws. Consumer protection and industrial relations laws (to name just two) may have sections about ensuring data privacy. In Canada, a union expressed concerns about data privacy when using Gmail; however, an arbitrator found in favor of the employer.

Additionally there are countries where the rule of law is, shall we say, ‘flexible’. The names ‘China’ and ‘Russia’ spring to mind for starters.


Endnotes

The above is a lot to take in and it deliberately only covers broad legal issues – nothing technical. It’s not possible to come to any hard conclusions because a lot depends on your specific situation and your level of concern about possible legal and hidden hacks into your data.

By cloud storage we mean anything saved to some online data service. That includes email hosting (POP and IMAP) as well as webmail services like Gmail and Hotmail. It also covers broader cloud services like Office 365, Evernote, SAP and Amazon Web Services. Of course there are also the many file storage services like SkyDrive, Google Drive and Dropbox.

A lot of the focus is on the US government and laws because most of the major cloud providers are based in the USA. It’s worth keeping in mind that other countries may also have far-reaching legal powers that can be applied to online storage beyond their borders. This isn’t ‘America bashing’; rather, it’s a growing problem for global trade and commerce.

In writing this article we found a lot of guesswork and unsubstantiated accusations on web sites. So we’ve tried to provide links to source material where possible.

Many thanks to Peter, Greg, Claude and Phil for their help in polishing up this complex article.

Finally, we’re not lawyers so don’t, for heaven’s sake, take this as legal advice. Even knowledgeable lawyers should tell you that this is a murky and largely uncharted area.