Cloud Security and Privacy Laws in US. Foreign Cloud Providers Marketing Against Privacy Concerns.
Foreign Cloud Providers Marketing Against Privacy Concerns • Cloud computing services from outside the U.S. are trying to exploit perceived weaknesses in privacy laws to drive business away from U.S. providers, according to some representatives of the tech industry.
European Companies • European companies are marketing their cloud as more private and beyond the reach of the US privacy act. • Creating fear that the USA Patriot Act would give the U.S. government unfettered access to their data if stored on the cloud servers of American providers. • It's become a popular topic at negotiating tables across the continent. • Some nations are passing laws that require resident data to be stored on servers within the country.
Motive • Their motive, as stated by Alex Lakatos, a partner and cross-border litigation expert in the Washington, D.C. office of Mayer Brown: • Foreign cloud computing vendors are spreading "fear, uncertainty and doubt" about U.S. privacy standards to drive business away from the U.S. • In fact, merely avoiding U.S. cloud service providers based on concerns about the Patriot Act provides no assurance that cloud data is beyond the reach of the Patriot Act.
Acts • FISA Act. • National Security Letters. • Patriot Act. • Electronic Communications Privacy Act (ECPA).
FISA Act • The FISA Amendments Act of 2008 was signed into law by former U.S. President George W. Bush to enable intelligence agencies to conduct surveillance against terrorists overseas without having to obtain court approvals. • Practical Effect of Cloud Services – Because of public outcry, the FBI rarely uses FISA orders. In 2010, the US government made only 96 applications to the Foreign Intelligence Surveillance Courts for FISA Orders granting access to business records.
National Security Letter • National Security Letters are demand letters that the FBI and other government agencies use to obtain certain records and data pertaining to various types of government investigations. • The FBI may issue NSLs on its own initiative, without the authorization of any court. • The scope of National Security Letters was limited. • Title V of the Patriot Act allowed the government to get actual message content.
ECPA • ECPA – Electronic Communications Privacy Act. • The U.S. Electronic Communications Privacy Act (ECPA) allows law enforcement agencies easier access to information stored in the cloud than to information stored on a hard drive or in a file cabinet.
Patriot Act • The USA Patriot Act was passed in response to the Sept. 11, 2001 attacks. • President Bush signed the USA Patriot Act into law on Oct. 26, 2001, to help law enforcement to identify, to dismantle, to disrupt, and to punish terrorists before they strike. • Made for terrorists who operate by highly sophisticated methods and technologies, some of which were not even available when our existing laws were written. • The act gave the government broad new legal and investigative authority and increased power to sanction organizations and individuals who do not cooperate with investigations. It also provided some legal protections for those who assist law enforcement in its investigative work.
US Jurisdictional Limitations • A corporation based in the United States will be subject to US jurisdiction and, thus, can be subject to FISA Orders, NSLs, search warrants, or grand jury subpoenas. • The same is true for a non-US corporation that has a location in the United States. • Any cloud service provider that is US based, has a US office, or conducts systematic or continuous US business is subject to US jurisdiction, even if the data is stored outside the United States.
Avoid US Jurisdiction Reach • Fencing: make sure that neither you nor your cloud service provider has any operations in the United States. • Fenced data is accessible via MLAT. • EU-US Safe Harbor Agreement.
MLAT (Mutual Legal Assistance Treaties) • Mutual Legal Assistance Treaties (MLATs) facilitate cooperation across international boundaries. • Germany also signed a Mutual Legal Assistance Treaty in Criminal Matters with the United States in 2003 and a Supplementary Treaty to the Mutual Legal Assistance Treaty in Criminal Matters in 2006. • Both treaties entered into force on October 18, 2009 and allow authorities in each country to request and receive information located in the other’s jurisdiction.
EU-US Safe Harbor Agreement • The Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor” framework. • The Safe Harbor Agreement contains a provision that allows US companies to comply with applicable US laws compelling the production of data, including the Patriot Act.
Confession by U.S. Cloud providers • Microsoft UK managing director Gordon Frazer admitted that he could not guarantee that data stored on the company's servers, even those outside the U.S., would not be seized by the U.S. government. • Google also confirmed to Germany’s WirtschaftsWoche that their servers in Europe have no protection from US privacy laws. • Computer Weekly reported that BAE Systems had ditched Microsoft Office 365 over the PATRIOT Act.
European Privacy Challenges • ISPs in the European Union must retain telecom customer data for between six and 24 months. • The E.U. data-retention directive gives European investigators access to information that may be deleted in other countries. • The study surveyed the laws in 10 countries, and all 10 allow the government to require a cloud provider to turn over consumer data in the course of an investigation.
Conclusion and Concerns • Consumers of cloud services often get distracted from the fact that a lot of these investigations may occur in their home country, even if they successfully fence themselves off from the United States. • Even European countries with strict privacy laws have anti-terrorism laws that allow expedited government access to Cloud data.
Conclusions and Concerns • More businesses should be aware of these privacy laws to avoid false expectations about privacy on the Cloud as imposed by a few European cloud providers. • U.S. cloud companies are losing business. • I think it’s important to reiterate that what these government agencies are looking for is information to help us protect against terrorists.
Conclusion and Concern • The Department of Justice reported to Congress that in 2010 the FBI made 24,287 NSL requests.