I’ve been watching, with more than a little bemusement, some of the commentary surrounding the implications of the US Patriot Act for the security and privacy of data that is held in the cloud. Here is my perspective (perspective being something rather lacking in some of the commentary).
Here’s the essence:
- Yup, the Patriot Act gives substantial powers to key law enforcement agencies
- Yup, the Patriot Act asserts jurisdiction over any US corporation, or any corporation having a business connection with the US…
- BUT, even if the Patriot Act doesn’t apply to you, it’s likely that US law enforcement could still get your data, by invoking a Mutual Legal Assistance Treaty with the government of whichever country your data is stored in
- The Patriot Act does not give US law enforcement agencies a right to roam freely through your data
- Other countries have almost identical laws
- For the paranoid among you, this means that none of your data, wherever it is held, is safe…
- Of all the security risks you face when it comes to cloud computing, the Patriot Act comes very low down the list
- Some questions you should ask yourself
- Some questions you should ask your provider
- Sure… some data should never be exposed to any risk of seizure, but please use your common sense
- If you’re still paranoid, the only solution for you is to get off the net completely, live in a shack in the forest and make yourself a tinfoil hat
- ADVERT: If you’d like me to speak at your conference, ask for a quote
Yup, the Patriot Act gives substantial powers to key law enforcement agencies
The US Patriot Act was passed by the US Congress in October 2001 in response to the terrorist attacks on the United States on the 11th of September of that same year. The Patriot Act sets out to consolidate the investigatory powers of the various security and law enforcement services in the USA and extends those powers in a number of key areas, most notably in the rights it gives law enforcement agencies to gain access to data.
The most contentious elements of the Patriot Act in the context of cloud computing are:
- The power it gives US law enforcement agencies to obtain data that is stored in other jurisdictions
- The power it gives to prevent cloud service providers from informing customers when data is seized
Yup, the Patriot Act asserts jurisdiction over any US corporation, or any corporation having a business connection with the US…
The Patriot Act allows the US government to oblige any cloud service provider that is based in, or has a business connection with, the United States to hand over data wherever it is held.
This has led to much gnashing of teeth, and to claims that if you use a US-based cloud service provider you’ll have to put up with the US government constantly squirrelling through all of your private customer records.
It ought to be pointed out that Australia, Canada, Denmark, France, Ireland, Spain, and the UK take a similar stance. Japan and Germany do not, but can still rely on international agreements and treaties to get to data that is held overseas (see below).
BUT, even if the Patriot Act doesn’t apply to you, it’s likely that US law enforcement could still get your data, by invoking a Mutual Legal Assistance Treaty with the government of whichever country your data is stored in
Here’s kicker number 1. Even if the Patriot Act had never been passed, the US government would still be able to gain access to your data.
Many countries have signed Mutual Legal Assistance Treaties (known as MLATs), which give the law enforcement agencies of each signatory the right to request that data be obtained from service providers in the other signatory’s jurisdiction.
To be clear, this means that lots of countries can get hold of your data if they need it for a criminal investigation.
The Patriot Act does not give US law enforcement agencies a right to roam freely through your data
Many commentators talk about the Patriot Act as if anyone in the USA can freely rummage through your data, browsing for interesting titbits. This is simply not the case.
Firstly, the powers granted by the Patriot Act only apply to US law enforcement agencies (notably the FBI). Secondly, all warrants and orders either have to be approved by a judge or are subject to appeal or to judicial/congressional oversight. For example, the US Attorney General’s office has to report to the US Senate annually on the number of requests for data made under the Foreign Intelligence Surveillance Act (FISA).
In order to obtain a warrant to seize data under the bulk of the legislation, investigators have to convince a judge that they have good reason to believe (“probable cause”) that the data contains information that is relevant to their investigation.
Moreover, once they’ve got the data, they’re subject to severe limitations as to how they can use it and who they can share it with. They’re very unlikely (for example) to send it on over to Wikileaks.
Other countries have almost identical laws
This’ll be kicker number 2!
Recently an international law firm (Hogan Lovells) published a report entitled “A Global Reality: Governmental Access to Data in the Cloud” which you can download from here.
The report looks at the legal framework in the US, and then compares it with nine other countries (Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain and the UK) and concludes that all of the countries looked at have very similar frameworks in place.
Hogan Lovells aren’t the first to make the point that the US laws are more or less mirrored in other countries, but they are the first people I’ve seen conducting such a broad comparison. Other legal experts have made similar points though. In May of this year two legal experts presented at the IAPP Canada Privacy Symposium and concluded that most of the provisions of the Patriot Act are mirrored in Canadian Law. To take a look at the presentation you can look here.
For the paranoid among you, this means that none of your data, wherever it is held, is safe…
At least not in Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, the UK, or the US.
Of all the security risks you face when it comes to cloud computing, the Patriot Act comes very low down the list
So, let’s take a deep, deep breath and pause for a moment to consider the risks posed by the Patriot Act and the similar legal frameworks that exist in all those other countries.
The situation is this:
- A number of countries have passed laws to enable their law enforcement services to conduct investigations into criminal and terrorist activity
- These laws give those agencies the power to gain access to data that is held by cloud providers
- One way or another many of these countries can gain access to data that is held overseas, either as a result of their own legal frameworks or via MLATs
- All of the countries have laws in place that limit these powers, require judicial oversight of their use, provide a mechanism for appealing search requests and severely limit what can be done with the data once it’s obtained
Clearly these laws raise serious issues, and it’s important that we continue to have a passionate debate about the balance between an individual’s or organisation’s right to privacy and the needs of governments and law enforcement agencies to uphold the law.
Personally speaking, I feel strongly that the laws in the US and the UK (about which I know the most) grant too much power to government to look at my data and that the erosion of our collective rights to privacy represents a victory for the bad guys rather than the good.
I’m also sure that there’ll be cases where, either as a result of a screw-up or a deliberate action, these laws are abused by the security services in one country or another. But I believe that in an age where mass communication tools are in the hands of all of us, when they occur, these breaches will be hard to hide, and even harder to defend.
But that’s the situation we have, and it applies to many people in many countries.
Meanwhile, let’s look at some of the other privacy concerns implied by cloud computing.
Every day there are tens of millions of attempts to hack servers. Almost every other day we hear of a security breach as a result of some failure in security by one organisation or another. In the past couple of years there have been reports that Facebook, Twitter and LinkedIn have been hacked in one way or another.
People are right to be concerned about security generally. There are lots of people out there working their socks off to break into your systems.
But, we already have a boat load of technology available to us that will help us make our cloud-based (and indeed web-accessible) applications and data very secure indeed. Here’s a tiny selection:
- You can require SSL connections so that all data is encrypted while it’s crossing the network
- You can enforce complex passwords (which alone would knock out the vast majority of hacking attempts)
- You can implement certificate based connections to your servers
- You can even encrypt data when it’s stored remotely
We have all the tools that are necessary, we just need to use them.
Cloud security is 90% Governance and 10% technology
Technology really isn’t the issue. The issue lies in how much we are prepared to move beyond “caring passionately about security” to “doing something about it”. 90% of cloud security depends on the policies you set, and the governance framework you’re willing to put into place to ensure that your policies are followed.
Some questions you should ask yourself
- Do you know where your data is physically stored?
While we think that geographical location is largely a red herring in the context of the Patriot Act and similar legislation in place in other countries, you may be subject to regulation that bars the storage of certain data outside your national borders.
- Do you have policies in place to ensure that passwords are sufficiently secure?
If a user has web access to sensitive data they should be required to use a password that is secure, whether they like it or not.
- Do you have policies in place that limit user and administrator access to data?
While having a single “ROOT” password is a convenience, it exposes you to significant risk in the event that it is compromised.
- Are you satisfied that your cloud provider has sufficient expertise, and resource, to ensure that its core infrastructure is secure?
Some cloud providers maintain huge teams of security experts who monitor their infrastructure 24 hours a day, while others either lack the resources (or the will) to make the same investment.
- Do you have policies in place to ensure that your developers are not inadvertently exposing your data or application source code to risk?
Application development frequently takes place under extreme time pressure, and it is a natural response to occasionally cut corners. It is essential that you apply the same levels of security discipline to your cloud-based development environments as you do your production environments.
- Are you satisfied that you have removed or locked down any unnecessary components in your server images that might represent a point of weakness?
Your server images should only be running the components/applications they need in order to function. We would recommend not only that unnecessary components/applications are not started, but that they are removed from your server image completely.
Some questions you should ask your cloud provider
- What steps have you taken to ensure the security of your infrastructure?
A competent cloud-services provider should be able to explain and demonstrate their approach to security.
- What guarantees can you offer with regard to data security (in terms of the privacy, integrity and availability of data)?
Some cloud-service providers expressly limit their liability/responsibility for security and availability in their terms and conditions.
- What additional services do you offer in order to enhance the security of your environment?
A competent cloud service provider should be able to offer a range of services from training and consulting to security management.
- What control do I have over security policies?
You should be able to define your own policies, over and above those that are already in place.
- What steps have you taken to limit the access that your own employees have to my data?
Access to your data by the employees of your cloud service provider should be strictly limited and heavily audited.
- How much resource (in terms of level of expertise and total headcount) do you dedicate to ensuring the security of your environment?
Some of the larger cloud services maintain very large teams of full-time security experts, working 24 hours a day to monitor their infrastructure and respond to security threats.
- What security standards and certifications do you hold?
While I’d always caution that “certification” only assures you that the organisation holding it was in compliance on the day the certification inspection took place, vendors that are willing to go through the process of obtaining certification are demonstrating a commitment to security. So look for adherence to key security standards and frameworks like FISMA, ISO 27001/2, and SSAE 16.
Sure… some data should never be exposed to any risk of seizure, but please use your common sense
I’m not about to argue that the cloud is the right place for all data. There are some bits of information that are best kept on a computer that doesn’t have any kind of network connection at all, for sure. And some data may be so sensitive that even if it does need to be connected to the internet you might prefer to (or be required to) manage its security yourself.
But for most of us, and for most data, it really is possible to deploy data into the cloud and be satisfied that it is as secure and safe as it needs to be.
The key is to use your common sense. In 2011 the US Government made just over 200 content requests under the provisions of FISA. Every request was reviewed by a judge, and three quarters of them were amended as a part of that process. Any data obtained under those orders will have been kept under strict conditions of privacy.
In the meantime some experts claim that in 2011 there were over a billion hacking attempts. If the hacker is successful, he or she isn’t going to bother with the red tape that law enforcement officials have to deal with. The hacker is going to sell your credit card numbers to the highest bidder.
So which of these two scenarios should you be most concerned about?
If you’re still paranoid, the only solution for you is to get off the net completely, live in a shack in the forest and make yourself a tinfoil hat
If your answer is still “The Patriot Act!” then perhaps the best route for you is to cancel all your internet services, close all your bank accounts, and find some wilderness to live in.
Don’t forget your tinfoil hat… the Americans are watching everything you do, you know!
And the Australians.
And the Brits.
And the Canadians.
And the Danish.
And the French.
And the Irish.
And the Spanish.