Dangerous assumptions about clouds
Attorneys Christopher Wolf and Winston Maxwell debunk common assumptions about 'local clouds', the Patriot Act, and (many) governments' access to data
By Christopher Wolf and Winston Maxwell, Hogan Lovells
July 31, 2012 — CSO —
No one is more vigilant about protecting the data of EU citizens than European Commission Vice-President Viviane Reding. She is spearheading and vigorously advocating for the Commission's proposals to update and modernize the privacy framework in Europe through a detailed new Regulation. She worries a lot about the privacy and security of EU citizens' data. And she can be a tough critic of the US privacy protection framework.
But even Commissioner Reding had to cry foul late last year when she saw the advertising of an EU Cloud Computing service suggesting that its geographic location would protect data from the reaches of the USA Patriot Act.
That episode prompted Mrs. Reding to issue a reminder about the importance of the free flow of data between the continents. Her comments reflected an understanding that Europeans need access to the best Cloud services regardless of geography and that to enjoy the full benefits of Cloud computing, there cannot be a balkanized system of Clouds around the world where as one commentator put it, "the fuzzy Internet cloud becomes a series of neatly divided gas bubbles."
Mrs. Reding no doubt was aware when she objected to the notion of an "EU Cloud" that even European countries with strict privacy laws also have anti-terrorism laws that allow expedited government access to Cloud data. Indeed, France's anti-terrorism law has been said to make the Patriot Act look "namby-pamby" by comparison.
While the Patriot Act continues to be invoked as a kind of shorthand to express the belief that the United States government has greater powers of access to personal data in the Cloud than governments elsewhere, and that "local clouds" are the solution, a recent study we conducted of the laws of Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, United Kingdom—and the United States—shows that it is simply incorrect to assume that the United States government's access to data in the Cloud is greater than that of the other advanced economies.
Law enforcement and national security officials have broad access to data stored locally with Cloud service providers in the countries we investigated. Our research found that that it is not possible to isolate data in the Cloud from governmental access based on the physical location of the Cloud service provider or its facilities, and that Governments' ability to access data in the Cloud extends across borders.
Notably, every single country that we examined vests authority in the government to require a Cloud service provider to disclose customer data in a range of situations. Moreover, some governments permit invasive investigatory measures of Cloud providers when the investigation concerns national security.
For example, the German Federal Office of Criminal Investigation (BKA) may, in investigations involving terrorism or national security, use a "Federal Trojan" (a government-issued computer virus) to search a Cloud provider's servers, monitor ongoing communications, or collect communication traffic data without the knowledge of the target. In addition, the G10 Act provides German intelligence services with the authority to monitor and record telecommunications without a court order in investigation of a serious crime or a threat against national security, such as terrorism.