In my discussions with end-user organizations around the world, the USA PATRIOT act often comes up as a concern for organizations when it comes to data security in a cloud world. The act, initially signed off by George W. Bush in 2001, is better looked at as its full name — the Uniting and Strengthening of America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act.
Quit a mouthful. However, note what the Act is there for. It is not to go out and willfully get business information: it is there as part of the reaction to the 9/11 terrorist attacks on the US.
The Act, however,includes some sections that worry many in the data security space. For example, it enables certain security forces to enter business premises and search through records — physical or electronic — without the agreement, or even knowledge, of the business owner. This has then been extrapolated to mean that data held on storage systems within a data center owned by a US-incorporated company could fall under these rules, i.e. even though a data center is physically in the UK, if the organization owning it is a US company, then the FBI can demand access to all the data in that facility — and the owning company will have to provide that access.
Firstly, this is not what the Act says, and as yet there is no precedence to show that such access would be allowed on another sovereign country’s soil.
Secondly, the Act is there for situations where there is distinct suspicions of terrorist links — it is not there for fishing expeditions against commercial organizations and their activities.
Thirdly — and herein lies the statement that will always be the bone of contention — what have you got to hide anyway? If all that your organization is doing is carrying out its day-to-day business, does it make much difference if the FBI, the CIA, or the NSA get hold of your company data? Is it likely that they will sell your strategy plans on to the competition? Are they going to take your customer details and place ads in the papers along the lines of, “The FBI — your one-stop-shop for email contact lists”?
Yes, I can hear the rumblings of the comments already: “It’s alright saying that you have nothing to hide until the Powers That Be descend on you, having had access to information about you that you were unaware was in the cloud, or that was incorrectly entered by someone.” OK… it’s a possibility. But as an organization, should I be losing sleep over the PATRIOT Act? I doubt it.
If you are reading this while wearing a tin-foil hat sitting under a reinforced table with the windows blocked out, then external data center facilities — cloud or co-locational — are probably not for you. If you have deep data security worries, then it may be that you need to choose a facility that is outside of the PATRIOT Act’s reach completely — non-US owned in a non-US location.
There could be one other solution: “Embassy” storage. In this scenario, the physical storage is placed within a specific cage in the data center facility. Preferably, the customer, not the facility owner, owns the physical storage. The cage is nominated as being part of whatever country the customer is headquartered in — so the storage can be deemed to be under the laws of Germany, France, the UK, or whatever. The PATRIOT Act then doesn’t reach the storage device itself — unless they want to get into the sort of issues that would be involved with entering another’s sovereign territory of an Embassy on US soil.
This needs agreement at a governmental level. It can be done — and Quocirca is aware of a couple of companies that have managed to take this approach — but it is not easy.
It may just be easier to be pragmatic and not worry… unless your business is a bit on the shady side?
Image credit: Wikimedia Commons