Politico is running a fantastic piece on the problems that the PATRIOT Act is raising for American cloud companies in the market for overseas customers. The piece details how foreign cloud customers are worried that the US government will use its expanded surveillance powers to snoop on any data that’s stored on US soil, so they’re eschewing US-based cloud providers in favor of the competition. Non-US competitors are explicitly feeding this trend by raising the specter of US government data snooping as part of their bids for business, a tactic that seems to be working in some cases.
The piece quotes a number of lobbyists and government officials to the effect that all of this PATRIOT-based fear is just so much FUD and misinformation, but I’m not so sure. I’ve been covering the growth of computer-automated mass surveillance for over a decade, and cloud for the past few years, and I see the following factors as a serious problem for stateside cloud providers:
1. Private sector policies with respect to sharing data with law enforcement are not uniform across cloud providers, and they’re often not completely clear in how they’re stated.
2. Nasty surprises routinely crop up in the press, where we learn that this or that company is turning over customer data to the feds.
3. On a more general level, the US government has shown that when it comes to surveillance, it’s willing to ignore the law time and again.
4. US government agencies don’t trust their own sensitive data to foreign clouds, and often require that such data be stored in a US-based datacenter.
5. Contrary to what cloud companies and lobbyists would have you believe, the PATRIOT Act really does give the US government very broad powers to get their mitts on your data without you ever knowing about it.
With respect to number one above, the wide variation in different companies’ willingness to share customer data with law enforcement without putting up a fight is, fairly or unfairly, a black mark on the entire US cloud sector. Sprint, for instance, just loves to hand user data over to local, state, and federal law enforcement, so much so that it built a special portal that lets officials log in and pull down all kinds of info on millions of customers without any questioning or hand-holding from the carrier.
At the other end of the spectrum is Google, which at least claims to put up a fight when the cops come snooping. But look at Google’s FAQ for Gmail security and privacy:
> Like other technology and communications companies, we receive requests from government agencies around the world to provide information about users of our services and products. Like any law-abiding company, Google sometimes may be legally required to share information with law enforcement. However, before sharing any information we first scrutinize a request to make sure that it complies with both the spirit and the letter of the law—and we may refuse to produce information or try to narrow the request. When possible and legally permissible, we notify the user in order to give him or her the opportunity to object.
You’d need a team of psychic lawyers to ferret out the precise circumstances under which your data will get handed over without your knowledge. I say “psychic” lawyers, because your lawyers would have to know exactly how Google’s lawyers would interpret a specific law enforcement request so that they could give you some confidence about how likely your data is to end up in the government’s hands.
As for the drumbeat of nasty surprises, one of the earliest I recall was when Wired reported that AT&T had let the NSA build a secret room in one of its network facilities, for the purpose of snooping Internet traffic. These sorts of revelations have come out steadily over the past few years, up to and including the aforementioned Sprint law enforcement portal.
Then there’s the government’s generally cavalier attitude towards the law’s limits on surveillance, which was most prominently on display in the NSA wiretapping scandal. AT&T and Verizon broke the law in giving the government access to their traffic without a warrant, and then, when the whistle was blown on the whole affair, Congress retroactively legalized their actions so that they couldn’t be sued by customers. As part of this grant of retroactive immunity, Congress also explicitly granted the NSA a free hand to spy on foreigners on American soil without any warrant or oversight.
To the fourth point above, as the Politico piece itself points out, there are plenty of local, state, and federal agencies in the US that won’t permit their own data to be stored on foreign soil. This requirement is so widespread that Amazon has launched a whole cloud offering dedicated to serving agencies and contractors that have geographic requirements. So why shouldn’t foreign governments and companies reciprocate with similar homeland-only restrictions? If the US government doesn’t trust foreign cloud providers, then why should foreign customers trust US cloud providers?
Finally, the PATRIOT Act gives the feds secret powers to subpoena data from providers and to use gag orders so that those providers can’t tell a customer that his or her data has been turned over to the authorities. The National Security Letters (NSLs) that the feds use to get data and impose gag orders were created by the PATRIOT Act, and a 2010 audit by the DoJ and OIG found that these letters have been massively, systemically abused by the FBI.
Ultimately, these PATRIOT Act concerns around cloud computing are very real, and accusing the foreigners of FUD and ignorance isn’t going to overcome the twin forces of an American government that has repeatedly shown a willingness to act outside the law and a private sector that either actively cooperates or fails to put up much of a fight. American cloud providers are now caught between these two forces, and they’ll be squeezed to our economy’s detriment.
It pains me a great deal to say this, but anyone who is concerned about having their data handed over to the feds in secret (especially their email, which law enforcement can access without a warrant if it has been stored on a third-party server for at least six months) has absolutely no business using a US-based cloud.