This January 28 marks International Privacy Day. Different countries around the world are celebrating this day with their own events. This year, we are honoring the day by calling attention to recent international privacy threats and interviewing data protection authorities, government officials, and activists to gain insight into various aspects of privacy rights and related legislation in their own respective countries.
Does using cloud computing services based in the United States create a risk of US law enforcement access to people's data? The US Department of Justice (DOJ) seems to be trying to placate international concern by saying one thing in international fora; but it says something quite different in the US courts.
On January 18, a senior Justice Department official tried to reassure companies and people around the world that hosting their data in the United States creates no increased privacy risk for them from the US government. Deputy Assistant Attorney General Bruce Swartz noted: "Cloud computing has important advantages to consumers (but) doesn't present any issues that have not always been present. Certainly not regarding Internet service issues, but even before that."
Apparently, the DOJ is reacting to decisions by foreign entities to drop US-based services due to concerns about US government access, including British company BAE dropping Microsoft Office 365 and the Dutch government's hesitation about allowing its contractors to use US-based cloud services. In the past, Denmark and Canada have also voiced their concerns about the level of protection the United States can provide to their citizens’ data. EU public tenders of cloud services are also avoiding US cloud services for the same reasons. European-based companies, which have to comply with EU data protection law, see this opportunity as a competitive advantage, as do Australian cloud services.
Yet the DOJ's reassurances ring hollow. While the DOJ may spin its position one way to try to appease foreign audiences, its actual position is quite clear where it really matters: in US courts when it is trying to access subscriber information held by US-based cloud computing services. Indeed, the DOJ's position in its court filings is that very little, if any, privacy protection is available against US government access to the records of users of US-based cloud computing services.
EFF’s recent high-profile case involving DOJ access to Twitter customer records as part of the Wikileaks investigation demonstrates this. There, the DOJ has been unequivocal that cloud users have no right to challenge government access to the tremendous amount of "non-content" information held by these systems -- their location, their contacts, their communications patterns and more. In November 2011, the court agreed, holding that the Twitter users could not challenge the request for their information under the Stored Communications Act or under the constitution, chiefly on the grounds that having "given" their IP address and other information to Twitter in the US, they had no further privacy interest. The DOJ also stated that it has strong doubts about whether foreign users of US-based cloud services had any constitutional privacy rights at all.
In fact, Deputy Assistant Attorney General Swartz doesn't really say anything different. He says only that the issues predate the Internet. But that's no answer. The truth is that the Internet has made it much, much easier for companies and individuals to use services based in the United States for very sensitive activities. Before the Internet it was highly unlikely that a US company hosted personal conversations between loved ones in Germany, reports from medical providers in Israel, or sensitive business dealings like potential bids on a government project in the Netherlands. And with that ease comes a treasure trove of information now available to the DOJ about foreigners who use those services (and about Americans, too).
Perhaps the most disingenuous comment came when Swartz said, “the US government is as committed to privacy and civil liberties as much as or more so than any nation on the planet.” The reality is that other nations have adopted comprehensive data protection regulations that forbid companies to transfer their customers’ data to a third country without the customers’ consent, or if the country does not provide an adequate level of protection; the United States is considered to have a lower level of protection.
In the end, no amount of spin aimed at international audiences can hide the underlying facts. The US government believes that when you use a US-based cloud service, you have no ability to prevent the government from having access without a warrant under either the Stored Communications Act or the constitution. Lawyers call this the "third party problem" and we were heartened earlier this week when Supreme Court Justice Sotomayor strongly criticized the position that the government has been taking in cases across the US.
Until this problem is fixed, US DOJ officials' reassurances about the privacy protections of US cloud computing services should be met with strong skepticism, both internationally and here at home.
Update: We’ve had a few discussions about this post over the past few weeks, and based upon those, we wanted to issue a couple of clarifications:
First, it has been pointed out to us that the statement by the DOJ official about cloud computing was based not on the scenario in which data is stored in the US by US-based cloud computing companies, but instead about data physically stored overseas but in the care of US-based cloud computing companies. While the press reporting wasn’t all that clear, we think that is a fair point. The nuances of this distinction are subtle but worth discussion.
So we were correct that if data is hosted in the US by US companies (or hosted in the US by companies based overseas), the government has taken the position that it is subject to U.S. legal processes, including National Security Letters, 2703(d) Orders, Orders under section 215 of the Patriot Act and regular warrants and subpoenas, regardless of where the user is located. This was particularly troubling in the context of the Twitter case since our client, Birgitta Jonsdottir, likely had absolute immunity from this intrusion under Icelandic law as a member of Iceland’s Parliament.
But the issue the DOJ official was apparently addressing was whether the US can have access to information stored in the cloud with US-based companies but physically hosted overseas. And a related question is whether this it different for foreign-based corporations who store data overseas but who are otherwise subject to US law because they have branches or otherwise have sufficient contacts in the US. EFF is working on a broader analysis of that issue, which is somewhat complex, which we hope to publish soon. But for starters, the legal standard for production of information by a third party, including cloud computing services under US civil (http://www.law.cornell.edu/rules/frcp/rule_45) and criminal (http://www.law.cornell.edu/rules/frcrmp/rule_16) law is whether the information is under the "possession, custody or control" of a party that is subject to US jurisdiction. It doesn’t matter where the information is physically stored, where the company is headquartered or, importantly, where the person whose information is sought is located. The issue for users is whether the US has jurisdiction over the cloud computing service they use, and whether the cloud computing service has “possession, custody or control” of their data, wherever it rests physically. For example, one could imagine a situation in which a large US-based company was loosely related to a subsidiary overseas, but did not have “possession, custody, or control” of the data held by the subsidiary and thus the data wasn’t subject to US jurisdiction.
A second point of confusion that is worthy of clarification is the relationship between private companies that collect and share your information and the terms under which a government agency like the police can access that data. For data hosted within the EU by a provider located ('established') within the EU, the cloud provider -- whether based in the US or the EU -- would be subject to EU law. That means that all provisions of the European data protection legislation would apply, including the rules under the European Directive that require that companies collect personal data only for specified, explicit, and legitimate purposes and prevents them from further processing the data in a way incompatible with those purposes. This rule generally supports companies in collecting and keeping less data. Since we're talking about private companies collecting our personal information, the less data companies collect and keep, the less they have to hand over to the police, so this private sector rule has governmental access implications that favor the EU. Note that although the European Union has adopted a draconian Mandatory Data Retention Directive, which compels ISPs and telco providers to record traffic data, this directive does not cover cloud-related data.
Two smaller notes: first, while some reporting has asserted that the problem of US government access to data stored in the cloud was created by the Patriot Act, it's really not. It's much older, but as we noted previously it's a problem that is getting bigger because of the growth of cloud computing, now reaching ordinary people and small businesses that use cloud services, not just sophisticated companies. Second, our focus here is on the US DOJ's demands for cloud computing data, something that is particularly important since so many cloud providers are based here and the US government has been taking an aggressive stand on government access, but foreign jurisdictions also have the ability to demand disclosure of information stored within their borders. So anyone using cloud hosting that is concerned about government access has to decide which governments they are most concerned about accessing their data and records and choose their provider accordingly.