The case against cloud privacy


Should you be worried about what you put in the cloud? There are some security and privacy issues that you do need to be aware of.

The issues around cloud computing range from security through compliance to data privacy. Perhaps the legal debate surrounding data privacy in the cloud reached its peak when the Australian government declared its position against the use of public cloud.

For prospective adopters of cloud computing, binding laws such as the US Patriot Act have brought risks to the table that most businesses are simply not comfortable dealing with. The USA Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (PATRIOT), more commonly known as the US Patriot Act, has served as the basis for one of the major criticisms of the cloud movement, especially among organisations outside the United States.

The effect of the Patriot Act on Australian data

The Patriot Act does three things to customer data:

1. The Patriot Act, despite being an American law, still applies to customers residing outside the US, such as those in Australia, because their data is stored in US-based data centres (or in data centres owned by US organisations). For instance, Office 365 customers in Australia have their data stored in Microsoft’s geographically scattered data centres, a majority of which reside in the US, which brings that data within the scope of the Patriot Act.

2. The Patriot Act also provides for access to both individual and corporate data by virtue of a court order issued by the Chief Justice of the United States. This court order is issued to the FBI, allowing immediate access to data without necessarily getting an individual’s or business’s consent.

3. The Patriot Act allows immediate handover of data to American government authorities without notification to the concerned party. This policy actually prohibits the cloud hosting company from disclosing such requests to its clients.

Other Laws Allowing Data Acquisition

The Patriot Act’s provisions concerning data privacy are not exclusive to it; in fact, a number of American and even Australian laws have almost the same binding principles. For instance, the Foreign Intelligence Surveillance Act (FISA) allows the FBI to acquire business records of third parties for foreign intelligence and international terrorism investigations. The Australia–United States Free Trade Agreement (AUSFTA), on the other hand, is another policy that actually permits the US to gain access to Australian business data regardless of where it is hosted (i.e. in the cloud using US servers, or within Australian grounds, hosted on-premises). Other countries in Asia where Australian data in Office 365 is stored, such as Singapore and Hong Kong, also impose policies with the same principle. The Computer Misuse Act in Singapore allows both international and local entities to gain access to data for the purpose of inspection and investigation.

Personal Data Ordinance

Does this mean that there is no data privacy on the cloud?

With all these policies in place, is it valid for businesses to infer that there is no privacy in the cloud? The answer here is a bit tricky. Yes, the American government can request data access, but in practice it doesn’t really exercise that right all the time. Realistically, customer data can be left practically untouched, almost as if there were no laws allowing the US government access to it.

An analysis of the intricacies of the US Patriot Act and the AUSFTA in relation to the long-established business practices of Australian companies, both those that maintain data locally and on-premises and those hosted in the cloud, suggests that although the policies around data acquisition are already in place, they would have little or no effect on businesses whose product or service portfolio doesn’t concern items that could be used for assault and terrorism. Furthermore, the US government’s power to gain data access is not a provision exclusive to the Patriot Act. America’s mutual legal agreements with various countries across the globe, including Australia, allow it to exercise that right in a utilitarian sense.

Want to know more? A more detailed white paper on TheCloudMouth.com discusses the legal scope of the Patriot Act and other policies that allow data acquisition regardless of host or location. Understand for yourself how these policies can have little or no effect on data hosted in the cloud. The white paper also discusses why legal arguments against cloud adoption are generally the result of insufficient understanding of the relevant laws, and are therefore not really a risk that can make or break a business’s direction in harnessing the tools that cloud computing has to offer.