Thursday, December 6, 2012
Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act
While viewing the matter from a Dutch perspective, this paper, titled "Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act", and written by legal experts at the University of Amsterdam's Institute for Information Law, outlines the privacy implications of Cloud based storage in this 'post 9/11 world'.
I found the following lines particularly striking: "The transition to cloud computing will, in principle, result in a lower degree of autonomy for higher education and research institutions in terms of requests for information of the type discussed above. In this light, the specific risks run in the case of certain categories of data need to be carefully examined. This should include the question whether there are data for which a lack of autonomy would be unacceptable."
In essence, the situation boils down to this: US law enforcement services can gain access to your Cloud data, even on a server outside of United States, if the data is hosted by a provider that conducts business with United States.
Another striking paragraph near the end of the paper states: "In general, this report brings to light that there are limits for institutions of higher education and research to legally safeguard the confidentiality and security of data once they engage cloud computing services from providers who ‘conduct business in the United States’. Neither contractual agreements nor general legal provisions in the Netherlands can change this undesirable situation for these institutions. In this specific sense the use of cloud computing services curtails the autonomy, control and the information position of the institutions, which may jeopardize the intellectual freedom of staff and students in higher education in the Netherlands. The fact that the confidentiality of information cannot be guaranteed may damage the reputation of these institutions. Additionally, the transition to cloud computing could create new opportunities for the U.S. government to access information in the future (function creep). The threat of actual access to data is permanent and may negatively affect the extent to which scholars are willing and able to communicate (chilling effect)."
A CBS News article, titled "Patriot Act can 'obtain' data in Europe, researchers say", which outlines the implications of this paper as well, can be read here.
In any case, the abstract of the paper follows. The full text is available here.
Institutions have started to move their data and ICT operations into the cloud. It is becoming clear that this is leading to a decrease of overview and control over government access to data for law enforcement and national security purposes. This report looks at the possibilities for the U.S. government to obtain access to information in the cloud from Dutch institutions on the basis of U.S. law and on the basis of Dutch law and international co-operation. It concludes that the U.S. legal state of affairs implies that the transition towards the cloud has important negative consequences for the possibility to manage information confidentiality, information security and the privacy of European end users in relation to foreign governments.
The Patriot Act from 2001 has started to play a symbolic role in the public debate. It is one important element in a larger, complex and dynamic legal framework for access to data for law enforcement and national security purposes. In particular, the FISA Amendments Act provision for access to data of non-U.S. persons outside the U.S. enacted in 2008 deserves attention. The report describes this and other legal powers for the U.S. government to obtain data of non-U.S. persons located outside of the U.S. from cloud providers that fall under its jurisdiction. Such jurisdiction applies widely, namely to cloud services that conduct systematic business in the United States and is not dependent on the location where the data are stored, as is often assumed. For non-U.S. persons located outside of the U.S., constitutional protection is not applicable and the statutory safeguards are minimal.
In the Netherlands and across the EU, government agencies have legal powers to obtain access to cloud data as well. These provisions can also be be used to assist the U.S. government, when it does not have jurisdiction for instance, but they must stay within the constitutional safeguards set by national constitutions, the European Convention on Human Rights and the EU Charter.
See the full paper here...