In Learning Tree’s Cloud Security Essentials course we talk about the USA PATRIOT Act and its chilling effect on the use of U.S. cloud services, especially by would-be customers in the European Union. (And we were doing this before the massive PRISM surveillance program was revealed.)
U.S. cloud providers have made it clear since 2011 that they will hand over even data physically stored in the EU to U.S. authorities, and what’s more, they won’t inform the data subjects if the government tells them to keep it secret (which almost certainly will be the case).
General Petraeus’ not-so-secret affair turned epic fail has brought some public attention to the issue of heavy-handed government access to data stored in the cloud.
The Electronic Communications Privacy Act was passed in 1986, and it carries some provisions that today seem odd. For example, it allows authorities to access e-mail messages more than six months old without a warrant from a judge; a subpoena is enough. Back in 1986, when most e-mail was handled with /usr/ucb/mail, sure. But today? Cloud-based e-mail encourages users to use their inbox as a “to-do list”, keeping messages there as reminders of long-term projects.
Now there is pressure in both directions. The government doesn’t want to wait a tedious six months for easy access to your e-mail; it wants it immediately and without the inconvenience of a subpoena. The Justice Department has issued so-called “2511 letters” immunizing AT&T and other carriers from prosecution for their part in communications interception that would be illegal under the Wiretap Act in the federal statutes.
CISPA, or the Cyber Information Sharing and Protection Act, would have overridden the Wiretap Act and legalized the widespread monitoring. Major carriers predictably wrote letters supporting CISPA, as it would have been a “keep out of jail card” for them.
The good news, as I see it, is that CISPA seems to be dead, while the U.S. Senate is advancing the ECPA Amendments Act. That bill would require government and law enforcement agencies to get warrants for all electronic communications regardless of their type, their age, or whether the legitimate recipient had already read them.
The FBI and others are making ominous complaints about the advantage this will give the standard threats, the Terrorists and the Child Pornographers, if they are forced to “go dark”. But the thing is, law enforcement was born and grew up “in the dark”. They only recently gained this ability to easily vacuum up vast collections of data on subjects and innocent citizens alike. How quickly that power becomes addictive…
Some of the cloud providers are fighting to limit government access, but only as far as they are able. Bloomberg has reported on the Digital Due Process coalition, which includes Google, Amazon, Microsoft, and others. Meanwhile, Forbes has reported how Microsoft and Google voluntarily revealed how often they turn over user data to U.S. and foreign governments (Microsoft turns it over less often within the U.S. but more often overseas).
We’ll see what happens. Meanwhile, I’ll have more on this next week.