The U.S. PATRIOT Act has a lot of non-U.S. companies wondering whether it is a sound practice to store data in a U.S. based cloud services organization. The concern is this: the cloud services provider may be obligated to turn over stored data on receipt of a National Security Letter, which is essentially a subpoena with a gag order.
But what if the customer is the legal owner of the data, and not the cloud services provider?
If legal contracts between the cloud services provider and its customers define customers as the owner of stored data, what happens when the cloud services provider receives a National Security Letter asking for that data? Can the provider say, “sorry – this is not our data, you need to ask the owner for it”?
I could see this going both ways. Using the precedent of wiretapping, the law enforcement agency issuing the subpoena might argue that data ownership is irrelevant.
* * *
While we’re on the topic of PATRIOT… I often wonder about non-U.S. companies’ concern about it. Rationale I sometimes hear is that storing data in the U.S. is riskier because of PATRIOT.
Let me assert this: in the interest of national security, any nation’s law enforcement or intelligence agencies are going to search and sieze data as needed, whether there are laws on the books or not. The fact that the U.S. has its PATRIOT Act only means that the U.S. is being more transparent about a practice that we all know is pervasive around the world. Taking this argument further, you could argue that storing data in the U.S. is safer, because at least the U.S. has laws governing the use of search and seizure in the name of national security. In countries without such laws, what will limit the reach of law enforcement and intelligence agencies?
* * *
Finally, I want to say that I am not expressing an opinion about PATRIOT – whether I agree with it or not. It is simply a fact to be dealt with.
* * *
References:
The Patriot Act and your data: Should you ask cloud providers about protection? – InfoWorld article, January 2012.
Patriot Act Threatens American Cloud Computing – Wall Street Cheat Sheet, January 2012.
Peter H. Gregory 