Law Enforcement Access To Data In The Cloud

Bank of England CIO Peter Finch issued a misinformed warning in a recent article, telling companies that if your cloud provider is an “American company, it is likely that your data and processing is now subject to the American Patriot Act. And, if it is integrated to your infrastructure, it is likely that all your services are subject to the Patriot Act.” Such advice not only misinterprets and misrepresents US law, it misleadingly implies that US cloud providers are somehow both unable and unwilling to protect the data entrusted to them by their customers from US law enforcement agencies.

Finch’s statement is inaccurate. Here, I’ll highlight what you need to know about your data and the Patriot Act:

Patriot Act

The USA Patriot Act, to give it its full acronym, was a measure that amended numerous other parts of US federal law, the majority of which have no relationship to, or impact on, the provision of cloud services. The amendments to law enforcement procedures did not, contrary to popular myth, create radically new means of law enforcement surveillance. Instead, the amendments expanded the reach of certain existing powers, while retaining the authorisation and oversight procedures and mechanisms designed to prevent abuse. It must also be noted that the powers granted to law enforcement under US law are not very different from those present in nearly every other major jurisdiction, especially the UK.

Requested data

Cloud providers, like any persons, are required to comply with all applicable laws and regulations. Sometimes cloud providers are approached by law enforcement agencies to supply data in the furtherance of a criminal or national security investigation. The request may concern information generated by use of the service by a customer, also known as “traffic data”; information about the identity of the customer, or “subscriber data”; and the content of the data held and processed on behalf of the customer. The first two categories are generally considered to be under the control of the cloud provider and, subject to compliance with the appropriate formalities, may be disclosed without further reference to the customer.

Customer data is, and remains, the property of the customer throughout its processing under the cloud service. If a law enforcement agent wants to access such data, they need to obtain authorisation, usually from a court. Under US law, such an order will generally either require the provider to execute a search warrant and seizure request in respect of specified data, or deliver up specified data under “its possession, custody or control.”

Seizing and controlling data

The jurisdictional reach of a US search warrant is currently the subject of litigation in the US, brought by Microsoft and challenging a request for data held in their Irish data centre (In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, June 2014). Microsoft, with supporting submissions from Verizon, AT&T, Apple and Cisco, is arguing that US search warrants are limited to servers and infrastructure located in the US. While the outcome of this case is uncertain, a parallel legislative process is being actively pursued in Congress to enshrine such a jurisdictional limitation in US statute. The proposal has already received backing from the majority of the House of Representatives.

With a subpoena, the issue is whether customer data held by a cloud provider is under its “possession, custody or control.” In June 2013, former Rackspace General Counsel Alan Schoenbaum clearly and emphatically stated that Rackspace did not consider itself to have such “control” over customer data, both legally and practically. Rackspace would therefore not hand over customer data residing on infrastructure located in data centres outside the US. Similar declarations have since been issued by other providers, such as Verizon. In addition, the suggestion from Finch that these legal powers would also somehow extend to customer “integrated” infrastructure is completely erroneous.


Customer data would only ever be handed over in compliance with a formal inter-state mutual legal assistance (MLA) request, made through the domestic legal procedures of the foreign jurisdiction in which the data resides. Where customer data is the subject of a subpoena, the law enforcement agency is generally required to notify the customer. In addition, however, Rackspace is contractually committed to provide our customers with notification of any request, prior to any disclosure, to enable the customer to mount a legal challenge, where appropriate. Obviously, such notifications may not always be possible or permissible, depending on the nature of the investigation, but Rackspace will always push the requesting agency for such transparency wherever possible.

Rackspace offers customers an effective, efficient and robust processing environment for your data. Comprehensive data security measures to ensure the confidentiality, integrity and availability of your data lie at the heart of our service; protecting data from both accidental and deliberate loss or unauthorised disclosure. Disclosures to law enforcement agencies do inevitably occur, whether to US authorities or those of other nations including the UK, but this is infrequent and only under highly regulated procedures designed to safeguard the interests of our customers to the highest degree.

Tiffany has been a Racker since November 2007, when she became our first in-house counsel, bringing with her a pedigree of legal experience from Martineau Johnson Solicitors and over a decade of adventures in various international sales and marketing positions. Tiffany has been leading our International Legal Team for a number of years as VP Legal International, and is one of the longest serving members of our International Leadership Team (ILT). In February 2013 she added the International HR team to her legal role, being appointed as VP for both Legal and HR for the International Rackspace business. Tiffany is truly passionate about Rackspace culture and our mission to ensure that every Racker feels that they are a valued member of a winning team on an inspiring mission. She is particularly proud of our determined drive to achieve this by offering a world-class working environment that encourages each of us to give our very best every day. Tiffany believes that it is our fellow Rackers that make this a great company, and that we are fortunate in being able to attract the very best, smartest, and most interesting employees. She thrives on the high energy levels that drive and sustain us on the road to be the very best service company in the world. As a member of the ILT and our Global Senior Leadership Team, Tiffany has also played a huge part as a Rackspace culture warrior. With her significant help, the UK business achieved several great engagement results in 2013, rising to the No. 4 ranking in the Great Places to Work list and No. 7 ranking in the Sunday Times Best Companies to Work For survey. Above all else, Tiffany is a true Rackspace servant leader, living out our Core Values in all she does.


  1. Well this is a rather long-winded way to officially admit that Rackspace is willing to (and probably already has) handed over customer data to a third party. Thanks for the admission. I’ll be sure to steer clear of your services.

  2. The trick? Educate people as to how to properly protect their data (through strong encryption, proper disposal of sensitive data, etc.) *before* it even touches the wire, let alone enters the cloud. Job done. If your data is locally encrypted prior to transmission and storage on a cluster of remote servers, NO ONE CAN MESS WITH IT, even criminal enterprises like the NSA, if properly done.

