Bank of England CIO Peter Finch issued a misinformed warning in a recent article, telling companies that if your cloud provider is an “American company, it is likely that your data and processing is now subject to the American Patriot Act. And, if it is integrated to your infrastructure, it is likely that all your services are subject to the Patriot Act.” Such advice not only misinterprets and misrepresents US law, it misleadingly implies that US cloud providers are somehow both unable and unwilling to protect the data entrusted to them by their customers from US law enforcement agencies.
Finch’s statement is inaccurate. Here, I’ll highlight what you need to know about your data and the Patriot Act:
The USA Patriot Act, to give it its full acronym, was a measure that amended numerous other parts of US federal law, the majority of which have no relationship to, or impact on, the provision of cloud services. The amendments to law enforcement procedures did not, contrary to popular myth, create radically new means of law enforcement surveillance. Instead, the amendments expanded the reach of certain existing powers, while retaining the authorisation and oversight procedures and mechanisms designed to prevent abuse. It must also be noted that the powers granted to law enforcement under US law are not very different from those present in nearly every other major jurisdiction, especially the UK.
Cloud providers, like any persons, are required to comply with all applicable laws and regulations. Sometimes cloud providers are approached by law enforcement agencies to supply data in the furtherance of a criminal or national security investigation. The request may concern information generated by use of the service by a customer, also known as “traffic data”; information about the identity of the customer, or “subscriber data”; and the content of the data held and processed on behalf of the customer. The first two categories are generally considered to be under the control of the cloud provider and, subject to compliance with the appropriate formalities, may be disclosed without further reference to the customer.
Customer data is, and remains, the property of the customer throughout its processing under the cloud service. If a law enforcement agent wants to access such data, they need to obtain authorisation, usually from a court. Under US law, such an order will generally either require the provider to execute a search warrant and seizure request in respect of specified data, or deliver up specified data under “its possession, custody or control.”
Seizing and controlling data
The jurisdictional reach of a US search warrant is currently the subject of litigation in the US, brought by Microsoft and challenging a request for data held in their Irish data centre (In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, June 2014). Microsoft, with supporting submissions from Verizon, AT&T, Apple and Cisco, is arguing that US search warrants are limited to servers and infrastructure located in the US. While the outcome of this case is uncertain, a parallel legislative process is being actively pursued in Congress to enshrine such a jurisdictional limitation in US statute. The proposal has already received backing from the majority of the House of Representatives.
With a subpoena, the issue is whether customer data held by a cloud provider is under its “possession, custody or control.” In June 2013, former Rackspace General Counsel Alan Schoenbaum clearly and emphatically stated that Rackspace did not consider itself to have such “control” over customer data, both legally and practically. Rackspace would therefore not hand over customer data residing on infrastructure located in data centres outside the US. Similar declarations have since been issued by other providers, such as Verizon. In addition, the suggestion from Finch that these legal powers would also somehow extend to customer “integrated” infrastructure is completely erroneous.
Customer data would only ever be handed over in compliance with a formal inter-state mutual legal assistance (MLA) request, made through the domestic legal procedures of the foreign jurisdiction in which the data resides. Where customer data is the subject of a subpoena, the law enforcement agency is generally required to notify the customer. In addition, however, Rackspace is contractually committed to providing our customers with notification of any request, prior to any disclosure, to enable the customer to mount a legal challenge, where appropriate. Obviously, such notifications may not always be possible or permissible, depending on the nature of the investigation, but Rackspace will always push the requesting agency for such transparency wherever possible.
Rackspace offers customers an effective, efficient and robust processing environment for their data. Comprehensive data security measures to ensure the confidentiality, integrity and availability of your data lie at the heart of our service, protecting data from both accidental and deliberate loss or unauthorised disclosure. Disclosures to law enforcement agencies do inevitably occur, whether to US authorities or those of other nations including the UK, but these are infrequent and made only under highly regulated procedures designed to safeguard the interests of our customers to the highest degree.