Department of Justice Misdirection on Cloud Computing

Wednesday, February 08, 2012

Article by Cindy Cohn

Does using cloud computing services based in the United States create a risk of US law enforcement access to people's data?  

The US Department of Justice (DOJ) seems to be trying to placate international concern by saying one thing in international fora; but it says something quite different in the US courts.

On January 18, a senior Justice Department official tried to reassure companies and people around the world that hosting their data in the United States creates no increased privacy risk for them from the US government.

Deputy Assistant Attorney General Bruce Swartz noted: "Cloud computing has important advantages to consumers (but) doesn't present any issues that have not always been present. Certainly not regarding Internet service issues, but even before that."

Apparently, the DOJ is reacting to decisions by foreign entities to drop US-based services due to concerns about US government access, including British company BAE dropping Microsoft Office 365 and the Dutch government's hesitation about allowing its contractors to use US-based cloud services.

In the past, Denmark and Canada have also voiced their concerns about the level of protection the United States can provide to their citizens’ data. EU public tenders of cloud services are also avoiding US cloud services for the same reasons. European-based companies, which have to comply with EU data protection law, see this opportunity as a competitive advantage, as do Australian cloud services.

Yet the DOJ's reassurances ring hollow. While the DOJ may spin its position one way to try to appease foreign audiences, its actual position is quite clear where it really matters: in US courts when it is trying to access subscriber information held by US-based cloud computing services.  Indeed, the DOJ's position in its court filings is that very little, if any, privacy protection is available against US government access to the records of users of US-based cloud computing services.

EFF’s recent high-profile case involving DOJ access to Twitter customer records as part of the Wikileaks investigation demonstrates this. There, the DOJ has been unequivocal that cloud users have no right to challenge government access to the tremendous amount of "non-content" information held by these systems -- their location, their contacts, their communications patterns and more.

In November 2011, the court agreed, holding that the Twitter users could not challenge the request for their information under the Stored Communications Act or under the constitution, chiefly on the grounds that having "given" their IP address and other information to Twitter in the US, they had no further privacy interest [1]. The DOJ also stated that it has strong doubts about whether foreign users of US-based cloud services had any constitutional privacy rights at all. 

In fact, Deputy Assistant Attorney General Swartz doesn't really say anything different. He says only that the issues predate the Internet.  But that's no answer.  The truth is that the Internet has made it much, much easier for companies and individuals to use services based in the United States for very sensitive activities.

Before the Internet it was highly unlikely that a US company hosted personal conversations between loved ones in Germany, reports from medical providers in Israel, or sensitive business dealings like potential bids on a government project in the Netherlands. And with that ease comes a treasure trove of information now available to the DOJ about foreigners who use those services (and about Americans, too).

Perhaps the most disingenuous comment came when Swartz said, “the US government is as committed to privacy and civil liberties as much as or more so than any nation on the planet.” The reality is that other nations have adopted comprehensive data protection regulations that forbid companies to transfer their customers’ data to a third country without the customers’ consent, or if the country does not provide an adequate level of protection; the United States is considered to have a lower level of protection.[2]

In the end, no amount of spin aimed at international audiences can hide the underlying facts. The US government believes that when you use a US-based cloud service, you have no ability to prevent the government from having access without a warrant under either the Stored Communications Act or the constitution.

Lawyers call this the "third party problem" and we were heartened recently when Supreme Court Justice Sotomayor strongly criticized the position that the government has been taking in cases across the US. 

Until this problem is fixed, US DOJ officials' reassurances about the privacy protections of US cloud computing services should be met with strong skepticism, both internationally and here at home.

[1] Technically, the court, at the urging of the DOJ, accomplished this in two steps: First, it decided that there was no statutory standing under the Stored Communications Act. Second, it found that there was no constitutional claim because there was no "reasonable expectation of privacy" in the Twitter users' information. And as to foriegners specifically, those "non-nationals, non-citizen, non-residents of the US" that the DOJ official is trying to convince to use cloud computing, the DOJ indicated in its Twitter briefs (on February 1, 2011, footnote 4) that it believed that no constitutional protections should ever reach them.

[2] General data protection laws are no longer a European phenomenon. A study done by Graham Greenleaf shows that there are now 29 legal frameworks that protect privacy outside Europe, 78 national data privacy laws in total.

Cross-posted from the Electronic Frontier Foundation

Possibly Related Articles:
Cloud Security
Legal Privacy Cloud Security Enterprise Security Storage Disclosure Government Cloud Computing Managed Services Third Party DOJ Law Enforcement Search Warrant Electronic Frontier Foundation EFF Cindy Cohn
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.