The signing into law of the Clarifying Lawful Overseas Use of Data Act earlier this year has not gone unnoticed among the privacy or law enforcement communities.
Its intention was to simplify the process for the U.S. government to gain access to potentially vital data in the interest of national security when held on foreign soil, without impinging on the privacy rights of the individual or the duties of the cloud service provider to protect those rights.
But what does this mean? And why was it necessary?
The U.S. government has repeatedly found itself in conflict with the cloud industry when trying to access data relevant to national security stored by U.S. CSPs. Despite these CSPs being U.S.-headquartered, the very nature of cloud computing often meant that the data itself would not be stored in the U.S. This in turn meant that the data was subject to the privacy laws of the local territory, making a CSP’s compliance with a U.S. warrant to disclose the data illegal and also contrary to its duty to protect the privacy of its customers and subscribers. This is the exact situation highlighted in the U.S. government’s recent case with Microsoft and access to its data in Ireland.
In such a situation, the U.S. government’s main recourse would then be to pursue the diplomatic processes of either a local warrant or a Mutual Legal Assistance Treaty with the country in question. However, these processes are inherently slower and typically politically sensitive, which explains why they were not employed in the Microsoft case, a case that resulted in a stalemate and legal conundrum.
In essence, the principal benefit of cloud computing – the fact that data is stored in multiple locations to improve access, resilience and performance – was too often in conflict with the U.S. government’s interests of ensuring national and international security.
The CLOUD Act was designed to solve these ethical and legal dilemmas facing both the cloud industry and the government.
At a basic level, the new legislation simultaneously gives the government the right to access data even when stored abroad and also gives the CSP the right to quash the warrant if complying would be contradictory to local privacy laws.
These rights have naturally spawned heated debate between law enforcement and privacy advocates over international security and personal privacy. The Electronic Frontier Foundation, for example, considers the lack of judicial review within the CLOUD Act to be a massive overreach on the part of the U.S. government that contravenes the norms of international law.
But there is another issue at stake that has received far fewer column inches, perhaps because it is less obvious.
How does the CLOUD Act impact CSPs?
CSPs will have welcomed the CLOUD Act, especially in light of the Microsoft case. Indeed, many of the largest ones, Microsoft and Apple included, supported its introduction.
Before the CLOUD Act, the cloud industry’s quiet fear was that if the U.S. government was allowed to access the Microsoft data in Ireland, it would show the international community that local privacy laws were not enough to deny requests for data relevant to a given country’s national security. This precedent would likely lead to various countries demanding access to data wherever it is stored, though most often in the U.S. These demands would naturally be challenged, leading to drawn-out legal battles, in turn leading to missed opportunities to prosecute or worse, prevent terrorist acts.
As Gregory Nojeim, director of the Freedom, Security, and Technology Project at the Center for Democracy & Technology, put it, “Countries around the world would be insisting that their legal process compels Microsoft and other providers to disclose data that they hold in the United States, which would result in chaos.”
The feared response to this potential chaos was that to bypass the political difficulty of accessing data abroad, more and more countries would legislate that CSPs be required to guarantee that data on their citizens remained strictly within their own borders. Such guarantees would be a technologically difficult and expensive step for most CSPs, especially the largest ones, as brought into focus by legislation such as the EU General Data Protection Regulation.
But the CLOUD Act mitigated this danger. Because CSPs now have a legal right to quash warrants when disclosure is contrary to local laws, the indirect impact of the Act is that MLATs will become more likely. This will encourage the U.S. to simplify the processes around them in order to make accessing data abroad easier. And because MLATs are bilateral, foreign countries will be simultaneously afforded the same ease of access to data stored in the U.S. (unless it is data on a U.S. citizen), removing the temptation to be protectionist about their citizens’ data, and in turn removing the danger of additional costs to CSPs.
What all this means is that on the face of it, the CLOUD Act preserves the status quo.
But I thought you said the CLOUD Act affects CSPs?
Well actually, it should. Fundamentally because privacy in the cloud is an increasingly complicated space, and the CLOUD Act, despite its intentions, has not simplified matters.
The CLOUD Act is by no means the only data privacy legislation at play here. The U.S. has many mechanisms available to it through which national security data may be demanded, including the USA FREEDOM Act and the FISA Amendments Act of 2008 (re-confirmed in January this year). How the CLOUD Act will interact with these remains to be seen.
Also, the very foundations of the CLOUD Act are MLATs, which the U.S. will now clearly pursue with as many countries as possible. It already has MLATs with many countries, and it is in the process of applying with others. There are then those countries with whom MLATs were rejected, or are being amended. For example, the potential MLAT between the U.S. and the U.K. was nullified by the EU last year but is now in motion again.
All in all, the CLOUD Act’s legislative landscape is blurry to say the least. But this ambiguity, far from being peculiar to the CLOUD Act, is in fact symptomatic of a far wider problem for businesses relying on the cloud.
Privacy has become such a potent issue that the international community, individual governments and even various industry sectors have all deemed it important enough to create their own rules. This constantly growing variety means that businesses are likely to be obliged to conform with a huge number of privacy requirements – each with its own complications and many of which may conflict.
For example, a single international health insurer could need to be simultaneously watchful of the CLOUD Act, the GDPR, Canada’s PIPEDA, Singapore’s PDPA, HIPAA and the data privacy requirements of any number of financial services regulators. And that is by no means an exhaustive list.
The impact of this confusion on CSPs is not on the technology within their service, but on their duty to their customers.
A significant proportion – if not the majority – of any CSP’s customers will be highly conscious of where their data resides, or may end up. These businesses will naturally look to their CSP for advice on how best to store their data, and particularly how to ensure a balance between the practical considerations of access and availability alongside their privacy obligations, all while ensuring that the ambition to innovate is not undermined. This will require a new breed of CSP, comfortable advising on both technical and legislative queries with impartiality, authority and accuracy.
In fact, despite the technical complexity of cloud service provisions, it is probably the privacy side of the equation that entails the most intricacy and even depth of knowledge.
This burden will surely become all the greater as society’s use of technology evolves. The GDPR was a direct response to the inadequacy of existing privacy regulations in the internet age. Similar realizations in the near future, such as how IoT data is used or how smart cities are lived in, will trigger comparable reactions and new legislation, and in faster timeframes than the GDPR.
At the center of all this is of course the way in which businesses collect, store and monetize their data, creating this firm duty for CSPs to be able to provide clients with practical and legally accurate advice on how best to preserve the ambition of innovation, alongside protecting the privacy rights of data subjects.
However, too few CSPs are currently equipped to do so. The focus on cloud service contracts is now less about latency, uptime and reliability, and infinitely more to do with supporting a client’s data privacy obligations. Most CSPs see privacy legislation as an obstacle that their terms and conditions need to circumvent, rather than a business issue that their clients need active input on.
Most CSPs will not – perhaps cannot – evolve to support their clients in this manner. A policy of "caveat emptor" will persist. But not for the more prudent CSPs, for whom ethics, privacy and the provision of appropriate cloud service are non-negotiable. These CSPs will inevitably be the future of the cloud industry.