The Cloud

How Government Snooping Threatens the Cloud

New information about intelligence gathering in the United States has sparked concerns about Cloud security.
Ed ZwirnAugust 13, 2013

Early concerns about data security may have been assuaged at this point, allowing for the exponential growth of the Cloud. But recent leaks about the U.S. National Security Agency’s PRISM program and other intelligence-gathering activities in the United States have heightened a new variety of concerns about data security in the Cloud, particularly in Europe, according to a University of Amsterdam working paper.

Even before the leaks gave them a higher profile, “non-U.S. persons” had been subject to a series of laws, starting with 2001’s Patri­ot Act and continuing through the 2008 up­date of the Foreign Intelligence Surveillance Act, that have given the U.S. government increasing legal authority to obtain bulk access to data with only cursory oversight. The 2008 FISA amendments, enacted in the wake of 2005 disclosures about warrantless communications interceptions, were not only a “codification and legalization of these practices” but also extended their reach to the Cloud, according to a working paper by Joris van Hoboken, Axel Arn­bak and Nijo van Eijk of the University of Amsterdam’s Institute for Information Law.

And while many media reports in the U.S. have centered on the threats posed by surveillance activities to civil liberties guar­anteed by the 4th amendment, legal prec­edent does not extend these protections against unreasonable search and seizure to foreigners.

“U.S. foreign intelligence law provides a wide and relatively unchecked possibility of access to data from Europeans and other foreigners,” the authors write.

“The amendments to the Foreign Intel­ligence Surveillance Act in 50 USC 1881a (section 702) are of particular concern” insofar as the Cloud is concerned, because they are “technology neutral.” This provi­sion allows the U.S. to gain bulk access to data on non-U.S. persons located abroad and its reach goes far beyond wiretaps into surveillance of different kinds of commu­nication service providers, including those based in the Cloud, they write.

Concern about U.S. surveillance of companies operating in the Cloud appears to be particularly pronounced in Europe, where several governments, including the United Kingdom and the Netherlands, have announced projects for localized Clouds. These national Clouds would be “Patriot Act-proof,” according to their proponents.

In addition, much of this localization is taking place at a company level in Europe. In September 2012, Dutch telecommunica­tions provider KPN launched its own “na­tional” cloud, being one of many European providers to bill their Clouds as “Patriot-Act proof.”

“These developments will affect market conditions and competition, notably for U.S.-based Cloud services,” they write. “In addition, the possibility of foreign govern­mental access impacts the privacy of Cloud end-users and can cause chilling effects with regard to cloud computing use.”

According to the paper, calls for regula­tory action and termination of Cloud con­tracts are already starting to emerge — such as in cases of medical data storage in elec­tronic patient record systems and biometric data processing in relation to passports in The Netherlands.

And this could prove the start of a trend, they argue, if the concerns about data secu­rity from U.S. government surveillance are not sorted out on a global level.

“If transnational intelligence remains ob­scured by the Cloud, the various promises of the cloud, and electronic communica­tions in general, might stall,” they write.

Of course, there are already a lot of people with skin in the Cloud game, and this could provide impetus for govern­ments and international businesses to work things out.

“It will be hard, but considering all the interests involved in the transition to the Cloud, it must be possible to come to some agreement about restrictions on transna­tional intelligence gathering and stronger protections for non-U.S. persons in U.S. clouds,” van Hoboken, Arnbak and van Eijk write in their working paper.