Early concerns about data security may have been assuaged at this point, allowing for the exponential growth of the Cloud. But recent leaks about the U.S. National Security Agency’s PRISM program and other intelligence-gathering activities in the United States have heightened a new variety of concerns about data security in the Cloud, particularly in Europe, according to a University of Amsterdam working paper.
Even before the leaks gave them a higher profile, “non-U.S. persons” had been subject to a series of laws, starting with 2001’s Patriot Act and continuing through the 2008 update of the Foreign Intelligence Surveillance Act, that have given the U.S. government increasing legal authority to obtain bulk access to data with only cursory oversight. The 2008 FISA amendments, enacted in the wake of 2005 disclosures about warrantless communications interceptions, were not only a “codification and legalization of these practices” but also extended their reach to the Cloud, according to a working paper by Joris van Hoboken, Axel Arnbak and Nico van Eijk of the University of Amsterdam’s Institute for Information Law.
And while many media reports in the U.S. have centered on the threats posed by surveillance activities to civil liberties guaranteed by the Fourth Amendment, legal precedent does not extend these protections against unreasonable search and seizure to foreigners.
“U.S. foreign intelligence law provides a wide and relatively unchecked possibility of access to data from Europeans and other foreigners,” the authors write.
“The amendments to the Foreign Intelligence Surveillance Act in 50 USC 1881a (section 702) are of particular concern” where the Cloud is involved, because they are “technology neutral.” This provision allows the U.S. to gain bulk access to data on non-U.S. persons located abroad, and its reach goes far beyond wiretaps into surveillance of different kinds of communication service providers, including those based in the Cloud, they write.
Concern about U.S. surveillance of companies operating in the Cloud appears to be particularly pronounced in Europe, where several governments, including the United Kingdom and the Netherlands, have announced projects for localized Clouds. These national Clouds would be “Patriot Act-proof,” according to their proponents.
In addition, much of this localization is taking place at the company level in Europe. In September 2012, Dutch telecommunications provider KPN launched its own “national” cloud, making it one of many European providers to bill their Clouds as “Patriot Act-proof.”
“These developments will affect market conditions and competition, notably for U.S.-based Cloud services,” they write. “In addition, the possibility of foreign governmental access impacts the privacy of Cloud end-users and can cause chilling effects with regard to cloud computing use.”
According to the paper, calls for regulatory action and termination of Cloud contracts are already starting to emerge — such as in cases of medical data storage in electronic patient record systems and biometric data processing in relation to passports in the Netherlands.
And this could prove the start of a trend, they argue, if the concerns about data security from U.S. government surveillance are not sorted out on a global level.
“If transnational intelligence remains obscured by the Cloud, the various promises of the cloud, and electronic communications in general, might stall,” they write.
Of course, there are already a lot of people with skin in the Cloud game, and this could provide impetus for governments and international businesses to work things out.
“It will be hard, but considering all the interests involved in the transition to the Cloud, it must be possible to come to some agreement about restrictions on transnational intelligence gathering and stronger protections for non-U.S. persons in U.S. clouds,” van Hoboken, Arnbak and van Eijk write in their working paper.