In recent months, European purchasers of cloud services have expressed concern about the idea the U.S. government might be able to obtain access to data stored outside the United States by a cloud service provider that’s based in the U.S. or is a subsidiary of a U.S. company. They point to the USA Patriot Act as the magic wand that allows the U.S. government unrestricted access to any data, anywhere, anytime. In fact, the actual impact...
of the Patriot Act in this cloud context is negligible.
The Patriot Act was signed into law in 2001 after the September 11 attacks. The document is primarily a combination of amendments to existing laws from the 1970’s and 1980s, designed to make it easier for the U.S. government, in the context of criminal investigations, to conduct surveillance and access data with the purpose of preventing, detecting and investigating terrorist acts.
Consequently, investigations are not started lightly; having to prepare so many reports and statements would already be a deterrent.
For example, previously, if law enforcement needed to have access to data held by communication providers in multiple states, it would have to seek separate search warrants from separate judges. The Patriot Act allowed for this type of investigation to require only one search warrant obtained from one federal judge. This streamlined the process for U.S. government searches in certain cases, but did not change the underlying right of the government to access the data under applicable laws and prior court decisions.
To the extent the U.S. government can access data, it is not through the Patriot Act, but through decades-old laws and judicial decisions providing for extraterritorial power in limited circumstances. It’s not easy for the government to access data; many rules and requirements make it a complex process. An examination of these rules undercuts concerns involving the Patriot Act and cloud providers based in the U.S.
Rules for government access to data
In the U.S.,numerous laws govern the circumstances and manner in which a state or federal investigator may have access to data, information, documents or premises. At the federal level, the basic rule written in the 4th Amendment to the U.S. Constitution grants the right to be secure from unreasonable searches and seizures.
In addition, several laws, such as the Wiretap Act, Stored Communications Act, Pen Register Act, Foreign Intelligence Surveillance Act, Communications Assistance to Law Enforcement Act, or the Economic Espionage Act define the specific rules. A similar regime exists under state law. Most states have general surveillance laws and they also may have specific laws to govern the use of certain technologies that can be used for surveillance, such as RFID.
These laws may depend on the nature of the data. For example, the Wiretap Act pertains to data in transit, whereas the Stored Communications Act pertains to data in storage. There are different provisions for access to content as opposed to access to non-content (i.e., identity of the sender, the recipient, time of the call or communication). The law may distinguish whether the person being investigated is a U.S. citizen or resident, or, instead an “agent of a foreign power” as is the case under the Foreign Intelligence Surveillance Act.
The laws described above define the specific rules and requirements that must be met for a federal or state investigator to have access to specific data, premises or equipment where the data is located. In most cases, the investigator is required to obtain a subpoena, a court order or a warrant. In rare cases, it may be possible to have access to data without a subpoena, court order or warrant; these circumstances are specifically identified in the applicable law, and are generally associated with extraordinary circumstances.
Stored Communications Act
The rules of the Stored Communications Act are frequently used in the context of access to data stored by cloud service providers. Enacted in 1986, the act governs access to wire, oral and electronic communications in storage (as opposed to communication in transit). The law contains general prohibitions against access to these communications and rules that allow disclosure of these communications by providers of electronic communications services (e.g. Verizon, AT&T). It also contains an exception for allowing the government to access data stored by communication and computing service providers. These rules are very complex and detailed.
For example, the government may obtain access to content that has been held in storage for less than 180 days by an electronic communications service, after obtaining a warrant. The standard for obtaining a warrant is very high: The officer must show “probable cause” exists, based on his or her personal observation or hearsay information, to show evidence of a crime would be found in the requested search.
There are different requirements for obtaining access to the same information held by the same service provider for more than 180 days. In this case, a subpoena or court order would suffice. The requirements for a subpoena or a court order are less stringent. However, if the government opted to use a subpoena or a court order, then it would have to give prior notice to the subscriber or customer of that service. If the government wants to avoid providing notification, a warrant is required.
This is just an example of the complexity of these rules, which have numerous exceptions and nuances. For example, while the rules above would apply for access to “content” (i.e. what was said; what was the message), there are different rules for access to “non-content” (i.e., when the messages were sent, from whom, to whom).
The issuance of a search warrant or orders allowing access to or interception of communication is highly controlled. It is not enough that each investigator must provide substantial information to show why the search is needed, and provide the grounds for why the content is relevant or material. In addition, any judge who has issued an order for an interception or has denied the request must provide detailed reports on the approvals or denials annually to the Administrative Office of the United States Courts.
Concurrently, the U.S. Attorney General who made a request for access must also file a report to the courts’ administrative office. This report must also contain detailed information about each investigation, including, for example, the number of persons whose communications were intercepted, number of arrests resulting from the interception, or number of convictions. Based on the judge reports and the U.S. attorney general reports, a compilation is prepared annually, and a summary report is provided to Congress. These reports are publicly available for anyone to review and posted on the Internet.
Consequently, investigations are not started lightly; having to prepare so many reports and statements would already be a deterrent. In addition, each investigation is costly. According to the report of these investigations filed in 2010, the average cost of an “interception” ranges from $20,000 to over $100,000, with a median around $50,000.
Federal data access outside the U.S.
What happens when an investigation would require access to data held in a foreign country? Generally, a U.S. prosecutor or investigator will not be permitted to conduct an investigation or to interview witnesses abroad. In most cases, the help of the local government will be necessary. To this end, over the years, nations have agreed on a variety of bilateral or multilateral treaties that define how they will cooperate in certain matters.
There is an inherent opposition between governments’ requests for access in the context of criminal investigations or the fight against drugs or terrorism, and the basic rights of individuals to privacy in their home or their papers.
For example, the U.S.is party to several Mutual Legal Assistance Treaties (MLAT) for the purpose of gathering and exchanging information in an effort to enforce public laws or criminal laws. There are numerous MLATs related to police and law enforcement cooperation and MLATs with respect to tax evasion.
In addition, the U.S.is a member of the Council of Europe Convention on Cybercrime, which it ratified in 2007. The Convention governs electronic surveillance, sharing of evidence and computer crime. It allows governments to request and provide mutual assistance in the investigation and prosecution of a number of crimes, such as hacking, unauthorized access to computer systems, child pornography or copyright infringements.
In some cases, law enforcement may attempt to obtain access to information held abroad by making the request from the U.S. affiliate of a company located abroad that may have custody or control over the documents or information at stake. In the U.S., courts have held that a company with a presence in the U.S. is obligated to respond to a valid demand by the U.S. government for information (made under one of the applicable U.S. laws) so long as the company retains custody or control over the data. The key question is whether the U.S. company does have the required level of “custody or control” to be forced to respond to the government request.
The seminal case involves the Bank of Nova Scotia, where the court required the U.S. branch of the bank to produce documents that were held in the Cayman Islands for criminal proceedings in the U.S. This principle of extraterritorial reach has been followed elsewhere, for example in Australia. In the 1999 case of the Bank of Valletta PLC vs. National Crime Authority, the Australian branch of a Maltese bank was required to produce documents held in Malta for use in an Australian criminal proceeding.
Government investigations and privacy
There is an inherent opposition between governments’ requests for access in the context of criminal investigations or the fight against drugs or terrorism, and the basic rights of individuals to privacy in their home or their papers. The laws that govern government access to data and communications have attempted to provide a balance between the individual interest of a person and the community’s interest in fighting crime and terrorism, but have also recognized that national security trumps personal privacy.
In the European Union, for example, the basic document that defines the principles of privacy protection for all individuals -- Directive 95/46/EC -- recognizes there are cases where privacy rights have to defer to other rights. It has carved out from the blanket protection of individuals with respect to the processing of personal data, the ability for governments to have access to, or use of, personal information in connection with investigations that pertain to national security, defense and related areas.
A similar carve-out is provided in the EU-US Safe Harbor Principles, which states, “adherence to these principles may be limited to the extent necessary to meet national security, public interest, or the requirements of law enforcement”.
While the Patriot Act and other rules that pertain to government access to data and communications in the United States have received a lot of attention, most countries also have laws authorizing government investigations for national security and other purposes. We’ll examine these foreign laws in our next article.
About the author:
Francoise Gilbert focuses on information privacy and security, cloud computing, and data governance. She is the managing director of the IT Law Group and serves as the general counsel of the Cloud Security Alliance. She has been named one of the country’s top privacy advisors in a recent industry survey and, for several years, has been recognized by Chambers USA and Best Lawyers in America as a leading lawyer in the field of information privacy and security. Gilbert is the author and editor of the two-volume treatise Global Privacy & Security Law, which analyzes the data protection laws of 65 countries on all continents. She serves on the Technical Board of Advisors of the ALI-ABA and co-chairs the PLI Privacy & Security Law Institute. This article only reflects her personal opinion and not that of her clients or the Cloud Security Alliance.