Simply Security - News, Views, and Opinions from Trend Micro

Patriot Act and cloud stir up data privacy concerns

Posted on May 31st, 2012 in Data Privacy, Privacy & Policy by Simply Security

The cloud is transforming IT and giving organizations the ability to improve efficiency and gather, store and analyze more information. This evolution is also bringing new concerns to the consumer landscape, however, as people think that government agencies will be able to gain greater visibility into personal information.

Essentially, federal and local agencies need some degree of access to confidential information if they want to be able to investigate and deter physical and cybercrime activities effectively. This introduces concerns over data privacy and whether law enforcement, for example, will be able to use cloud computing technologies to breach confidentiality rules in the name of pursuing justice, according to a whitepaper by international law firm Hogan Lovells.

"[Both] cloud users and providers of cloud services are struggling to understand when and how governments can access users' data," the report said.

Some of the concerns may be blown out of proportion, however, as there are a number of misconceptions about federal policies that give businesses and consumers fears over information privacy. Notably, many U.S. citizens think the Patriot Act gives U.S. law enforcement agencies greater liberty than other institutions around the world to gather confidential data on citizens through the cloud. Yet this is not always the case, as there are several European countries with more robust anti-terrorism policies than the Patriot Act, the study said.

The Patriot Act has also led some European cloud providers to use inaccurate propaganda against U.S. vendors in an attempt to boost sales.

"While our systems may differ in approach, let me assure you that [the U.S. government has] in place protections that are fundamentally similar to those in Europe," U.S. European Ambassador William Kennard said, according to Hogan Lovells. "In a number of critical areas, the U.S. provides more restrictions to the access of personal data than do European Member States."

In addition to domestic data security concerns, business owners are also fearful of international investigations that extend the reach of government agencies beyond their natural borders. These worries were brought to the public with the emergence of mutual legal assistance treaties (MLATs), which provide investigative parties access to confidential data on potential criminals outside their normal jurisdiction, Hogan Lovells said. With the advent of cloud computing, MLATs diminish the borders between countries even more.

The cloud has introduced new trends like outsourcing information and applications to offshore data centers in an attempt to cut costs. Sometimes decision-makers believe they are immune to the offshore nation's data privacy laws since the organization itself is centralized in another country, which is simply not the case, according to Hogan Lovells. Of all the countries surveyed, only Germany and Japan, in some cases, limit outsider access to data stored on systems within their borders.

"[Every] single country that we examined vests authority in the government to require a cloud service provider to disclose customer data in certain situations and in most instances this authority enables the government to access data physically stored outside the country's borders, provided there is some jurisdictional hook, such as the presence of a business within the country's borders," Hogan Lovells said. "Even without that 'hook,' MLATs can be used to allow access to data across borders."

A separate report by the Financial Times cited KPMG consultant Denis Verdon, who told clients who outsource information that they should carry out their own risk assessment to ensure that the country's privacy laws are not too invasive.

"They should seek greater transparency from their cloud provider on where the data [is] held," Verdon said, according to the Financial Times. "With traditional IT outsourcing deals it was clearer, but under the 'data anywhere' model, there has been a dumbing down of contracts."

Virtually all U.S. government data privacy discussions circle back to the Patriot Act. However, these so-called invasive qualities existed long before the law was enacted. The emergence of the bill simply extended the investigative methods used by federal and local law enforcement agencies, Hogan Lovells said. This is especially true with the advent of cloud computing.

Still, there are limitations as to how much access government organizations have in the cloud. In many cases, service providers are protected by the Electronic Communications Privacy Act, which only requires vendors to disclose confidential information when a judge issues a search warrant. These are only issued if there is probable cause and if there are reasonable grounds to believe the data is relevant to the investigation, Hogan Lovells reported.

While there are still some concerns over data privacy in the cloud, many U.S. government conspiracy theories may be irrational. In the end, data protection comes down to the user, the service provider and implementing the proper tools to keep confidential information secure.
