Trend Cloud Security Blog – Cloud Computing Experts

Patriot Act is not the first (nor likely) last law of its kind

Posted by Jonathan Gershater in Cloud Jan 16th, 2012 | 4 responses

In response to my colleague Dave Asprey’s Patriot Act post:

  • Any law that is abused or misinterpreted is bad for society and business
  • There is a delicate balance between protecting citizens’ safety and violating civil liberties

First some history. The Patriot Act, passed in 2001, is not the first American law to provide law enforcement authorities with the powers to retrieve information.

  •  The Wiretap Act: Title III of The  Omnibus Crime Control and Safe Streets Act of 1968 permits authorities to obtain wiretaps
  • FISA: The  Foreign Intelligence Surveillance Act of 1978 is an Act of Congress, (signed by President Jimmy Carter), which describes procedures for the physical and electronic surveillance and collection of information

Both of the above laws have provisions to protect civil rights and liberties.

A careful reading of the Patriot Act does not give the Federal government, unfettered carte-blanche access to data stored in an organizations’ databases. Rather, the section quoted by Dave, specifies:

 ‘‘SEC. 501. ACCESS TO CERTAIN BUSINESS RECORDS FOR FOREIGN INTELLIGENCE AND INTERNATIONAL TERRORISM INVESTIGATION”

 The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.

 Request for information have to either fall under Executive order 12333 (1982) or a panel of judges.

Use of encryption:

Use of encryption in the United States is not regulated. If a cloud service provider encrypts information and has the encryption key, the service provider must decrypt the communications when served with a Federal wiretap order. But a service provider has no obligation to decrypt communication encrypted by the end user when the service provider does not have the encryption key.

Few if any wiretap orders have been hindered by encryption.

As Dave says “….you should consider using policy based key management with your keys stored away from your data…“, that way your  data is safeguarded, regardless of who attempts to access it, since you control the encryption keys.

  • Pingback: openstackAPI » Government Data Seizures is Only One Type of Data Loss » openstackAPI

  • matt

    Jonathan,

    From a non-US point of view though (i.e. whos civil rights and liberties are being protected?), its things like the Patriot Act that scare people away from cloud computing. Dave did clearly state “Whenever I am at a conference outside the US, the most frequent question I hear from IT executives…”

    Adopters of cloud computing do have to consider the implications of data going offshore (they ought to be familiar with regulation in their home country). Rogue operators and slack practices are an inherent risk but when local regulation means that your data can be taken away under a law that you aren’t familiar with you have to ask if it’s worth it.

    Which is why we’d all agree that encryption where the keys are held elsewhere is essential for putting data in the cloud.

    Matt