Collateral damage in the cloud - is your data at risk?
Don't think concerns over data jurisdiction affect you and your business? Some businesses take it very seriously, others treat it as scaremongering. After all, why would the US government or the FBI want to access their private data, right? Sadly, a combination of the US Constitution, the USA Patriot Act and the operating practices of the FBI has revealed a dangerous trend that puts innocent businesses at serious risk. And this isn't just theoretical legalese either - it's happening now to real businesses and real private data.
Today, Microsoft admitted that cloud data stored with any US-based provider is subject to the USA Patriot Act - even when the data centre is located outside the US, in Europe, Singapore or even Australia.
According to ZDNet, Gordon Frazer, managing director of Microsoft UK, was asked at the Office 365 launch whether he could guarantee that data stored in European data centres would never leave the European Economic Area under any circumstances - even in response to a request made under the Patriot Act.
Frazer admitted that - as a US-headquartered company - Microsoft has to comply with US law as well as any other local legal system where a subsidiary may be situated. He went on to suggest that there was no guarantee that the owner of the data would be informed by Microsoft if their data was accessed in this way.
“Microsoft cannot provide those guarantees. Neither can any other company.”
Ummm... not quite. This might be true for any US-headquartered company such as Microsoft, Rackspace and Amazon. But not all of us are US-based, thank goodness!
"So what?" you may be thinking. "My business doesn't carry out any activities that The USA Patriot Act would even vaguely be interested in. We're still safe hosting overseas, right?"
Enter the FBI and the US Constitution.
"Open up - we want your servers!"
Last week it was widely reported that, as part of an investigation, the FBI entered a data centre in the US to seize the data from a single shared hosting account. Yet, instead of simply taking the server containing the account ‘of interest’, the agents removed three entire enclosures. Complete racks of servers were unplugged and wheeled out to investigate a single shared hosting account. You would hope that agents entrusted with investigating online criminality would know a little about how the internet actually works - but it turns out that they either don't, or don't care.
Even when provided with the details needed to trace the IP address 'of interest' to a specific server with pinpoint accuracy, they opted for a scorched-earth approach. On shared hosting, one IP address may front dozens or hundreds of customers' sites, but it still maps to one physical server, and the provider can point to exactly which box that is.
And don’t think for one moment that this is the one and only time the FBI have taken this approach, as this report from 2009 shows. Rather than a one-off mistake, this seems to be how they actually prefer to handle data investigations. Bag it, tag it and let the guys in forensics sort it out.
The result was a lot – a LOT – of business websites suddenly going offline, including the website of the hosting provider, DigitalOne. Innocent businesses were dramatically impacted and lost data to an investigation that had nothing to do with them. Their only error was storing their data on the same infrastructure as someone under investigation, in a jurisdiction that sees mass website outages and lost data as acceptable collateral damage.
What is interesting about this particular incident is not only that the FBI has such seizure powers at all, but how little notice was given. DigitalOne wasn’t informed about the raid until three hours after it had begun, and then only because of a call from an employee at the data centre. If DigitalOne hadn't communicated with their customers, affected businesses would have had no idea that their website outage was not down to the usual suspects of technology or error, but instead due to their valuable data sitting in the back of an unmarked black van speeding away from the scene.
How is this even possible?
Surely there would have been a warrant of some kind, you ask? Surely they can’t just grab the servers without even clearing it with the hosting provider? Well, if Microsoft UK's admission above didn't give you enough reason to be concerned, we need to look at the Fourth Amendment to the US Constitution, as discussed in our recent white paper on The Cloud and Cross-Border Risks, produced in conjunction with legal services provider Freshfields Bruckhaus Deringer.
In the U.S., formal requests by government entities in the form of subpoenas and warrants generally compel the provision of data and information. Under the Fourth Amendment to the U.S. Federal Constitution, which guards against unreasonable searches and seizures by the state, a warrant is issued only when the request is supported by probable cause that a criminal offense has been or is being committed, a description of the place to be searched and items to be seized is provided, and notice is given to the subject of the search.
However, Fourth Amendment protection is afforded only to information in which one has a reasonable expectation of privacy. The rationale is that once information is shared with a third party, that expectation of privacy ceases to exist.
Almost by its very nature, data hosted on a third party's servers falls outside the Fourth Amendment under this reasoning, and can be accessed and/or seized without a warrant or due process.
Subpoenas may be issued without showing cause by administrative agencies as well as private litigants. In recent cases, U.S. government agencies have relied on the ‘Third Party Exception’ to gain warrantless access to personal information, including:
- the name, address, e-mail address and media access control address from Comcast Cable Communications of a person who used Comcast’s Internet services in the course of sharing movie files online;
- the information on an individual’s computer that was accessible by a peer-to-peer file sharing program;
- the chat account information from Yahoo! of a person who used Yahoo’s internet services to access chat boards;
- the log-in information, including the date, time and IP address of each log-in, from Microsoft of a person who used Microsoft’s MSN/Hotmail program; and
- the contents of an iTunes library shared over an unsecured wireless network.
So the business data on those unfortunate servers didn’t stand a chance.
Of course, there is an argument that says – given the right circumstances – the Australian Federal Police or ASIO or whoever could possibly do the same here. But at least they, the data and you would then be within the same legal jurisdiction, making it a tad easier to unravel the mess. And we don't have such a loophole in our constitution either - a bit more due process is required before cables get yanked out of walls.
Someday, Amazon AWS and Rackspace will probably open data centres here in Australia; rumours have abounded for months. But what we learn today is that even if they do, their Australian data centres will carry no less jurisdictional risk than a data centre in California, Singapore or Hong Kong.
If you're not careful where you put your data, it could all too easily become collateral damage.