The Patriot Act and Cloud Security - Busting the European FUD


Transcript of The Patriot Act and Cloud Security - Busting the European FUD

The Patriot Act and Cloud Privacy: Busting the European FUD

Page 2

Agenda

• Introductions

• The FUD & The Fallout

• Patriot Act Reality

• Europe (Un-)Reality

• Q&A

Page 3

Introductions: Today’s Speakers

• Stewart Baker, Partner, Steptoe & Johnson LLP

• Michael Vatis, Partner, Steptoe & Johnson LLP

• Gant Redmon, Esq. CIPP/US, General Counsel, Co3 Systems

Page 4

The complete process – based on E.R. standards

PREPARE

Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Link in legacy applications
• Run simulations (fire drills / tabletops)

MITIGATE

Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization

ASSESS

Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Automatically map intelligence
• Track incidents, maintain logbook
• Automatically prioritize activities based on criticality
• Generate assessment summaries

MANAGE

Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence

Page 5

The FUD

• Data stored with American cloud providers is easily accessible by the U.S. government, with no privacy protection

• U.S. law “enables the US government to snoop on Europeans’ data held with US cloud providers without needing to obtain a warrant.” (http://blog.teamdrive.com/2013_02_01_archive.html)

Page 6

The FUD (cont.)

• “It is lawful in the US to conduct purely political surveillance on foreigners’ data accessible in US clouds.”

• “[A]ny data-at-rest formerly processed ‘on premise’ within the EU, which becomes migrated into Clouds, becomes liable to mass-surveillance” by U.S.

• European Parliament, Directorate-General for Internal Policies, “Fighting cyber crime and protecting privacy in the cloud,” 2012

Page 7

Edward Snowden Didn’t Help

• “If European cloud customers cannot trust the United States government or their assurances, then maybe they won’t trust US cloud providers either. And if I am right then there are multi-billion euro consequences for American companies.”

• Neelie Kroes, Vice-President of the European Commission responsible for the Digital Agenda (http://www.businesscloudnews.com/2013/07/05/neelie-kroes-warns-cloud-may-suffer-from-prism-related-security-fears/)

• Media coverage of leaks has fostered impression that NSA has access to everything, everywhere

• And has caused the pile of FUD to grow

Page 8

And More FUD

• “The questions raised about the United States’ FISA act have focused the minds of Europeans keen to share, but only with those they chose. TeamDrive has confirmed that European cloud users want to have data stored under the EU banner, away from the prying eyes of the US government.” (http://blog.teamdrive.com/2013_02_01_archive.html)

• “[W]e comply with the highest German and European data privacy standards. And that is important when you consider the furor around the issue of unauthorised access in some third countries that don’t offer the same level of security. But we can deliver CLOUD SERVICES ‘MADE IN GERMANY’ - around the world.”

• T-Systems brochure (http://www.t-systems.com/umn/uti/796860_2/blobBinary/Complete_Edition-ps.pdf?ts_layoutId=804564)

Page 9

…And Still More

• “We believe that a service owned and operated locally in the EU, and fully compliant with EU data protection laws, will be very attractive for European companies.”

• Johan Christenson, Chairman, City Network (http://news.techworld.com/security/3322757/europe-cloud-vendors-cleaning-up-with-data-protection-fears/)

POLL

Has an international customer expressed concerns over US Patriot Act in relation to their information being stored in the US?

Page 11

The Legal Fallout in Europe

• Government
  • HLCG revival
  • EU Parliament
  • Commission
  • Impact on data protection proposals

• Companies
  • DPA investigations of cooperating companies
  • Efforts to discourage use of US cloud

Page 12

Are US Providers At Risk?

• The Models
  • PNR – holding air carriers hostage
  • SWIFT – criminal investigation

• The theory: No data export to “inadequate” jurisdictions
  • Determining adequacy of US data protection regime includes scrutiny of security and law enforcement collection

Page 13

Private Sector Defenses

• Safe Harbor
  • Controversy over Safe Harbor

• Inapplicability of data protection rules
  • Safe Harbor and EU directives exclude public security and law enforcement

• US rules protecting privacy vis-à-vis government match or exceed EU

Page 14

The Reality

• U.S. accords greater privacy protections than other countries
  • Fourth Amendment
  • Electronic Communications Privacy Act
  • Foreign Intelligence Surveillance Act
  • No voluntary disclosures of customer data by providers
  • No data retention requirements

Page 15

Patriot Games

• Europeans claim the Patriot Act allows USG to seize customer records in bulk, from parent company in U.S.

• But Section 215 allows access, with a court order, only to business records

• Customer data is not a business record

• And Section 215 has apparently not been applied to information stored abroad

Page 16

Patriot Games II

• Section 702 of FISA Amendments Act (50 U.S.C. § 1881a)
  • Limited to collection of “foreign intelligence”

• Information to protect against
  • “potential attacks or other grave hostile acts of a foreign power”
  • “sabotage, international terrorism, or the international proliferation of weapons of mass destruction”
  • “clandestine intelligence activities”

• Information with respect to foreign power or foreign territory that relates to
  • “national defense or…security” or
  • “the conduct of the foreign affairs of the United States”

Page 17

Patriot Games II (cont.)

• “The information must pertain to a foreign power or foreign territory; and thus it cannot simply be information about a citizen of a foreign country…unless the information would contribute to meeting intelligence requirements with respect to a foreign power or territory.”
  • H.R. Rep. No. 1283, Pt. I., 95th Cong. 2d Sess., 1978 U.S.C.C.A.N. 4048, at 50 (June 8, 1978)

Page 18

Patriot Games II (cont.)

• Judicial oversight
  • Minimization and targeting procedures
  • Cloud providers can object

• Congressional oversight
  • “[The] information obtained by the Committee demonstrate[s] that the government implements the FAA surveillance authorities in a responsible manner with relatively few incidents of non-compliance. Where such incidents have arisen, they have been the inadvertent result of human error or technical defect and have been promptly reported and remedied. Through four years of oversight, the Committee has not identified a single case in which a government official engaged in a willful effort to circumvent or violate the law.”
  • S. Rep. No. 174, 112th Cong. 2d Sess. at 7 (June 7, 2012), available at https://fas.org/irp/congress/2012_rpt/faa-extend.pdf

POLL

Compared to the EU, are US protections from discovery of data: Better? Worse? The same?

Page 20

Glass Houses

• European governments have much freer access to data

• UK government can seize or intercept data without court approval where necessary to protect national security, the economic well-being of the UK, or to prevent or detect “serious crime”

• French Prime Minister’s office can order wiretap without court approval or oversight, not just for national security or terrorism but to protect economic and scientific assets or combat organized crime

• Spanish government can enter providers’ premises without a warrant in national security matters

Page 21

Haus aus Glas

• German authorities can
  • intercept electronic communications without court approval
  • not just for national security threats, but also for “strategic surveillance” including drug trafficking or to gather information about other countries important to foreign policy
  • use a computer virus to infiltrate providers’ networks without providers’ or customers’ knowledge or opportunity to challenge (with court order)

• Regulated cloud providers may not disclose to customers that they gave information to government

Page 22

Which countries conduct the most surveillance of their citizens?

Page 23

Which countries allow providers to “volunteer” data to government?

Page 24

The Bottom Line

• Theory of EU interventions is open to question
  • Safe Harbor
  • Coverage of government practices

• Adequacy: U.S. privacy protections exceed other countries’

• Likely outcome: More threats, more drama, more talks

QUESTIONS

One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”

GARTNER

“Platform is comprehensive, user friendly, and very well designed.”

PONEMON INSTITUTE

Stewart Baker, [email protected], (202) 429-6402

Michael Vatis, [email protected], (212) 506-3927