The fog of law and cloud computing
Data sovereignty concerns should not stop Australian businesses considering cloud services, say legal experts. Photo: Orlando Chiodo
Data sovereignty and privacy concerns resulting from the extension of US-government mass-surveillance powers raised in an EU report publicised last week should not dissuade Australian businesses from actively considering and adopting cloud computing services, legal experts say.
The reach of the US Patriot Act – which essentially compels US companies to hand over data stored anywhere in the world – has been a major point of contention in debates over risk and the use of cloud computing services for some time.
So much so that vendors such as Rackspace and Google have publicly said they would fight any requests to hand over data – a stance welcomed by those with data sovereignty concerns but of little practical effect in countering the risk posed by the law – and others have been led to invest heavily in data centre facilities or to site IT infrastructure in Australia.
However, in the EU report titled Fighting cyber crime and protecting privacy in the cloud, the authors claim section 1881a of the US Foreign Intelligence Surveillance Act Amendment Act of 2008 – or FISAAA – is potentially more concerning.
FISAAA, which operates in conjunction with the now 12-year-old Patriot Act and effectively allows for warrant-less surveillance (among other powers), including of data stored in cloud and other services, was renewed last year for another five years by US President Barack Obama.
"Most attention continues to be focused on the US Patriot Act of 2001, which certainly contains powers for direct access to EU data, but nothing like 1881a's heavy-calibre mass-surveillance firepower aimed at the Cloud," the report authors wrote.
One of the key conclusions drawn in the report is that privacy and data sovereignty of EU citizens are challenged by measures such as FISAAA, which allows the US to essentially "conduct purely political surveillance on foreigners' data accessible in US Clouds".
The authors additionally note that the US is developing, or has already developed and deployed, capabilities to conduct real-time surveillance on a scale never before possible, and point to developments such as new National Security Agency data centres constructed for storage and analysis.
Like the Australian government's controversial data retention plan, the extension to FISAAA has been touted as a risk to individual privacy rights in the US and elsewhere.
"In my opinion, the privacy and security of digital data is the most important matter that individuals and companies have to worry about today," said RMIT school of electrical and computer engineering senior lecturer, Mark Gregory.
FISAAA, Gregory says, echoing the EU report, is part of the "ever-expanding scope of legislation" being used to access data without adequate consideration of privacy and security.
Although the mass surveillance and warrant-less aspects of FISAAA are acknowledged by most as a clear threat to civil liberties, less commonly considered when it comes to cloud computing or any other type of IT outsourcing is that Australian authorities, like many of their peers internationally, also have several legal avenues to access data held offshore.
For example, the Anti-Terrorism Act (No 2) 2005 gives powers to the Australian Federal Police (AFP) and the Australian Security and Intelligence Organisation (ASIO) to obtain warrants to access electronic data.
In short, after the Crimes Act (1914) and the Australian Security Intelligence Organisation Act (1979) were amended, these agencies were allowed to access documents stored in Australia and offshore with a warrant.
ASIO can additionally take any steps to conceal the fact they have taken the documents under the warrant.
So any Australian organisation that falls under the jurisdiction of these laws would be bound to comply with ASIO requests, regardless of whether the data is hosted in Australia or overseas.
"Australian intelligence authorities have similar powers to those of the US authorities under the USA Patriot Act and FISAAA," Minter Ellison Lawyers partner, Paul Kallenbach, said.
"In fact, similar laws exist in Hong Kong, Singapore, Denmark, the UK, Ireland, Japan, France, Germany, Spain and Canada.
"The question for most organisations is how interested are foreign intelligence services going to be in their stored communications."
Further, Allens Partner Michael Pattison noted that mutual assistance treaties between countries also apply, whether the data is in a cloud service or any other kind of outsourcing arrangement.
"Under the mutual assistance treaties between Australia and various countries, such as the US, Malaysia, China, United Arab Emirates, India and Indonesia, each country agrees to assist the other in investigations or proceedings in respect of certain criminal matters," Pattison said.
"These include offences related to taxation and customs duties and include providing documents and other records."
Considering that authorities and spy agencies in most of the major cloud computing hubs have legal avenues to access data of interest to them, the service delivery model by itself should not be considered any more or less risky than other outsourcing arrangements for Australian businesses.
While there will be specific legal and national security obligations that affect different industries – for example APRA and financial institutions – Corrs Chambers Westgarth partner James North said organisations should consider cloud-based options.
"Increasingly, the technology services are being delivered from offshore locations such as Bangalore in India," North said.
"This has a number of advantages including 24-7 support, access to the latest technology and skills and lower costs. This is as true for traditional IT outsourcing arrangements as it is for cloud computing services.
"The proper approach is to conduct due diligence on your cloud computing vendor and put in place appropriate disaster recovery and data back-up procedures, as you would for any outsourcing arrangement.
"You should also consider what data you are prepared to put into the cloud. For example, some organisations choose not to put personal data relating to their customers into the cloud."