The FBI, US Patriot Act & Prism – 5 ways to secure your cloud data

You probably know that the Patriot Act gives the US government easy access to your data whilst it’s in the cloud, without telling you or your government.
Here’s an overview, and 5 steps you can take to protect your cloud data.

Two ways the FBI get your data:

1- US owned data centres. They can obtain data from companies that store their data in any US-owned data centre – even those based in Europe! The data centre owner is not even allowed to inform their clients that their information has been handed over to the US authorities.

2- US owned firms. US firms that store or process European data are also obliged to hand over information to the FBI, even if that contravenes EU privacy laws. 

This can pose some tricky problems. Dutch Researcher Axel Arnbak gives a good example:

“In order to obtain a passport, all Dutch citizens need to provide fingerprints to the government. Morpho, a company that falls under U.S. jurisdiction, was contracted to process these fingerprints, which are thus stored somewhere in the cloud and within reach of U.S. authorities under the Patriot and FISA Acts.” 

The EU will come up with a new agreement at some point soon that may help things, but if you need more surety then here are 5 ways to protect your cloud information.

  1. Ensure any cloud services you use are European owned*
  2. Ensure that data centres are European owned (if not then data encrypted at rest gives some protection)
  3. Check where any offsite backups are stored – if with a US firm like Amazon, then make sure the backups are encrypted at rest as well as in transit.
  4. Check the ownership & server locations of any suppliers that are processing your sensitive data e.g. translation firms, OCR firms, law firms.
  5. Ideally ask your data centre provider to segregate any US clients’ data on different servers – that way if they have US client servers pulled out, your data will be secure.

What if you build your infrastructure and processes into a European provider, and then they get acquired by a US firm? If you’re integrating into cloud services, design apps to be portable, the platform looks promising, and should allow you to move providers should you have to.

If you are using a straight SaaS service, make sure there’s a clear offboarding policy, and that it will cope with the large data sets that invariably build up over a few years. Then you can move your data easily.

How does this affect Projectfusion? As a European company we made the decision to switch from US owned data centres last year, and now host in the UK for our European clients. We’re working on segregating US client data onto different servers at the moment.

Are you worried about this? Or is it an overblown issue? We’d love to hear from you.

Angus Bradley.

“I’m afraid that Safe Harbor has very little value anymore, since it came out that it might be possible that U.S. companies that offer to keep data in a European cloud are still obliged to allow the U.S. government access to these data on basis of the Patriot Act..Europeans would be better to keep their data in Europe. If a European contract partner for a European cloud solution, offers the guarantee that data stays within the European Union, that is without a doubt the best choice, legally.”
Theo Bosboom, IT lawyer with Dirkzager Lawyers, 2011.

Further reading – 

NSA Prism program spied on Americans’ emails, searches

An evaluation of openstack

*European firms can of course also be forced to disclose information under Mutual Legal Assistance Treaties, but an MLAT request would require international co-operation, and could not be done secretly.