Slashdot Mirror
Patriot Act Clouds Picture For Tech
Harperdog writes "Politico has a piece on how the Patriot Act is interfering with U.S. firms trying to do business overseas in the area of cloud computing. Here's a quote: 'The Sept. 11-era law was supposed to help the intelligence community gather data on suspected terrorists. But competitors overseas are using it as a way to discourage foreign countries from signing on with U.S. cloud computing providers like Google and Microsoft: Put your data on a U.S.-based cloud, they warn, and you may just put it in the hands of the U.S. government.'"
...you put it anywhere on the "cloud", and it's one mis-step away from being everywhere.
Doesn't matter if you comply with EU data protection rules, we still don't trust you.
No, this isn't new, it's an argument that's been used since the USAPATRIOT Act passed. Well, maybe they're saying 'cloud' instead of 'costing' or 'colocation'. The other good argument is 'the USA has no data protection laws so if you do business in the EU and host your data in the USA then you're opening yourself up to potential liability'.
I am TheRaven on Soylent News
Friends,
I don't understand these companies' hesitance when deciding to do business with US-based companies. Sure, the data may need to be seen by the government, but we aren't China; the data will be kept safe while our researchers are doing God's work by looking for pedophiles, rapists, and terrorists. Perhaps they could even insert biblical references into the cloud, in order to spread the Word to those who would not otherwise hear it.
Your Friend,
Jake
American companies are scared their data might land in china and copied. This is only news in that the US is turning into the same crazy police state that we've thought was limited to china and north korea.
do they even need to 'warn' ? previous incidents and documents that are in the open shows that u.s. govt, police, secret service, departments etc can wantonly request data from these services and get it. many of these, we discussed here.
Read radical news here
Four thoughts:
They may well be right in thinking their data will be more accessible to the US government.
If I were an overseas competitor, I'd certainly use this as a reason to not to use a US provider. In a heartbeat.
The law of unintended consequences bites the US yet again.
This wouldn't be an issue if the US government hadn't acted the way it has over the last 10 years. The US government has so little trust overseas that people have no trouble thinking the worst of it. Karma is a bitch.
If you put your data in the cloud, you put it in the hands of not just the US government, but every government the cloud company does business with. And also in the hands of every underpaid employee in the company; and while some companies may claim otherwise, their claims are unverifiable and unenforceable. "Cloud" services have their place - it is for data that is intrinsically public and ephemeral. Nobody should ever trust any cloud service with data that is proprietary or private or irreplaceable.
Most obviously, the "free" services are predicated on exploiting the value of their users as product to customers that are not the users. The model makes sense in some cases, for example a forum, where the shared public content is willing coproduced by users of the forum, exchanging their content creation efforts for use of the forum itself, the forum exploiting that content to attract eyeballs to advertisers that pay the bills.
While there are strong logical reasons why cloud services are intrinsically untrustable (ultimately, he who owns the hardware, owns the data), a simple thought experiment proves the folly: how hard is it to bribe an employee of a cloud service to give you inappropriate access to someone's data? Do you think you couldn't find one employee in one company somewhere? While one may be able to find companies that are currently resistant to easy attacks, cloud companies come and go like the .coms that they are are, and with inevitable waning economic optimism, so too wanes employee loyalty. In the eventual asset transactions that follow, acquiring companies of even trusted entities are unknowns and customers have no recourse and no authority.
At best, the loss of yet another fleeting cloud service means only the loss of the associated data and whatever codependent business line the cloud service customer bet on the serial risk of the success of the cloud company itself.
The premise of handing your proprietary data to another person for remote, invisible processing and care is fundamentally flawed. Your interests are not aligned and their interests will evolve and ultimately diverge or fail.
Foreign companies (and US as well) are well advised to be wary of cloud services.
But competitors overseas are using it as a way to discourage foreign countries from signing on with U.S. cloud computing providers like Google and Microsoft
It's not just competitors highlighting that important fact! As a European, I personally don't want my data to fall into the wrong hands, and the hands of the US corporation-state are most definitely wrong.
The "cloud" analogy always seemed like "newspeak" to me, designed to get the customer to NOT think about where their data is "Don't worry we will take care of it" while their data is sitting on some cheesy server with questionable security practices and the usual disgruntled suspects.
Seriously what next? A service to wipe your ass because you can't be bothered? (note to self research iPhone controlled bidet)
Since it still has to sit on a server somewhere it might as well be your own server then deploy software that makes it accessible to you on the road, in addition how many jobs does this destroy for IT personal, some of the few decent paying jobs left in the USA.
To me the "cloud" is as ridiculous as Facebook, if you're stupid enough to put your data on FB you deserve what you get.
"If any question why we died, Tell them because our fathers lied."
Salesman: "That's right, since we don't operate within the borders of those capitalist pig Americans, we're way more trustworthy then them... We absolutely promise that we'll never give away your data to the US government, no matter how many times they ask us. ............... Wait... what just happened?
Customer: That's great... but what about your own government? Do you ever give data up to them?
Salesman: Huh? Well, of course not! At least, not without a court order, anyway... or a law which says we have to for some reason.
Customer: Ah... So how is that different from the US based companies again?
Salesman: Ummm... but... capitalist pigs... ummm...
Customer: I see. Well, this has been very illuminating indeed. I'll get back to you on my decision real soon.
Salesman:
Except that said US court orders can be executed by a secret court with no oversight. Pretty much like China's.
Check your premises.
Because my data, that I do not willingly give to you, should not be accessed by you. It's really that simple. I put things out there so that I can access them easier while I am out and about, not for you, your government, my government, hackers or advertisers to access it. This goes the same with any business in the world. There may be cheap, reliable cloud systems for storing data that will benefit the business, but hinder or harm it if it gets out into the wild. The government should not be able to access the records of foreign business and or foreign citizens without the correct due process that is afforded not only by our constitution, but also by the laws of the business' / citizen's country of residence.
We deal with this on a daily basis. Our clients (large Fortune 500 corporations) are requesting that we do not store data in the US. I personally think it has more to do with the fact that they are up to shady financial maneuvers than terrorism, but the end result is the same. It is just another nail in the economic coffin of the United States. The oft claimed, "It is too expensive/risky to do business in the States" rears its ugly head again.
The article talks about "cloud" providers, which we are not. We are more of a SaaS shop, but the regulatory challenges are the same. It all comes down to the client wanting to feel like their data is safe, and that they will have some expectation of privacy. With the United States government declaring the right to come in and seize data (the life blood of any company in this day and age) without any form of real due process, corporations are deciding that they do not want to subject themselves to that unnecessary liability.
I work at a 2,000 person organization outside the US. The institution has formally adopted a policy that no sensitive data can be hosted in the US, precisely due to the Patriot Act.
Don't look for logic in this. They would rather we use a server sitting under some IT guy's desk than use, say, DropBox, which is based on encrypted S3 storage. But perceptions are everything.
This will show who's asleep at the wheel. All the services offering SaaS and Cloud-based services including anti-virus, mail storage, NAS, vulnerability management, the list grows - come at a cost. Namely who are the vendors and who are the customers? When a business had all their enterprise servers on-site there was no question who managed, maintained, and monitored the data at rest or in motion. Now, if a company (and what happens if the "company" is a hospital or retailer having to meet auditory compliance) used a cloud-based service offering they have no way of knowing who is managing, monitoring, maintaining or accessing their data. This is off-shore outsourcing gone awry. It may make sense briefly on the bottom-line, but the bean counters are not considering the extended costs of security and vulnerability. Put your trusted data in someone else's hands and you are assuming they are just as, if not more, safe as you would be.
I've noticed that you have cleaning products under your sinks. Didn't you know that in this state, it is a felony to have cleaning supplies in reach of children under the age of X? Oh, is that your 2 year old son. I'm sorry, I'll have to take you to jail now.
This is a hypothetical, but it is representative of how the government works. More often than not, they are coming in to look for things that will aid them in building a case against you even though they may seem completely benign. While searching your "nothing to hide stash" they come across a picture of you from 10 years ago with a college buddy who is now on a "watch" list, or a family member who speaks out just a little too much about the government.
Just because you think you have nothing to hide, does not actually mean that you have nothing to hide and shouldn't hide anything.
You miss the point. The point is the jurisdiction of the court. Both Europe(and Canada) have data protection laws that say that you cannot divulge certain classes of data without a court order. And it has to be a European (resp. Canadian) court that allows you to give up the information. If you store the data in another jurisdiction where another court can order the data to be divulged, then you have a problem. Because the moment that the cloud service obeys a court order from the other jurisdiction and discloses some of your data, you are in breach of the law in your jurisdiction. The sticking point in the case of the U.S. Patriot Act is that the US government can demand the data without any court oversight and in addition prevent the cloud service from notifying you that the data was disclosed. There have been several controversies here in Canada, specifically in the area of health and student information. One of the provincial governments wanted to outsource some of the government health plan data management to a U.S. company (the lowest bidder). It was effectively stopped because they could not guarantee that someone would not use a U.S. court to order the data management company to disclose the health information of a Canadian citizen in the US. As a result, the data had to remain in Canada, and the US company did not get the contract. Similarly, student information at Canadian Universities has been an issue. I am a professor, and I cannot legally put a spreadsheet with student marks or any other student information in dropbox or on any cloud service that stores the data in the U.S. Just this month, I was approached by a web based application provider that wanted me to use their web app in our classes. But the web app stored all of the data in Amazon EC2. I had to tell them that the best I could do is inform the students that the app existed and disclose the fact that their data would exist outside of Canadian jurisdiction, but under such circumstances, we could not formally adopt the software for the course. We can't require the student to student to store data outside of Canadian jurisdiction as a condition of getting the degree (i.e. completing assignments, and passing the course). Any European company is going to be in a similar bind. While the Data Safe Harbour is supposed to provide an out. But it depends on the extent to which the European governments want to make a stink if the US government goes after the European data held by US companies. Even if the government doesn't make a stink, the nightmare of a European company would be the PR disaster of client data being revealed because of court action in the US.
Atlas stands on the earth and carries the celestial sphere on his shoulders.
I don't see the issue. Unless your using the cloud to store kiddy porn, your terrorism plots, or other illegal shit why do you care? The lady doth protest too much, methinks.
Because my payroll records, confidential company databases/documents, strategic plans, company emails and other stuff isn't anyone else's business even if there's nothing illegal immoral or fattening about them.
Are you really a moron, or do you just play one on /.?
No, no, you're not thinking; you're just being logical. --Niels Bohr
This seems like trying to spin a general fact of life in terms of "the cloud" (a term I dislike) in to an anti-US thing.
Your data is subject to being looked at by whoever controls it. Doesn't matter if they are supposed to, they can. The idea that the US government is the only one that looks in on data in their country is quite silly.
Also to expand on your bribery note, this could well be done by the government too in any country, but not as direct bribery: Find an employee who is patriotic to your country at the service, recruit them, and use them to get access to data you want. Could be quite easy since even a very moral person might agree. The government sells them on the idea that they need this access for legit work and it is just much quicker and cheaper to do it back channel rather than via the courts.
Basically if you give up your data to someone else, you have to understand that means others can have access. That is going to include their government. Don't think this is unique to the US. Other countries participate in the intelligence game just as much. Look up some information on the British Security Service or Secret Intelligence Service, or the French DGSE.
The fascists rely on the Just World fallacy to back up their arguments.
The world is just. Shit happens to you because you did something wrong.
It's a load of horse-shit.
--
BMO
This has come up in the past. While dropbox uses S3 for the base encryption layer, the staff at dropbox have access to the encryption keys. In fact because of a FTC complaint dropbox had to change the terms of use as explained on their blog To clearly indicate that while the contents are encrypted, that dropbox staff still have access to be able to comply with the US justice system. And the US can order the dropbox to disclose the data without telling you that the data was disclosed. At least if the courts come after the data in the server sitting under some IT guy's desk, you will know about it.
Atlas stands on the earth and carries the celestial sphere on his shoulders.