
PATRIOT Act Gives Foreigners Good Reason to Avoid US Clouds

PATRIOT Act clouds picture for tech

By: David Saleh Rauf



Cloud computing is a gold mine for the U.S. tech industry, but American firms are encountering resistance from an unexpected enemy overseas: the PATRIOT Act.



The Sept. 11-era law was supposed to help the intelligence community gather data on suspected terrorists. But competitors overseas are using it as a way to discourage foreign countries from signing on with U.S. cloud computing providers like Google and Microsoft: Put your data on a U.S.-based cloud, they warn, and you may just put it in the hands of the U.S. government.



“The PATRIOT Act has come to be a kind of label for this set of concerns,” Ambassador Philip Verveer, U.S. coordinator for International Communications and Information Policy at the State Department, told POLITICO. “We think, to some extent, it’s taking advantage of a misperception, and we’d like to clear up that misperception.”



Reacting to concerns raised by some of the country’s most influential tech firms, the Obama administration is engaging in diplomatic talks around the world to put to rest fears in foreign capitals about the controversial surveillance law’s power to give the U.S. government access to international data stored by American companies.



The PATRIOT Act, which had key provisions extended by President Barack Obama in May, has become a flash point in sales of cloud computing services to governments in parts of Europe, Asia and elsewhere around the globe because of fears that under the law, providers can be compelled to hand over data to U.S. authorities.



While no foreign governments have moved to block U.S. tech companies, authorities in the Netherlands as recently as September floated the idea of banning U.S.-based cloud firms from competing for government contracts. And Verveer said on a trip to Germany in October that technology firms based in that country were openly using the PATRIOT Act as a “marketing proposition” to raise questions about U.S. cloud firms.



It has created a high-stakes trade issue that’s become a top agenda item for U.S. firms already profiting in the cloud and for those eyeing the technology for the future. It also registers high on the list of international tech priorities for the White House because of the potential negative impact such fears could have on the U.S. cloud market.



“I’ve heard directly from EU leaders, from Canadian policymakers and from companies all around the world about problems, or perceived problems, with the act,” said Phil Bond, a tech lobbyist and the former CEO of TechAmerica. “There is no shortage of people who misapprehend the law. If some of these misperceptions harden or real problems [are] not addressed, it will cause companies and governments to hesitate in doing business with U.S. cloud companies.”



For their part, the domestic tech industry, academics and even administration officials argue the PATRIOT Act is being hoisted up by foreign entities as a red herring to ban U.S. cloud firms from competing overseas. Laws in some countries allow governments to request private information from companies — and the fear is that this information could be turned over to U.S. authorities under the anti-terrorist law.



“It’s not at this point, I think, entirely clear that governments are doing this. But it is clear that for competitive purposes, this sort of thing is being raised,” Verveer said. “It’s definitely a genuine issue.”



Now, Washington-based tech trade groups are increasingly hearing from their members that foreign governments engaging in cloud contract discussions are raising questions about data moving outside their respective borders.



And the concerns are not isolated to Europe.



In the Asia-Pacific region, where cloud computing is experiencing a boom similar to the U.S., tech industry observers are also seeing the same issues pop up during government cloud contract negotiations, said Mark MacCarthy, vice president for public policy at the Software and Information Industry Association.



Some of that tension in the region could be alleviated as the result of recent trade discussions.



Obama earlier this month laid the foundation for an agreement with eight Pacific nations to drop trade barriers. That deal, which is still being negotiated, included provisions to bar requirements for local data centers as well as cross-border data flow restrictions.



“It would be dramatically helpful for the cloud industry,” MacCarthy said. “That can then become the precedent for future trade agreements, and it might be the basis for further action with the [World Trade Organization].”



The PATRIOT Act argument has implications that extend to any U.S. company peddling in data that travels across the world.



But it’s an especially acute concern for cloud firms, experts say, because the whole business model is predicated on the ability of data to travel freely. Foreign countries are now asking cloud firms to restrict data flow within their respective borders.



“There’s a feeling that there’s a risk we’ll end up with a Tower of Babel with cloud computing,” said Darrell West, founding director of the Center for Technology Innovation at the Brookings Institution. “Several nations are imposing restrictions on data sharing to prevent data from moving across their own national boundaries, and that’s very shortsighted. You end up losing much of the benefit of cloud computing if you end with 192 systems.”



Aside from data restrictions, foreign governments are also asking U.S. cloud firms to establish data centers in their respective countries to keep a better eye on where data is being stored, creating another potential roadblock for international cloud contracts.



The need for the Obama administration to take an international lead on the issue was highlighted in a cloud computing report this summer authored by a coalition of 71 experts from some of the largest hardware, software and Internet companies, including Microsoft, Amazon and Salesforce.



Aside from reforming antiquated U.S. digital privacy laws, the report urged the Commerce Department to conduct a study of the PATRIOT Act and national security laws in other countries to determine a company’s ability to deploy cloud computing services in the global marketplace.



“This action may provide insights into how best to address uncertainty and confusion caused by national security statutes … that are perceived as impediments to a global marketplace for cloud services,” the report said.



And if the U.S. and other countries don’t simplify the complex legal environment surrounding cloud computing soon, experts are warning the environment will become riddled with uncertainty and confusion that could dampen the competitive position of U.S. firms in the future.



And for now, Congress is taking a back seat because “the point of the sword is in the administration,” MacCarthy said, noting that agencies tasked with trade responsibilities are handling the bulk of the negotiations.



The concern over the PATRIOT Act also mirrors a broader worry for U.S. tech companies — that protectionist efforts here and abroad will put a damper on the international cloud market.



But Congress may not be a silent player in the long run. Tech associations caution that lawmakers should avoid following suit by taking restrictive actions that harm foreign tech companies. That could backfire.



Instead, lawmakers should craft policy to ensure “trade barriers don’t get adopted” that impinge on the ability of foreign cloud providers to land government contracts in the U.S., said Robert Holleyman, president and CEO of the Business Software Alliance.



“It’s absolutely essential that the U.S. gets this right as a policy matter,” Holleyman said. “The stakes around this are huge. If the U.S. gets this wrong, it’s going to be a field day for other countries to emulate a protectionist example.”



Top federal tech officials have laid out guidance for how agencies should categorize data and what type of data should be kept within U.S. borders. Verveer, a lead official in the State Department’s efforts to establish an international framework for cloud computing, said agencies are supposed to peg only “high-sensitivity” data for cross-border restrictions.



But several recent cloud contracts point in the direction of federal agencies increasingly requiring providers to maintain domestic data centers and restrict the flow of data within U.S. borders.



For example, a General Services Administration solicitation for a governmentwide procurement vehicle for cloud-based email contained an element to restrict where data centers could be located. The federal government’s top watchdog shot down that part of the contract last month as part of a bid protest because the GSA could not provide a justifiable reason for the location requirement.



And the Department of the Interior recently reissued a request for information for cloud computing services with several location requirements. According to procurement documents, the agency wants its cloud provider to keep software development inside the U.S. to the “maximum extent practical,” and the physical data centers housing cloud data must also be located in the U.S.



“There’s an important role for the federal [chief technology officer] and federal [chief information officer] to play in helping define this,” Holleyman said. “When the CTO and CIO speak out on this issue, they need to know words matter. Other countries will look for signals.”

Amplify’d from www.wired.com


PATRIOT Act Gives Foreigners Good Reason to Avoid US Clouds

Politico is running a fantastic piece on the problems that the PATRIOT Act is raising for American cloud companies in the market for overseas customers. The piece details how foreign cloud customers are worried that the US government will use its expanded surveillance powers to snoop on any data that’s stored on US soil, so they’re eschewing US-based cloud providers in favor of the competition. Non-US competitors are explicitly feeding this trend by raising the specter of US government data snooping as part of their bids for business, a tactic that seems to be working in some cases.


The piece quotes a number of lobbyists and government officials to the effect that all of this PATRIOT-based fear is just so much FUD and misinformation, but I’m not so sure. I’ve been covering the growth of computer-automated mass surveillance for over a decade, and cloud for the past few years, and I see the following factors as a serious problem for stateside cloud providers:



  1. Private sector policies with respect to sharing data with law enforcement are not uniform across cloud providers, and they’re often not completely clear in how they’re stated.

  2. Nasty surprises routinely crop up in the press, where we learn that this or that company is turning over customer data to the feds.

  3. On a more general level, the US government has shown that when it comes to surveillance, it’s willing to ignore the law time and again.

  4. US government agencies don’t trust their own sensitive data to foreign clouds, and often require that such data be stored in a US-based datacenter.

  5. Contrary to what cloud companies and lobbyists would have you believe, the PATRIOT Act really does give the US government very broad powers to get their mitts on your data without you ever knowing about it.


With respect to number one above, the wide variation in different companies’ willingness to share customer data with law enforcement without putting up a fight is, fairly or unfairly, a black mark on the entire US cloud sector. Sprint, for instance, just loves to hand user data over to local, state, and federal law enforcement, so much so that it built a special portal that lets officials log in and pull down all kinds of info on millions of customers without any questioning or hand-holding from the carrier.


At the other end of the spectrum is Google, which at least claims to put up a fight when the cops come snooping. But look at Google’s FAQ for Gmail security and privacy:


Like other technology and communications companies, we receive requests from government agencies around the world to provide information about users of our services and products. Like any law-abiding company, Google sometimes may be legally required to share information with law enforcement. However, before sharing any information we first scrutinize a request to make sure that it complies with both the spirit and the letter of the law—and we may refuse to produce information or try to narrow the request. When possible and legally permissible, we notify the user in order to give him or her the opportunity to object.


You’d need a team of psychic lawyers to ferret out the precise circumstances under which your data will get handed over without your knowledge. I say “psychic” lawyers, because your lawyers would have to know exactly how Google’s lawyers would interpret a specific law enforcement request so that they could give you some confidence about how likely your data is to end up in the government’s hands.


As for the drumbeat of nasty surprises, one of the earliest I recall was when Wired reported that AT&T had let the NSA build a secret room in one of its network facilities, for the purpose of snooping Internet traffic. These sorts of revelations have come out steadily over the past few years, up to and including the aforementioned Sprint law enforcement portal.


Then there’s the government’s generally cavalier attitude towards the law’s limits on surveillance, which was most prominently on display in the NSA wiretapping scandal. AT&T and Verizon broke the law in giving the government access to their traffic without a warrant, and then when the whistle was blown on the whole affair Congress retroactively legalized their actions so that they couldn’t be sued by customers. As part of this grant of retroactive immunity, Congress also explicitly granted the NSA a free hand to spy on foreigners on American soil without any warrant or oversight.


To the fourth point above, as the Politico piece itself points out, there are plenty of local, state, and federal agencies in the US that won’t permit their own data to be stored on foreign soil. This requirement is so widespread that Amazon has launched a whole cloud offering dedicated to serving agencies and contractors that have geographic requirements. So why shouldn’t foreign governments and companies reciprocate with similar homeland-only restrictions? If the US government doesn’t trust foreign cloud providers, then why should foreign customers trust US cloud providers?


Finally, the PATRIOT Act gives the feds secret powers to subpoena data from providers and to use gag orders so that those providers can’t tell a customer that his or her data has been turned over to the authorities. The National Security Letters (NSLs) that the feds use to get data and impose gag orders were created by the PATRIOT Act, and a 2010 audit by the DoJ and OIG found that these letters have been massively, systemically abused by the FBI.


Ultimately, these PATRIOT Act concerns around cloud computing are very real, and accusing the foreigners of FUD and ignorance isn’t going to overcome the twin forces of an American government that has repeatedly shown a willingness to act outside the law and a private sector that either actively cooperates or fails to put up much of a fight. American cloud providers are now caught between these two forces, and they’ll be squeezed to our economy’s detriment.


It pains me a great deal to say this, but anyone who is concerned about having their data handed over to the feds in secret (especially their email, which law enforcement can access without a warrant if it has been stored on a third-party server for at least six months) has absolutely no business using a US-based cloud.
