Obscured by Clouds
Nico van Eijk
Intug Meeting, Schiphol Rijk, 26 November 2013
Institute for Information Law (IViR)
‘Obscured by Clouds or How to Address Governmental Access to Cloud Data From Abroad’
Study by Joris van Hoboken, Axel Arnbak, Nico van Eijk, Institute for Information Law (IViR)
http://www.ivir.nl/publications/vanhoboken/obscured_by_clouds.pdf
http://ssrn.com/abstract=2276103
Reasons for the study
Unrest amongst users of cloud services (board level concerns)
Continuous news reporting on Patriot Act
No freedom of expression for foreigners
“non-U.S. persons located outside the United States […] lack Fourth Amendment rights altogether.”
“Because the Fourth Amendment does not protect such persons in the first instance, perforce it does not prevent the Government from subjecting them to surveillance without a warrant.”
Patriot Act
The ‘Patriot Act’ from 2001 amends various laws (including FISA and ECPA)
Mainly protects American citizens
Five-year extension (as of 31/12/12) by the Obama administration
Broad Jurisdiction
The United States [...] takes the position that it can use its own legal mechanisms to request data from any Cloud server located anywhere around the world so long as the Cloud service provider is subject to U.S. jurisdiction: that is, when the entity is based in the United States, has a subsidiary or office in the United States, or otherwise conducts continuous and systematic business in the United States. (Hogan Lovells 2012, p. 5.)
Just to be clear
The location of the cloud data storage is not relevant (extraterritorial jurisdiction)
No physical presence needed
No reporting: ‘we tell our clients everything, unless we’re not allowed to’
Risks
Most cloud services fall under US jurisdiction (non-transparent market, takeovers, value chain/backup providers, etc.)
Security agencies have a broad information interest
Lack of transparency creates chilling effects
Risk factor unknown
Effect on the market
“[…] is a US-based hosting company that has recently lost a number of potential customers in Europe due to the Patriot Act. We are wondering if there is any way we could structure services that would be “safe” from the Act.”
“[Potential customers] go through the whole process of auditing our security, working out redlines to our agreement, etc. Then at the last minute, they realize that they are "in danger" because of the Patriot Act, so they dump everything [...]”
Dutch Incidents
Biometric data in passport (Morpho/Safran Group)
Digital patient records (CSC)
AMS-IX goes US
How do we respond:
NSA/Snowden (including the Netherlands?)
Solutions
‘New dialogue’ between Europe and the US
Expert group meetings
Bilateral negotiations
Amendments to the draft Privacy Regulation: Article 43a prohibits the transfer of personal data required by a third country court decision or administrative authority if this is not compliant with a mutual legal assistance treaty or an international agreement
Towards national/European clouds
European Commission, new strategy:
Support for EU-wide certification schemes for trustworthy cloud providers
Model ‘safe and fair’ contract terms
European cloud partnership (boost chances for European cloud providers)
Building national clouds
No 100% security possible, network effects, etc.
National/International
True awareness and willingness to act
Get your own house in order
Behaviour of national security agencies (quid pro quo)
National regulatory safeguards (Telegraaf/AIVD case)
Oversight (CTIVD)
Taking responsibility
Better data management
From basement to board room
Analysis of critical/non-critical data
Tailor-made solutions
Encryption
Encryption of data
Encrypted transport and storage
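The point of the encryption bullet is that a provider who is compelled to hand over what it stores can only hand over what it can read. The following is an added illustration, not code from the slides or from IViR: records are sealed with AES-256-GCM under a key the customer keeps on its own premises, and only the resulting envelope (nonce plus ciphertext and tag) is uploaded. The object names, the "store" map standing in for the cloud provider, and the sample record are constructed for this example; the functions EncryptRecord and DecryptRecord are this example's own names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is what actually reaches the cloud provider: a fresh nonce and the
// ciphertext with its GCM authentication tag. The key is never part of it.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// EncryptRecord seals plaintext under a customer-held 32-byte key (AES-256-GCM).
// aad is authenticated but not encrypted; binding the object name into it means
// an envelope copied to a different name no longer decrypts.
func EncryptRecord(key, plaintext, aad []byte) (Envelope, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// DecryptRecord opens an envelope; any change to nonce, ciphertext, tag or aad fails.
func DecryptRecord(key []byte, env Envelope, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

// cloudStore stands in for the provider: it only ever sees envelopes.
type cloudStore map[string]Envelope

// ProviderSeesPlaintext reports whether the stored object contains the record
// in the clear, i.e. whether a disclosure order against the provider would expose it.
func ProviderSeesPlaintext(s cloudStore, name string, plaintext []byte) bool {
	env, ok := s[name]
	return ok && bytes.Contains(env.Ciphertext, plaintext)
}

func main() {
	key := make([]byte, 32) // constructed example key; in practice from the customer's own KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("patient 42: blood type O+") // constructed sample record
	name := "records/42"

	env, err := EncryptRecord(key, record, []byte(name))
	if err != nil {
		panic(err)
	}
	store := cloudStore{name: env}
	fmt.Println("provider can read record:", ProviderSeesPlaintext(store, name, record))

	back, err := DecryptRecord(key, store[name], []byte(name))
	fmt.Printf("customer decrypts: %q (err=%v)\n", back, err)
}
```

Transport encryption (TLS to the provider) protects the upload only; it is the client-side step above that keeps the stored copy unreadable to the provider and to anyone who compels the provider, which is why key custody outside the provider's jurisdiction is the part that matters.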
Educate yourself
Post-Graduate Legal Education: Privacy Law and Policy
IViR Summer Course (July 7-11, 2014)
http://www.ivir.nl/courses/plp/plp.html
Prof. Dr. N.A.N.M. van Eijk
Institute for Information Law (IViR, University of Amsterdam)
http://www.ivir.nl/staff/
[email protected]