The Patriot Act and Cloud Security - Busting the European FUD
DESCRIPTION
In the wake of Edward Snowden's allegations of NSA cyber spying, we are honored to have a former General Counsel of the NSA as one of our panelists. This is sure to be an especially interesting webinar. European hosting companies have cited the USA Patriot Act of 2001 as the boogieman that would leave information free for plunder by the dark and clandestine US Government. And NSA activity as described by Edward Snowden has provided a convenient, timely, and high-profile case study. But are these concerns well founded? Learn more about the Patriot Act, ways other countries combat terrorism, and how these relate to privacy. Our featured speakers for this timely webinar will be:
- Stewart Baker, Partner, Steptoe & Johnson LLP; Former Assistant Secretary for Policy at the Department of Homeland Security and General Counsel of the NSA
- Michael Vatis, Partner, Steptoe & Johnson LLP
- Gant Redmon, Esq. CIPP/US, General Counsel, Co3 Systems
TRANSCRIPT
The Patriot Act and Cloud Privacy: Busting the European FUD
Page 2
Agenda
• Introductions
• The FUD & The Fallout
• Patriot Act Reality
• Europe (Un-)Reality
• Q&A
Introductions: Today’s Speakers
• Stewart Baker, Partner, Steptoe & Johnson LLP
• Michael Vatis, Partner, Steptoe & Johnson LLP
• Gant Redmon, Esq. CIPP/US, General Counsel, Co3 Systems
The complete process – based on E.R. standards
PREPARE
Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Link in legacy applications
• Run simulations (fire drills / tabletops)
ASSESS
Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Automatically map intelligence
• Track incidents, maintain logbook
• Automatically prioritize activities based on criticality
• Generate assessment summaries
MANAGE
Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
MITIGATE
Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
The FUD
• Data stored with American cloud providers is easily accessible by the U.S. government, with no privacy protection
• U.S. law “enables the US government to snoop on Europeans’ data held with US cloud providers without needing to obtain a warrant.” (http://blog.teamdrive.com/2013_02_01_archive.html)
The FUD (cont.)
• “It is lawful in the US to conduct purely political surveillance on foreigners’ data accessible in US clouds.”
• “[A]ny data-at-rest formerly processed ‘on premise’ within the EU, which becomes migrated into Clouds, becomes liable to mass-surveillance” by U.S.
• European Parliament, Directorate-General for Internal Policies, “Fighting cyber crime and protecting privacy in the cloud,” 2012
Edward Snowden Didn’t Help
• “If European cloud customers cannot trust the United States government or their assurances, then maybe they won’t trust US cloud providers either. And if I am right then there are multi-billion euro consequences for American companies.”
• Neelie Kroes, Vice-President of the European Commission responsible for the Digital Agenda (http://www.businesscloudnews.com/2013/07/05/neelie-kroes-warns-cloud-may-suffer-from-prism-related-security-fears/)
• Media coverage of leaks has fostered impression that NSA has access to everything, everywhere
• And has caused the pile of FUD to grow
And More FUD
• “The questions raised about the United States’ FISA act have focused the minds of Europeans keen to share, but only with those they chose. TeamDrive has confirmed that European cloud users want to have data stored under the EU banner, away from the prying eyes of the US government.” (http://blog.teamdrive.com/2013_02_01_archive.html)
• “[W]e comply with the highest German and European data privacy standards. And that is important when you consider the furor around the issue of unauthorised access in some third countries that don’t offer the same level of security. But we can deliver CLOUD SERVICES ‘MADE IN GERMANY’ - around the world.”
• T-Systems brochure (http://www.t-systems.com/umn/uti/796860_2/blobBinary/Complete_Edition-ps.pdf?ts_layoutId=804564)
…And Still More
• “We believe that a service owned and operated locally in the EU, and fully compliant with EU data protection laws, will be very attractive for European companies.”
• Johan Christenson, Chairman, City Network (http://news.techworld.com/security/3322757/europe-cloud-vendors-cleaning-up-with-data-protection-fears/)
POLL
Has an international customer expressed concerns over the US Patriot Act in relation to their information being stored in the US?
The Legal Fallout in Europe
• Government
  • HLCG revival
  • EU Parliament
  • Commission
  • Impact on data protection proposals
• Companies
  • DPA investigations of cooperating companies
  • Efforts to discourage use of US cloud
Are US Providers At Risk?
• The Models
  • PNR – holding air carriers hostage
  • SWIFT – criminal investigation
• The theory: No data export to “inadequate” jurisdictions
  • Determining adequacy of US data protection regime includes scrutiny of security and law enforcement collection
Private Sector Defenses
• Safe Harbor
  • Controversy over Safe Harbor
• Inapplicability of data protection rules
  • Safe Harbor and EU directives exclude public security and law enforcement
• US rules protecting privacy vis-à-vis government match or exceed EU
The Reality
• U.S. accords greater privacy protections than other countries
  • Fourth Amendment
  • Electronic Communications Privacy Act
  • Foreign Intelligence Surveillance Act
  • No voluntary disclosures of customer data by providers
  • No data retention requirements
Patriot Games
• Europeans claim the Patriot Act allows USG to seize customer records in bulk, from parent company in U.S.
• But Section 215 allows access, with a court order, only to business records
• Customer data is not a business record
• And Section 215 has apparently not been applied to information stored abroad
Patriot Games II
• Section 702 of FISA Amendments Act (50 U.S.C. § 1881a)
  • Limited to collection of “foreign intelligence”
• Information to protect against
  • “potential attacks or other grave hostile acts of a foreign power”
  • “sabotage, international terrorism, or the international proliferation of weapons of mass destruction”
  • “clandestine intelligence activities”
• Information with respect to foreign power or foreign territory that relates to
  • “national defense or…security” or
  • “the conduct of the foreign affairs of the United States”
Patriot Games II (cont.)
• “The information must pertain to a foreign power or foreign territory; and thus it cannot simply be information about a citizen of a foreign country…unless the information would contribute to meeting intelligence requirements with respect to a foreign power or territory.”
  • H.R. Rep. No. 1283, Pt. I., 95th Cong. 2d Sess., 1978 U.S.C.C.A.N. 4048, at 50 (June 8, 1978)
Patriot Games II (cont.)
• Judicial oversight
  • Minimization and targeting procedures
  • Cloud providers can object
• Congressional oversight
  • “[The] information obtained by the Committee demonstrate[s] that the government implements the FAA surveillance authorities in a responsible manner with relatively few incidents of non-compliance. Where such incidents have arisen, they have been the inadvertent result of human error or technical defect and have been promptly reported and remedied. Through four years of oversight, the Committee has not identified a single case in which a government official engaged in a willful effort to circumvent or violate the law.”
  • S. Rep. No. 174, 112th Cong. 2d Sess. at 7 (June 7, 2012), available at https://fas.org/irp/congress/2012_rpt/faa-extend.pdf
POLL
Compared to the EU, are US protections from discovery of data: Better? Worse? The same?
Glass Houses
• European governments have much freer access to data
• The UK government can seize or intercept data without court approval where necessary to protect national security, the economic well-being of the UK, or to prevent or detect “serious crime”
• The French Prime Minister’s office can order a wiretap without court approval or oversight, not just for national security or terrorism but to protect economic and scientific assets or combat organized crime
• The Spanish government can enter providers’ premises without a warrant in national security matters
House of Glass (Haus aus Glas)
• German authorities can
  • intercept electronic communications without court approval
    • not just for national security threats, but also “strategic surveillance” including drug trafficking or to gather information about other countries important to foreign policy
  • use a computer virus to infiltrate providers’ networks without providers’ or customers’ knowledge or opportunity to challenge (with court order)
• Regulated cloud providers may not disclose to customers that they gave information to government
Which countries conduct the most surveillance of their citizens?
Which countries allow providers to “volunteer” data to government?
The Bottom Line
• Theory of EU interventions is open to question
  • Safe Harbor
  • Coverage of government practices
• Adequacy: U.S. privacy protections exceed other countries’
• Likely outcome: More threats, more drama, more talks
QUESTIONS
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
Stewart Baker, [email protected], (202) 429-6402
Michael Vatis, [email protected], (212) 506-3927