From time to time, organizations are asked to provide access to data for legal reasons. Those requests can be more complicated when the data is in the cloud. But a new report sheds some light on one critical aspect of such requests.
One risk with cloud computing is that the customer has less control over who can access its data. When customer data is stored on and processed by the cloud vendor's data center instead of in-house, what's to stop a third party, such as the government, from going directly to the cloud vendor to obtain access to that data without the customer's permission or knowledge? And if that happens, will the cloud vendor's priority be to protect its customer's rights and data or to protect itself?
With the April 30, 2013, release of its third "Who Has Your Back?" report, the Electronic Frontier Foundation (EFF) has tried to answer these questions. The report reflects that, as with most things in the cloud, vendors vary widely on how they handle third-party requests for access to data. For the 2013 report, the EFF used six criteria to assess cloud vendors, and awarded a star for good performance in each category. The six criteria are:
Does the cloud vendor publish transparency reports?
Google was the first out of the gate when it began issuing its Google Transparency Report three years ago. Since then, more cloud vendors, including Twitter, Dropbox and, most recently, Microsoft have followed suit by issuing their own transparency reports. These reports typically provide statistics regarding how often the vendor receives and fulfills government requests to provide access to customer data. In response to the changing technological and legal landscape, these reports continue to evolve. Effective March 5, 2013, Google announced that it will begin including data about National Security Letters (NSL) in its transparency report.
Does the cloud vendor notify customers?
Does the vendor tell customers about government data requests, unless prohibited by law? Doing so provides customers with the opportunity to protest or defend against overreaching government demands for their data.
The caveat "unless prohibited by law" is directly connected to NSLs. Five different federal statutes enable the FBI to obtain records for foreign intelligence or international terrorism investigations via an NSL that the FBI can issue on its own authority and without court approval. The Patriot Act expanded on this to include a "gag" provision prohibiting the vendor recipient of an NSL from revealing anything about the NSL, including that it has been received. This prevents the vendor from notifying anyone, including the owner of the data requested, that such a demand has been made. NSLs have understandably been controversial.
On March 14, 2013, Judge Susan Illston of the Federal District Court for the Northern District of California ruled that the NSL provisions in federal law violate the First Amendment and the separation of powers principle, and ordered that the FBI stop issuing NSLs and cease enforcing associated gag provisions. This ruling is stayed for 90 days to allow the government to appeal. The appeal is still pending.
Does the cloud vendor defend customer rights in court?
Has the vendor defended its customer's rights by contesting government access requests in court?
Google earned its EFF star for fighting for customers' privacy in court, in part, for its recent efforts to push back on an NSL. According to a March 29, 2013, filing in the case of "In Re Google Inc. (GOOG)'s Petition to Set Aside Legal Process, 13-80063, U.S. District Court, Northern District of California (San Francisco)", Google is challenging a government demand for access to customer data in a national security probe. The results of Google's efforts are still pending.
Twitter earned its EFF star for fighting for customers' privacy in court, in part, for its efforts last year in the case of New York v. Harris. In this case, Twitter was subpoenaed for the records of Twitter user Malcolm Harris who was involved in Occupy Wall Street protests. These Twitter records identify not only the content of the user's tweets, but the date they were sent, and the location of user at the time they were sent. The court ruled Harris had no right to contest this subpoena, so Twitter contested, but lost and then appealed. After waiting on the appeal ruling for seven months, Twitter was forced to provide records on Sept. 14, 2012, prior to results of appeal.
Does the cloud vendor require a warrant?
Does the vendor require the government to produce a warrant supported by probable cause before handing over customer data? The following Facebook policy was cited as being exemplary in this area:
A search warrant issued under the procedures described in the Federal Rules of Criminal Procedure or equivalent state warrant procedures upon a showing of probable cause is required to compel the disclosure of the stored contents of any account, which may include messages, photos, videos, wall posts, and location information.
Does the cloud vendor publish law enforcement guidelines?
Does the vendor have established policies or guidelines regarding how they respond to data demands from the government? If so, does it make those publicly available? Thirteen of the 18 vendors evaluated received stars in this category.
Does the cloud vendor fight for customer rights in Congress?
Does the vendor support efforts to modernize electronic privacy laws to defend users in the digital age by joining the Digital Due Process Coalition?
Customers concerned about their data need to be aware of their cloud vendors' policies in this area. When the vendor does have appropriate policies regarding how it responds to government data access requests, a customer should incorporate those policies into its cloud contract to reduce the risk that the policies might be diminished going forward.
Interested in learning more about cloud computing contract issues? Then please register for my seminar Cloud Computing Risk Mitigation Via Contract Negotiation and Vendor Management. By special invitation, the next session of my seminar will be held in concert with the SAM Summit 2013 conference, June 25, in Chicago. I look forward to seeing you there.
Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.