Thursday, July 26, 2012

US cloud vendors complain to Congress about foreign privacy FUD

The United States House of Representatives Judiciary Committee (through its Internet subcommittee) this past week held a hearing to discuss issues related to cloud computing. Specifically, the hearing highlighted how fear, uncertainty and doubt are being spread regarding US privacy protections to discourage the use of American cloud vendors. The hearing included representatives of the Business Software Alliance, Rackspace, IBM and ITIF.

Principally, hysteria about the USA Patriot Act is being used by some non-US vendors to market their services. This ignores the fact that most countries have legal regimes very similar to the USA Patriot Act.

Check it out:

US Groups: Foreign Cloud Providers Marketing Against Privacy Concerns | CIO.com

IDG News Service (Washington, D.C., Bureau) — Cloud computing services from outside the U.S. are trying to exploit perceived weaknesses in privacy laws to drive business away from U.S. providers, according to some representatives of the tech industry.

Deutsche Telekom and other companies are marketing their cloud products as more private than those from U.S. vendors because of the Patriot Act and other laws, representatives of the Business Software Alliance and Rackspace told a U.S. House of Representatives subcommittee during a hearing Wednesday.

Foreign cloud computing vendors are spreading "fear, uncertainty and doubt" about U.S. privacy standards, Justin Freeman, corporate counsel for Rackspace, told members of the House Judiciary Committee's Internet subcommittee.

"We commonly see almost absurd positioning of what the Patriot Act permits, to the extent that it allows almost any U.S. government agency to, without notice or warrant, access any private data that's on a server contained within the United States," Freeman said.

"That's totally false," said Representative Bob Goodlatte, a Virginia Republican.

Witnesses from the U.S. tech industry and some lawmakers complained that some of the privacy problems are more perceived than actual, but some also called for Congress to change U.S. privacy laws to better protect data stored in the cloud.

The U.S. Electronic Communications Privacy Act (ECPA) allows law enforcement agencies easier access to information stored in the cloud than to information stored on a hard drive or in a file cabinet, noted Representatives Zoe Lofgren, a California Democrat, and Jerrold Nadler, a New York Democrat.

Some countries have "legitimate concerns, honestly, about the lack of standards in American law," Lofgren said. "We have a lot of work to do in this area."

In addition to marketing campaigns, several nations have passed or are considering laws that require their residents' data to be stored on servers within the country, said Daniel Castro, senior analyst with the Information Technology and Innovation Foundation (ITIF), a tech-focused think tank. Many countries are using privacy and security concerns to pass domestic storage laws, he said.

"Some countries are using unfair policies to intentionally disadvantage foreign competitors and grow their domestic cloud computing industry," Castro said. "The rise of cloud mercantilism is an emerging threat to global trade and information technology."

Greece, China, Russia and Venezuela are among the countries that have passed data localization requirements, Castro said. He called on the U.S. government to push against such laws.

Castro and Robert Holleyman, the BSA's president and CEO, also asked Congress to update ECPA to better protect stored data.

Congress also needs to consider ways to better protect stored information on cloud services, Lofgren said. The U.S. Department of Justice, when it shuttered the Megaupload file-sharing site in January, left the data of many innocent users in limbo, she said.

Holleyman, whose trade group supports strong law enforcement actions against file sharing sites, said he didn't have a suggestion for how to protect innocent users.

"Nobody seems to feel any responsibility toward people who are completely innocent here," Lofgren said. "There seems to be no interest or obligation to innocent bystanders to this action."

Wednesday, July 25, 2012

Economist editorial: spot-on about cloud privacy and law enforcement

The Economist has an absolutely spot-on editorial on privacy in the age of cloud computing:

Data privacy: Out of shape | The Economist

The rules on what data governments can demand from communications companies need tightening
Jul 21st 2012 | from the print edition

SNOOPING, like so many things in life, is going mobile and online. In 2011 Google received 12,271 requests for data from the American government and acceded to all but a few of them. American mobile-phone carriers together fielded more than 1.3m such requests. Some covered multiple subscribers. Some were for “tower dumps”, which reveal the phone numbers of everyone—criminal suspects or not—in range of a certain mobile-phone tower at a certain time.

The rate of government requests has been growing: Verizon, America’s biggest mobile-service provider, says it has gone up by 15% in each of the past five years. Large mobile companies now have teams of employees that do nothing other than respond to government requests for data.

This is happening partly because technology makes snooping easier, and partly because the law has not caught up with the technology. In the offline world, governments generally need a judge to sign a warrant to put a wire-tap in place; the same goes for a physical search of property. In the online world, most data—concerning who called or e-mailed whom, or visited what website, though not the content of a communication—is handed over without any such judicial review.

This is not just an American issue; European states are at least as careless of their citizens’ privacy as America. The European Union’s Data Retention Directive requires telecoms firms to store vast amounts of data about their customers’ activities, which may then be provided to law-enforcement agencies. In Britain, a draft Communications Data bill gives intelligence agencies even wider powers to intercept and store such data.

There are decent arguments in favour of giving governments such powers. Criminals, as well as law-enforcement agencies, make effective use of digital communications, so states need to be able to respond in kind. Rescue services sometimes need phone data to locate someone who needs urgent help. And where such information can help catch criminals, it should be made available. But there are also arguments for greater restraint. Communications technology these days compromises people’s privacy more than it used to. Mobile-phone records can reveal where people are, what websites they visit, what they are interested in and what they buy. Law-enforcement agencies should not be allowed unrestricted access to such complete, and intrusive, pictures of people’s lives.

Rewind, please

There is, at least, some kickback. The European law has been found unconstitutional in several member states, and the European Commission intends to revise it. But Britain’s bill seems likely to become law, despite much criticism. In America, the main federal law on the subject was written in 1986, when the internet barely existed. It badly needs an overhaul.

A good general principle would be to afford data stored in a private e-mail account as much protection as letters stored in a locked desk drawer—that is, law-enforcement agencies wanting to get a look at them should need a warrant. Internet and mobile-phone companies, and the agencies that get data from them, must be subject to proper reporting requirements. Only if people know more clearly what information is being collected about whom, and to what uses it is being put, can they judge whether the benefits of greater safety the surveillance state has brought them are worth the huge loss of privacy they have suffered as a result.