The Patriot Act and the Cloud

Many of the apprehensions about the Patriot Act and how it affects data sovereignty are based on misconceptions and it's time to set the record straight.

US Ambassador Jeffrey Bleich's opinion piece last year on cloud computing focusing on the perceived risk that the legal system and the Patriot Act pose to the privacy and security of data stored in clouds elicited a fierce response from some quarters.

Many of these blithely mischaracterise the Patriot Act in particular and the American legal system in general, making the United States out to be a country that is dismissive of the right to privacy. This is simply not true, and let's just set the record straight. 

First and foremost, let’s not forget that the reason the United States, Australia, and other democratic countries, under carefully controlled circumstances, give their law enforcement agencies access to private communications is to give the good guys the information they need to protect us from the bad guys, whether drug traffickers, child pornographers, or the hackers, cyber pirates and terrorists who pose real threats to our sensitive data. 

Next, let’s put the legal system and the patriot act into context.  Privacy protections limiting law enforcement access to electronic communications, a key area of modern data privacy concern, are among the highest in the world.  They provide protections that are at least equivalent to—and often superior to—those provided by the laws and practices in many countries around the world, including Australia. The stringent  statutes protecting the privacy of e-mail and voice communications apply equally to foreign nationals and  citizens.  Our Constitution, laws, and procedures ensure that  law enforcement officials use the tools needed to do their job in a way that adequately safeguards individual privacy.  Consider the following facts:

Before the contents of stored e-mail communications can be divulged, law enforcement authorities must, at a minimum, obtain a court order or grand jury subpoena.  In most cases, however, authorities obtain a search warrant from an independent judicial authority authorising the seizure.  To obtain such a warrant, the agents must present specific evidence establishing probable cause to believe that the particular e-mail account will contain evidence of the crime under investigation (and not just that the account is under the control of a suspected criminal).  Moreover, if a warrant is constitutionally required, defects in applying for one, or failure to obtain one, may result in a ban on the prosecution’s use of the evidence, no matter how incriminating it is.  We are not aware of any other country in the world that employs a more stringent evidentiary standard in this context. 

American law enforcement officials may be prosecuted criminally or sued civilly for illegally intercepting voice or e-mail communications, a clear demonstration of our seriousness in protecting privacy from unwarranted government intrusion. Few other countries can boast a similar record of prosecuting and jailing those who abuse government power to illegally snoop on individuals.

Service providers are barred from voluntarily providing traffic or subscriber data or the content of stored e-mail communications to law enforcement agents in response to informal requests, on pain of civil suits and penalties.  This is a protection offered in few other jurisdictions.

What about the NSLs?

One concern frequently raised about the Patriot Act is the government’s ability to issue National Security Letters (NSLs) requiring service providers to turn over non-content data without a court order.  The authority to issue NSLs is available only where the records sought are relevant to an authorised investigation to protect against international terrorism or clandestine intelligence activities.  Furthermore, the law specifically limits the type of information that may be obtained with an NSL. For example, NSLs may be issued to wire or electronic communications service providers only to obtain limited, non-content information (e.g., names, addresses, length of service, and billing records).  NSLs do not permit the government to obtain the content of communications.  Although an NSL may require that the recipient not disclose the NSL to the subscriber or account holder, the provider that receives the letter may challenge that requirement in court.

Critics should be aware that law enforcement authorities in Australia and elsewhere have powers to confidentially access user data, including content, without court approval in cases that could affect national security. 

There are several  laws that specifically provide judicial redress options for individuals who suffer damages pertaining to data protection and privacy violations, including in the context of law enforcement operations.  These include the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Federal Tort Claims Act, and the Mandatory Victims Restitution Act.  The judicial redress options under these laws are equally available to foreign nationals and  citizens.

 The United States also places stringent restrictions on the extraterritorial collection of data by law enforcement.  The issue of when an entity present in a jurisdiction can be compelled to produce data that is in its possession or control—but which is stored in another jurisdiction—predates not only the “cloud,” but computers themselves.  As a result, the United States has restricted such law enforcement requests since long before the advent of the Internet.  Such requests are vetted at high levels within the  Department of Justice and can be challenged in court.

The  approach is consistent with internationally agreed upon rules in this context.  In 2001, the Council of Europe Cybercrime Convention, which the United States, Australia, Japan, and 34 European states have ratified, set out a legal framework for law enforcement and judicial access to computer data.  The procedural law provisions of the Convention obligate each party to enact legislation enabling its authorities to search or similarly access a computer system in its territory in order to seize data stored therein. 

In addition, the Convention requires each party to enact legislation enabling its authorities to compel production, from any individual person or legal person (typically a corporation) in its territory, of computer data that is stored in a computer system or storage medium that is in the person’s possession or control.  The geographic scope of this rule is left to domestic law to define; countries may choose to limit it to data in the party’s territory, but the Convention does not prohibit a party from applying it to data in the possession or control of a person within the party’s territory even where the data itself is located outside the party’s territory.  

 Furthermore, Australia and the United States have a Mutual Legal Assistance Treaty (MLAT) in place and years of extremely close international law enforcement collaboration.  Under our MLAT, the  Department of Justice and the Australian Attorney General’s Department routinely request, and provide, information held on servers located in the other’s jurisdiction to aid in a targeted and rigorously supervised fashion with ongoing investigations. 

Ironclad privacy protection

In summary, the United States has a privacy protection regime applicable to both citizens and foreigners that is as strong, if not stronger, than anywhere else in the world.  Neither the United States nor Australia are unique in being able to go after data located overseas, and under our MLAT with Australia we cooperate closely to combat terrorism and international crime, including by sharing data stored in our respective jurisdictions.

To bring this back to trade policy, I’d like to quote Matt Healy of OzHub, who has written that people want to be able to choose where to place their personal information.  We couldn’t agree more, which is why we favour free trade in the e-commerce sector. But people should be able to make their choices based on the facts.  Consumers who would otherwise select a -based cloud service but don’t because of misperceptions about the legal system are effectively being denied the power to choose.

Jonathan Fritz is the Australian US Embassy's counselor for Economic Affairs