Snowden, privacy and cloud services
Edward Snowden was until very recently an unknown entity. Now he is being heralded in various circles as a whistleblower who has undertaken a ‘magnificent act of civil disobedience’ by sharing details of the PRISM electronic surveillance program operated by the United States National Security Agency (NSA).
To bring everyone onto the same page: PRISM is a government codename for a data collection effort operated under the supervision of the United States Foreign Intelligence Surveillance Court pursuant to the Foreign Intelligence Surveillance Act (FISA). Further information is available here.
There are multiple facets of the PRISM program that civil libertarians are arguing about, in the same manner that they argued about the Patriot Act and many other measures, but I want to focus on what awareness of programs like this means, in business terms, for organisations that are looking to embrace the cloud.
There has been a lot written about the Patriot Act and how the PRISM program is an implementation instrument of the Patriot Act. However, from a cloud services perspective, I believe that a program like PRISM will have limited impact on organisations looking to onboard cloud services hosted in the US, Australia or Europe.
There are numerous US legal instruments in play, including but not limited to:
- Patriot Act
- US Patriot Act National Security Letter (NSL) power under 18 U.S.C. 2709, Section 505
- US Foreign Intelligence Surveillance Act, pursuant to s. 215 of the Patriot Act
- US-Australia Mutual Legal Assistance Treaty (MLAT), signed in 1997 (EPF309, 04/30/1997), a modern framework for cooperation (410)
- Electronic Communications Privacy Act of 1986 (ECPA)
- Communications Assistance for Law Enforcement Act of 1994 (CALEA)
- FISA Amendments Act of 2008
The Fourth Amendment of the US Constitution, and common principles derived from the International Covenant on Civil and Political Rights (ICCPR), prohibit cloud service organisations from voluntarily releasing customer data to government agencies.
However, where a US government agency requires access to your organisation’s data and it is hosted in a US-based cloud, they will get it.
What organisations need to do is:
- Carefully consult your terms of service with all cloud service providers to ensure that security, transparency and legal certainty are the key drivers supporting your cloud computing services.
- Select a cloud provider that guarantees compliance with your own policies and the data protection legislation of the country where the cloud service is based.
- Understand and verify how the cloud services provider will guarantee the lawfulness of any cross-border international data transfers.
The above represents the personal views of Puneet Kukreja and not necessarily those of AISA, CSA-AU or any organisation Kukreja works for or is on the board of.