European consumers have expressed concern that the USA Patriot Act (the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001” or “Patriot Act”) will afford the US government undue and unfettered access to their data if they choose to store it on the cloud servers of US providers (e.g., Microsoft or IBM). A recent survey found that 70 percent of Europeans have concerns about their online data and how well it is secured. For many, these fears were exacerbated by an announcement by Gordon Frazer, the managing director of Microsoft UK, that he could not guarantee that data stored on Microsoft servers, wherever located, would not end up in the hands of the US government, because Microsoft, a company based in the United States, is subject to US laws, including the Patriot Act. Aware of these concerns, some EU data centers have gone so far as to advertise that they provide “a safe haven from the reaches of the Patriot Act.”
To evaluate the validity of these concerns, several questions must be considered. First, exactly what information does the Patriot Act reach? Second, how likely is it, as a practical matter, that the Patriot Act will ever be used to reach a European company’s data stored in the cloud? Finally, how does that risk compare with exposure that European companies already face, such as the prospect of their home-country governments accessing their cloud-stored data? As Ambassador Phillip Verveer, the US State Department’s Coordinator for International Communications and Information Policy, explains, “[t]he PATRIOT Act has come to be a kind of label for [privacy] concerns.… We think, to some extent, it’s taking advantage of a misperception, and we’d like to clear up that misperception.”
This article seeks to dispel some of the myths shrouding the Patriot Act, and to provide an assessment of the risks the Patriot Act poses to data stored in the cloud, particularly where the data, or its owner, are based outside of the United States.
Patriot Act Discovery Tools for Law Enforcement
Contrary to a common misconception, the Patriot Act did not create entirely new procedural mechanisms for US law enforcement to use to obtain data in furtherance of its investigations. However, the Patriot Act did expand certain discovery mechanisms already available to US law enforcement. Two of these expanded mechanisms, which US law enforcement could use to access data in the cloud, warrant discussion: FISA Orders and National Security Letters.
Prior to enactment of the Patriot Act, the Foreign Intelligence Surveillance Act permitted the FBI to apply to a special court, the Foreign Intelligence Surveillance Court, for a FISA Order to obtain the business records of third parties for the purpose of foreign intelligence and international terrorism investigations. Originally, however, such business records were limited to car rental, hotel, storage locker, and common-carrier records.
Title II of the Patriot Act, “Enhanced Surveillance Procedures,” expanded the reach of FISA Orders to allow the FBI to obtain “an order requiring the production of any tangible things (including books, records, papers, documents and other items) for an investigation to protect against international terrorism and clandestine intelligence activities.” This includes data in the cloud. To obtain a FISA Order, the FBI must specify that the tangible things sought are for an authorized investigation either to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities.
FISA Orders, particularly as expanded under Section 215 of the Patriot Act, have given rise to privacy concerns for several reasons. First, such orders may be granted ex parte, meaning with only the FBI presenting evidence to the court. Second, Section 215 includes a “gag” provision that prohibits the party that receives a FISA Order from disclosing that fact. This typically would prevent a cloud service provider from informing its customers that the service provider had shared their data with the FBI in response to a FISA Order. Third, the fact that Section 215 allows the FBI to obtain a person’s library records sparked significant protests that the provision was invasive of reader privacy. Finally, the American Civil Liberties Union objects that “[t]he FBI need not show probable cause, nor even reasonable grounds to believe, that the person whose records it seeks is engaged in criminal activity.”
In the USA Patriot Act Improvement and Reauthorization Act of 2005, enacted March 9, 2006, Congress took several steps to address these concerns, including adding provisions to allow the recipient of a FISA Order to oppose it before the Foreign Intelligence Surveillance Court and also, after a 1-year hiatus, to contest the gag provision. Congress also required the US Attorney General to promulgate regulations to “minimize the retention, and prohibit the dissemination, of non-publicly available information.” Notwithstanding these efforts, privacy and civil liberties advocates remain deeply troubled by Section 215.
What is the practical effect of FISA Orders on users of US cloud services? The answer is that the FBI rarely uses FISA Orders. In 2010, the US government made only 96 applications to the Foreign Intelligence Surveillance Court for FISA Orders granting access to business records. There are several reasons why the FBI may be reluctant to use FISA Orders: public outcry; internal FBI politics necessary to obtain approval to seek FISA Orders; and the availability of other, less controversial mechanisms, with greater due process protections, to seek data that the FBI wants to access. As a result, this Patriot Act tool poses little risk for cloud users.
National Security Letters
The National Security Letter (NSL) is a form of administrative subpoena that the FBI and other US government agencies can use to obtain certain records and data pertaining to various types of government investigations.
When the Patriot Act was enacted, there were already four federal statutes authorizing enumerated government authorities (chiefly the FBI) to issue NSLs. First, under the Right to Financial Privacy Act (RFPA), the FBI and the Secret Service may obtain financial records from financial institutions such as banks, securities brokerages, car dealers, pawn brokers, casinos, and real estate agents (accountants and auditors, however, are not included).
Second, under the Fair Credit Reporting Act, the FBI may use an NSL to obtain from a consumer reporting agency (e.g., the three major credit bureaus: TransUnion, Equifax, Experian) the names and addresses of all financial institutions at which a consumer maintains or has maintained an account, plus consumer identifying information such as name, address and employment history.
Third, under the Electronic Communications Privacy Act, the FBI may request, from wire or electronic service providers (including Internet service providers) subscriber information, toll billing records information, and electronic communication transactions records. The US Department of Justice takes the position that this includes, with regard to email accounts, the name, address, and length of service of a person, as well as email addresses associated with an account and screen names.
Fourth, under the National Security Act, an authorized government investigative agency may request any of the types of information described above, from any of the sources described above, when necessary to conduct security checks of government employees or investigate US government employees believed to be spying for foreign powers.
Title V of the Patriot Act, Removing Obstacles to Investigating Terrorism, expanded the FBI’s authority to make NSL requests beyond its headquarters, to its 56 field offices; eliminated the requirement that information sought relate to a foreign power, instead requiring that the NSL request be relevant to international terrorism or foreign spying; and allowed the FBI to obtain full consumer credit reports. The Patriot Act also added another NSL section to the Fair Credit Reporting Act, this one allowing not just the FBI, but any government agency, to obtain information from a consumer reporting agency in connection with international terrorism or intelligence activities.
After the Patriot Act expanded the scope of NSLs as described above, their use began to rise. The Department of Justice reported to Congress that in 2010 the FBI made 24,287 NSL requests (excluding requests for subscriber information only).
NSLs give rise to privacy concerns and, according to critics, the potential for abuse, for several reasons. First, the FBI may issue NSLs on its own initiative, without the authorization of any court. (This was true even before the Patriot Act.) Nothing in the Patriot Act provides for any judicial review of the FBI’s decision to issue an NSL. Second, the NSL statutes impose a gag requirement on persons receiving an NSL. In addition, the Attorney General Guidelines and various information sharing agreements require the FBI to share NSL information with other federal agencies and the US intelligence community.
The Reauthorization Act tried to redress some of these concerns. It provided a right to judicial review of NSLs and a right to petition a court to lift the gag order. The Reauthorization Act also provided criminal penalties for violating gag obligations with the intent to obstruct an investigation.
So where does this complex statutory scheme leave cloud users? While the use of NSLs is not uncommon, the types of data that US authorities can gather from cloud service providers via an NSL are limited. In particular, the FBI cannot properly insist via an NSL that Internet service providers share the content of communications or other underlying data. Rather, as set forth above, the statutory provisions authorizing NSLs allow the FBI to obtain “envelope” information from Internet service providers. Indeed, the information that is specifically listed in the relevant statute is limited to customers’ name, address, and length of service.
The FBI often seeks more, such as who sent and received emails and what websites customers visited. But, more recently, many service providers receiving NSLs have limited the information they give to customers’ names, addresses, length of service and phone billing records. “Beginning in late 2009, certain electronic communications service providers no longer honored” more expansive requests, FBI officials wrote in August 2011, in response to questions from the Senate Judiciary Committee.
Although cloud users should expect their service providers that have a US presence to comply with US law, users also can reasonably ask that their cloud service providers limit what they share in response to an NSL to the minimum required by law. If cloud service providers do so, then their customers’ data should typically face only minimal exposure due to NSLs.
Other Law Enforcement Tools
As discussed above, the two law enforcement tools for discovery of third-party data that were most significantly enhanced by the Patriot Act and that have given rise to significant concerns by European critics of the Patriot Act—FISA Orders and NSLs—should not, as a practical matter, pose a significant risk to European data on the servers of US-based cloud providers. But it would be a mistake to end the analysis there.
Search Warrants and Grand Jury Subpoenas
US federal law enforcement has other, more traditional mechanisms for obtaining information it deems necessary to support its investigative efforts, such as search warrants (which must be approved by a US court upon a showing of probable cause) and grand jury subpoenas, which are issued by a US federal prosecutor in support of an ongoing grand jury investigation (and which a recipient may move to quash in court). These mechanisms also can be used to obtain data stored in the cloud. Should the risks these tools pose cause European companies to eschew US cloud services?
At the outset, consider that search warrants and grand jury subpoenas are hardly new. Search warrants trace their roots in the United States back at least to the Bill of Rights (ratified in 1791): the Fourth Amendment provides for protection against searches and seizures in the absence of a properly obtained warrant. Similarly, the grand jury has been functioning as an institution for receiving evidence of criminal activity since the Magna Carta and also has been incorporated into the US Constitution.
Moreover, Europeans (and others) have comparable discovery mechanisms in their home countries. For example, in France, the Police Nationale and the Gendarmerie Nationale both can execute search warrants. Article 13 of Germany’s Basic Law similarly recognizes judicially ordered search warrants. And, of course, US search warrants have their roots in English law. Accordingly, to the extent European consumers wish to avoid any risk that any government will access their cloud data, merely avoiding US service providers is unlikely to help.
Sequestering data on European cloud servers may be an ineffective prophylactic against US government access for another reason. The United States and most European governments have entered into bilateral Mutual Legal Assistance Treaties (MLATs). In a typical MLAT, the two countries commit to provide one another with “the widest measure of mutual assistance in investigations or proceedings in respect of criminal offenses ….”
In 2003, the United States and the European Union entered into an MLAT with a provision addressing data protection. That provision governs MLAT requests made pursuant to prior bilateral MLATs between EU Member States and the United States. The comments to the EU‑US MLAT explain that this provision was “meant to ensure that refusal of assistance on data protection grounds may be invoked only in exceptional cases.” Accordingly, US MLAT requests, particularly those concerning terrorism investigations, are seldom denied for data protection reasons.
US Jurisdictional Limitations
In the United States, only a party amenable to what is known as “personal jurisdiction” can be subject to a search warrant, grand jury subpoena, NSL, FISA Order or other enforceable request for documents or data. The fundamental requirements for exercising personal jurisdiction over an individual or corporation are grounded in the Constitution, and the Patriot Act did not alter those principles (nor did it purport to do so).
In the context of personal jurisdiction, due process considerations prohibit courts from exercising jurisdiction over a witness who lacks minimum contacts with the forum. In the case of a corporation, this means that any corporation based in the United States will be subject to US jurisdiction and, thus, can be subject to FISA Orders, NSLs, search warrants, or grand jury subpoenas. The same is generally true for a non-US corporation that has a location in the United States or that conducts continuous and systematic business in the United States.
Furthermore, an entity that is subject to US jurisdiction and is served with a valid subpoena must produce any documents within its “possession, custody, or control.” That means that an entity that is subject to US jurisdiction must produce not only materials located within the United States, but any data or materials it maintains in its branches or offices anywhere in the world. The entity even may be required to produce data stored at a non-US subsidiary.
What does this mean for non-US consumers of cloud services? First, US law enforcement authorities may serve FISA Orders, NSLs, warrants or subpoenas on any cloud service provider that is US based, has a US office, or conducts systematic or continuous US business—even if the data is stored outside the United States. Thus, merely choosing a European cloud service provider is not enough to ensure that data is beyond the reach of US jurisdiction and the Patriot Act.
Second, US law enforcement authorities may serve FISA Orders, NSLs, warrants or subpoenas on any cloud service customer that is US based, has a US branch, or conducts systematic or continuous US business—even if the data is stored outside the United States. Many European entities have a US presence, and their US presence will allow them to be subject directly to the authority of US law enforcement, regardless of what company they use for cloud storage.
The Patriot Act and European Data Protection
The European Commission’s Directive on Data Protection generally prohibits the transfer of personal data to non‑European Union countries that do not meet the EU “adequacy” standard for privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy. To bridge these different privacy approaches, the Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor” framework. By joining and adhering to the EU-US Safe Harbor Agreement, US companies can demonstrate that their data protection practices meet EU data protection requirements. European companies then can share data with US participants in the Safe Harbor agreement without violating their home country data protection laws.
The Safe Harbor Agreement contains a provision that allows US companies to comply with applicable US laws compelling the production of data, including the Patriot Act. It is anticipated, however, that at the World Economic Forum in January 2012, the European Commission will announce legislation to repeal the existing EU data protection directive and replace it with a more robust framework. The new legislation might, among other things, replace EU/US Safe Harbor regulations with a new approach that would make it illegal for the US government to invoke the Patriot Act on a cloud-based or data processing company, in efforts to acquire data held in the European Union. The Member States’ data protection agency with authority over the company’s European headquarters would have to agree to the data transfer.
The foregoing developments may significantly affect the legal landscape for protection of data on the cloud servers in the cross-border context and, thus, should be monitored closely. However, it may be years before the new legislation is enacted (the current EU Data Protection Directive took three years to be enacted). By that time, changes in technology may present entirely new challenges and considerations.
Consumers of cloud services are wise to consider all types of risk to their data, whether from their home country’s government or another country’s government. Merely avoiding US cloud service providers based on concerns about the Patriot Act does not solve the problem. That choice alone provides no assurance that cloud data is beyond the reach of the Patriot Act, nor does it provide protection against the risk that non-US governments will access the cloud-stored data, either on their own initiative or in response to an MLAT request from the United States.
Rather than making a selection based solely on the home country of competing cloud providers, informed consumers of cloud services should (i) consult legal counsel in their home country, in any jurisdiction where their data may be stored, and in any jurisdiction where their cloud service provider does business; (ii) closely review their cloud services contracts and ask their providers questions; and (iii) carefully consider all the relevant risks before making a decision.