Companies and individuals who upload their files in the cloud often ask (or should ask) the question: “Where are my files and who can have access to them?”
In a prior article, we analyzed the laws that regulate US government access to data. In this article we will review their equivalent in three countries on three continents. What may be surprising to some is that most countries grant their law enforcement or intelligence services extensive powers that are similar to, and at times more substantial than, those of their U.S. counterparts.
In Canada, Part II of the Security Intelligence Service Act allows designated judges from the Federal Court to issue warrants authorizing the interception of communications and obtainment ofany information, record, document or thing. The judge may issue a warrant authorizing the persons to whom it is directed to intercept any communication or obtain any information, record, document or thing and, for that purpose:
To enter any place or open or obtain access to any thing;
- To search for, remove or return; or examine, take extracts from or make copies of; or record in any other manner the information, record, document or thing; or
- To install, maintain or remove any thing.
The National Defense Act gives the Minister of National Defense powers that are similar to those granted by the U.S. Foreign Intelligence Surveillance Act,such as the power to authorize the Communications Security Establishment to intercept communications for the purpose of obtaining foreign intelligence. The Minister may only issue an authorization if satisfied of the following:
- The interception will be directed at foreign entities located outside Canada;
- The information to be obtained could not reasonably be obtained by other means;
- The expected foreign intelligence value of the information that would be derived from the interception justifies it; and
- Satisfactory measures are in place to protect the privacy of Canadians and to ensure that private communications will only be used or retained if they are essential to international affairs, defense or security.
Further, several provisions of PIPEDA, the Canadian federal law that governs the protection of personal data, allow national security policies to take precedence over privacy rights. For example, PIPEDA allows an organization to collect, use or disclose an individuals’ personal data without the knowledge or consent of the individualin connection with an investigation, or if the information relates to national security, the defense of Canada, international affairs or an investigation, orto comply with a warrant or subpoena.
PIPEDA also contains an exception regarding individuals’ right of access to information about them held by organizations,when the organization has disclosed personal information to governmental agencies as described above. If an individual requests that the organizationinform him or her about a disclosure of information made to the intelligence services, the organization must notify the government agency (in writing andwithout delay) to which the disclosure was initially made and cannot respond to the individual until it has received the government agency’s response.
In India, the 2008 amendments to the Information Technology Act of 2000 gives extensive powers of investigation to the Indian government for combatting terrorism. For example, the Information Technology Act allows any agency of the Central or State Government to intercept, monitor or decrypt any information transmitted, received or storedthrough any computer resource, when it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign states or public order.
In addition, it gives the police the power to enter any public place and search and arrest, without a warrant, any person suspectedof having committed, or of committing or about to commit, any act prohibited by the Information Technology Act.
The United Kingdom’s Regulation of Investigatory Powers Act 2000 (RIPA) defines the powers of public agencies to carry out surveillance and investigations, intercept and use communications, conduct other related investigations, and follow people and use human intelligence sources.
The law allows public agencies to take part in such activities for national security and for detecting crime, preventing disorder, public safety and public health. RIPA allows the interception of communications, use of communications data, following people and the use of covert human intelligence sources. It may require individuals or companies to supply decrypted information that has been previously encrypted. Failure to disclose this information may be subject to up to two years in jail.
The broad powers of intelligence services
All countries have the same general needs for information and concerns over secrecy. In the global fight against terrorism, espionage and money laundering, among others, intelligence services have been granted significant powers in most countries. They frequently cooperate with each other across borders as a result.
If a cloud service provider (CSP) receives a request from an intelligence service or other law enforcement authority of the country in which it is located, in the manner prescribed by applicable law, it does not have many choices beyond providing access to the company’s data, unless the CSP opts to fight the request and argue that the request is illegal, does not conform to the legal requirements or is too broad.
The problem of the prerogatives and powers granted to United States intelligence services may be less serious than in other countries, because U.S. laws generally contain strict and detailed rules, provide transparency and require law enforcement agencies to make numerous disclosures of their activities. U.S. laws also include many control measures (e.g., annual reports), detailed procedures (e.g., warrant or a court order)and procedural rules. In countries such as India, access to servers by judicial police or intelligence services is less regulated. This lack of transparency may cause the public to be unaware of the extent of the government’s surveillance capabilities.
Wherever their data are stored or hosted by a third party, cloud service users should remain aware of the possibility that a government can obtain access to the data, especially when there are overarching reasons, such as national security or the prosecution or prevention of serious crimes. This has always been the case, even when data were stored on server farms in the same city. The cloud changes the dynamic, because the data may beheld in a server located anywhere in the world, which makes them accessible by more governments under many more laws.
When CSPs operate within the jurisdiction of a country, they must understand and abide by the rules in effect in that country. Concurrently, they have an obligation to their customers to respond to government and other requests for access to data in their custody in a responsible manner. They must evaluate the request for access to determine whether it conforms to the requirements of the applicable law and, when possible and permitted, inform the customer that their data was accessed.
To be able to address such requests in an appropriate manner, they should implement processes and procedures to analyze government and third-party requests for access and to respond to these requests in accordance with the applicable laws. Before engaging a CSP, customers should perform due diligence and inquire about the existence of these processes and procedures, as a way to evaluate the CSP’s level of awareness of these laws and complex issues.
Originally published in SearchCloudSecurity.com on 27 Feb 2013