In December, President Barack Obama signed the renewal of the Foreign Intelligence Surveillance Act Amendment Act (FAA), and quietly started a whole new chapter in the story of the cloud.
The FAA allows interception of cross-border electronic communications between foreign agencies and any US citizen where criminal or terrorist intent is suspected. Originally enacted in 1978 as the Foreign Intelligence Surveillance Act (FISA), it was first amended by the FAA in July 2008.
The renewal in 2012 raised little interest other than from civil liberties organizations claiming the "FAA is unconstitutional." However, the 2008 FAA contained a virtually unnoticeable amendment, which was renewed in 2012. It simply included the words "remote computing services" in the FISA definition of "an electronic communication service provider."
With one pen stroke, this extended the scope of surveillance under the Act beyond interception of communications to include any data held on public cloud servers under US jurisdiction. And the Patriot Act of 2001 just happens to extend that jurisdiction to the servers of US cloud suppliers anywhere in the world.
If this was purely related to criminal or terrorist investigation, it might pass unnoticed. However, definitions within the FAA also make it lawful to conduct political surveillance on foreigners' data held in US clouds. Any data belonging to a non-US individual or organization stored on a cloud server under US jurisdiction is effectively owned by US intelligence agencies.
European data on US-owned servers is simultaneously subject to the FAA and to European data protection law. One authorizes access to the data; the other forbids it. Policymakers in the UK and Europe appeared to be unaware of the impasse, possibly until 2011.
In 2008, the cloud was still at the concept stage. Amazon Web Drive and Apple iDrive only launched in 2011, and Google Drive in 2012. Whoever thought up and inserted that tiny amendment in 2008 certainly had no idea of its impact. And it's unlikely that either the House or the Senate noticed or debated it. But there it is -- and there it will probably stay.
The European Union represents a sizable market for U.S. managed and cloud service providers, a market that lawmakers could be closing.
Intelligence agencies and data are like Gollum and the Ruling Ring. Once their hands on it, they are not going to let go without a fight, and no one in the US or Europe is looking for that fight. Except maybe Amazon, or Google, or Apple, or maybe Microsoft, whose global cloud business is being put at risk.
The renewal of the FAA has at last registered on public consciousness on the other side of the Pond, helped by the release of an EU report, "Fighting Cyber Crime and Protecting Privacy in the Cloud," which concludes "that the EU is not addressing properly an irrevocable loss of data sovereignty," a loss which the report considers a greater threat than the cyber crime against which the EU's efforts are largely directed.
There has been some reaction. In September 2011, the Netherlands government excluded US cloud providers from government IT contracts, while in 2012, BAE, the major British defense contractor, backed out of plans to use Microsoft cloud-based services, citing fears that critical national defense secrets could go astray.
Now there are calls from all parties in the UK for restrictions on the use of US cloud providers.
In December, CBS quoted Brian Cunningham, a privacy and data protection lawyer who worked as a legal adviser under President George W. Bush, as saying "governments and institutions ... should, at least for now, stick to storing their own data or, perhaps, implementing national cloud solutions with robust privacy and security protections."
In the absence of any international forum in which the legal conundrums can be resolved, (the US does not recognize the International Court of The Hague), it looks as if the outcome will be a retreat behind national boundaries -- national interest fracturing the idea of the cloud, in the same way that it threatens to fracture the Internet itself.
Internet-based technological developments have (again) made monkeys of our legislators and emphasized the need for new legal processes and concepts at national and supra-national levels. Otherwise, the Net cannot evolve, and may simply become another international battleground.
— George Taylor worked in IT in both the public and private sectors for more than 20 years. He is a Subject of the Crown.