A common question asked by companies investigating cloud computing is how the Patriot Act affects them. The Patriot Act is the name of legislation introduced in the US in October 2001 to assist in identifying terrorists in the US and internationally.
The concern is that the US government has access to all data held by American companies anywhere in the world. For example, Google, Microsoft and Salesforce.com are subject to the Patriot Act and therefore the US government can access their customers’ data.
This doesn’t actually play out in practice. Concerns about the Act are largely the result of local IT companies spreading what we call Fear, Uncertainty and Doubt, or FUD. Many of these companies are afraid of losing customers to cloud platforms and therefore spread misinformation.
It often works. I have witnessed companies turn down cloud solutions because of fears about the Patriot Act and the supposed influence it gives the US government over your data.
In fact the concern with holding data in Australia or overseas is irrelevant. The Australian government already hands over data stored in Australia by Australian companies to the US government as part of the Australia-US Mutual Legal Assistance treaty. Under this agreement the Australian government will assist the US government with any enquiry and will provide data that would be legally obtained under US law.
Some US companies do a better job of communicating with customers about government requests for data. Google gets many requests and goes through a very rigorous legal process to ensure the law is met before handing over any data. It publishes the number of requests and their results in its Transparency Report.
How many Australian companies discuss requests for company data by the Australian (and by extension the US) government?
As cloud computing becomes the norm we are seeing lots of Australian government agencies and national businesses move to the cloud.
For example, the NSW Trade and Investment government agency has deployed Google Apps for its staff, Qantas has all of its data hosted by Oracle, and the Commonwealth Bank has deployed Salesforce.com, all of which are cloud programs hosted offshore.
You can rest assured that if Commonwealth Bank are providing services from the cloud they aren’t worried about the Patriot Act.
If you are still worried or unsure about the Patriot Act here are two ways to mitigate your exposure.
- Don’t host your data with any American company. This may be a little hard as most cloud products are American-based, for example Office 365, Google Apps, Salesforce.com, Netsuite, etc.
- Use products that encrypt your data in the cloud, for example CipherCloud. It works by encrypting your data locally and only storing encrypted data in the cloud. It is available for Google Apps and Salesforce.com. If someone wanted to look at your data in the cloud they would need the encryption key or access to your CipherCloud server stored in Australia.
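The second option, as an added example (not part of the original article and not CipherCloud's implementation): sensitive fields are encrypted with a locally held key using Node.js's built-in crypto module, so the provider stores only ciphertext. The function names, record layout and sample values are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Assumption: the key is generated and kept on a server you control
// and is never sent to the cloud provider.
function newLocalKey() {
  return crypto.randomBytes(32); // AES-256 key
}

// Encrypt one field. The record id and field name are bound in as
// authenticated data so a ciphertext cannot be moved to another field.
function encryptField(key, recordId, field, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(`${recordId}:${field}`));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map(b => b.toString('base64')).join('.');
}

function decryptField(key, recordId, field, blob) {
  const [iv, tag, ct] = blob.split('.').map(s => Buffer.from(s, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(`${recordId}:${field}`));
  decipher.setAuthTag(tag);
  // final() throws if the key, tag, or bound record/field do not match
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Build the record the cloud provider stores: sensitive fields are opaque.
function toCloudRecord(key, recordId, record, sensitiveFields) {
  const out = {};
  for (const [field, value] of Object.entries(record)) {
    out[field] = sensitiveFields.includes(field)
      ? encryptField(key, recordId, field, String(value))
      : value;
  }
  return out;
}

// Constructed sample data
const key = newLocalKey();
const customer = { id: 'c-1001', name: 'Jane Citizen', notes: 'constructed sample value' };
const stored = toCloudRecord(key, customer.id, customer, ['name', 'notes']);
console.log(stored); // provider-side view: id in clear, other fields opaque
console.log(decryptField(key, customer.id, 'name', stored.name));
```

Anyone holding only the stored record sees the `id` and base64 blobs; reading `name` or `notes` requires the key held on your side.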
The Patriot Act shouldn’t be a concern to law-abiding Australian businesses. The benefits of using cloud products far outweigh the remote concern of the US using the Patriot Act to gain access to your data.
Update: An earlier version of this article said that US government agencies needed a warrant to access US data under the Patriot Act. They don’t; however, the hosting company has the opportunity to fight the request in court.