The US Patriot Act: Who’s looking at YOUR data?


“As a law abiding company, we comply with valid legal process, and that – as for any US based company – means the data stored outside of the US may be subject to lawful access by the US government.” That was Google’s statement issued last month in response to reports that it had handed EU data to the US government.

It echoes an exchange earlier this year in which, in response to the question, “Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?”, Gordon Frazer, managing director of Microsoft UK, said: “Microsoft cannot provide those guarantees. Neither can any other company.”

Both these examples highlight the significant vulnerabilities inherent in Cloud providers whose data hosting services are housed outside the UK: they give you no control over where your data is stored, and they expose it to scrutiny by the US government.

As suggested by the question to Microsoft, the bludgeon here is the USA Patriot Act (or, to be more correct, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act). The Act was created in the wake of the September 11th terrorist attacks and became law just 45 days later, on 26 October.

5 facts about the Patriot Act

  1. The Act dramatically reduced restrictions on law enforcement agencies’ ability to search telephone, email and other records.
  2. Under the Act, data stored in the EU is insecure and at risk from US inspection if EU-based subsidiaries (eg Microsoft UK) are linked to a US-based headquarters.
  3. Data belonging to EU-based companies is similarly at risk from US inspection if it is being stored by US-based subsidiaries (eg in the BBC’s US offices).
  4. Companies asked by the US government to hand over EU-stored data can be legally prevented from disclosing the request.
  5. In May this year – the year of 9/11’s tenth anniversary – President Obama extended some of the provisions of the Act.

So if you’re a UK company, what does this mean for you?

Financial and legal organisations are bound by law to ensure their clients’ data does not leave the UK. But even for the many other organisations not bound by a regulatory framework – other than the not-to-be-dismissed UK Data Protection Act and the European Commission’s Directive on Data Protection – concern for corporate integrity makes it important that they know where their data is stored and who is looking at it.

Private versus Public Cloud
Keeping all your data in-house is virtually impossible. Hosted Cloud solutions are now part of everyday business life. Even if you think you’re not using them, consider the web applications and website hosting services you employ.

So rather than trying to halt the inevitable and retain all your data in-house, the better course is to embrace the financial benefits and expertise offered by specialist third parties, but to ensure you do your research thoroughly.

The Amazons, Microsofts and Googles of this world offer a great range of consumer-grade services hosted on the public Cloud. And if you’re not worried about US security looking at your holiday snaps, there is nothing wrong with using these services.

But if you want business-grade data storage or hosting, you need to think about a private Cloud. Most providers guarantee excellent, SLA-backed uptime, and this provides the availability, accessibility, security and compliance that businesses need.
