Seven routes for the US to access your cloud data
Brett Winterford
Jul 2, 2013 2:24 PM (17 hours ago)
http://www.itnews.com.au/News/348692,seven-routes-for-the-us-to-access-your-cloud-data.aspx

NSA, agencies have wealth of options.

The US Government has amassed an impressive arsenal of options for 
access to data stored by telecommunications and cloud service 
providers over the past decade, leaving experts surprised at the 
global reaction to revelations of former NSA operative Edward Snowden.

Releasing a comprehensive paper on data sovereignty today in Sydney, 
authors from the UNSW Cyberspace and Law Centre, law firm Baker and 
Mackenzie and financial insurer Aon joined security experts Stephen 
Wilson and Craig Scroggie on a panel to discuss privacy and the cloud.

[Vaile D., Kalinich K., Fair P. & Lawrence A. (2013)  'Data 
Sovereignty and the Cloud: A Board and Executive Officer's Guide 
-Technical, legal and risk governance issues around data hosting and 
jurisdiction'  Cyberspace Law and Policy Centre, UNSW Faculty of Law, 
with support from NEXTDC, Baker & McKenzie and Aon, 2 July 2013, at 
http://www.cyberlawcentre.org/data_sovereignty/ ]

Author David Vaile said Snowden's leaked material did not change what 
he knew to be far-reaching powers - "the only difference is three 
months ago, people didn't think it was interesting, today they do," 
he said.

Vaile nominated several instruments the US Government had at its 
disposal to request and obtain data from telecommunications and cloud 
service providers.

A summary is provided below, the full text can be found in Chapter 
Five of the report (pdf). The report was sponsored by Australian data 
centre builder, NextDC.

1. The Third Party exception

US citizens are protected under the Fourth Amendment of the US 
constitution from "unreasonable searches and seizures". For any 
search or seizure, this requires the Government to prove a probable 
cause of a crime having been committed, the production of a warrant 
and for the subject of the warrant to be notified.

But there is an exception to the Fourth Amendment when it comes to 
third parties. It is expected that a person can't claim data to be 
'private' if that data is stored with a third party.

Being that your telecommunications provider must produce statements 
on who you have called and when, for example, that metadata is exempt 
from the Fourth Amendment because you as a customer signed up for 
your telco's service.

The report claims the US Government uses this exception "routinely" 
so as not to require a warrant. It has used this exception to 
determine such data as the name and contact details of filesharers, 
users of shared wireless networks, webmail and chat accounts.

By comparison, Australian telecommunications access laws 'mention' 
the need for a warrant, but don't mandate it, offering little 
protection to citizens. There is no overriding assumption of a right 
to privacy in Australian law at present.

2. The Patriot Act (Foreign Intelligence Surveillance Act)

President Bush's 2001 'Patriot Act' amended existing US laws 
pertaining to the ability of the US Government and law enforcement to 
act on personal and private information.

The Patriot Act - and extensions of it in 2007 and 208 - modified the 
1978 FISA act to broaden the definition of targets of foreign 
intelligence - loosely defining "terrorists" as a category, 
regardless of whether suspected terrorists had ever committed a 
crime, and also allowed US authorities to skip the requirement for a 
warrant from the Federal Court System. Approval for surveillance is 
instead rubber-stamped by the Foreign Intelligence Surveillance Court 
(FISC).

The FISA Act allowed law enforcement to wiretap telecommunications 
services more or less at will, without a requirement to inform their 
target. ISPs, telcos and other service providers that comply with a 
FISA order must under the Act protect the secrecy of the operation. 
The Department of Justice can, for example, demand the electronic 
surveillance of an individual for up to a year without a warrant.

The abuse of powers detailed in Edward Snowden's PRISM revelations 
effectively relied on the NSA's interpretation of FISA.

3. Administrative Subpoenas - National Security Letters

The US Patriot Act also allowed for 'Administrative Subpoenas' - 
under which the FBI can order an individual or business to turn over 
documents without requiring a warrant or any other court order.

These 'National Security Letters' have most often been sent to 
telcos, financial services organisations and ISPs to gather data on 
suspects. An NSL can order a whole swathe of data from a service 
provider (phone records on 11,000 individuals, in one case) and again 
forbids the service provider from revealing the existence of the 
letter - to anyone.

By contrast, there is no 'broad' Act in Australia that allows 
authorities to demand data from private organisations or individuals, 
but instead a myriad of smaller pieces of legislation, usually aimed 
at regulating specific industries.

The Independent Commission Against Corruption can and does request 
data be turned over during an investigation, for example. The 
distinction is that more often than not, a warrant must be issued by 
a court before these demands can be made.

4. Secret surveillance programs

While the surveillance tools under the Patriot Act are extreme, 
privacy advocates have at least been made aware of their existence.

The PRISM system for harvesting information cloud services, and the 
NSA's simultaneous build of a database of phone records from US 
telecommunications carriers, are prime examples of US Government 
surveillance that were of a secretive nature until the events of 
recent weeks.

In Australia, by contrast, efforts to compel service providers to 
retain data for such purposes (Data Retention) have been met with 
stiff resistance.

5. Mutual assistance treaties

The US Government has signed treaties with over 50 nations and the EU 
in order to gain access to data on individuals outside of its 
immediate jurisdiction. It signed a Mutual Assistance Treaty with 
Australia in 1999.

The Council of Europe Convention on Cybercrime - signed by both the 
US and Australia, allows for a global network of law enforcement 
authorities to gather data from within their jurisdiction for the 
purpose of sharing with their peers.

Indeed, allegations of US surveillance of EU states leaked by Edward 
Snowden may threaten some of these treaties in future.

6. Discovery

Should the US Government - or the Australian Government for that 
matter - require more information from individuals or organisations, 
it has within its power the ability to demand it during litigation 
proceedings, through the process commonly referred to as 'discovery'.

In most cases, the discovery process is approved in a court hearing. 
But the US Government also reserves the right to subpoena information 
from private companies and individuals when it is involved in 
unrelated litigation with other parties. This, however, is again at 
the discretion of a judge.

7. Informal requests

While there are plenty of instruments by which the US can monitor its 
citizens and foreign citizens, most of these legal instruments assume 
the service provider was not willing to hand over customer data in 
the first place.

The report recognises that industry-specific regulators often make 
informal requests of service providers - requests service providers 
will often comply with in the hope that such matters won't be 
legislated in the future.

Vaile noted that in Australia, the apparently 'voluntary nature' of 
deciding what 'doing your best' means under the Telecommunications 
Act  [s313(1) and 313(2)] - puts unenforceable but nonetheless 
considerable pressure on ISPs and carriers to cooperate, without any 
of the checks and balances elsewhere in the Act.

"This seems to be the ambiguous basis for the informal back-door 
introduction of de facto ISP-level black list internet filtering 
despite the disavowal of the former, potentially more transparent 
'mandatory' proposal which failed to ever get enough support to pass 
into law."


-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:[log in to unmask]                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law               University of NSW
Visiting Professor in Computer Science    Australian National University

****************************************************
This is a message from the SURVEILLANCE listserv
for research and teaching in surveillance studies.

To unsubscribe, please send the following message to
<[log in to unmask]>:

UNSUBSCRIBE SURVEILLANCE

For further help, please visit:

http://www.jiscmail.ac.uk/help
****************************************************