Seven routes for the US to access your cloud data
Brett Winterford
Jul 2, 2013 2:24 PM
http://www.itnews.com.au/News/348692,seven-routes-for-the-us-to-access-your-cloud-data.aspx
NSA, agencies have wealth of options.
The US Government has amassed an impressive arsenal of options for
access to data stored by telecommunications and cloud service
providers over the past decade, leaving experts surprised at the
global reaction to revelations of former NSA operative Edward Snowden.
Releasing a comprehensive paper on data sovereignty today in Sydney,
authors from the UNSW Cyberspace and Law Centre, law firm Baker &
McKenzie and financial insurer Aon joined security experts Stephen
Wilson and Craig Scroggie on a panel to discuss privacy and the cloud.
[Vaile D., Kalinich K., Fair P. & Lawrence A. (2013) 'Data
Sovereignty and the Cloud: A Board and Executive Officer's Guide
- Technical, legal and risk governance issues around data hosting and
jurisdiction' Cyberspace Law and Policy Centre, UNSW Faculty of Law,
with support from NEXTDC, Baker & McKenzie and Aon, 2 July 2013, at
http://www.cyberlawcentre.org/data_sovereignty/ ]
Author David Vaile said Snowden's leaked material did not change what
he knew to be far-reaching powers - "the only difference is three
months ago, people didn't think it was interesting, today they do,"
he said.
Vaile nominated several instruments the US Government had at its
disposal to request and obtain data from telecommunications and cloud
service providers.
A summary is provided below; the full text can be found in Chapter
Five of the report (pdf). The report was sponsored by Australian data
centre builder, NextDC.
1. The Third Party exception
US citizens are protected under the Fourth Amendment of the US
Constitution from "unreasonable searches and seizures". For any
search or seizure, this requires the Government to prove a probable
cause of a crime having been committed, the production of a warrant
and for the subject of the warrant to be notified.
But there is an exception to the Fourth Amendment when it comes to
third parties. It is expected that a person can't claim data to be
'private' if that data is stored with a third party.
Being that your telecommunications provider must produce statements
on who you have called and when, for example, that metadata is exempt
from the Fourth Amendment because you as a customer signed up for
your telco's service.
The report claims the US Government uses this exception "routinely"
so as not to require a warrant. It has used this exception to
determine such data as the name and contact details of filesharers,
users of shared wireless networks, webmail and chat accounts.
By comparison, Australian telecommunications access laws 'mention'
the need for a warrant, but don't mandate it, offering little
protection to citizens. There is no overriding assumption of a right
to privacy in Australian law at present.
2. The Patriot Act (Foreign Intelligence Surveillance Act)
President Bush's 2001 'Patriot Act' amended existing US laws
pertaining to the ability of the US Government and law enforcement to
act on personal and private information.
The Patriot Act - and extensions of it in 2007 and 2008 - modified the
1978 FISA act to broaden the definition of targets of foreign
intelligence - loosely defining "terrorists" as a category,
regardless of whether suspected terrorists had ever committed a
crime, and also allowed US authorities to skip the requirement for a
warrant from the Federal Court System. Approval for surveillance is
instead rubber-stamped by the Foreign Intelligence Surveillance Court
(FISC).
The FISA Act allowed law enforcement to wiretap telecommunications
services more or less at will, without a requirement to inform their
target. ISPs, telcos and other service providers that comply with a
FISA order must under the Act protect the secrecy of the operation.
The Department of Justice can, for example, demand the electronic
surveillance of an individual for up to a year without a warrant.
The abuse of powers detailed in Edward Snowden's PRISM revelations
effectively relied on the NSA's interpretation of FISA.
3. Administrative Subpoenas - National Security Letters
The US Patriot Act also allowed for 'Administrative Subpoenas' -
under which the FBI can order an individual or business to turn over
documents without requiring a warrant or any other court order.
These 'National Security Letters' have most often been sent to
telcos, financial services organisations and ISPs to gather data on
suspects. An NSL can order a whole swathe of data from a service
provider (phone records on 11,000 individuals, in one case) and again
forbids the service provider from revealing the existence of the
letter - to anyone.
By contrast, there is no 'broad' Act in Australia that allows
authorities to demand data from private organisations or individuals,
but instead a myriad of smaller pieces of legislation, usually aimed
at regulating specific industries.
The Independent Commission Against Corruption can and does request
data be turned over during an investigation, for example. The
distinction is that more often than not, a warrant must be issued by
a court before these demands can be made.
4. Secret surveillance programs
While the surveillance tools under the Patriot Act are extreme,
privacy advocates have at least been made aware of their existence.
The PRISM system for harvesting information from cloud services, and the
NSA's simultaneous build of a database of phone records from US
telecommunications carriers, are prime examples of US Government
surveillance that were of a secretive nature until the events of
recent weeks.
In Australia, by contrast, efforts to compel service providers to
retain data for such purposes (Data Retention) have been met with
stiff resistance.
5. Mutual assistance treaties
The US Government has signed treaties with over 50 nations and the EU
in order to gain access to data on individuals outside of its
immediate jurisdiction. It signed a Mutual Assistance Treaty with
Australia in 1999.
The Council of Europe Convention on Cybercrime - signed by both the
US and Australia - allows for a global network of law enforcement
authorities to gather data from within their jurisdiction for the
purpose of sharing with their peers.
Indeed, allegations of US surveillance of EU states leaked by Edward
Snowden may threaten some of these treaties in future.
6. Discovery
Should the US Government - or the Australian Government for that
matter - require more information from individuals or organisations,
it has within its power the ability to demand it during litigation
proceedings, through the process commonly referred to as 'discovery'.
In most cases, the discovery process is approved in a court hearing.
But the US Government also reserves the right to subpoena information
from private companies and individuals when it is involved in
unrelated litigation with other parties. This, however, is again at
the discretion of a judge.
7. Informal requests
While there are plenty of instruments by which the US can monitor its
citizens and foreign citizens, most of these legal instruments assume
the service provider was not willing to hand over customer data in
the first place.
The report recognises that industry-specific regulators often make
informal requests of service providers - requests service providers
will often comply with in the hope that such matters won't be
legislated in the future.
Vaile noted that in Australia, the apparently 'voluntary nature' of
deciding what 'doing your best' means under the Telecommunications
Act [s313(1) and 313(2)] puts unenforceable but nonetheless
considerable pressure on ISPs and carriers to cooperate, without any
of the checks and balances elsewhere in the Act.
"This seems to be the ambiguous basis for the informal back-door
introduction of de facto ISP-level black list internet filtering
despite the disavowal of the former, potentially more transparent
'mandatory' proposal which failed to ever get enough support to pass
into law."
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
http://www.xamax.com.au/
Visiting Professor in the Faculty of Law University of NSW
Visiting Professor in Computer Science Australian National University