I'm thinking of those local government authorities that moved / are moving to the Cloud under the justification of "Safe Harbour". They should be "Monumentally Concerned" over the developments of the past 6 months, but I've seen precious little evidence that they are.
Google has strongly opposed US government plans to expand federal powers to authorise remote searches of digital data - claiming in a letter the powers will weaken citizens' fourth amendment rights. The right is the part of the US Constitution that prohibits unreasonable searches and seizures and requires any warrant to be …
Thursday 19th February 2015 15:18 GMT Anonymous Coward
It's not just local authorities. Anyone storing users'/citizens'/customers'/whoever's personal data in the cloud with a supplier who is American owned is at risk of being in breach of the DPA if the safe harbor agreement collapses, as it may in the wake of this kind of US court case (the one everyone is watching with interest is the Microsoft Ireland one).
If any of these cases are ruled in favour of the US Government by the Supreme Court then the Safe Harbor Agreement isn't worth the paper it's written on.
I know the local authority I work for has this very high on its Information Governance agenda and has got contingency plans; however there is obviously a substantial cost involved in relocating to an entirely EU based supplier, which we would rather not spend (as it's taxpayers' money!) if we don't have to.
Of course the prospect of the UK leaving the EU (and therefore no longer being part of the safe harbor agreement (which is between the EU and the USA)) is also a complicating factor.
Thursday 19th February 2015 17:05 GMT Anonymous Coward
They should also look at the American track record of abiding by international agreements. They do for the most part but are quick to do as they please when it suits them. Sometimes they tell us, sometimes we find out later, sometimes much much later, either way it does mean being very careful about assuming what agreements mean.
Friday 20th February 2015 15:14 GMT Anonymous Coward
They should also look at the American track record of abiding by international agreements
And that is basically the core problem. If it's illegal internally they excuse it, retrospectively change the laws and nobody gets charged for it (as seen with the NSA), and when it's done to "aliens", the US basically shrugs its shoulders and depends on blackmail with trade agreements to avoid having to change its modus operandi.
The problem is that this flat out destroys trust, and US industry is starting to notice that in its inability to sell to the larger EU companies whose lawyers have woken up to the threat of consequential liability - a far more costly side effect of losing client data that the frankly puny fines.
Thursday 19th February 2015 13:01 GMT Big_Ted
My thinking is that if the US enact this type of thing as law then they are saying that they are more than happy for any other country to do the same to them.
Therefore all those countries they claim are conducting cyber attacks just need a court in their own country to OK it and it's no longer an attack but a legal search for information......
Oh the slippery slope approaches....
Thursday 19th February 2015 13:11 GMT NoneSuch
The US government feels the only way to protect liberty and freedom is to monitor everyone everywhere all the time. What is said, where they go, who they associate with. All violations of the US constitution.
Why has this not been changed? The typical American: "Yes, the NSA spies on everyone, but they would never do that to ME!"
Thursday 19th February 2015 14:01 GMT Anonymous Coward
Well, for citizens we expect this to a degree, but this has little to do with spying and is more a "cop" thing. Can officer blow off Ohio issue a search warrant in Montana...ultimately yes. This proposal, on terms of "terrorists", could cut off as much as 16 hours for a search (guesstimate), but it would be highly ignorant to think it wouldn't be abused. I foresee Disney putting their "man" behind a desk that runs scripts to issue warrants for "terrorists". After all, people don't seem to believe that the "attack" on Sony pushes violation of copyright one step closer to being a terrorist attack, when it most certainly does. This is all tin foil hatish I know, but is it REALLY beyond plausible?
This proposal will open doors for abusive control of citizens' rights even further, even if it makes sense in cases of real terrorism. But who defines what counts as terrorism is highly questionable, and this proposal isn't strictly about terrorism; any crime will do.
Of course, why does this interest Google? Is Google planning a cloud service that issues warrants for the gmen?
Thursday 19th February 2015 19:38 GMT Jack of Shadows
I've always thought they monitor me (came with the security clearance). What is really relevant is that everyone I talk with thought they were already subject to such surveillance by any/all federal agencies. Or as they put it - "you meant they weren't already?" Kinda' hard to argue with that what with all the revelations since.
What does concern me is the authorization of covert insertion into "possibly foreign computer systems" which is hacking (cracking) by another name. To hand this authority to any federal court is practically handing the feds an authorization to go venue-shopping (much like patent suits almost always ending up in east Texas). They already do that in far too many cases as is. Toss in hacking (cracking) being considered a casus belli, do we really, really want our courts to initiate hostilities with all and sundry? I thought that power was reserved to Congress, not the Executive (wink, wink) or Judiciary.
Thursday 19th February 2015 13:38 GMT Yet Another Anonymous coward
Thursday 19th February 2015 13:40 GMT Anonymous Coward
Thursday 19th February 2015 13:44 GMT Bob Wheeler
I don't understand...
On the grounds that the people in US government are not stupid, misguided maybe, but not totally stupid, how can they think/believe that they have the legal/moral right to utterly trounce over any overseas legal jurisdictions without a howl of protest from the rest of the world.
Thursday 19th February 2015 13:59 GMT Gordon 10
Thursday 19th February 2015 15:38 GMT Anonymous Coward
The risk to UK firms is significant
According to our ISO, that is. He's stated that if there were to be a breach of safe harbour and/or personal data is leaked, our company would be liable - irrespective of whether it was to the US government or not.
Being *very* conservative, our exec team have banned any US linked cloud provision.
So either firms using the cloud are relying on incorrect counsel, or they haven't asked for counsel, or they have asked for it, or our ISO is mistaken (or overly cautious). Given I know their qualifications, and not that of anyone else, I trust their version of the truth.
Or, is everyone using the cloud securely encrypting their data before it leaves their networks ?
Thursday 19th February 2015 15:59 GMT Anonymous Coward
Re: The risk to UK firms is significant
If you are choosing a cloud supplier now, then I would totally agree with your ICO; putting EU personal data in the US owned cloud now is not a smart move.
If your data is already in the US-owned cloud, and was put there pre-Snowden, then the situation is more complicated (particularly if you're in the public sector where money is tight). The sensible thing to do here is to seek written assurances from your US supplier that they will resist this kind of pressure from the US courts. If you can't get that, move your data. If you can get that, then you are into the area of what is an acceptable risk for your organisation; we've developed contingency plans which would allow us to change suppliers quickly if it looks like the safe harbor agreement is in any more danger from US courts than it is now, but we're not going to spend money unless the risk grows significantly.
If your data is already in the US-owned cloud, and was put there post-Snowden, then you may choose the epithet of your choice to put after the word "Stupid"...
Thursday 19th February 2015 17:06 GMT Anonymous Coward
Re: The risk to UK firms is significant
According to our ISO putting data in a US cloud is fine because personal medical data leaked to a US govt organisation like the NSA is OK because they have a duty of confidentiality - it is no different from an FDA inspection.
But keeping patient data locally, unless we could demonstrate that we have the same level of disaster recovery, redundancy, n*9s uptime, physically separated data centers etc. that Amazon, Google, Microsoft can boast - would make us liable for "failing to follow industry best practice".
Strangely it was a US consultancy that advised us of this.
Thursday 19th February 2015 17:13 GMT Anonymous Coward
Re: The risk to UK firms is significant
Advice has been to steer clear since MS "stunned" the world back in 2010/2011? by stating that safe harbour or not, if they were served with a PATRIOT Act warrant, they would cough up the data.
I say "stunned" because it shouldn't have come as a shock - it was *exactly* what the PATRIOT Act was designed to do - steamroller Uncle Sam through any previous legislated safeguards. And it wasn't like it was kept secret - it was flagged at the time. However, I suspect the moneymen just made some vague noises, and said everything would be OK.
I hope if a company clouding it is sued because Uncle Sam sneaks their data (it *is* encrypted isn't it ?), a UK court hands them their arse, and rubbishes any "how could we have known" wails.
Another risk from the PATRIOT Act is it can be used to shut down *any* US controlled data centre. Irrespective of physical location. So if you go into work one day, and your data and/or service has gone AWOL because Uncle Sam figured a data centre in Manchester owned by AnyCorp inc.
Thursday 19th February 2015 16:29 GMT Dan Paul
Rule 41 says......
(3) a magistrate judge—in an investigation of domestic terrorism or international terrorism—with authority in any district in which activities related to the terrorism may have occurred has authority to issue a warrant for a person or property within or outside that district;
(5) a magistrate judge having authority in any district where activities related to the crime may have occurred, or in the District of Columbia, may issue a warrant for property that is located outside the jurisdiction of any state or district, but within any of the following:
(A) a United States territory, possession, or commonwealth;
I suggest you read Rule 41. See the following link for the current rule. Most countries have this kind of law. It's not just the USA.
Thursday 19th February 2015 16:30 GMT Anonymous Coward
Thursday 19th February 2015 17:09 GMT Brandon 2
Re: Too bad
If only the world could be so easily broken down into one simple dichotomy: criminal or citizen. Surely Google cares what you do online. It only took me 10 seconds to come up with one example to prove your null hypothesis. Is my sample size of 1 too small? Would you like me to come up with 15 or 30 more entities that give a rat's arse what you do online? If I remember from college stats, n=30 is usually capable of producing statistically significant correlations...
Thursday 19th February 2015 17:10 GMT Anonymous Coward
Re: Too bad
That's true if you live in the land of the free. But here under the fascist oppressive Canadian regime - opposing an oil pipeline gets you listed as a threat to national security by the RCMP.
Since Canadian "intelligence" is already allowed to monitor all Canadian web traffic, be careful not to visit http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/114/saphr3r_20150107.pdf or any other extremist site promoting a commie conspiracy against oil pipelines.
Thursday 19th February 2015 19:24 GMT Greg J Preece
Re: Too bad
Unless you're a crim you have nothing to fear as no one gives a rat's arse what you do online.
Why do people who quote this absolute bullshit line not get the obvious problem with it? You're not a crim now, but once someone has complete control over your ability to dissent, and changes the rules, what then? The prudish UK government is constantly one moral outrage away from making kink illegal, for example. Yesterday you weren't a criminal, now you are and the proof is already in the government's hands.
Thursday 19th February 2015 17:16 GMT Anonymous Coward
It's hurting the US ...
At a recent event organised by IBM in Hursley, they wheeled out their cloud specialists to woo us. We politely declined, and expressed an interest in self-hosting. Very off the record the (British) techies reported this was happening a lot, and that UK senior management had escalated it to the US ...
So I suspect there's some golf going on somewhere with IBM execs and politicians.
Thursday 19th February 2015 22:48 GMT Captain Caveman
And to add to any European companies' additional woes
...EU law is changing to make companies responsible for the public's personal data that they hold. Most people will say so what until they realise that the risk of holding that data where they have been asked to delete it will result in a fine of 5% of global turnover or €100m, whichever is greater.
So picture yourself in about 2 years sitting at your desk when an email comes through to the CDO (or whichever Data Officer is in charge of the data for the company) from Joe Public asking for the company to verify what data is held on them whilst CCing in the Information Commissioner's Office for the UK (or whatever European company). Every data source will have to be checked by the company and deleted, and a response sent to Joe Public attesting that the company holds no personal data on said Joe Public. 3 months later marketing send out an email to Joe Public with a "Congratulations, it's your birthday/work anniversary/retirement day/whatever day and they're doing a special in the area where you live for 30% discount on some irrelevant product that will make your life better, more desirable and a better job! (TM)."
Joe Public complains to the ICO about a data violation and the next thing you know you have the CEO/CFO/CIO/CSO/CDO/whatever CxO(s) you happen to report to running into your department screaming about this and it's your fault... not that they would spend any money getting you the tools that would have helped you clear up the mess in the first instance automatically.
One P60 later and a boot print on your arse as you're kicked out the door (hey, someone has to be the fall guy and you're at the bottom of the ladder), the company apologises profusely and takes a slap on the wrist and gets their shit together. You on the other hand need to find a new job with a "dismissed" notification on your CV, nice, and the new employee/manager/whatever position you were in gets the tools you asked for in the first place!
May sound a bit pessimistic but remember 2 things, the law of gravity means shit always flows down so never be on the bottom and the EU Directive 95/46/EC (http://searchsecurity.techtarget.co.uk/definition/EU-Data-Protection-Directive) looks like it will be active by the end of 2015, with 18 months for companies to get their data in order.
Add this to the fact that the US wants the company's data and you're in charge of the infrastructure means that your job is about to become really interesting!
Gimp Mask Icon as you're about to be that for your company, now where's the lube...