
What Happens to Your Cloud Data if the Government Wants It?

In the summer of 2011, Microsoft warned consumers that the U.S. Patriot Act could compel the company to hand over customer data to the United States authorities without the customers' permission. This data would extend not only to customer contact information, but also to any files stored in Microsoft Cloud Services. Additionally, this data transfer would be kept secret, violating the European Union Data Protection Directive. The directive requires organizations to inform users when personal information is disclosed. Since this news surfaced, concerns have been mounting about access to personal data stored on cloud services. However, as this article will explain, there is minimal threat to cloud services.

The Patriot Act and Your Data

While Part II of the Patriot Act allows the FBI to petition courts for documents, including those in the cloud, the government has rarely used the Foreign Intelligence Services Act (FISA) order. In 2010, only 96 applications were made for business records.

Another part of the Patriot Act, the National Security Letter, could also impact cloud services. The National Security Letter enables the FBI to access subscriber information and electronic communications records. However, the scope is very limited, and the FBI can’t view the actual message, just the transmission.

The idea of a safe haven from the U.S. Patriot Act, as promoted by some European companies, is misleading. If a suspected terrorist has data stored in a cloud outside the United States, the information can still be obtained, provided that country is an ally. The United States is no different from many countries in this regard. Likewise, if prosecutors in Europe needed data held in the United States for terrorism, the U.S. would likely seize that data.

Many countries have privacy challenges in their own right. For example, Internet Service Providers in the European Union must retain telecom customer data for between six and 24 months. Additionally, the European Union’s data-retention directive gives investigators access to information that may be deleted in other countries. Under this directive, police can access details such as IP address and the frequency of every email, phone call, and text message sent or received. Other regulations cover the international transfer of certain kinds of data.

Keeping Your Data Safe

The safeguarding and protection of data ultimately resides in your hands. Business owners must make informed, calculated decisions before deciding whom to do business with.

When deciding on a cloud provider, business owners should ask themselves a number of questions:

  • How sensitive is the information being stored?
  • What is the risk if that information is leaked?
  • What role does jurisdiction play in that risk?

When people express fears about storing their data in the cloud, they are mostly afraid of the control they will lose when they hand over the storage reins. Although data is stored securely in the cloud every day–even safe from the government’s eyes–those one or two stories you hear to the contrary are likely to stick in your mind. Just remember that most cloud computing companies are well-trained, have reliable backup systems and contingency plans in place, and employ a full staff of professionals to be sure disaster doesn’t strike.