Mention hosting data remotely to most people, and you will hear expressions of concern: concern that the data might be at times inaccessible – Internet failure; concern that unauthorized people might get access to the data; concern that government agencies might get access to the data. Mention the Patriot Act along with hosting data in the United States and people react even more strongly. Many have expressed the concern that the Patriot Act gives the U.S. government sweeping powers to look at any data at any time for any reason. It follows, therefore, that before making a decision to embrace a cloud computing solution that involves hosting data in the United States one should make the effort to separate myth from reality.
The Patriot Act primarily modifies existing legislation that deals with U.S. Government access to information. It extends provision that in the past have been used to deal with criminal investigations to apply to anti-terrorism investigations. It permits U.S. law enforcement officials to seek a court order allowing access to an individual’s personal records without that person’s knowledge. Any organization with a presence in the United States can be compelled to comply with such a warrant, even if the organization has its headquarters in another jurisdiction.
The Patriot Act may have made it easier in some circumstances for the U.S. Government to gain access to personal data, but it “did not fundamentally alter the right of the government to that data in those circumstances,” according to an article written by Jeff Bullwinkel, Associate General Counsel and Director of Legal & Corporate Affairs, Microsoft Australia. In other words, the U.S. Government has long had the ability to seek access to personal information in pursuit of legal investigations. At the same time, however, U.S. law still maintains strong protection for personal information.
How does the Patriot Act affect U.S. Government access to information that is stored outside of the United States? If the data is under the control of a U.S.-headquartered company, the government can use the provisions of the Patriot Act just as if the information were stored inside the United States. If the company is not an American company the Patriot Act does not apply, though there are still ways in which the U.S. Government can seek access to the information. Many cross-jurisdictional agreements have long been in place that allow law-enforcement agencies in one country to gain access to data that is stored in another country in pursuit of their investigations.
Government agencies in every country will all, at some time, have a legitimate need to access information in the course of enforcing their laws. That information may be stored within their borders, but increasingly, large amounts of data are stored in data centers located in other countries. Various laws and international agreements are in place to facilitate this data access, and to protect personal information.
Making a decision about where to store your data is complicated and today there are more options than ever before. You can store the information on a computer that is under your direct physical control, or on a computer that is physically remote, located anywhere in the world. Wherever that information is stored, appropriate measures need to be in place to enable appropriate access and to protect it from unauthorized access.
This article has concentrated on the Patriot Act and government access to your data, but there are many other factors that should be considered when planning your data storage. Deciding where to store information is not a simple task, nor is it one that should be undertaken lightly. Take the time to become informed about the pros and cons of the many places and methods available for storing your data. Then make a decision that is within your comfort zone, and rest assured that you have made a well-informed decision.
