Cloud e-data law puts users at risk
Canadians’ private info open to U.S. eyes via computing service
American spies can snoop through Canadians’ computer data — including that of political organizations and without warrants — if the data resides within popular U.S. cloud computing services, says a former Microsoft executive.
In a report commissioned by the European Parliament, former Microsoft chief privacy adviser Caspar Bowden reveals, “it is lawful in the U.S. to conduct purely political surveillance on foreigners’ data accessible in U.S. clouds,” operated by U.S. firms such as Google, Microsoft, Apple, IBM and others.
One sweeping provision of the Foreign Intelligence Surveillance Act (FISA) authorizes the targeting of, “foreign-based political organization(s) ... or foreign territory that relates to ... conduct of the foreign affairs of the United States.”
While other contentious U.S. post-9/11 laws, such as the Patriot Act, significantly lifted restrictions on government surveillance, Bowden says the foreign surveillance law, “for the first time (has) created a power of mass-surveillance specifically targeted at the data of non-U.S. persons located outside the U.S., which applies to cloud computing.”
In an interview with the Citizen, Bowden characterized the U.S. law as a “grave risk” to European data sovereignty and said, “everything I’ve said about the situation of Europeans applies also to Canadians.”
British lawmakers reacted with anger this week after Slate.com broke the story. The newspaper The Independent quoted members of parliament calling on the government to consider a halt to shared intelligence services with the U.S. and to end the use of U.S.-based cloud computing for sensitive government data.
The Canadian government makes limited use of cloud computing for some human resources and financial data services, but the systems are internal and controlled by Shared Services Canada.
The biggest threat from FISA snooping appears to be Canadian business and non-governmental organizations that use the cloud.
“There’s no question we would be targeted,” says Garry Neil, executive-director of Council of Canadians, one of the largest advocacy groups for Canada-first policies on issues such as energy, natural resources and economic policy. “We’re involved in campaigns that affect U.S. interests, in campaigns to try and slow down the development of the tarsands that would be seen as American foreign policy.”
The organization stores its primary computer data internally and contracts with only Canadian companies for Internet and web services.
Still, Neil says, “it does indicate for many who take advocacy positions that they really need to be very cautious about what they’re doing for the want of saving a few dollars,” by outsourcing their computer services to the cloud.
Authorization for the U.S. cloud surveillance comes from a subtle and largely unnoticed 2008 amendment to FISA commonly known as “warrantless wiretapping.”
The controversial act allows U.S. federal agencies to electronically gather foreign intelligence on U.S. soil through electronic eavesdropping and other measures and without probable-cause search warrants. One of the parties to the targeted information must be believed to be outside the U.S. to protect the privacy of American citizens.
But the 2008 change incorporated “remote computing services” — cloud computing — into the existing definition of an “electronic communication service provider.” Experts say that allows U.S. agencies to access customer files and other information at various U.S.-owned cloud data centres in the U.S., Europe, India and other countries.
Approval for electronic surveillance is given by the U.S. attorney general for a period of up to one year. U.S. companies that fail to comply with a FISA order can be brought before a secret FISA court for punishment and are prohibited from disclosing the existence of FISA orders served on them.
A five-year extension of the FISA Amendment Act of 2008 was granted by Congress and the White House in December 2012.
Cloud computing involves individuals, companies and governments outsourcing computing needs to companies like Google and Microsoft at far less cost than operating similar in-house services.
Internet-based cloud services range from email, such as Google’s Gmail, to data storage, software, database architecture and servers. Demands for cloud services have exploded as companies and governments cut operating costs while service providers fight to stake out lucrative territory in the cloud.
In a statement to the Citizen, Google said: “Law enforcement agencies must be able to pursue illegal activity and keep the public safe. But it’s just as important that laws protect our users against overly broad requests for their personal information. Respect for the privacy and security of data that users store with Google underpins our approach.”
In a statement to The Independent, Google added, “We think this kind of access to data merits serious discussion and more transparency.”
Several other cloud computing firms, including Microsoft, Apple, Amazon and Cisco, declined to comment.
The 2010 federal Cyber Security Strategy makes no detailed mention of the privacy and unresolved data sovereignty issues surrounding the cloud, though a public education element advises, “your data could be stored in one or more foreign countries — find out which ones, since your data will then be subject to that country’s or countries’ laws.”
In a statement Friday, Public Safety Canada, responsible for the strategy, said, “first and foremost, the Government of Canada is committed to protecting the privacy of Canadians. Canada has a solid legislative framework in place to ensure the protection of personal information.
“The Personal Information Protection and Electronic Documents Act (PIPEDA) protects the personal information of Canadians by establishing rules for the collection, use and disclosure of personal information by private sector organizations in the course of commercial activity.”
But the FISA Amendment Act overrides any privacy and data protection offered by third-party vendors, international agreements on data transfers and Canadian domestic legal protections, say experts.
PIPEDA certainly has no jurisdiction over FISA-driven operations of the U.S. Central Intelligence Agency, National Security Agency, Federal Bureau of Investigation or other U.S. intelligence agencies.
Treasury Board, the Canadian Security Intelligence Service, the Office of the Federal Privacy Commissioner and others have long warned of the vulnerabilities and risks associated with the use of transborder communications and cloud computing.
But two leading Canadian experts on national security law and privacy law aren’t surprised by the reach of the U.S. legislation.
“It’s been pretty clear for a long time that the authorities have more access to archived data in the U.S. then they would under our system,” says Craig Forcese, vice-dean of the University of Ottawa’s faculty of law.
David T.S. Fraser, a noted Halifax lawyer specializing in privacy law, agrees, but adds, “I do think that any informed discussion of this whole issue is useful.”
Bowden believes FISA surveillance may contravene the European Convention on Human Rights (ECHR) and possibly the Canadian Charter, which protects the right to be secure against unreasonable search or seizure. A European parliamentary committee hearing on civil liberties is to discuss the issue Feb. 20.
“Information is vulnerable to political surveillance from a foreign power, there should be a law stopping this, it should be their obligation positively to intervene and to protect citizens’ rights,” says Bowden, now an independent privacy advocate.
“People should make their elected representatives know that they care about this subject, that they don’t think surveillance for political purposes by a foreign government is a normal state of affairs.”
A spokeswoman at the U.S. embassy in Ottawa said Washington officials are expected to release a statement on the issue Monday.