Feature: The introduction of a new federal law on criminal investigations has created a grey area around whether UK based, US owned data centres are within the reach of the FBI
A new round of controversy has arisen over the storage of personal data – by public and private sector organisations – following the passing of a US law that, some observers argue, will make information held in UK data centres open to being extracted by federal authorities.
Rule 41 in the Federal Rules of Criminal Procedure came into force last week – despite considerable opposition inside Congress – giving the FBI permission to hack computers outside the jurisdiction in which the warrant was granted.
It follows the outburst of anxieties last year with the breakdown of the US-EU Safe Harbour Agreement, which effectively placed data on EU citizens within the reach of federal authorities if held in US data centres. It has led to an expansion in the building of UK data centres by US cloud service providers eager to assure UK customers that the data is safe; but critics of the new law claim that it undermines the assurance.
Cloud service provider UKCloud has been raising warnings, claiming that public authorities need to look seriously at whether any personal data they hold could be vulnerable to prying by US federal agents. Chief executive officer Simon Hansford says the new law has created “a very different proposition” under which a US judge can now tell a US company to hand over data stored anywhere in the world.
His interpretation is that it does not matter where the data centre is located: if the company holding it is based in the US it is subject to federal law.
“There are a number of other regulations, so that a cloud provider is not only subject to Rule 41 but other regulations that are equally concerning, and US players will never get away from always being subject to US law.”
This reflects clauses within the Patriot Act, Stored Communications Act and Foreign Intelligence Surveillance Act, and Hansford suggests that as Donald Trump takes over the presidency a belligerent mood is likely to support the grabbing of data worldwide, despite opposition (which has been unsuccessful) in the US Congress.
He adds that there are concerns about this in some areas of government on this side of the Atlantic, but that it is by no means widespread.
“Knowledgeable and key people have concerns, but there are others who are cavalier about it and have no understanding or appreciation of the issue,” he says.
Hansford also makes a distinction between data sovereignty and data residency, claiming that the former, with more protection, only applies in the UK when the company providing the service is based here, being subject to UK law.
“There is a need to be far more aware of the issues, to be aware of that difference, and take the issue very seriously,” he says.
There appear to be diverging views about the interpretation of the new law, and whether it is a significant threat to privacy. A spokesperson for the Information Commissioner’s Office told UKAuthority that it sees Rule 41 as applying only inside the US and that it should not have any bearing over anything held in UK data centres.
But there is another perspective that sees the issue in shades of grey, some of which are dark enough to create concern.
Wayne Cleghorn, chair of the Information Privacy Expert Panel at BCS – The Chartered Institute for IT, says the new law has created a grey area, but one in which there is enough of a risk to cause concern.
One of the key changes has been that the warrants to obtain access to data have usually been granted by each US state, but if the federal government takes charge it is much easier for its warrants to be applied internationally.
A lot depends on how the individual warrants are written, and there is the potential for the investigation to extend overseas if given permission to “follow the data”. In this case, if it happens to be on a server in the UK or another EU country there is every chance that it could be clandestinely gathered.
Cleghorn, who also runs data protection compliance consultancy PrivacySolved, agrees that federal authorities are likely to interpret US jurisdiction as extending to US companies’ operations elsewhere in the world.
He also emphasises that any intrusion by investigators into a data centre could well happen without the relevant company being aware, at least in the short term.
“The investigator will go where the data is, going through the back doors of computers and seeing encrypted data because they have legal authority,” he says. “There will be no-one policing that downstream.
“If (the warrant) is narrowly drawn the impact is small; but if it is widely drawn there is a wider impact and no-one will know until the IT guys see the system is being disturbed, and the horse will already have bolted.”
Cleghorn goes along with the view that there is theoretically more protection for data in a UK data centre run by a UK company, saying it would be “very strange” if a federal judge granted a warrant to break into its systems.
“If there is no US link to where the data is held, it is highly unlikely that Rule 41 would apply,” he says.
The change in the law reflects the ongoing tension between fears about national security and cyber crime currently have the upper hand on concerns around data privacy. Cleghorn relates what is happening in the US to the introduction of the Investigative Powers Act in the UK, and says that at the moment “security is trumping privacy”.
But he tempers this by saying it should be kept in proportion, and that there is no need to create any scares around Big Brother style surveillance. It should not unduly deter public authorities from making more use of remote storage and cloud services, but they could benefit by at least understanding whether the rule could affect their position.
“I would say that every public official in charge of data and information should look at their supply chain to see where personal data is held, and see if there is a risk of this rule biting them. They should also see if their contracts give them any levers, and look at getting written assurances from US partners.”
It will probably take some time for the real life implications of Rule 41 to become clear, but it creates an extra factor to consider for public authorities as they look at further exploiting cloud systems and storage. The key question could be ‘What is the risk in the FBI getting at our citizens’ data?’
Image by Kevin McCoy, CC BY-SA 2.0 through Wikimedia