The Patriot Act and Cloud Security - Busting the European FUD
In the wake of Edward Snowden's allegations of NSA cyber spying, we are honored to have a former General Counsel of the NSA as one of our panelists. This is sure to be an especially interesting webinar.

European hosting companies have cited the USA Patriot Act of 2001 as the boogieman that would leave information free for plunder by the dark and clandestine US Government. And NSA activity as described by Edward Snowden has provided a convenient, timely, and high profile case study. But are these concerns well founded? Learn more about the Patriot Act, ways other countries combat terrorism, and how these relate to privacy.

Our featured speakers for this timely webinar will be:

-Stewart Baker, Partner, Steptoe & Johnson LLP; Former Assistant Secretary for Policy at the Department of Homeland Security and General Counsel of the NSA

-Michael Vatis, Partner, Steptoe & Johnson LLP

-Gant Redmon, Esq., CIPP/US, General Counsel, Co3 Systems

  • Adapted from the standard Emergency Response Process of: Prepare, Respond, Recover, Mitigate

The Patriot Act and Cloud Security - Busting the European FUD Presentation Transcript

  • 1. The Patriot Act and Cloud Privacy: Busting the European FUD
  • 2. Agenda
    • Introductions
    • The FUD & The Fallout
    • Patriot Act Reality
    • Europe (Un-)Reality
    • Q&A
  • 3. Introductions: Today's Speakers
    • Stewart Baker, Partner, Steptoe & Johnson LLP
    • Michael Vatis, Partner, Steptoe & Johnson LLP
    • Gant Redmon, Esq., CIPP/US, General Counsel, Co3 Systems
  • 4. The complete process – based on E.R. standards
    • PREPARE: Improve Organizational Readiness
      • Appoint team members
      • Fine-tune response SOPs
      • Link in legacy applications
      • Run simulations (fire drills / table tops)
    • ASSESS: Identify and Evaluate Incidents
      • Assign appropriate team members
      • Evaluate precursors and indicators
      • Automatically map intelligence
      • Track incidents, maintain logbook
      • Automatically prioritize activities based on criticality
      • Generate assessment summaries
    • MANAGE: Contain, Eradicate, and Recover
      • Generate real-time IR plan
      • Coordinate team response
      • Choose appropriate containment strategy
      • Isolate and remediate cause
      • Instruct evidence gathering and handling
      • Log evidence
    • MITIGATE: Document Results & Improve Performance
      • Generate reports for management, auditors, and authorities
      • Conduct post-mortem
      • Update SOPs
      • Track evidence
      • Evaluate historical performance
      • Educate the organization
  • 5. The FUD
    • Data stored with American cloud providers is easily accessible by the U.S. government, with no privacy protection
    • U.S. law “enables the US government to snoop on Europeans' data held with US cloud providers without needing to obtain a warrant.” (http://blog.teamdrive.com/2013_02_01_archive.html)
  • 6. The FUD (cont.)
    • “It is lawful in the US to conduct purely political surveillance on foreigners' data accessible in US clouds.”
    • “[A]ny data-at-rest formerly processed 'on premise' within the EU, which becomes migrated into Clouds, becomes liable to mass-surveillance” by U.S.
    • Source: European Parliament, Directorate-General for Internal Policies, “Fighting cyber crime and protecting privacy in the cloud,” 2012
  • 7. Edward Snowden Didn't Help
    • “If European cloud customers cannot trust the United States government or their assurances, then maybe they won't trust US cloud providers either. And if I am right then there are multi-billion euro consequences for American companies.”
      • Neelie Kroes, Vice-President of the European Commission responsible for the Digital Agenda (http://www.businesscloudnews.com/2013/07/05/neelie-kroes-warns-cloud-may-suffer-from-prism-related-security-fears/)
    • Media coverage of leaks has fostered the impression that the NSA has access to everything, everywhere
    • And has caused the pile of FUD to grow
  • 8. And More FUD
    • “The questions raised about the United States' FISA act have focused the minds of Europeans keen to share, but only with those they chose. TeamDrive has confirmed that European cloud users want to have data stored under the EU banner, away from the prying eyes of the US government.” (http://blog.teamdrive.com/2013_02_01_archive.html)
    • “[W]e comply with the highest German and European data privacy standards. And that is important when you consider the furor around the issue of unauthorised access in some third countries that don't offer the same level of security. But we can deliver CLOUD SERVICES 'MADE IN GERMANY' - around the world.”
      • T-Systems brochure (http://www.t-systems.com/umn/uti/796860_2/blobBinary/Complete_Edition-ps.pdf?ts_layoutId=804564)
  • 9. …And Still More
    • “We believe that a service owned and operated locally in the EU, and fully compliant with EU data protection laws, will be very attractive for European companies.”
      • Johan Christenson, Chairman, City Network (http://news.techworld.com/security/3322757/europe-cloud-vendors-cleaning-up-with-data-protection-fears/)
  • 10. POLL
  • 11. The Legal Fallout in Europe
    • Government
      • HLCG revival
      • EU Parliament
      • Commission
      • Impact on data protection proposals
    • Companies
      • DPA investigations of cooperating companies
      • Efforts to discourage use of US cloud
  • 12. Are US Providers At Risk?
    • The Models
      • PNR – holding air carriers hostage
      • SWIFT – criminal investigation
    • The theory: No data export to “inadequate” jurisdictions
    • Determining adequacy of the US data protection regime includes scrutiny of security and law enforcement collection
  • 13. Private Sector Defenses
    • Safe Harbor
      • Controversy over Safe Harbor
    • Inapplicability of data protection rules
      • Safe Harbor and EU directives exclude public security and law enforcement
    • US rules protecting privacy vis-à-vis government match or exceed EU
  • 14. The Reality
    • U.S. accords greater privacy protections than other countries
      • Fourth Amendment
      • Electronic Communications Privacy Act
      • Foreign Intelligence Surveillance Act
    • No voluntary disclosures of customer data by providers
    • No data retention requirements
  • 15. Patriot Games
    • Europeans claim the Patriot Act allows the USG to seize customer records in bulk, from the parent company in the U.S.
    • But Section 215 allows access, with a court order, only to business records
    • Customer data is not a business record
    • And Section 215 has apparently not been applied to information stored abroad
  • 16. Patriot Games II
    • Section 702 of FISA Amendments Act (50 U.S.C. § 1881a)
    • Limited to collection of “foreign intelligence”
      • Information to protect against
        • “potential attacks or other grave hostile acts of a foreign power”
        • “sabotage, international terrorism, or the international proliferation of weapons of mass destruction”
        • “clandestine intelligence activities”
      • Information with respect to a foreign power or foreign territory that relates to
        • “national defense or…security” or
        • “the conduct of the foreign affairs of the United States”
  • 17. Patriot Games II (cont.)
    • “The information must pertain to a foreign power or foreign territory; and thus it cannot simply be information about a citizen of a foreign country…unless the information would contribute to meeting intelligence requirements with respect to a foreign power or territory.”
      • H.R. Rep. No. 1283, Pt. I., 95th Cong. 2d Sess., 1978 U.S.C.C.A.N. 4048, at 50 (June 8, 1978)
  • 18. Patriot Games II (cont.)
    • Judicial oversight
    • Minimization and targeting procedures
    • Cloud providers can object
    • Congressional oversight
    • “[The] information obtained by the Committee demonstrate[s] that the government implements the FAA surveillance authorities in a responsible manner with relatively few incidents of non-compliance. Where such incidents have arisen, they have been the inadvertent result of human error or technical defect and have been promptly reported and remedied. Through four years of oversight, the Committee has not identified a single case in which a government official engaged in a willful effort to circumvent or violate the law.”
      • S. Rep. No. 174, 112th Cong. 2d Sess. at 7 (June 7, 2012), available at https://fas.org/irp/congress/2012_rpt/faa-extend.pdf
  • 19. POLL
  • 20. Glass Houses
    • European governments have much freer access to data
    • UK government can seize or intercept data without court approval where necessary to protect national security, the economic well-being of the UK, or to prevent or detect “serious crime”
    • French Prime Minister's office can order a wiretap without court approval or oversight, not just for national security or terrorism but to protect economic and scientific assets or combat organized crime
    • Spanish government can enter providers' premises without a warrant in national security matters
  • 21. Haus aus Glas
    • German authorities can
      • intercept electronic communications without court approval
      • not just for national security threats, but also “strategic surveillance” including drug trafficking or to gather information about other countries important to foreign policy
      • use a computer virus to infiltrate providers' networks without providers' or customers' knowledge or opportunity to challenge (with court order)
    • Regulated cloud providers may not disclose to customers that they gave information to government
  • 22. Which countries conduct the most surveillance of their citizens?
  • 23. Which countries allow providers to “volunteer” data to government?
  • 24. The Bottom Line
    • Theory of EU interventions is open to question
      • Safe Harbor
      • Coverage of government practices
      • Adequacy: U.S. privacy protections exceed other countries'
    • Likely outcome: More threats, more drama, more talks
  • 25. QUESTIONS
  • 26. Co3 Systems, One Alewife Center, Suite 450, Cambridge, MA 02140; PHONE 617.206.3900; WWW.CO3SYS.COM
    • “Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors' Choice.” – PC MAGAZINE, EDITOR'S CHOICE
    • “Co3…defines what software packages for privacy look like.” – GARTNER
    • “Platform is comprehensive, user friendly, and very well designed.” – PONEMON INSTITUTE
    • Stewart Baker, sbaker@steptoe.com, (202) 429-6402
    • Michael Vatis, mvatis@steptoe.com, (212) 506-3927