Can The US Government Assuage Cloud Privacy Concerns?
February 13, 2012
Even as the world tries to find a balance between individual privacy and the eternal vigilance of a nanny state, cloud computing is a casualty of the heightened security concerns in post-911 America. This is something that I had explored in earlier articles, from the ramifications of the PATRIOT Act (See: Is Cloud Computing a Threat to Consumer Rights?), to how rivals of American cloud vendors are actually touting the latter’s vulnerabilities to government investigation as a key business differentiator (See: Your Data in Australia is subject to the US Patriot Act).
More recently, I had written about how concerns have actually translated into business decisions to the detriment of American companies (See: European Firm Refuses To Go On the Microsoft Cloud Due to PATRIOT Act Concerns). Even the European Union had waded into the argument, stating that US laws may be contrary to the interests of the Union’s citizens. In an effort to address these concerns, the US government has decided on confidence building measures…
The first of these was a conference call with the press attended by Bruce Schwartz, deputy assistant attorney for the US Department of Justice, and Philip Verveer, deputy assistant secretary of state and US coordinator for international communications and information policy. According to them, while cloud computing had introduced some new parameters into the privacy equation, the fundamental legal protections for overseas operations have remained consistent, and that the country’s policies allow for as rigorous privacy protection as they do in Europe…
“There is a myth that the advent of cloud computing changes everything or has somehow presented us with new problems that we haven’t had before,” Swartz said. “In fact, while cloud has some important advantages for consumers and others, it doesn’t present any issues that have not always been present as long as there have been Internet service issues.” He added that any conflict is addressed by the framework stipulated by the Budapest Cybercrime Conventions, formulated as early as 2001. This includes issues relating to access to data stored outside the country, commenting that the problem “has been around as long as entities have stored records in one country and have been present in another.” According to him, “The Patriot Act really is in this context a red herring. It didn’t work a fundamental change in how we approach the issues of stored data.”
Now, coming back to the question posed in the article title, are these assurances enough? Personally speaking, I don’t believe they would satisfy the concerned parties. For one, stating that a problem has existed before does not mean that the problem doesn’t exist now. Secondly, for all the assurances, there is no direct US equivalent to the Data Protection Directive in Europe that seeks to protect privacy. When you add to this mix the statement made by a Microsoft executive last year, that under the PATRIOT Act, the company could be compelled to turn over information stored overseas to US authorities without providing prior notice or seeking consent from the data owner, the situation gets murkier.
However, all is not lost. The fact that the US government is trying to address these concerns indicates that it has heard the voices of the affected. With cooperation between the EU and the US authorities, an amicable settlement that allows for privacy without endangering world peace is certainly possible.