Privacy lawsuits: Will sueballs lobbed at US cloud services hit you where it HURTS?
Probably not... yet
Crossing borders... and privacy boundaries
Nobody can even tell you how different they have to be for the organic compost to really hit the rotating air-circulation device. I've been looking into this since before Snowden's gift to the tech media, and even back then things were iffy.
Cloud providers talking about privacy with Canadians will point to that aging "Guidelines for Processing Personal Data Across Borders" document as though it were a sacred text declaring the US cloud open for business. But "Guidelines" isn't law. PIPEDA, FOIP (Freedom of Information and Protection of Privacy Act) and others are laws.
In 2012, there was a landmark case: R v. Tse. It centred on the legalities of wiretapping and it was appealed by the government all the way to the Supreme Court. The dismissal made for some powerfully fascinating reading that shows the fundamental disconnect between the Canadian and American views on wiretapping.
The Supreme Court judges held that:
In principle, Parliament may craft such a narrow emergency wiretap authority for exigent circumstances. The more difficult question is whether the particular power enacted in s. 184.4 strikes a reasonable balance between an individual’s right to be free from unreasonable searches or seizures and society’s interest in preventing serious harm. To the extent that the power to intercept private communications without judicial authorization is available only in exigent circumstances to prevent serious harm, this section strikes an appropriate balance. However, s. 184.4 violates s. 8 of the Charter as it does not provide a mechanism for oversight, and more particularly, notice to persons whose private communications have been intercepted. This breach cannot be saved under s. 1 of the Charter.
TL;DR? Warrantless wiretaps without some very tight constraints were held to be unconstitutional.
The trial judge found that s. 184.4 contravened the right to be free from unreasonable search or seizure under s. 8 of the Charter and that it was not a reasonable limit under s. 1. The Crown has appealed the declaration of unconstitutionality directly to this Court.
The disconnect was later resolved with the passing of Bill C-55, which addressed the Supreme Court's constitutional concerns. The vote in support of this bill was unanimous. Françoise Boivin (an MP for the Official Opposition) praised the bill:
Bill C-55 satisfied the Supreme Court's demands word for word. For once, the government resisted the urge to go too far. It chose individual rights over all-out accessibility and going after people who might be dealing with certain situations. So, with Bill C-55, the government showed tremendous restraint.
Canada now has a warrantless wiretapping law, but unlike the US version, it is narrowly tailored. It is to be used only "in exigent circumstances to prevent serious harm". Also, unlike in the US, our law requires a lot of oversight and transparency about its use.
This includes yearly reports by the Attorney General of each province detailing how many times warrantless wiretapping occurred. It also requires that "the Minister of Public Safety and Emergency Preparedness shall give notice in writing of the interception to any person who was the object of the interception within 90 days after the day on which it occurred." Extensions to this 90-day period are possible for up to three years if the investigation is ongoing.
Unreasonable search and seizure
If you're American, "unreasonable search or seizure" should sound awfully familiar. It's an important part of the fourth amendment to the United States constitution.
You might remember the fourth amendment as the bit that is carefully sidestepped by things like the Department of Homeland Security's Border Search Exception; the one that has been extended to 100 miles of the US border, encompassing some 75 per cent of the population and virtually all the data centres.
The fourth amendment-trampling bit that has the potential to make cloud computing legally iffy for Canadians is the pervasive warrantless wiretapping that is at the heart of the Snowden scandal. How the Americans approach this clearly isn't remotely in line with the Canadian view that has been established with R v. Tse. Canada's Bill C-55 is to a scalpel as the NSA's internet-wide virtually unchecked dragnets are to Kinetic Bombardment.
Abort, Retry, Flail
Some aspects of the warrantless wiretapping programme were known to the Privacy Commissioner's office in 2005 when this first reared its head during the George Bush Jr era. Canada's "Guidelines" was released in January of 2009 with specific mention of the Patriot Act.
But the sheer scale of this issue is totally different now. What we know today dwarfs what we knew then. What's more, the law has trundled on. Despite the Conservative government's decade of persistent attempts to strip Canadians of their civil rights (Bill C-30, I'm looking at you), we ended up with a Canadian precedent that says pretty explicitly "warrantless wiretapping = bad".
The legal theory attached to the above is that it should be possible to sue a Canadian company storing Personally Identifiable Information (PII) in the US on the basis that our laws regarding wiretapping – and especially notification that an intercept has occurred – are radically different.
There are other laws
The wiretapping legal theory was mostly crafted before Canada's terrifying new anti-terror law, Bill S-7, passed Canada's House of Commons. It could hypothetically poke some holes in this particular legal theory, but S-7 has not yet been tested in a court of law.
Technically, none of this has. The Privacy Commissioner of Canada is an ombudsman, not a judge. There have been no substantive tests of cloud computing and privacy to make it to our Supreme Court and some very important cases and legislation have dropped in only the last few years.
This article only goes into the simplest theories of how storing data in the US could be challenged under Canadian law. I am aware of others.
Canada is quite cosy with the United States and we do have a tendency to bend to make sure nothing about our laws prevents commerce between the two nations. The European Union, on the other hand, is less flexible. Both "Steelie" Neelie Kroes and Viviane Reding – backed by Germany – are fairly upset at the goings-on.
Both of those politicians – not to mention Germany – have a tendency to get what they want. Currently, that seems to be an overhaul of "safe harbour" laws, the only hope that American cloud companies have of being legal within the EU. So far, it doesn't look like the purpose of the overhaul is to relax restrictions.
Ultimately, nobody has gone to jail for using American cloud services. "Everybody does it" is a frequently cited argument you'll encounter when talking with US cloud evangelists. I've heard at least 100 variations on "we have plenty of foreign customers, so it obviously isn't a problem" in the past month.
The dice, roll them
The multi-billion dollar megacorp can afford to offload all of its data onto Amazon because a privacy lawsuit would be like a mosquito bite to a blue whale. The small business, on the other hand, probably wouldn't survive the lawsuit.
It is a question of risk. Is the money you save – assuming you save any money – by going into the cloud worth the risk of a privacy lawsuit? How likely do you feel such a lawsuit could be? Are you prepared to take steps to minimise such a suit? What steps?
For some (perhaps most), the risk of being sued over privacy is so minimal as to be existential. For others – like myself – it is enough for us to swear off US cloud providers until a whole lot of someones have dragged this all through the courts.
One thing I am certain of is this: the legal fallout from Snowden's leaks has barely even begun. ®