Original URL: http://www.theregister.co.uk/2013/09/13/seeing_the_privacy_fnords/
Privacy lawsuits: Will sueballs lobbed at US cloud services hit you where it HURTS?
Probably not... yet
Posted in CIO, 13th September 2013 08:02 GMT
Sysadmin blog: Thinking of using US cloud services, outsourcing to a US-based provider or just leasing a piece of their cloud and concerned about lawsuits? Here's some food for thought.
Privacy, of course, became the overarching concern of many after former US National Security Agency sysadmin Edward Snowden leaked documents about the country's global web surveillance scheme PRISM. At present, however, there is no legal precedent that says that using US cloud services has any implications when it comes to privacy suits.
This is not to say that there aren't laws that can be used to sue businesses for storing data in the cloud. Nor is it saying that there aren't legal theories on how such lawsuits might succeed.
What this means is that there are no precedent-setting cases in the EU, Canada, Australia or New Zealand that have successfully gotten a company in trouble for using American cloud services (under existing laws).
Cloud advocates might point to this lack of extant precedent and say: "It is safe because nobody has gone to jail or paid huge fines for this." But the flip side of this is that it only means nobody has succeeded yet, and there remain some nasty untested legal waters.
Canada has slightly more lax laws than the European Union has regarding privacy and should theoretically have a smaller privacy attack surface. I'll use Canadian law to illustrate what I mean by untested waters.
Fact sheets
The Canadian government has put out a charmingly vague "fact sheet" about cloud computing privacy concerns. It says "privacy is not a barrier but it must be taken into consideration". This – and the rest of the document – doesn't exactly tell you much, but it is actually a great summary of the Canadian approach to this whole mess. The FAQ "fact sheet" (a separate document) is far more helpful:
According to the document:
The Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit cloud computing, even when the cloud provider is in another country. Under PIPEDA, organizations must ensure that they collect personal information for appropriate purposes and that these purposes be made clear to individuals; they obtain consent; they limit collection of personal information to those purposes; they protect the information; and that they be transparent about their privacy practices.
PIPEDA also requires that when an organization transfers personal information to a third party for processing, it remains accountable for that information. It must use contractual or other means to ensure that the personal information transferred to the third-party is appropriately protected.
Therefore, an organization that is considering using a cloud service remains accountable for the personal information that it transfers to the cloud service, and it must ensure that the personal information remain protected in the hands of that cloud service provider. Organizations need to carefully review the terms of service of the cloud provider and ensure that the personal information it entrusts to it will be treated in a manner consistent with PIPEDA. For more information on transferring of personal information to third parties, please see our Guidelines for Processing Personal Data Across Borders.
Now we're getting somewhere. So under Canadian law, I can send my data wherever I please; however, I must ensure ("by contract or other means") that whoever receives that data agrees to treat it more or less the same way that a Canadian would expect the data to be treated under Canadian law. There are some big squigglies in the details here, though; we're Canadian, and we try to be accommodating and understanding that different places do things a little differently.
The Canadian Privacy Commissioner's "Guidelines for Processing Personal Data Across Borders" promises to clear this up once and for all. The first thing I note is that the guidelines are from January of 2009, which means the review that generated these guidelines took place in 2008, at the earliest. Not exactly post-Snowden guidance, but we'll trundle on.
Under a section labelled "What Must Organizations Do?" there is a discussion of a very important complaint investigation: PIPEDA Case Summary #313 (Bank's notification to customers triggers PATRIOT Act concerns). I won't go into full detail here, but the result is summarised in the document thusly:
In the case of outsourcing to another jurisdiction, PIPEDA does not require a measure by measure comparison by organizations of foreign laws with Canadian laws. But it does require organizations to take into consideration all of the elements surrounding the transaction. The result may well be that some transfers are unwise because of the uncertain nature of the foreign regime or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction.
Not discussed in the document – but critically important – is PIPEDA Case Summary #365 (Responsibility of Canadian financial institutions in SWIFT’s disclosure of personal information to US authorities considered) in which the conclusion reached is essentially the same: banks don't need your OK to transfer data out of Canada. That data is subject to the laws of the nation where it will reside when transferred outside of Canada, and Canada is OK with this as long as those laws are more or less like our own.
But what happens when the laws are substantially different from our own? The short answer: nobody knows.
Crossing borders... and privacy boundaries
Nobody can even tell you how different they have to be for the organic compost to really hit the rotating air-circulation device. I've been looking into this since before Snowden's gift to the tech media, and even back then things were iffy.
Cloud providers talking about privacy with Canadians will point to that aging "Guidelines for Processing Personal Data Across Borders" document as though it were a sacred text declaring the US cloud open for business. But "Guidelines" isn't law. PIPEDA, FOIP (Freedom of Information and Protection of Privacy Act) and others are laws.
Disconnect
In 2012, there was a landmark case: R v. Tse. It centred on the legalities of wiretapping and it was appealed by the government all the way to the Supreme Court. The dismissal made for some powerfully fascinating reading that shows the fundamental disconnect between the Canadian and American views on wiretapping.
The Supreme Court judges held that:
In principle, Parliament may craft such a narrow emergency wiretap authority for exigent circumstances. The more difficult question is whether the particular power enacted in s. 184.4 strikes a reasonable balance between an individual’s right to be free from unreasonable searches or seizures and society’s interest in preventing serious harm. To the extent that the power to intercept private communications without judicial authorization is available only in exigent circumstances to prevent serious harm, this section strikes an appropriate balance. However, s. 184.4 violates s. 8 of the Charter as it does not provide a mechanism for oversight, and more particularly, notice to persons whose private communications have been intercepted. This breach cannot be saved under s. 1 of the Charter.
TL;DR? Warrantless wiretaps without some very tight constraints were held to be unconstitutional.
Specifically:
The trial judge found that s. 184.4 contravened the right to be free from unreasonable search or seizure under s. 8 of the Charter and that it was not a reasonable limit under s. 1. The Crown has appealed the declaration of unconstitutionality directly to this Court.
The disconnect was later resolved with the passing of Bill C-55, which addressed the Supreme Court's constitutional concerns. The vote in support of this bill was unanimous. Françoise Boivin (an MP for the Official Opposition) praised the bill:
Bill C-55 satisfied the Supreme Court's demands word for word. For once, the government resisted the urge to go too far. It chose individual rights over all-out accessibility and going after people who might be dealing with certain situations.
So, with Bill C-55, the government showed tremendous restraint.
Canada now has a warrantless wiretapping law, but unlike the US version, it is narrowly tailored. It is to be used only "in exigent circumstances to prevent serious harm". Also, unlike in the US, our law requires a lot of oversight and transparency about its use.
This includes yearly reports by the Attorney General of each province detailing how many times warrantless wiretapping occurred. It also requires "the Minister of Public Safety and Emergency Preparedness shall give notice in writing of the interception to any person who was the object of the interception within 90 days after the day on which it occurred." Extensions to this 90-day period are possible for up to three years if the investigation is ongoing.
Unreasonable search and seizure
If you're American, "unreasonable search or seizure" should sound awfully familiar. It's an important part of the fourth amendment to the United States constitution.
You might remember the fourth amendment as the bit that is carefully sidestepped by things like the Department of Homeland Security's Border Search Exception; the one that has been extended to 100 miles of the US border, encompassing some 75 per cent of the population and virtually all the data centres.
The fourth amendment trampling bit that has the potential to make cloud computing legally iffy for Canadians is the pervasive warrantless wiretapping that is at the heart of the Snowden scandal. How the Americans approach this clearly isn't remotely in line with the Canadian view that has been established with R v. Tse. Canada's Bill C-55 is to a scalpel as the NSA's internet-wide virtually unchecked dragnets are to Kinetic Bombardment.
Abort, Retry, Flail
Some aspects of the warrantless wiretapping programme were known to the Privacy Commissioner's office in 2005 when this first reared its head during the George Bush Jr era. Canada's "Guidelines" was released in January of 2009 with specific mention of the Patriot Act.
But the sheer scale of this issue is totally different now. What we know today dwarfs what we knew then. What's more, the law has trundled on. Despite the Conservative government's decade of persistent attempts to strip Canadians of their civil rights (Bill C-30, I'm looking at you), we ended up with a Canadian precedent that says pretty explicitly "warrantless wiretapping = bad".
The legal theory attached to the above is that it should be possible to sue a Canadian company storing Personally Identifiable Information (PII) in the US on the basis that our laws regarding wiretapping – and especially regarding notification that an intercept has occurred – differ radically from those of the US.
There are other laws
The wiretapping legal theory was mostly crafted before Canada's terrifying new anti-terror law, Bill S-7, passed Canada's House of Commons. It could hypothetically poke some holes in this particular legal theory, but S-7 has not yet been tested in a court of law.
Technically, none of this has. The Privacy Commissioner of Canada is an ombudsman, not a judge. There have been no substantive tests of cloud computing and privacy to make it to our Supreme Court and some very important cases and legislation have dropped in only the last few years.
This article only goes into the simplest theories of how storing data in the US could be challenged under Canadian law. I am aware of others.
Canada is quite cosy with the United States and we do have a tendency to bend to make sure nothing about our laws prevents commerce between the two nations. The European Union, on the other hand, is less flexible. Both "Steelie" Neelie Kroes and Viviane Reding – backed by Germany – are fairly upset at the goings-on.
Both of those politicians – not to mention Germany – have a tendency to get what they want. Currently, that seems to be an overhaul of "safe harbour" laws, the only hope that American cloud companies have of being legal within the EU. So far, it doesn't look like the purpose of the overhaul is to relax restrictions.
Ultimately, nobody has gone to jail for using American cloud services. "Everybody does it" is a frequently cited argument you'll encounter when talking with US cloud evangelists. I've heard at least 100 variations on "we have plenty of foreign customers, so it obviously isn't a problem" in the past month.
The dice, roll them
The multi-billion dollar megacorp can afford to offload all of its data onto Amazon because a privacy lawsuit would be like a mosquito bite to a blue whale. The small business, on the other hand, probably wouldn't survive the lawsuit.
It is a question of risk. Is the money you save – assuming you save any money – by going into the cloud worth the risk of a privacy lawsuit? How likely do you feel such a lawsuit could be? Are you prepared to take steps to minimise the risk of such a suit? What steps?
For some (perhaps most), the risk of being sued over privacy is so minimal as to be existential. For others – like myself – it is enough for us to swear off US cloud providers until a whole lot of someones have dragged this all through the courts.
One thing I am certain of is this: the legal fallout from Snowden's leaks has barely even begun. ®
