PATRIOT Act clouds picture for tech

Cloud computing is a gold mine for the U.S. tech industry, but American firms are encountering resistance from an unexpected enemy overseas: the PATRIOT Act.

The Sept. 11-era law was supposed to help the intelligence community gather data on suspected terrorists. But competitors overseas are using it as a way to discourage foreign countries from signing on with U.S. cloud computing providers like Google and Microsoft: Put your data on a U.S.-based cloud, they warn, and you may just put it in the hands of the U.S. government.


“The PATRIOT Act has come to be a kind of label for this set of concerns,” Ambassador Philip Verveer, U.S. coordinator for International Communications and Information Policy at the State Department, told POLITICO. “We think, to some extent, it’s taking advantage of a misperception, and we’d like to clear up that misperception.”

Reacting to concerns raised by some of the country’s most influential tech firms, the Obama administration is engaging in diplomatic talks around the world to put to rest fears in foreign capitals about the controversial surveillance law’s power to give the U.S. government access to international data stored by American companies.

The PATRIOT Act, which had key provisions extended by President Barack Obama in May, has become a flash point in sales of cloud computing services to governments in parts of Europe, Asia and elsewhere around the globe because of fears that under the law, providers can be compelled to hand over data to U.S. authorities.

While no foreign governments have moved to block U.S. tech companies, authorities in the Netherlands as recently as September floated the idea of banning U.S.-based cloud firms from competing for government contracts. And Verveer said on a trip to Germany in October that technology firms based in that country were openly using the PATRIOT Act as a “marketing proposition” to raise questions about U.S. cloud firms.

It has created a high-stakes trade issue that’s become a top agenda item for U.S. firms already profiting in the cloud and for those eyeing the technology for the future. It also registers high on the list of international tech priorities for the White House because of the potential negative impact such fears could have on the U.S. cloud market.

“I’ve heard directly from EU leaders, from Canadian policymakers and from companies all around the world about problems, or perceived problems, with the act,” said Phil Bond, a tech lobbyist and the former CEO of TechAmerica. “There is no shortage of people who misapprehend the law. If some of these misperceptions harden or real problems [are] not addressed, it will cause companies and governments to hesitate in doing business with U.S. cloud companies.”

For their part, the domestic tech industry, academics and even administration officials argue the PATRIOT Act is being hoisted up by foreign entities as a red herring to ban U.S. cloud firms from competing overseas. Laws in some countries allow governments to request private information from companies — and the fear is that this information could be turned over to U.S. authorities under the anti-terrorist law.

“It’s not at this point, I think, entirely clear that governments are doing this. But it is clear that for competitive purposes, this sort of thing is being raised,” Verveer said. “It’s definitely a genuine issue.”

Now, Washington-based tech trade groups are increasingly hearing from their members that foreign governments engaging in cloud contract discussions are raising questions about data moving outside their respective borders.

And the concerns are not isolated to Europe.

In the Asia-Pacific region, where cloud computing is experiencing a boom similar to the U.S., tech industry observers are also seeing the same issues pop up during government cloud contract negotiations, said Mark MacCarthy, vice president for public policy at the Software and Information Industry Association.

Some of that tension in the region could be alleviated as the result of recent trade discussions.

Obama earlier this month laid the foundation for an agreement with eight Pacific nations to drop trade barriers. That deal, which is still being negotiated, included provisions to the bar requirements for local data centers as well as cross-border data flow restrictions.

“It would be dramatically helpful for the cloud industry,” MacCarthy said. “That can then become the precedent for future trade agreements, and it might be the basis for further action with the [World Trade Organization].”

The PATRIOT Act argument has implications that extend to any U.S. company peddling in data that travels across the world.

But it’s an especially acute concern for cloud firms, experts say, because the whole business model is predicated on the ability of data to travel freely. Foreign countries are now asking cloud firms to restrict data flow within their respective borders.

“There’s a feeling that there’s a risk we’ll end up with a Tower of Babel with cloud computing,” said Darrell West, founding director of the Center for Technology Innovation at the Brookings Institution. “Several nations are imposing restrictions on data sharing to prevent data from moving across their own national boundaries, and that’s very shortsighted. You end up losing much of the benefit of cloud computing if you end with 192 systems.”

Aside from data restrictions, foreign governments are also asking U.S. cloud firms to establish data centers in their respective countries to keep a better eye on where data is being stored, creating another potential roadblock for international cloud contracts.

The need for the Obama administration to take an international lead on the issue was highlighted in a cloud computing report this summer authored by a coalition of 71 experts from some of the largest hardware, software and Internet companies, including Microsoft, Amazon and Salesforce.

Aside from reforming antiquated U.S. digital privacy laws, the report urged the Commerce Department to conduct a study of the PATRIOT Act and national security laws in other countries to determine a company’s ability to deploy cloud computing services in the global marketplace.

“This action may provide insights into how best to address uncertainty and confusion caused by national security statutes … that are perceived as impediments to a global marketplace for cloud services,” the report said.

And if the U.S. and other countries don’t simplify the complex legal environment surrounding cloud computing soon, experts are warning the environment will become riddled with uncertainty and confusion that could dampen the competitive position of U.S. firms in the future.

And for now, Congress is taking a back seat because “the point of the sword is in the administration,” MacCarthy said, noting that agencies tasked with trade responsibilities are handling the bulk of the negotiations.

The concern over the PATRIOT Act also mirrors a broader worry for U.S. tech companies — that protectionist efforts here and abroad will put a damper on the international cloud market.

But Congress may not be a silent player in the long run. Tech associations caution that lawmakers should avoid following suit by taking restrictive actions that harm foreign tech companies. That could backfire.

Instead, lawmakers should craft policy to ensure “trade barriers don’t get adopted” that impinge on the ability of foreign cloud providers to land government contracts in the U.S., said Robert Holleyman, president and CEO of the Business Software Alliance.

“It’s absolutely essential that the U.S. gets this right as a policy matter,” Holleyman said. “The stakes around this are huge. If the U.S. gets this wrong, it’s going to be a field day for other countries to emulate a protectionist example.”

Top federal tech officials have laid out guidance for how agencies should categorize data and what type of data should be kept within U.S. borders. Verveer, a lead official in the State Department’s efforts to establish an international framework for cloud computing, said agencies are supposed to peg only “high-sensitivity” data for cross-border restrictions.

But several recent cloud contracts point in the direction of federal agencies increasingly requiring providers to maintain domestic data centers and restrict the flow of data within U.S. borders.

For example, a General Services Administration solicitation for a governmentwide procurement vehicle for cloud-based email contained an element to restrict where data centers could be located. The federal government’s top watchdog shot down that part of the contract last month as part of a bid protest because the GSA could not provide a justifiable reason for the location requirement.

And the Department of the Interior recently reissued a request for information for cloud computing services with several location requirements. According to procurement documents, the agency wants its cloud provider to keep software development inside the U.S. to the “maximum extent practical,” and the physical data centers housing cloud data must also be located in the U.S.

“There’s an important role for the federal [chief technology officer] and federal [chief information officer] to play in helping define this,” Holleyman said. “When the CTO and CIO speak out on this issue, they need to know words matter. Other countries will look for signals.”