This January 28 marks International Privacy Day. Different countries around the world are celebrating this day with their own events. This year, we are honoring the day by calling attention to recent international privacy threats and interviewing data protection authorities, government officials, and activists to gain insight into various aspects of privacy rights and related legislation in their own respective countries.

---



Does using cloud computing services based in the United States create a risk of US law enforcement access to people's data? The US Department of Justice (DOJ) seems to be trying to placate international concern by saying one thing in international fora; but it says something quite different in the US courts.

On January 18, a senior Justice Department official tried to reassure companies and people around the world that hosting their data in the United States creates no increased privacy risk for them from the US government. Deputy Assistant Attorney General Bruce Swartz noted: "Cloud computing has important advantages to consumers (but) doesn't present any issues that have not always been present. Certainly not regarding Internet service issues, but even before that."

Apparently, the DOJ is reacting to decisions by foreign entities to drop US-based services due to concerns about US government access, including British company BAE dropping Microsoft Office 365 and the Dutch government's hesitation about allowing its contractors to use US-based cloud services. In the past, Denmark and Canada have also voiced their concerns about the level of protection the United States can provide to their citizens’ data. EU public tenders of cloud services are also avoiding US cloud services for the same reasons. European-based companies, which have to comply with EU data protection law, see this opportunity as a competitive advantage, as do Australian cloud services.

Yet the DOJ's reassurances ring hollow. While the DOJ may spin its position one way to try to appease foreign audiences, its actual position is quite clear where it really matters: in US courts when it is trying to access subscriber information held by US-based cloud computing services. Indeed, the DOJ's position in its court filings is that very little, if any, privacy protection is available against US government access to the records of users of US-based cloud computing services.

EFF’s recent high-profile case involving DOJ access to Twitter customer records as part of the Wikileaks investigation demonstrates this. There, the DOJ has been unequivocal that cloud users have no right to challenge government access to the tremendous amount of "non-content" information held by these systems -- their location, their contacts, their communications patterns and more. In November 2011, the court agreed, holding that the Twitter users could not challenge the request for their information under the Stored Communications Act or under the constitution, chiefly on the grounds that having "given" their IP address and other information to Twitter in the US, they had no further privacy interest[1]. The DOJ also stated that it has strong doubts about whether foreign users of US-based cloud services had any constitutional privacy rights at all.

In fact, Deputy Assistant Attorney General Swartz doesn't really say anything different. He says only that the issues predate the Internet. But that's no answer. The truth is that the Internet has made it much, much easier for companies and individuals to use services based in the United States for very sensitive activities. Before the Internet it was highly unlikely that a US company hosted personal conversations between loved ones in Germany, reports from medical providers in Israel, or sensitive business dealings like potential bids on a government project in the Netherlands. And with that ease comes a treasure trove of information now available to the DOJ about foreigners who use those services (and about Americans, too).

Perhaps the most disingenuous comment came when Swartz said, “the US government is as committed to privacy and civil liberties as much as or more so than any nation on the planet.” The reality is that other nations have adopted comprehensive data protection regulations that forbid companies to transfer their customers’ data to a third country without the customers’ consent, or if the country does not provide an adequate level of protection; the United States is considered to have a lower level of protection.[2]

In the end, no amount of spin aimed at international audiences can hide the underlying facts. The US government believes that when you use a US-based cloud service, you have no ability to prevent the government from having access without a warrant under either the Stored Communications Act or the constitution. Lawyers call this the "third party problem" and we were heartened earlier this week when Supreme Court Justice Sotomayor strongly criticized the position that the government has been taking in cases across the US.

Until this problem is fixed, US DOJ officials' reassurances about the privacy protections of US cloud computing services should be met with strong skepticism, both internationally and here at home.