The USA’s controversial Patriot Act has just got, well, a lot more controversial. A recent study by the University of Amsterdam says US government agencies can secretly request US-based cloud storage companies to hand over data they have on foreign citizens.

Go-Cloud

Now this is very interesting for Brits, as the UK government recently launched the latest iteration of its Go-Cloud portal, which is designed to speed up and facilitate the adoption of cloud services throughout government institutions. Go-Cloud’s ‘Cloud Store’ lists all the government-approved vendors who offer SaaS and cloud storage to everyone from local councils to the Ministry of Defence. You can head over here and check it out for yourself.

After a quick search I managed to find a few US-based companies offering cloud storage solutions to UK institutions. These included big names such as Verizon and Dell, as well as lesser-known US companies with UK branches, such as SunGard Availability Services. Both Amazon and Google will be included as service providers in the next phase of Go-Cloud, although interestingly they were denied entry into the programme last month.

It’s also worth mentioning this press release, which details how Stratford-on-Avon council has archived over 12 million emails with US company Metalogix, and that US start-up CipherCloud is currently working with an unnamed central government department. Perhaps more worrying is PayPal’s role in delivering a “secure online identity registration service” for the Department of Work and Pensions…

Real threat

The University of Amsterdam study says this information request can be made even if the service provider is a subsidiary of a US company. As TechDirt points out, the revelation has caused a big stir in the Netherlands, where the Dutch Electronic Patient Database is implemented next month. The EPD database is run by a US-based company called CSC, causing Dutch citizens to worry over whether US agencies can now access their medical records.

The Dutch government and CSC are convinced there isn’t a problem, telling activists there are stringent data protection laws that guard patient data. But the researchers say that the threat is genuine and has global ramifications. Here’s a quote, summarised by TechDirt, from the paper.

“When using a cloud service provider that is subject to U.S. jurisdiction, data may be requested directly from the company in question in the United States. […] From a legal point of view, access to such information cannot be denied and cloud service providers can give no guarantees in this respect. […] The possibility that foreign governments request information is a risk that cannot be eliminated by contractual guarantees. Nor do Dutch privacy laws offer any safeguards in this respect. […] It is a persistent misconception that U.S. jurisdiction does not apply if the data government requests for information do not apply to Dutch users of the cloud. […] legal protection under specific U.S. laws applies primarily to U.S. citizens and residents. […] Given the nature of intelligence work, it is not possible to gain insight into actual requests for information by the U.S. authorities […] Cloud providers will typically not be able to disclose whether such requests are made”

Perhaps the UK government has different safeguards than the Dutch government, or perhaps it’s taken precautions not to entrust any really sensitive data to US companies. But nevertheless, as with SOPA, it appears that US legislation is once again having big ramifications for the rest of the world…