Snowden, privacy and cloud services


By Puneet Kukreja
Thursday, 03 October, 2013
Edward Snowden was until most recently an unknown entity. But now, he is being heralded in various circles as a whistleblower who has undertaken a ‘magnificent act of civil disobedience’ by sharing details of the PRISM electronic surveillance program operated by the United States National Security Agency (NSA).

To bring all onto the same page, PRISM is a government codename for a data collection effort operated under the supervision of the United States Foreign Intelligence Surveillance Court pursuant to the Foreign Intelligence Surveillance Act (FISA). Further information is available here.

There are multiple facets of the PRISM program that civil libertarians are arguing about, in the same manner that they were arguing about the Patriot Act and multiple others, but I want to focus on what the business impact and awareness of programs like this means for organisations that are looking to embrace the cloud.

There has been a lot written about the Patriot Act and how the PRISM program is an implementation instrument of the Patriot Act. However, from a cloud services perspective, I believe that a program like PRISM will have limited impact on organisations looking to onboard cloud services hosted in the US, Australia or Europe.

There are numerous US legal instruments in play, including but not limited to:

  • Patriot Act
  • US Patriot Act National Security Letter (NSL) power under 18 U.S.C. 2709 (Section 505)
  • US Foreign Intelligence Surveillance Act, pursuant to s. 215 of the Patriot Act
  • US-Australia Mutual Legal Assistance Treaty (MLAT), signed in 1997 (EPF309, 04/30/1997), the modern framework for cooperation between the United States and Australia
  • Electronic Communications Privacy Act of 1986 (ECPA)
  • Communications Assistance to Law Enforcement Act 1994 (CALEA)
  • FISA Amendments Act of 2008

The Fourth Amendment of the US Constitution and common principles derived from the International Covenant on Civil and Political Rights (ICCPR) prohibit cloud service organisations from voluntarily releasing customer data to government agencies.

However, where a US government agency requires access to your organisation’s data and it is hosted in a US-based cloud, it will obtain that access through the legal instruments listed above.

What organisations need to do is:

  1. Carefully consult your terms of service with all cloud service providers to ensure that security, transparency and legal certainty are the key drivers supporting your cloud computing services.
  2. Select a cloud provider that guarantees compliance with your own policies and the data protection legislation of the country where the cloud service is based.
  3. Understand and verify how the cloud services provider will guarantee the lawfulness of any cross-border international data transfers.

The above represents the personal views of Puneet Kukreja and not necessarily those of AISA, CSA-AU or any organisation Kukreja works for or is on the board of.

Puneet Kukreja is an independent IT Risk Advisory and Service Management expert. He is a member of the Harvard Business Review (HBR) Advisory Council and is on the boards of Cloud Security Alliance Australia and the Australian Information Security Association. He is an authorised spokesperson for AISA and is pursuing research interests in the areas of cybercrime, legislative implications of cross-border data transfer, cloud convergence and shared services.

  • All content Copyright © 2024 Westwick-Farrow Pty Ltd