Patriot Act provides 'comfortable' risk on cloud

Businesses can reach a "comfortable" level of risk when considering the potential impact of the US Patriot Act on the privacy and confidentiality of data stored on US-hosted cloud services, according to a legal expert.

Norton Rose partner Nick Abrahams told attendees of a government-sponsored cloud forum this week that while the risk associated with the contentious legislation should not be dismissed, the Act itself isn't a dealbreaker for the cloud.

"There is a risk associated with the Patriot Act; government has a different risk profile to private sector," Abrahams said.

"I think particularly for private sector, it is possible to get your heads around the risk and get comfortable with it.

"I'm not saying that this is something that you just dismiss. It is an issue but it is a risk that can be managed."

Abrahams pointed to an unnamed major Australian bank as having assessed and comfortably settled the risk of using US-based cloud provides despite the existence of such legislation.

"This is no different to what banks have been doing; most of the banks, some more than others, are outsourced to large US providers so the Patriot Act has been around," he said.

"The sheer fact of the matter is that if US intelligence agencies want to get access to Australian consumer data, they don't need to use the Patriot Act, they can just fire up the bilateral treaty that we have and they will be able to get access to it."

The Patriot Act, instituted by the Bush Administration in 2001, "enables access to a narrowly defined set of data around terrorist-related activities" according to Abrahams. 

The legislation has been pushed as a key concern for Australian government agencies, financial services and large enterprises in consuming cloud cloud services hosted overseas, as well as a key defence for ongoing data sovereignty concerns.

Cloud vendors have pushed against the notion, with at least Microsoft and Amazon directly lobbying governments in a bid to change what they argued were misheld notions about the impact of the Patriot Act.

A standing committee on cloud computing established last year by the think tank Global Access Partners and chaired by a key bureaucrat at the Department of Broadband was tasked with assessing the impact of the US legislation on cloud vendors and Australian businesses procuring those services.

A source close to the committee told iTnews that the committee — which includes vendors SAP, Hitachi, HP, CSC and Optus — had similarly agreed that the legislation posed no additional risk to those that already existing prior to the Act.

Abrahams said that while banks had become more willing to offshore data as a result of the financial regulator's loosening of data security concerns, it remained their obligation to ensure customer data remained safe.

"I think that banks have always been managing risk and they've always been using outsourcers, they should be making people comfortable that they are keeping people's information confidential and ensuring that he providers that they work with keep it confidential," he said.

Conroy wants self-regulation

Though concerns of US legislative impact on Australian cloud services have weakened in recent months, the introduction of local legislation could also impact vendor confidence and their potential entry to Australia's hosting market.

The introduction of new Australian privacy principles, for example, would tighten regulations on the export of customer and user data overseas while the Privacy Commissioner has warned of a possible mandate for data breach disclosure in future legislative amendments.

Communications minister Stephen Conroy told the cloud forum that the Federal Government had sought to refocus on issues related to cloud, but indicated an unwillingness to directly regulate vendors.

"Where we probably really need to focus is on public perceptions and ensuring trust in the cloud," he said, noting consumer and vendor contractual arrangements, privacy and data security concerns as persistent issues.

"They require our ongoing commitment to resolve. Policies and protections can be put in place, but the ultimate test for consumers will be what they experience firsthand.

"That is where industry needs to step up and ensure the customers' cloud experience is a positive one. Self-regulatory efforts to address key challenges will also be important in ensuring consumers can engage with the cloud safely and confidently."