The US Government has amassed an impressive arsenal of options for access to data stored by telecommunications and cloud service providers over the past decade, leaving experts surprised at the global reaction to revelations of former NSA operative Edward Snowden.
Releasing a comprehensive paper on data sovereignty today in Sydney, authors from the UNSW Cyberspace and Law Centre, law firm Baker and McKenzie and financial insurer Aon joined security experts Stephen Wilson and Craig Scroggie on a panel to discuss privacy and the cloud.
Author David Vaile said Snowden's leaked material did not change what he knew to be far-reaching powers - "the only difference is three months ago, people didn't think it was interesting, today they do," he said.
Vaile nominated several instruments the US Government had at its disposal to request and obtain data from telecommunications and cloud service providers.
A summary is provided below; the full text can be found in Chapter Five of the report (pdf). The report was sponsored by Australian data centre builder NextDC.
1. The Third Party exception
US citizens are protected under the Fourth Amendment of the US Constitution from "unreasonable searches and seizures". For any search or seizure, this requires the Government to prove a probable cause of a crime having been committed, to produce a warrant, and to notify the subject of the warrant.
But there is an exception to the Fourth Amendment when it comes to third parties. It is expected that a person can't claim data to be 'private' if that data is stored with a third party.
Because your telecommunications provider must produce statements on who you have called and when, for example, that metadata is exempt from the Fourth Amendment: you, as a customer, signed up for your telco's service.
The report claims the US Government uses this exception "routinely" so as not to require a warrant. It has used this exception to determine such data as the name and contact details of filesharers, users of shared wireless networks, webmail and chat accounts.
By comparison, Australian telecommunications access laws 'mention' the need for a warrant, but don't mandate it, offering little protection to citizens. There is no overriding assumption of a right to privacy in Australian law at present.
2. The Patriot Act (Foreign Intelligence Surveillance Act)
President Bush's 2001 'Patriot Act' amended existing US laws pertaining to the ability of the US Government and law enforcement to act on personal and private information.
The Patriot Act - and extensions of it in 2007 and 2008 - modified the 1978 FISA Act to broaden the definition of targets of foreign intelligence – loosely defining "terrorists" as a category, regardless of whether suspected terrorists had ever committed a crime – and also allowed US authorities to skip the requirement for a warrant from the Federal Court System. Approval for surveillance is instead rubber-stamped by the Foreign Intelligence Surveillance Court (FISC).
The FISA Act allowed law enforcement to wiretap telecommunications services more or less at will, without a requirement to inform their target. ISPs, telcos and other service providers that comply with a FISA order must under the Act protect the secrecy of the operation. The Department of Justice can, for example, demand the electronic surveillance of an individual for up to a year without a warrant.
The abuse of powers detailed in Edward Snowden's PRISM revelations effectively relied on the NSA's interpretation of FISA.
3. Administrative Subpoenas — National Security Letters
The US Patriot Act also allowed for 'Administrative Subpoenas' – under which the FBI can order an individual or business to turn over documents without requiring a warrant or any other court order.
These 'National Security Letters' have most often been sent to telcos, financial services organisations and ISPs to gather data on suspects. An NSL can order a whole swathe of data from a service provider (phone records on 11,000 individuals, in one case) and again forbids the service provider from revealing the existence of the letter – to anyone.
By contrast, there is no 'broad' Act in Australia that allows authorities to demand data from private organisations or individuals, but instead a myriad of smaller pieces of legislation, usually aimed at regulating specific industries.
The Independent Commission Against Corruption can and does request data be turned over during an investigation, for example. The distinction is that more often than not, a warrant must be issued by a court before these demands can be made.
4. Secret surveillance programs
While the surveillance tools under the Patriot Act are extreme, privacy advocates have at least been made aware of their existence.
The PRISM system for harvesting information from cloud services, and the NSA's simultaneous build of a database of phone records from US telecommunications carriers, are prime examples of US Government surveillance that were of a secretive nature until the events of recent weeks.
In Australia, by contrast, efforts to compel service providers to retain data for such purposes (Data Retention) have been met with stiff resistance.
5. Mutual assistance treaties
The US Government has signed treaties with over 50 nations and the EU in order to gain access to data on individuals outside of its immediate jurisdiction. It signed a Mutual Assistance Treaty with Australia in 1999.
The Council of Europe Convention on Cybercrime – signed by both the US and Australia – allows for a global network of law enforcement authorities to gather data from within their jurisdiction for the purpose of sharing with their peers.
Indeed, allegations of US surveillance of EU states leaked by Edward Snowden may threaten some of these treaties in future.
6. Discovery
Should the US Government – or the Australian Government for that matter - require more information from individuals or organisations, it has within its power the ability to demand it during litigation proceedings, through the process commonly referred to as 'discovery'.
In most cases, the discovery process is approved in a court hearing. But the US Government also reserves the right to subpoena information from private companies and individuals when it is involved in unrelated litigation with other parties. This, however, is again at the discretion of a judge.
7. Informal requests
While there are plenty of instruments by which the US can monitor its citizens and foreign citizens, most of these legal instruments assume the service provider was not willing to hand over customer data in the first place.
The report recognises that industry-specific regulators often make informal requests of service providers – requests service providers will often comply with in the hope that such matters won't be legislated in the future.
Vaile noted that in Australia, the apparently 'voluntary nature' of deciding what 'doing your best' means under the Telecommunications Act [s313(1) and 313(2)] puts unenforceable but nonetheless considerable pressure on ISPs and carriers to cooperate, without any of the checks and balances elsewhere in the Act.
"This seems to be the ambiguous basis for the informal back-door introduction of de facto ISP-level black list internet filtering despite the disavowal of the former, potentially more transparent 'mandatory' proposal which failed to ever get enough support to pass into law."