Every new computing technology seems to bring with it a privacy flap. Right now, cloud computing is going through that phase, at least outside the US. Canadian and European elites fear that putting data in the cloud will somehow let the US government paw through it at will, a fear that usually centers on Section 215 of the USA PATRIOT Act.
The debate has been fed by interest groups worried about their future in a world of cloud computing. It was first raised as part of a campaign by the British Columbia Government Employees Union against the outsourcing of British Columbia’s health insurance data processing. (Full disclosure: I worked on the issue for clients both at the time and more recently.)
After years of remission, the issue has recently returned even more virulently, when Europe’s small cloud providers began using the Patriot Act as a marketing tool. In November of 2011, two European companies announced the creation of a European cloud offering that they advertised as providing a “safe haven from the reaches of the U.S. Patriot Act” in a press release that goes on to say, “Under the Patriot Act, data from EU users of U.S.-owned cloud-based services can currently be shared with U.S. law enforcement agencies without the need to tell the user.”
This is a pretty clear reference to section 215 of the Patriot Act, which once allowed the FBI to “gag” recipients of 215 orders. (That authority was substantially cut back by Congress in 2005; now recipients may challenge gag orders in court annually until they are revoked. See 50 USC 1861(f)(2)(A).)
As a competitive strategy, this line of attack has some problems. It assumes that, while US-owned companies can be compelled to produce data from around the world, European companies can safely refuse to comply. The argument that the US can compel global compliance is grounded in a line of cases ordering banks to produce records from foreign branches. Unfortunately for the European companies making this pitch, the line of cases is named after the unsuccessful party – the Bank of, uh, Nova Scotia– which is rather plainly not a US company and thus hardly the best case to cite if you’re arguing that people can defeat American discovery orders by giving their records to companies headquartered outside the US.
Nonetheless, the argument is still shaking up customers and officials in Europe, who are understandably not comforted by the response that even European cloud companies can be compelled to produce records. I think for several reasons that this risk has been severely hyped – there are only a couple of hundred section 215 orders a year, compared to tens of thousands of criminal subpoenas, and the Justice Department discourages foreign fishing expeditions. But those reasons have been discussed by others. Instead of digging into them, I’d like to explore a point that hasn’t been discussed as widely: the utter uselessness of serving a section 215 order on a cloud computing company.
In essence, it seems pretty clear to me that section 215, entitled “Access to certain business records,” is designed to collect a company’s business records. And a company’s business records are ordinarily viewed as the records the company uses to conduct business, not information belonging to the company’s customers.
Why does this matter for European privacy buffs? Because the records that cloud companies need to conduct business are very different from the records kept by the Bank of Nova Scotia. Banks must keep track of how much money you move in and out of your account, since that determines how much interest they owe you, how much they can charge for wire transfers and bounced checks, and so on.
Put another way, your transactions are part of the bank’s business records. But the records you store on cloud computing platforms aren’t part of the cloud company’s business records, because that’s not how they measure their costs and revenues, among other reasons.
Judging by this calculation, the data that cloud computing companies need to send out their bills is a lot less interesting. They need to keep records of how many CPUs the customer rented, for how many hours, with how much storage space (RAM and disk), on how fast a network. Last I looked, that is information that I already tell the world about my own computer when I visit any site on the Internet.
If that’s all the US government can get by serving a 215 order on cloud companies, it’s no wonder that we haven’t actually seen or heard of such an order in real life.
So, am I right? The best argument against this conclusion is that the title of section 215 doesn’t really tell you what the government can demand. Although the title speaks of “access to business records,” the body of the provision allows the court to order “the production of any tangible things (including books, records, papers, documents, and other items).” That sounds pretty broad, but also pretty familiar. Under the federal rules of criminal procedure, a federal grand jury “subpoena may order the witness to produce any books, papers, documents, data, or other objects.” But as broad language as this language is, the government doesn’t ordinarily use grand jury subpoenas to order people to produce things that belong to other parties. That practice is prudent, given that some courts, notably the Sixth Circuit in Warshak v. United States, think the fourth amendment requires use of a warrant, and the Congressional authorizations for administrative subpoenas require notice to the target.
The link between section 215 and criminal investigative practice is firmed up by a sentence added to section 215 when it was renewed in 2005. The new sentence says, in essence, that section 215 can only “only require the production of a tangible thing if such thing can be obtained with a [grand jury] subpoena.” See 50 U.S.C. § 1861(c)(2)(D).
It seems to me that this puts a special new burden on the Europeans who think that section 215 is a problem for American cloud providers. When it was the spooky, subterranean, and evil Patriot Act they were construing, they could plausibly say, “Who knows what the government is doing behind those gag orders in that secret court?” But now that the tie between 215 and grand jury subpoenas has been clearly written into the statute, there is no dearth of information about US practice. We have fifty years or more of criminal procedure, and tens of thousands of criminal subpoenas a year, to draw upon. If grand jury subpoenas have been used to obtain third-party records across international boundaries, especially from cloud providers, then the European merchants of FUD have a point. If not, they can safely be ignored, by customers and policymakers alike.