CloudNotes 008: US Patriot Act

There are few more pressing concerns in the world of cloud computing than data location and data sovereignty. Knowing that your data in the cloud is safe and secure is of paramount importance, especially when that data is business critical or contains private, sensitive material. One piece of legislation which regularly rears its ugly head when it comes to the issue of data protection is the US Patriot Act. Luckily Dominic Pollard is on hand to talk you through exactly what it is and how it can affect the data you potentially store in the cloud.

Photo credit: Stefano Brivio/Flickr.

What is the US Patriot Act?

The US Patriot Act is a United States law which enables law enforcement agencies to search telephone and email communications as well as medical, financial, and other records that are stored on American soil. This means that almost any data – personal, private, business critical, confidential or otherwise – can be accessed by government departments if they believe it is in the country’s interest to do so.

The Act was introduced in October 2001 by George W. Bush following the 9/11 terrorist attacks. It was a means of granting the US authorities greater power for security and defence measures, but now it also serves as a primary concern for those storing data in the cloud.

Simon May, cloud evangelist for Microsoft, says that “any company with a significant US presence is subject to it. Any data which travels through the US is subject to it. That could be interpreted to mean that if you have a laptop and fly over the US, you would be subject to it from that one point forward.”

So what does that mean with regards to the cloud?

The very nature of cloud computing is that you store and access your data on an off-site server. The issue that therefore arises is where exactly that server is. You, as a UK-based company, for example, may wish to use the cloud services of Google, Microsoft or Amazon (to name but a few of the options). The cloud provider could put your data round the corner or on the other side of the world. If it’s in the States – even temporarily – it will be subject to the Patriot Act.

If your company’s data, which may include the personal details of your customers and clients or critical business information, were to be stored across the pond, then it could be subjected to the US government’s peepers. What you must ask is ‘what would the impact of this be on our company?’ and ‘will this conflict with any of our compliance regulations?’

Should I be as concerned about it as some people seem to be?

Some of the concern that surrounds this Act regards trust. There seems to be a lack of trust when it comes to the US government and their desire to be in the know about anything and everything which could concern them. I can’t imagine why.

However, trust issues aside, it can come down to simple data location regulations that your company and its data might have to adhere to. As Michael Charles, product manager at Outsourcery, says:

“Sometimes it’s irrespective of whether we trust them, it can just be a compliance issue. It’s not that we don’t trust them, we just can’t let our data be exposed to such laws.”

So yes, there is cause for concern. Quite simply, some companies cannot put their data into the cloud if it is at risk of being accessed by a third party. It may contain private and sensitive data, and for this to be rummaged through by US government officials could conflict either with contracts they have with their customers or with data privacy laws in their home country.

However, as Dr. Graham Oakes, freelance business consultant, says: “The reality is that it does not matter to the vast majority of organisations. There are only a few exceptions when it matters. It is also easy to find suppliers and SLAs that ensure that your data is stored in European jurisdiction.”

What else should I be aware of?

Data separation, in a word or two. If your data or applications are hosted within a public cloud, they will either stand alone on their own server or be co-mingled with other organisations’ data on shared hardware. If it’s the latter, and it happens to be hosted in the US, there could feasibly be problems. In short, if the US government decides that it wants to see a company’s data but finds that it cannot separate it from all of the other companies’ data on the same server, it will simply take the lot. You can expect downtime as a result.

What’s the best way round the problem?

As Oakes says, the easiest way round the problem is to go with a cloud supplier who can guarantee you that your data will be stored on a server outside of the US, and then to make sure that this guarantee is written into your SLA. This way your data will be safe from the prying eyes of the US government, and you can rest assured that you know where your data is being held (even if the guarantee only goes as far as storage on servers in the EU) and that it is therefore not going to be subjected to the Patriot Act.

If it came down to a choice between breaking the law in your home country and risking the wrath of the US powers that be, it wouldn’t be the most comfortable decision you’ve ever had to make.