The Patriot Act: For data, is this where it all began or is it the same old same old?

Posted on October 17th, 2014


The world since 9/11 is different. America was touched by something sinister. In the immediate aftermath of September 2001, it seemed like anything that strengthened the fight against terrorism was justifiable. So the Bush administration gave the American people the Patriot Act. Officially the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, a name so graceful it’s a wonder everybody knows it by acronym. But the USA PATRIOT Act is more than a mouthful of legislative language; it’s a huge boost to US Government power and reach when it comes to fighting terrorism and keeping Americans safe. This means more power to monitor your data. Not new power.

Reading the act is like coming face to face with the protocols of the Ministry of Peace in 1984. The definition of terrorism is so broad it includes activist groups as well as cyberterrorists. You can be an organization or a lone wolf. You can be a family member or just someone who gives assistance or help to a terrorist and still fit the act’s definition. It also authorizes data searches and seizures with delayed notification warrants, rendering the very idea of a warrant before search and seizure perfectly sterile if not meaningless. This is a constitutional more than a technological issue. But for those who have data (that means both data hosts and hosting clients) it’s worrying. The good news is that some of these provisions have been successfully challenged and defeated in federal courts. But as long as the law wants to find a way, the Patriot Act paves the road.

It’s no surprise that sunset clauses, those clever insertions designed to let Patriot Act powers expire, weren’t enacted. Both Republican and Democratic presidents and congresses extended the Patriot Act beyond its intended lifespan. It’s almost sentimental! It’s so hard letting go.

What really matters is what’s happening behind the scenes, where few eyes have gazed. This is the bad news. When it comes to data surveillance, the Patriot Act is so “mission creep” that it would be comic if it weren’t so disturbing, and the veil is hard to peer through.

So what’s being done with data? Who has seen the other side?

Well, according to the ACLU, the EFF, Edward Snowden and just about everyone else concerned who isn’t a loyal part of some US government agency, the definition of terrorism and the scope of jurisdiction are too wide. Some say that mass data hoarding and the clandestine pinching off of data at network access points have been conducted under a blind eye or even with the support of large US telecoms. Some of this has been admitted to. Regardless, everyone agrees that US data hosts, no matter where their servers physically are, can be forced to give over private data at request and are under no obligation to inform the data’s owner. It’s as easy as issuing an NSL (National Security Letter), an extrajudicial note requiring electronic communication providers to render up records. The truth about mass surveillance and indiscriminate data mining is only slowly coming to light.

Whether you think a government should have this power is beside the point. If your data is hosted on a US-based (or even affiliated) cloud network you’re a potential target for monitoring. This isn’t really anything new or different from old-fashioned warrant monitoring, except that some of the checks and protections which used to be available to you are gone and the speed and reach, in abstract legal terms, of the watchers have grown. In some sense, legislation protecting and enabling the surveillance of data is obsolete. This is also a key point of debate.

And international data? Well, if your data hosts have one office or one employee in the US then they can be forced to turn over data under the provisions of the Patriot Act. If you’re a US citizen, same thing goes. If your host isn’t operative on US territory, it’s up to your home government and their courts. Access to your data in this case also depends on your data hosting company’s stance and the success of an MLAT or Mutual Legal Assistance Treaty request. This is good if you’re a Canadian company, like 7L, because it makes the data requisition process more transparent and includes local law enforcement. (But it’s not all good news. In Canada, ministerial authorities can issue an order to seize electronic data without a warrant and of course, the possibility still exists that data is passed over to authorities by extrajudicial means.)

The bottom line is that the Patriot Act has changed the reach of US government surveillance and the most interesting and controversial exercise of that power has been hidden from the public. We don’t know exactly how the Patriot Act is being applied. In early December 2013, Google, LinkedIn, Facebook, Microsoft, Yahoo, Twitter, Apple and AOL published a joint statement on surveillance. They are opposed! And one of the main points they collectively made was that we need to see the rules. Transparency. They also warn governments against bulk data collection, in effect telling them they have no business in the servers of the people.

The tech giants are not alone. One of the original authors of the Patriot Act is now in the game. Jim Sensenbrenner, a Wisconsinite Republican Senator who co-authored the act, has now come out against it, although in a highly qualified way. He says he’s sure that the Patriot Act has saved lives, and that it was painstakingly crafted to protect individual freedoms, even though it was drafted in great haste after 9/11 (no mention of how many lives it’s ruined). But now his innocent creation has been misinterpreted and abused by the NSA, especially recently. (Thank you, Mr. Snowden!) Now the good senator saves face and turns with the tide of public opinion. He’s writing new laws to undo the damage. He recently travelled to Europe to tell the EU just how badly his act was mistreated by hidden knaves and scoundrels tucked away in government agencies.

Of course, there’s so much more to this story than can be run through in a single blog post, and that’s good news because the 7L blog has more to offer.

For now, fellow data hounds, please keep the following in mind. Find a data host you trust. Find out what their policy is. Be sure to ask if they will be transferring your data through US partners. Never put any data in the cloud that might get government attention. And learn, learn, learn because at the end of the day it’s your data and your responsibility.