Can remote software be private?
OUT-LAW Radio, 27/03/2008
Software as a service is an emerging trend, but can you use
US-based services and keep your documents from the prying eyes of
the US authorities?
A text transcription follows.
This transcript is for anyone with a hearing impairment or who
for any other reason cannot listen to the MP3 audio file.
The following is the text spoken by OUT-LAW journalist Matthew
Magee.
Hello and welcome to OUT-LAW Radio, the weekly podcast that
keeps you up to date on all the twists and turns in the world of
technology law.
Every week we bring you the latest news and in depth features
that help you to make sense of the ever changing laws that govern
technology today.
My name is Matthew Magee, and this week we investigate a ruling
that could neuter freedom of information law, and look into how
BT's wireless sharing technology keeps the police from your
door.
But first, the news:
UK air passengers will soon be making in-flight phone calls,
and
EU biometric passport measures criticised by privacy
watchdog.
Passengers on UK planes could soon be able to make phone calls
in the air. Telecoms regulator Ofcom has decided to allow the
airwaves to be used for in-flight calls but has warned consumers
about the likely high costs of doing so.
Ofcom has said that it will now allow airlines to use radio
spectrum to relay calls from planes to mobile networks using
specialised on board equipment. Phone users will connect to the
equipment on the plane which will then connect via satellite to
their own networks once they have reached a height of 3,000
metres.
The regulator, though, has said that it is not in control of the
likely prices to be charged and that these could prove a shock for
users.
It said: "Ofcom is concerned about this issue
as tariffs may well be high relative to other mobile communication
services and there is a danger that consumers will receive
unexpectedly high bills. No system will be introduced unless
it has been approved by air safety bodies the Civil Aviation
Authority (CAA) and the European Aviation Safety Agency."
Proposed Europe wide rules governing biometric passports are
still unsatisfactory despite some concessions, according to
Europe's top privacy watchdog the European Data Protection
Supervisor.
The European Commission has proposed new rules demanding that
passports contain biometric identifiers in the form of
fingerprints.
Supervisor Peter Hustinx has reviewed the proposed rules and
identified some welcome exemptions, principally for young children
and the elderly. But he said that the concessions do not go far
enough to protect the rights of citizens.
Hustinx has asked that an exemption for children under six years
old be extended to children under 14.
Hustinx said that by law he should have been consulted by the
European Commission over the proposals but wasn't. A statement from
his office said the EDPS regrets that the European Commission did
not comply with its legal obligation to consult him and expects to
be consulted in the future.
That was this week's OUT-LAW news.
Call it cloud computing, call it software as a service, call it
plain old outsourcing. People are becoming increasingly fond of the
idea of getting other people's computers to do the work.
But could using software on other people's machines cause your
name to be on a terror watch list? Could it mean that investigators
in the US will be reading your email?
Canadian academics and legislators fear just that, and are
taking action to stop their personal information falling into the
US government's hands thanks to that country's Patriot Act.
Outsourcing by major corporations has meant that personal data
has for some time been sent to countries where labour has been
cheaper, such as India.
Now smaller businesses and even consumers are routinely sending
their data abroad every time they use technology such as Google
Docs, the free, on demand word processing and spreadsheet software
package attached to Google's web email service Gmail.
Google's services have been so popular that institutions are
even turning over their entire email infrastructure to the system.
That's what Lakehead University in Ontario, Canada did, but there
was one catch. Students and staff were told not to send private
data through the system, including student marks.
Why? The answer is the US Patriot Act, a piece of legislation
passed in the wake of the 2001 terrorist attacks in America, which
dramatically increased the powers of US investigators to gain
access to communications without a court warrant.
The university's warning was designed to protect the privacy of
staff and students from the prying eyes of the US government but
the prohibition sparked outcry, and the university's faculty
association has taken Lakehead to task over the issue.
David Fraser is a privacy lawyer in Canada who specialises in
cross border data transfers to the US. He says that although some
reports have exaggerated the impact of the Patriot Act, there is
definitely cause for concern for anyone whose data goes through the
US.
David Fraser: I think the big
concern with the US Patriot Act is that certain searches, or
certain demands for information that used to require a warrant from
the court and therefore were subject to court oversight and
supervision, now can be done with something similar to an
administrative subpoena; something called the National Security
Letter which can be issued to a custodian of personal information
requiring them to hand over anything. That can include a record,
can include information. Then there's also a gagging order that
goes along with it so that the custodian of that information is not
allowed to tell anybody that the demand has been made. And so the
concern is that once a US-based service provider has that
information in their custody they could be required to hand it over
without a warrant.
Matthew Magee: And who can
issue one of those subpoenas and in what circumstances?
David Fraser: My understanding is that they
come from the US Department of Justice and the Federal Bureau of
Investigation and certain warrants or certain searches or demands
can be done with a warrant issued by the Foreign Intelligence Court
in the United States which is a court that operates in relative
secrecy.
In fact this is far from a new issue in Canada, said Fraser.
Some Canadian provinces were so concerned with the Patriot Act a
few years ago that they passed laws banning publicly funded bodies
from sending personal data to the US at all.
David Fraser: Those concerns - they first
really came to light a number of years ago when the provincial
government of British Columbia proposed to outsource processing of
Medicare claims to a company that was headquartered in the United
States and the labour unions, the public sector labour unions of
British Columbia, raised the issue of the possibility that medical
records of Canadians, including mental health records, would be
accessible to the US authorities under the United States Patriot
Act. And the concerns, some of them were overblown, but it did
result in suggestions and recommendations that the British Columbia
government actually pre-empted by introducing amendments to the
public sector privacy law in British Columbia to strictly regulate
and limit the export or storage of personal information of British
Columbians outside of Canada.
Where British Columbia led, Alberta and Nova Scotia followed,
restricting the ability of publicly funded bodies, including
hospitals and universities, to send personal data abroad.
The problem is not that government agencies can access the data
in the US. Almost every country has some process by which
investigators can access communications data. This will typically
involve getting a judge to give you permission to force access to
the information. The problem is how easy it is for US agencies
under the Patriot Act. When no judge-issued warrant is required,
many people worry about whether every intrusion is really
necessary.
David Fraser: The concern is that check and
balance is no longer there and therefore it's simply law
enforcement deciding that they have the compelling need and that
they believe that that need overrides the individual's privacy
rights. But I think a lot of people are cynical about how concerned
those organisations are about privacy in general.
On an individual level you might be able to cope with the idea
that US investigators can trawl your emails without a judge's
say-so, but if you are a company dealing with other people's
information you have to be much more careful.
The UK and the European Union have strict rules about where you
can send your customers' or employees' data. The basic principle,
according to privacy specialist William Malcolm of Pinsent Masons,
the law firm behind OUT-LAW, is that anywhere you send the data has
to protect it as well as Europe does.
William Malcolm: The Data Protection Act sets
out a number of principles which organisations need to comply with.
One of those principles is designed to ensure that transfer of data
outside the UK meets certain standards and in essence what the Act
is trying to achieve is to make sure that data doesn't go to
countries or territories which provide safeguards which are lesser
than those provided in the European Union. There are various
solutions that companies can put in place to achieve compliance but
the broad principle is making sure that data doesn't go to
countries where lesser protections are available.
Malcolm said that companies are generally on safe ground when it
comes to countries in the European Economic Area, and places on an
EU list of approved countries whose data protections are strong
enough. For the US, though, the situation is more complicated.
William Malcolm: Aside from EEA countries and
those countries on the EU approved list you would need to look at
another compliance solution. One such solution is that transfers to
the USA are deemed to meet adequate safeguards if the
company to which you're transferring that data is signed up to the
US safe harbor scheme. That's a scheme whereby companies bind
themselves to comply with certain privacy standards and US
regulators take action against them if they fail to meet those
standards.
Malcolm cautions, though, that a company sending data abroad is
ultimately responsible for what happens to it. And a safe harbour
agreement does not exempt data from US law.
Last year the inter-bank payments firm SWIFT was heavily criticised
for allowing US authorities access to the banking transaction
details of Europeans. SWIFT had servers in the US and had responded
to a US demand for data.
Malcolm says that this is evidence that no agreement can trump the
law, and that companies sending data through the US must realise
that it will be subject to the controversial Patriot Act.
William Malcolm: We saw with the SWIFT case in
the last couple of years the debate between the EU Commission and
the US in relation to privacy protection but if local US laws give
organisations and public authorities the ability to require
organisations holding data in their territory to make disclosures,
then there's very little that can be done to stop that. That was
the whole issue in the SWIFT case where subpoenas were handed down
under which SWIFT had to disclose financial data on EU bank
customers. The fact of the matter is once the data reaches there if
it can be accessed locally and legitimately under local laws,
there's very little you can do to prevent that.
So as corporate outsourcing techniques begin to creep down into
consumer on demand software services, and as organisations begin to
hand over their entire systems to online providers, users should be
aware that privacy may be the first casualty of convenience.
That's all we have time for this week, thanks for
listening.
Why not get in touch with OUT-LAW radio? Do you know of a
technology law story? We'd love to hear from you on radio@out-law.com.
Make sure you tune in next week; for now, goodbye.
OUT-LAW radio was produced and presented by Matthew Magee for
international law firm Pinsent Masons.