"Just thinking of avoiding U.S. providers does not solve anything," says Lakatos, "the analysis is much more complex."
Working with cloud providers
So, what's a European cloud customer to do -- or, for that matter, a U.S. customer anxious about how their cloud provider might respond to a government request for data under the Patriot Act? Cloud and other technology service providers have a mixed record when it comes to keeping customer data out of government hands. "For the cloud service providers, their life may be easier if they give the government whatever it's asking for," Lakatos says.
First, figure out what your concerns are. Many European cloud customers that have come to Lakatos for advice are not especially worried about whether the U.S. government knows with whom they do business -- but their clients are. In that case, the solution is making clear to customers what the risks are and what you and your cloud provider are doing to mitigate them. "A lot of it has to do with messaging," says Lakatos. "What promises and assurances can I give them?" Others may have legitimate concerns about information the government might obtain and how it could affect their business going forward. They must determine what specific information is valuable, how likely it is that the government would seek it out for a terrorism investigation, and whether it's worth storing in the cloud. (Data kept in-house by those with a U.S. presence is still subject to Patriot Act discovery tools, but the feds will have to go through you, not the cloud provider, for access.)
Secondly, take some time to understand how the Patriot Act might play out with regard to data stored in the cloud. The legislation expanded certain discovery mechanisms already available to U.S. law enforcement. The two most likely to be used to access cloud-stored data are Foreign Intelligence Surveillance Act (FISA) Orders and National Security Letters, says Lakatos. Both forms of discovery may include gag orders, preventing the cloud provider from notifying its customers about the government request for data. (Lakatos provides a detailed analysis of the types of data the government is likely to seek via these mechanisms.)
Thirdly, it is also important to customize your cloud contract to include a clause covering how the cloud provider is required to respond to government requests for data. Of course, we all know how reluctant cloud providers are to adjust their boilerplate agreements, but it's worth a shot. "If you have the market power, you can reasonably ask that those terms be customized a bit so that they promise you that, to the extent that there's not a gag order, they will immediately make you aware of requests for your data, or that they assume some obligations on themselves to not voluntarily provide more than they have to," says Lakatos. "A lot of times when the government comes knocking on the door of the cloud service provider, there's some room to negotiate or push back and say, 'Look, you're asking for more than the law requires.' You have to decide what you want to ask them to do."
Finally, advises Lakatos, get real about the most likely legal risks to your cloud-stored data. "Customers ought to be as concerned with traditional methods the government uses to obtain data. You may be more likely to see a grand jury subpoena or search warrant -- that type of thing," Lakatos says. "Consumers of cloud services often get distracted from the fact that often a lot of these investigations may occur in their home country. Even if they successfully fence themselves off from the United States, their country may have a concern about terrorism, and they can't assume that [their own government] won't be fairly aggressive about getting your documents through their own means."
Stephanie Overby is a regular contributor to CIO.com's IT Outsourcing section.