Data security and the Patriot Act
Here in Canada the province of Nova Scotia just enacted a law intended to protect citizens from the U.S. Patriot Act. The law purports to solve the problem, but to me it looks worse than useless.
According to the press release, under this new law "the minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians". Penalties for disobeying are up to $2,000 for government and private sector employees and up to $500,000 for companies.
The problem is that the U.S. Patriot Act specifically forbids notifying anyone. For example, section 215 makes these amendments to the Foreign Intelligence Surveillance Act:
‘‘(d) No person shall disclose to any other person (other than those persons necessary to produce the tangible things under this section) that the Federal Bureau of Investigation has sought or obtained tangible things under this section.
‘‘(e) A person who, in good faith, produces tangible things under an order pursuant to this section shall not be liable to any other person for such production. Such production shall not be deemed to constitute a waiver of any privilege in any other proceeding or context.
Any U.S. company handling personal information of Nova Scotians (or of any other persons) cannot reveal that a request has been made or that records have been handed over to the FBI. This contradicts Nova Scotia’s new law, but that provides even more incentive to stay quiet about disclosure: notify the Nova Scotia minister of Justice and your company faces a half-million dollar fine, plus you may go to prison in the U.S. for violating the terms of the Patriot Act.
Warrants and probable cause are not required to make a demand under the Patriot Act. Any local FBI office can demand whatever it wants to see from any person or organization. A strict reading of section 215 implies that you can’t even discuss a demand with your lawyer.
The terms of the Patriot Act provide ample fuel for almost any paranoid theory. For example, remember the Total Information Awareness program? It sparked outrage and was supposedly killed but it seems it was really just renamed and classified. Perhaps records from every U.S. financial institution, Internet Service Provider, search engine and retailer are being vacuumed up via Patriot Act requests to feed TIA. Who knows? It’s illegal to tell anyone.
Paranoia aside, if you’re outside the U.S. and responsible for the security of your organization’s data the only safeguard against a breach via the Patriot Act is to keep it away from U.S.-controlled entities. It’s a threat to data confidentiality that no firewall or non-disclosure agreement can prevent.
Last week, the CBC reported how Canadian universities are starting to stay away from U.S.-based reference databases. The fear is that records of scholarly searches for "terrorism related" bibliographic data will wind up in U.S. government hands, perhaps getting you listed on the infamous "no fly" list or worse. The Globe and Mail also picked up the story over the weekend.
Concern over the Patriot Act is certainly not new, especially inside the U.S. Over on the other coast of Canada, the privacy commissioner for British Columbia investigated its impact back in 2004. The conclusions and recommendations in that report are interesting reading. For one, he concluded that even data residing outside the U.S. could be requested if it’s held by a U.S.-controlled entity.
However, unlike Canadian universities, the BC privacy commissioner concluded that "a ban on outsourcing [to U.S. companies] would not be a practical or effective way of ensuring the protection of personal information". I disagree and think that is exactly what is happening around the world… organizations are keeping data out of U.S. hands because of the Patriot Act.
Pretty Good Privacy (PGP) celebrated its 15th anniversary this week. Its author, Phil Zimmermann, fought for years against laws that equated cryptography with military weapons. Export of any crypto software better than ROT13 could land a U.S. citizen in prison. The policy was ineffective and turned the U.S. into a bit of a crypto backwater: other nations had strong crypto and foreign companies were making money because they were free to use it. In 1999 the policy was repealed, in part because of the money being lost by U.S. businesses that wanted to compete globally.
Perhaps something similar will happen when enough international customers stop using U.S. businesses.