Disclaimer: Ok, let’s get one thing straight right off the bat – I am NOT, by any stretch of the imagination, a lawyer or even a subject matter expert on the question of access to data. I am an IT professional who keeps hearing customers say that they don’t want to use services such as Office 365 because they don’t want their data hosted in the US. They are afraid that the USA Patriot Act means that US authorities can peek into their data whenever they want, so I decided to just do a bit of research (not exhaustive by any means!) to see what came up about that. It was a little surprising.
First off, a little trivia:
The term USA PATRIOT Act is actually an acronym for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act.
Who doesn’t love a good acronym?
Now, let’s get down to what I found.
The first article I came across was by Timothy M. Banks, in his article titled Cloud Computing and the USA Patriot Act: Canadian Implications, Mr. Banks clarifies that the Canadian Criminal Code already permits the seizure of electronic data:
this legislation has led the Office of the Privacy Commissioner of Canada to conclude in three decisions not only that Canadians are at risk of personal information being seized by Canadian governmental authorities (including without the knowledge of the target), but also that there is already a risk of that information being shared with U.S. authorities.
So there you go. A first indication that your data may not be as safe as you think even if it’s in Canada.
Then, I came across this FAQ on the Governement of Canada’s own web site: Frequently Asked Questions: USA PATRIOT ACT Comprehensive Assessment Results. Significantly, question #6:
Has there been a case where personal information about a Canadian was accessed under the USA PATRIOT Act?
The federal government is not aware of any such case to date.
Ok, so it’s not like this is happening on a daily basis…
A little more digging, and I found references to David Fraser, a Partner at McInnes Cooper in Halifax, Nova Scotia. Mr. Fraser specializes in Internet technologies and privacy. In this IT World article titled Don’t use the Patriot Act as an excuse, Mr. Fraser states that
The U.S.A. Patriot Act has become short for “Oh, we can’t use the cloud”
In another article – Keeping data here no protection against US: Lawyer – he says:
The Patriot Act is a “boogey man”,… The fact is most developed countries have legal tools that allow their law enforcement agencies to make legal claims on data held in their countries or outside their borders
Interestingly, that article contained a link to another one, where Mr. Fraser warns that there are security issues much bigger than “the cloud”: Never mind the Patriot Act, watch your thumb drives. Too true!! It’s incredible that still today, so few organizations have clear policies or tools to manage data loss through these tiny little storage devices.
More digging, and I came up with this Government of Canada page: Summary of Submissions to the Lawful Access Consultation, where it clearly states that:
For the police, this involves the lawful interception of communications and the lawful search and seizure of information, including computer data. Lawful access is a specialized tool used to investigate serious crimes, such as drug trafficking, money laundering, smuggling, child pornography, and murder. Lawful interception of communications is also an essential tool for the investigation of threats to national security, such as terrorism.
In other words, even if your data is on your own server, locked in you office, authorities can still get to it if they suspect you of illegal activities!
And there have been enough examples of that in Quebec in the last couple of years:
- Quebec’s anti-corruption squad seizes computer data in raid on Liberal party’s Montreal headquarters
- Anti-corruption squad raid on Laval city hall, mayor’s home
- Charbonneau Commission: Laval notary Jean Gauthier minimizes his link to Vaillancourt
Municipalities, mayors, notaries, engineering firms – all had data seized from their offices by the anti-corruption unit in this debacle.
My personal conclusion: unless your organization is doing something highly illegal, there should be no reason to fear using services like Office 365. And if you are into illegal activities, chances are that the authorities will be able to get to your data, no matter where it is!
