UK Cloud Computing Interception - nothing new

Clive Gringras
Olswang LLP 2011, www.olswang.com
Some UK cloud-computing customers are concerned that they should not entrust US cloud-providers with their data for fear of US law enforcement interception. If interception is so much of a concern they should not only avoid US cloud providers but also should avoid using the UK's telephone, the Internet, and the postal system. The interception of communications, whether stored in the 21st Century cloud or sealed in 16th Century scrolls, and whether here in the UK or in the US, is nothing new. All communications data, where justified, may be intercepted by the State's watchful and proportional eye.

"Any access to communications data by public authorities is an intrusion into someone's privacy. To be justified, such intrusion must satisfy the principles of necessity and proportionality". These are not the post 9/11 words of a US legislator justifying new legislation to spy on unwitting citizens; they are the words in June from the UK's Interception of Communications Commissioner, Sir Paul Kennedy.

Both the US and the UK (together with many other EU Member States) have morally-principled and strong legislation allowing their State's machinery to intercept certain electronic communications stored and transmitted through the cloud. True, the two countries differ in branding: the USA uses the optimistically-pitched PATRIOT Act whilst Britain uses the graveyard-echoing RIP Act. Naming apart, both nations' regimes are concerned to intercept, across every system, the plotting and evidence of society's most feared and serious offences.

Aware of the mobility of today's criminals and terrorists, legislators in the US and the UK wanted interception rules to apply to any traffic passing through communications equipment in their territories.
These legislators wanted to ensure that terrorists and serious criminals cannot find a digital safe haven in either the UK or the US, nor can they simply hide from view by diving behind the firewall of an unwitting enterprise hosted on a cloud computing service. Businesses on either side of the Atlantic wanting to take advantage of cloud computing must accept that just as terrorists might squat in their systems in the UK or in the US, so law enforcement must have rights to intercept communications, whether in Newcastle or New York.
This article briefly sets out the parameters of the USA PATRIOT Act before looking in greater detail at the framework and workings of the UK's RIP Act. This analysis will reveal that UK businesses will not escape interception merely by shifting from a cloud provider in the US to one in the UK, or even elsewhere in the EU; to remove entirely a business's exposure to interception one needs to take the Luddite step of stopping all phone calls, all use of the internet and mobile phones and of stopping using any postal systems.

In the dark shadow of the 9/11 attacks, the US government joined other governments in strengthening their powers of interception of and access to enterprise customers' data. No doubt with the final acronym in mind, on 26 October 2001 the US passed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. The USA Patriot Act was mainly an update to pre-existing federal statutes. For example, the Act stretched the investigative tools previously available to fight organised crime to include fighting terrorism. The Act also extended the authorities to defeat cross-border money laundering and terrorism funding. Providing no novel state powers, this legislation was more re-brand than new regulation. And crucially, the Patriot Act has checks and balances, and oversight, as to when and why data is accessed.

A full year earlier on 2 October 2000, the UK brought into force the Regulation of Investigatory Powers Act 2000, or RIPA. Not unlike its US cousin, the RIPA also was not novel. Interception has been on the British Statute book since at least 1663 and the British State is not unfamiliar with interceptions and de-encryption of communications. In the late 1500s Sir Francis Walsingham worked for Queen Elizabeth I to intercept, and with Thomas Phelippes, decipher and forge, letters between Mary Queen of Scots and her treasonous plotters.
The cloud, just like the letters to Queen Mary and the messages intercepted in 1940s Bletchley Park, merely provides a different medium through which much good, but sometimes bad, communications are shared.

RIPA regulates interception of the content of communications as well as disclosure of information as to the who, where and when of these communications. Just as serious criminals and terrorists will resort to using email, letters, phone calls and text messages, so the legislation permits the interception, where appropriate, of these and other communication media. UK Cloud-based communications systems are certainly within RIPA's ambit, but so are the Royal Mail and every UK mobile phone network. Legislators have sought to ensure that criminals and terrorists cannot hide from detection by merely using one form of communication over another.

Although the types of communication are wide, the power to intercept the content of communications (or the power to access data about the communication) is not provided lightly nor widely. It can only be used in relation to the prevention and detection of acts of terrorism and other national security interests and for the prevention and detection of serious crime and in order to safeguard the economic well-being of the UK. Even within these areas, the powers can only be legitimately deployed when it is necessary and proportionate to do so.
The set of government bodies with the rights to intercept these communications naturally are limited to those with investigation and detection remits over the types of offences listed above. As one might expect, therefore, the security services, police forces, local authorities and others can request the information from the relevant communication service provider.

Despite this narrow set of intercepting bodies, last year, UK authorities issued almost two-thousand intercept warrants, prompted by "growing problems from serious crime and threats to national security". In the same period, UK public authorities as a whole submitted over half-a-million requests for communications data. Whilst nearly two thirds of these requests were for subscriber data (usually in the form of enquiries to determine who owns a mobile phone) there will be some enterprises who see this figure and make the decision that they want to keep their data away from the risks of interception. If they make that decision, after they cancel their phone contracts and disconnect from the Internet, they should remember also to stop sending and receiving letters and parcels too.

Clive Gringras
Head of Technology
T: +44 20 7067 3189
E: clive.gringras@olswang.com

The information contained in this update is intended as a general review of the subjects featured and detailed specialist advice should always be taken before taking or refraining from taking any action.