Security Experts:

Connect with us

Hi, what are you looking for?



Patriot Act and Cloud Privacy: Notes from Europe

I love how Europeans pronounce my name. Gant sounds like Gawnt and rhymes with jaunt. In America, people say Gant, like Ant. Not so dashing.

I love how Europeans pronounce my name. Gant sounds like Gawnt and rhymes with jaunt. In America, people say Gant, like Ant. Not so dashing.

So speaking at the European Association of Corporate Counsel conference in Barcelona last month where attorneys from major European corporations pronounced Gant the European way was quite the treat. What was not music to my ears was concern I heard from European counsel over US companies that host information in the US. These folks often cited the USA Patriot Act of 2001 as the boogieman that would leave their information free for plunder by the dark and clandestine US Government. But are their concerns well founded?

A great place to start is with the Patriot Act itself. We all have a sense of what it is; something that lets the US Government take the gloves off when it comes to terrorism. That’s a good start, but there are 132-pages to the monster and it covers a lot of territory. It begins by condemning discrimination against Arab and Muslim Americans. Then it amends a lot of other laws so more modern electronic communications are available that law enforcement can use to tap. A huge part of the Act is focused on international money laundering and terrorist financing. There are provisions to harden US borders and to provide assistance to the families and victims of terrorism. Criminal laws against terrorism are stiffened and sharing of intelligence within the government is called for. And a lot of money is allocated to make it all happen.

So what’s the part that gets non-US folks in a twist? That would be section 215 that amends the Foreign Intelligence Surveillance Act of 1978. It says the Director of the FBI can ask a special court for an order to see records to protect against terrorists and spies, provided first amendment rights aren’t violated. Next comes the part I think my European colleagues are most concerned about: Pursuant to that court order, the recipient can’t tell the owner of the info about the disclosure and it offers immunity for those who doing the disclosing.

Fair enough. Sounds like if someone really senior at the FBI needs to go to court for an order, they can present that order to a company, and the company can’t tell the data owner about it. Lack of notice is a bit troubling on its face, but let’s compare this process to how governmental searches happen in other countries.

The truth is that, generally, authorities in all countries may require a data host to disclose customer data in the course of a governmental investigation without notice to the data owner. Investigation without notice to the subject is neither novel nor unique to the Patriot Act. What is unique to the Patriot Act compared to most other countries is the need for a court order. Most other countries allow their government authorities to go directly to the data host with administrative orders to produce data. That’s a lower bar to disclosure.

European marketers have made Europeans fearful to put their data in the US. But do you really think the physical location of data matters? The US and other countries have two primary ways to get at data not stored in their country. The first is simple jurisdiction based on a legal presence. Most authorities will claim jurisdiction over data outside of the country as long as the company has an office in that country. So you can be a UK company with a US office and the US can still get to data stored in the UK or a third country. The exceptions to this are Germany and Japan, which limit discovery to in-country data except non-content data from telcos in Germany and only with cooperation from the other country in Japan.

Speaking of cooperation, the second way for authorities to get at data out of the country is via Multi National Legal Assistance Treaties or MLATs. These treaties allow authorities in each country to request and receive information located in the other’s jurisdiction (including information stored in third-party facilities). So if the US or UK authorities need information from one another regarding a criminal activity, that information will be made available.

The Patriot Act is no different than the laws of many other countries and actually offers more protections than in many of those countries. In addition, the US and other countries have other options when it comes to getting at data through simple jurisdiction and MLATs. The Patriot Act was created to prevent terrorism, not to be twisted into a fear based marketing tool.

I hope I have removed the clandestine mystique from the Patriot Act and calmed fears of those with data hosted in the US. Now if only I could get Americans to pronounce my name like those Europeans.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Application Security

Less than a week after patching critical security defects affecting multiple enterprise-facing products, VMware is warning that one of the flaws is being exploited...


U.S. fighter jets successfully shot down the high altitude spy balloon launched by and belonging to China.


Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.