Cloud
7/12/2011
09:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Have You Heard Of The Patriot Act?

Let's get this straight: Every cloud provider is obliged to follow the law and respond to court orders -- even Microsoft

Sometimes our propensity to find scapegoats and shoot messengers gets the best of us. For that reason, I am not going to call out the name of the poor soul at Microsoft who got flamed for stating something I had believed to be common knowledge, but apparently was not.

You see, Mr. MS-X got into trouble for stating that Microsoft is obliged to obey the law. OK, it is a little more nuanced than that, and the law in question is the U.S. Patriot Act.

The Patriot Act, of course, is the law enacted post-9/11 as a terrorist-fighting tool. Provisions of the law allow authorities in the U.S. to demand information, which can include a broad range of personal communications, as part of an investigation. Proponents claim it updates wiretapping legal processes for today’s digital world, while opponents claim it is a dangerous increase in governmental surveillance of the Internet.

I want to state right now that fighting terrorism is way above my pay grade, and I am not qualified to comment on the act’s effectiveness or whether information gathered under this act has been used unscrupulously. No cloud provider has marketing people insane enough to brand their services as “Patriot Act Compliant,” but in reality they all are -- in the U.S., anyway. If you were bored enough to read privacy policies in your free time, then you would see that any online business collecting personal information reserves the right to give your information to a government that follows the appropriate legal processes, which include subpoenas, warrants, and other instruments of legal investigation.

Mr. MS-X got into hot water for essentially connecting the dots, i.e., admitting that the Patriot Act is one of these laws applicable to an online provider’s privacy policy. What got me inspired enough to actually blog about this event was the fact that news headlines actually implied this was unique to Microsoft and was going hurt its particular cloud services.

So let’s get this straight: Every cloud provider is obliged to follow the law and respond to court orders. A subpoena is a subpoena, and whether it is the Patriot Act in the U.S. or the authorities in any other country, they can and will demand personal information in this way. Whatever your opinion is of the Patriot Act, I don’t think anyone can disagree that there are several countries that have a much more streamlined approach in how their police gather information from online providers. Certainly companies often fight against unreasonable searches and seizures, but unless Microsoft’s worthy competitors all want to announce tomorrow that they give the Patriot Act the middle finger, we should probably give Mr. MS-X a break.

Jim Reavis is the executive director of the Cloud Security Alliance, and president of Reavis Consulting Group.

Jim Reavis is the President of Reavis Consulting Group LLC, where he advises organizations on how to take advantage of the latest security trends. Jim has served as an international board member of the Information Systems Security Association and was co-founder of the ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

CVE-2014-0897
Published: 2014-08-29
The Configuration Patterns component in IBM Flex System Manager (FSM) 1.2.0.x, 1.2.1.x, 1.3.0.x, and 1.3.1.x uses a weak algorithm in an encryption step during Chassis Management Module (CMM) account creation, which makes it easier for remote authenticated users to defeat cryptographic protection me...

CVE-2014-3024
Published: 2014-08-29
Cross-site request forgery (CSRF) vulnerability in IBM Maximo Asset Management 7.1 through 7.1.1.12 and 7.5 through 7.5.0.6 and Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk allows remote authenticated users to hijack the authentication of arbitr...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.