Cloud
7/12/2011
09:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%
Repost This

Have You Heard Of The Patriot Act?

Let's get this straight: Every cloud provider is obliged to follow the law and respond to court orders -- even Microsoft

Sometimes our propensity to find scapegoats and shoot messengers gets the best of us. For that reason, I am not going to call out the name of the poor soul at Microsoft who got flamed for stating something I had believed to be common knowledge, but apparently was not.

You see, Mr. MS-X got into trouble for stating that Microsoft is obliged to obey the law. OK, it is a little more nuanced than that, and the law in question is the U.S. Patriot Act.

The Patriot Act, of course, is the law enacted post-9/11 as a terrorist-fighting tool. Provisions of the law allow authorities in the U.S. to demand information, which can include a broad range of personal communications, as part of an investigation. Proponents claim it updates wiretapping legal processes for today’s digital world, while opponents claim it is a dangerous increase in governmental surveillance of the Internet.

I want to state right now that fighting terrorism is way above my pay grade, and I am not qualified to comment on the act’s effectiveness or whether information gathered under this act has been used unscrupulously. No cloud provider has marketing people insane enough to brand their services as “Patriot Act Compliant,” but in reality they all are -- in the U.S., anyway. If you were bored enough to read privacy policies in your free time, then you would see that any online business collecting personal information reserves the right to give your information to a government that follows the appropriate legal processes, which include subpoenas, warrants, and other instruments of legal investigation.

Mr. MS-X got into hot water for essentially connecting the dots, i.e., admitting that the Patriot Act is one of these laws applicable to an online provider’s privacy policy. What got me inspired enough to actually blog about this event was the fact that news headlines actually implied this was unique to Microsoft and was going hurt its particular cloud services.

So let’s get this straight: Every cloud provider is obliged to follow the law and respond to court orders. A subpoena is a subpoena, and whether it is the Patriot Act in the U.S. or the authorities in any other country, they can and will demand personal information in this way. Whatever your opinion is of the Patriot Act, I don’t think anyone can disagree that there are several countries that have a much more streamlined approach in how their police gather information from online providers. Certainly companies often fight against unreasonable searches and seizures, but unless Microsoft’s worthy competitors all want to announce tomorrow that they give the Patriot Act the middle finger, we should probably give Mr. MS-X a break.

Jim Reavis is the executive director of the Cloud Security Alliance, and president of Reavis Consulting Group.

Jim Reavis is the President of Reavis Consulting Group LLC, where he advises organizations on how to take advantage of the latest security trends. Jim has served as an international board member of the Information Systems Security Association and was co-founder of the ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web