Cloud
7/12/2011
09:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%
Repost This

Have You Heard Of The Patriot Act?

Let's get this straight: Every cloud provider is obliged to follow the law and respond to court orders -- even Microsoft

Sometimes our propensity to find scapegoats and shoot messengers gets the best of us. For that reason, I am not going to call out the name of the poor soul at Microsoft who got flamed for stating something I had believed to be common knowledge, but apparently was not.

You see, Mr. MS-X got into trouble for stating that Microsoft is obliged to obey the law. OK, it is a little more nuanced than that, and the law in question is the U.S. Patriot Act.

The Patriot Act, of course, is the law enacted post-9/11 as a terrorist-fighting tool. Provisions of the law allow authorities in the U.S. to demand information, which can include a broad range of personal communications, as part of an investigation. Proponents claim it updates wiretapping legal processes for today’s digital world, while opponents claim it is a dangerous increase in governmental surveillance of the Internet.

I want to state right now that fighting terrorism is way above my pay grade, and I am not qualified to comment on the act’s effectiveness or whether information gathered under this act has been used unscrupulously. No cloud provider has marketing people insane enough to brand their services as “Patriot Act Compliant,” but in reality they all are -- in the U.S., anyway. If you were bored enough to read privacy policies in your free time, then you would see that any online business collecting personal information reserves the right to give your information to a government that follows the appropriate legal processes, which include subpoenas, warrants, and other instruments of legal investigation.

Mr. MS-X got into hot water for essentially connecting the dots, i.e., admitting that the Patriot Act is one of these laws applicable to an online provider’s privacy policy. What got me inspired enough to actually blog about this event was the fact that news headlines actually implied this was unique to Microsoft and was going hurt its particular cloud services.

So let’s get this straight: Every cloud provider is obliged to follow the law and respond to court orders. A subpoena is a subpoena, and whether it is the Patriot Act in the U.S. or the authorities in any other country, they can and will demand personal information in this way. Whatever your opinion is of the Patriot Act, I don’t think anyone can disagree that there are several countries that have a much more streamlined approach in how their police gather information from online providers. Certainly companies often fight against unreasonable searches and seizures, but unless Microsoft’s worthy competitors all want to announce tomorrow that they give the Patriot Act the middle finger, we should probably give Mr. MS-X a break.

Jim Reavis is the executive director of the Cloud Security Alliance, and president of Reavis Consulting Group.

Jim Reavis is the President of Reavis Consulting Group LLC, where he advises organizations on how to take advantage of the latest security trends. Jim has served as an international board member of the Information Systems Security Association and was co-founder of the ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-0460
Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993
Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180
Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089
Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192
Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web