Let's get this straight: Every cloud provider is obliged to follow the law and respond to court orders -- even Microsoft

Jim Reavis, Co-Founder & Executive Director, Cloud Security Alliance

July 12, 2011

2 Min Read

Sometimes our propensity to find scapegoats and shoot messengers gets the best of us. For that reason, I am not going to call out the name of the poor soul at Microsoft who got flamed for stating something I had believed to be common knowledge, but apparently was not.

You see, Mr. MS-X got into trouble for stating that Microsoft is obliged to obey the law. OK, it is a little more nuanced than that, and the law in question is the U.S. Patriot Act.

The Patriot Act, of course, is the law enacted post-9/11 as a terrorist-fighting tool. Provisions of the law allow authorities in the U.S. to demand information, which can include a broad range of personal communications, as part of an investigation. Proponents claim it updates wiretapping legal processes for today’s digital world, while opponents claim it is a dangerous increase in governmental surveillance of the Internet.

I want to state right now that fighting terrorism is way above my pay grade, and I am not qualified to comment on the act’s effectiveness or whether information gathered under this act has been used unscrupulously. No cloud provider has marketing people insane enough to brand their services as “Patriot Act Compliant,” but in reality they all are -- in the U.S., anyway. If you were bored enough to read privacy policies in your free time, then you would see that any online business collecting personal information reserves the right to give your information to a government that follows the appropriate legal processes, which include subpoenas, warrants, and other instruments of legal investigation.

Mr. MS-X got into hot water for essentially connecting the dots, i.e., admitting that the Patriot Act is one of these laws applicable to an online provider’s privacy policy. What got me inspired enough to actually blog about this event was the fact that news headlines actually implied this was unique to Microsoft and was going hurt its particular cloud services.

So let’s get this straight: Every cloud provider is obliged to follow the law and respond to court orders. A subpoena is a subpoena, and whether it is the Patriot Act in the U.S. or the authorities in any other country, they can and will demand personal information in this way. Whatever your opinion is of the Patriot Act, I don’t think anyone can disagree that there are several countries that have a much more streamlined approach in how their police gather information from online providers. Certainly companies often fight against unreasonable searches and seizures, but unless Microsoft’s worthy competitors all want to announce tomorrow that they give the Patriot Act the middle finger, we should probably give Mr. MS-X a break.

Jim Reavis is the executive director of the Cloud Security Alliance, and president of Reavis Consulting Group.

About the Author(s)

Jim Reavis

Co-Founder & Executive Director, Cloud Security Alliance

Jim Reavis is the President of Reavis Consulting Group LLC, where he advises organizations on how to take advantage of the latest security trends. Jim has served as an international board member of the Information Systems Security Association and was co-founder of the Alliance for Enterprise Security Risk Management.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights