Sunday, February 26, 2012

Microsoft Azure is part of the Safe Harbor Act

The U.S. and European Union (EU) have vastly differing views of what privacy is. In the U.S., the companies that collect the information own the information. In the EU, individuals own the information collected about them by companies like Facebook or Google. Microsoft says Azure supports the Safe Harbor Act, which acts as a bridge between the differing views on privacy, but what do we need to know?

The Safe Harbor is designed to protect the privacy of individuals by regulating the manner in which personal data is processed, including collection, storage, etc. A high-level overview of the Safe Harbor principles is as follows:

  • Notice – Organizations must inform individuals as to the purposes for which information about them is being collected and used, and the types of third parties to whom the organization may disclose information. Individuals must be informed how they can contact the organization with inquiries or complaints, as well as the choices they have with respect to limiting the use and disclosure of information about them.
  • Choice – Individuals must be provided the opportunity to “opt out” of allowing their information to be disclosed to a third party or to be used for a purpose incompatible with the purpose for which it was originally collected.
  • Safe Harbor Sensitive Information Principle – For sensitive personal information, such as that specifying medical conditions, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation, individuals must explicitly “opt in” before such information can be disclosed to a third party or be used in a manner other than for which it was originally collected.
  • Onward Transfer – Prior to disclosing information to a third party, the organization must ensure that the third party provides the same level of privacy protection as required by the safe harbor principles. Having done this, the organization will not be held responsible should the third party process the data in a manner contrary to the safe harbor privacy principles.
  • Security – Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
  • Data Integrity – Organizations must take reasonable steps to ensure that data is accurate, complete, current, relevant, and reliable for its intended use.
  • Access – Organizations must provide individuals with access to personal information collected about them. Individuals must be allowed to correct, amend, or delete such information if it is inaccurate. Exceptions to this principle may be allowed where the burden or expense of providing such access is considered disproportionate to the risks to the individual’s privacy.
  • Enforcement – Organizations must define procedures and mechanisms for assuring compliance with the principles. These mechanisms must also include a means by which complaints and disputes raised will be investigated and resolved, and obligations whereby sanctions will be applied should the organization fail to be compliant. 

Another important fact to consider is that storing our data in a foreign country does not put it outside the reach of U.S. law. The USA PATRIOT Act can give our government access to data stored outside the U.S.
Plus, we now add state privacy laws from California, New York, and Massachusetts. Massachusetts has new regulations that went into effect on March 1, 2010. Significantly, the new regulations are not restricted to companies that are located or operate in Massachusetts. Instead, they apply to businesses located anywhere in the United States that store or maintain “personal information” about a Massachusetts resident. In effect, this means any data on Massachusetts residents, no matter where the data is stored, is subject to Massachusetts privacy laws.

Encryption equals Privacy???

Does the Fourth Amendment provide us protection if we encrypt our communications? Good question; the answer is still being ironed out in court cases at both the state and federal levels. Furthermore, to keep matters in the dark, some court findings are based on the facts of a specific case, so we can’t generalize them into a single ruling that applies across the board.

Orin Kerr, a Law Professor at George Washington University Law School, believes that the Fourth Amendment does not offer us any protection for encrypted data. He argues “that the Fourth Amendment regulates government access to communications, not the cognitive understanding of communications already obtained.” Mr. Kerr bases his argument on previous case law in which the court upheld the government’s effort to patch together 5/32-inch strips of paper to obtain information for its case. Further, the FBI has translated conversations into English, and law enforcement has undeleted files stored on a computer. All of these actions have been upheld by courts as permissible and did not afford the defendants any level of privacy. His point is that the “Fourth Amendment does not protect the individual if the government decides to devote its resources to decrypting the communications and manages to succeed.”

We in IT view encryption through a lock-and-key metaphor. In Kerr’s opinion, the lock only makes the communication inaccessible by making it incomprehensible, similar to Arabic text or a physician’s handwriting. We may look at Arabic text the same way we look at text encrypted with PGP.

Ok, but can the court make us give them the password/key to decrypt our data? Again, the answer is maybe. Currently there are no model court cases that provide clarity. We have cases where the court has held a defendant in civil contempt and ordered him to divulge the password, and cases where the defendant’s Fifth Amendment privilege against self-incrimination has been upheld.

Use encryption to protect information against hackers, but encryption may not give you any privacy in court.

Stored Communications Act

In our discussion on data stored in the cloud we need to understand the laws and regulations governing our data. Unfortunately, this area of privacy, with its federal, state and industry regulations, is not unified under one encompassing umbrella. In fact, it is a broken mosaic of federal and state laws competing against each other. In this blog post I will look at the Stored Communications Act (SCA), which is part of the Electronic Communications Privacy Act (ECPA), and how it relates to our Fourth Amendment rights.

A federal statute known as the Stored Communications Act governs the privacy of stored Internet communications. The SCA was enacted in 1986 as part of the Electronic Communications Privacy Act.

We need to start with the Fourth Amendment and see why the architecture of the Internet raises puzzling issues for the scope of Fourth Amendment protection. The Fourth Amendment offers strong privacy protections for our homes; it reads, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

The Fourth Amendment protection is extended to luggage, briefcases, backpacks, purses, opaque bags, and lockers. The important point here is these are all physical objects.

The privacy protection given above is not extended to the Internet. The Internet does not give us a physical “home”, nor really any private space at all. Although we may think of storage space on the Internet as a “virtual home”, in fact our “virtual home” is just a block of ones and zeroes stored somewhere on somebody else’s computer.

The reasons why privacy protections do not apply to our “virtual homes” in cyberspace are threefold.

  1. The Supreme Court has held that the Fourth Amendment does not protect information revealed to third parties. This is important: we in IT do not view HTTP/TCP traffic as being revealed to third parties, but the courts have upheld this view in more than one case. This is the biggest obstacle to applying Fourth Amendment rights to the Internet.
  2. The Fourth Amendment rules governing grand jury subpoenas offer a second reason why the Fourth Amendment has weak privacy protection online.
  3. The third reason the Fourth Amendment generally offers weak privacy protection online is that most ISPs are private actors.

The SCA tries to fix these issues and help provide privacy, but we need to understand some of the basic provisions in the SCA. The SCA distinguishes between two kinds of computer service providers. However, these distinctions are not vital to understanding the SCA today, since most computer service providers have blurred the lines between the two by providing cross-over services.

The first thing we need to understand is that the SCA does not provide any privacy protection for “basic subscriber information” (session logs, IP addresses, etc.).

The second thing is the privacy of content. This is very frustrating to learn at first, but it is the current law. With the SCA, our takeaways need to be the following.

  • Unretrieved/unopened communications, including email and voice mail (in electronic storage for 180 days or less): the provider is allowed to voluntarily disclose them to law enforcement or the government.
  • Opened communications, including email and voice mail (in electronic storage for more than 180 days): the provider is allowed to voluntarily disclose them to law enforcement or the government.
  • Other content (including database records, images, music files, etc.) being stored or processed: the provider is allowed to voluntarily disclose it to law enforcement or the government.