Canadians are cautious about using cloud computing services hosted in the States due to concerns that data stored on U.S. ground becomes subject to the u.s.a. patriot act, but lesser-known Canadian laws also provide sweeping powers to authorities, according to one privacy expert.
The Patriot Act expands law enforcement’s surveillance and investigative powers, which is an issue for Canadians, said David Fraser, partner at McInnes Cooper, a law firm based in Atlantic Canada. “The U.S.A. Patriot Act has become short for, ‘Oh, we can’t use the cloud,’” he said.
Speaking from a Canadian legal perspective on the topic of cloud computing at the Office of the Privacy Commissioner of Canada’s (OPC) 2010 Consumer Privacy Consultations in Calgary, Fraser highlighted common Patriot Act concerns.
National Security Letters are U.S. subpoenas that can require service providers or institutions to hand over information about someone’s transactions without a court order, he said. These letters don’t apply, however, to the substance within an e-mail message, he said.
Another concern is Roving Surveillance, which is a U.S. federal warrant that covers the entire country, said Fraser.
The Foreign Intelligence Surveillance Act (FISA) Court Order is a third concern. These search warrants are issued from a secret court in the U.S. for the contents of communications and are usually coupled with a gag order, he said.
But the Canada Anti-Terrorism Act (ATA), which also became law a few months after the Sept. 11, 2001 terrorist acts, amended a range of federal statutes and is very similar to the Patriot Act in the U.S., he said.
In reality, “most of the provisions of the U.S.A. Patriot Act are mirrored in Canadian law,” said Fraser.
“Canada has a ‘secret court’ that allows ex parte applications for warrants, including ‘sneak and peek’ warrants,” he said. And like the U.S., “Canada has warrant-less wiretap powers for international communications,” he said.
Secret orders from secret courts comprised of specially-designated federal court judges are allowed by the Canadian Security Intelligence Service (CSIS) Act, he said. And with the National Defense Act, a minister (as opposed to a court) can authorize interactions for the purpose of foreign intelligence, he said.
There is also “a significant degree of cooperation between law enforcement/national security agencies on both sides of the border,” said Fraser. “Canadian and U.S. intelligence agencies share vast amounts of information,” he said.
Mutual Legal Assistance Treaties (MLATs) also exist for information sharing related to targets of mutual interest, he said. "Canadian authorities can get information in the U.S. without a warrant and American authorities can get information in Canada without a warrant" and this happens on a daily basis, he said.
“The ATA improves Canada's ability to investigate, detect and prevent terrorist activities at home and abroad,” states the Department of Justice Canada’s Web site, which lists the statutes amended by the ATA.
These statutes include: the Criminal Code, the Security of Information Act, the Canada Evidence Act, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, the Charities Registration (Security Information) Act and the National Defence Act.
In an interview with ComputerWorld Canada, Fraser said he doesn’t think the Patriot Act is understood as well as it should be. “And similarly, I think the Canadian context is not understood at all,” he said.
Anyone involved in decision-making about outsourcing or using cloud computing needs to makes those decisions with all the facts, he said. “The ‘boogey man’ of the U.S.A. Patriot Act has just become an easy excuse to say no,” he said.
“There’s no absolute restriction or absolute privacy in Canada or in the United States when it comes to these sorts of things, so with that in mind, people need to make informed decisions about what they are going to do with their data,” said Fraser.
In certain cases, storing data in the U.S. may be a problem and companies may want to keep their data in Canada or in a server closet in their office, he said. But companies need to define what their concerns are and understand the risks, he said.
“Is your concern law enforcement access or national security access to information? If that’s the case, the risk is almost the same … If your concern is that American authorities may get access to it, well, American authorities can get access to it on either side of the border,” he said.
Frank Work, information and privacy commissioner of the Province of Alberta who also spoke at the OPC-hosted event, said there is “no doubt” that cloud computing will stretch regulatory limits. But the courts are slow to change laws and it will be difficult to protect both users and businesses, he said.
“One has to be careful about how quickly one reacts,” said Work. He highlighted the province of British Columbia, which reacted to the Patriot Act and amended its privacy act in 2004. B.C.’s reaction was “ill advised in the long run,” he said.
“We did a report on outsourcing that said as far as outsourcing goes, for business or government, do what you want to do. Our only hold on you is that whoever has control of the information must be responsible for the information wherever it goes … the outsourcer is the one accountable for the risks,” he said.
Daniel Koffler, chief technology officer at Montreal-based Syntenic Inc., participated in a panel discussion at the OPC event later that day. He said his key concern is the “real lack of strategic discussion” in Canada. “In the U.S., they not only have the largest cloud providers and social networking sites, but they are developing a national cloud strategy,” he said.
There is strategic value in having “pure bred Canadian cloud providers” that fall into Canadian jurisdiction, which would also provide an option that Canadian government and military can use, said Koffler.
Fraser disagrees with those who perceive cloud computing as a radical shift. “In my view, this doesn’t require throwing out the existing rules and supplanting new rules. I think Canadian rules continue to apply,” he said.
When information crosses borders it becomes subject to others laws and simultaneously applies to multiple rules, said Fraser. “But no matter where that information goes, if you are Canadian, Canadian privacy laws will continue to apply,” he said.
Follow me on Twitter @jenniferkavur.