Canadians are cautious about using cloud computing services hosted in the United States due to concerns that data stored there becomes subject to the U.S.A. Patriot Act. But lesser-known Canadian laws also provide sweeping powers to authorities, according to one privacy expert.
The Patriot Act expands law enforcement’s surveillance and investigative powers, which is an issue for Canadians, said David Fraser, partner at McInnes Cooper, a law firm based in Atlantic Canada. “The U.S.A. Patriot Act has become short for, ‘Oh, we can’t use the cloud,’” he said.
Speaking from a Canadian legal perspective on the topic of cloud computing at the Office of the Privacy Commissioner of Canada’s (OPC) 2010 Consumer Privacy Consultations in Calgary, Fraser highlighted common Patriot Act concerns.
National Security Letters are U.S. subpoenas that can require service providers or institutions to hand over information about someone’s transactions without a court order, he said. These letters don’t apply, however, to the substance within an e-mail message, he said.
Another concern is Roving Surveillance, which is a U.S. federal warrant that covers the entire country, said Fraser.
The Foreign Intelligence Surveillance Act (FISA) Court Order is a third concern. These search warrants are issued from a secret court in the U.S. for the contents of communications and are usually coupled with a gag order, he said.
But the Canada Anti-Terrorism Act (ATA), which also became law a few months after the Sept. 11, 2001 terrorist acts, amended a range of federal statutes and is very similar to the Patriot Act in the U.S., he said.
In reality, “most of the provisions of the U.S.A. Patriot Act are mirrored in Canadian law,” said Fraser.
“Canada has a ‘secret court’ that allows ex parte applications for warrants, including ‘sneak and peek’ warrants,” he said. And like the U.S., “Canada has warrant-less wiretap powers for international communications,” he said.
Secret orders from secret courts comprised of specially-designated federal court judges are allowed by the Canadian Security Intelligence Service (CSIS) Act, he said. And with the National Defence Act, a minister (as opposed to a court) can authorize interactions for the purpose of foreign intelligence, he said.
There is also “a significant degree of co-operation between law enforcement/national security agencies on both sides of the border,” said Fraser. “Canadian and U.S. intelligence agencies share vast amounts of information,” he said.
Mutual Legal Assistance Treaties (MLATs) also exist for information sharing related to targets of mutual interest, he said. “Canadian authorities can get information in the U.S. without a warrant and American authorities can get information in Canada without a warrant” and this happens on a daily basis, he said.
“The ATA improves Canada’s ability to investigate, detect and prevent terrorist activities at home and abroad,” states the Department of Justice Canada’s Web site, which lists the statutes amended by the ATA.
These statutes include: the Criminal Code, the Security of Information Act, the Canada Evidence Act, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, the Charities Registration (Security Information) Act and the National Defence Act.
In an interview with ComputerWorld Canada, Fraser said he doesn’t think the Patriot Act is understood as well as it should be. “And similarly, I think the Canadian context is not understood at all,” he said.
Anyone involved in decision-making about outsourcing or using cloud computing needs to make those decisions with all the facts, he said. “The ‘boogey man’ of the U.S.A. Patriot Act has just become an easy excuse to say no,” he said.
“There’s no absolute restriction or absolute privacy in Canada or in the United States when it comes to these sorts of things, so with that in mind, people need to make informed decisions about what they are going to do with their data,” said Fraser.
In certain cases, storing data in the U.S. may be a problem and companies may want to keep their data in Canada or in a server closet in their office, he said. But companies need to define what their concerns are and understand the risks, he said.
“Is your concern law enforcement access or national security access to information? If that’s the case, the risk is almost the same … If your concern is that American authorities may get access to it, well, American authorities can get access to it on either side of the border,” he said.
Frank Work, information and privacy commissioner of the Province of Alberta, who also spoke at the OPC-hosted event, said there is “no doubt” that cloud computing will stretch regulatory limits. But the courts are slow to change laws and it will be difficult to protect both users and businesses, he said.
“One has to be careful about how quickly one reacts,” said Work. He highlighted the province of British Columbia, which reacted to the Patriot Act and amended its privacy act in 2004. B.C.’s reaction was “ill advised in the long run,” he said.
“We did a report on outsourcing that said as far as outsourcing goes, for business or government, do what you want to do. Our only hold on you is that whoever has control of the information must be responsible for the information wherever it goes … the outsourcer is the one accountable for the risks,” he said.
Daniel Koffler, chief technology officer at Montreal-based Syntenic Inc., participated in a panel discussion at the OPC event later that day. He said his key concern is the “real lack of strategic discussion” in Canada. “In the U.S., they not only have the largest cloud providers and social networking sites, but they are developing a national cloud strategy,” he said.
There is strategic value in having “pure bred Canadian cloud providers” that fall into Canadian jurisdiction, which would also provide an option that Canadian government and military can use, said Koffler.
Fraser disagrees with those who perceive cloud computing as a radical shift. “In my view, this doesn’t require throwing out the existing rules and supplanting new rules. I think Canadian rules continue to apply,” he said.
When information crosses borders it becomes subject to others’ laws and simultaneously applies to multiple rules, said Fraser. “But no matter where that information goes, if you are Canadian, Canadian privacy laws will continue to apply,” he said.
Follow me on Twitter @jenniferkavur.