Georgetown Hosts Lawful Access to the Cloud Seminar

By Peter Swire

Posted on March 23, 2012

This post was written by professor Peter Swire and Steven Beale.

On Tuesday, Georgetown’s Law School hosted a Seminar titled “Lawful Access to the Cloud.” The seminar’s panelists grappled with how to find the right balance between civil liberties and legitimate law enforcement needs to access data in the cloud.

The morning’s first panel focused on lawful access to data in the U.S., and the second panel focused on law enforcement access to data in the E.U. Bruce Schwartz, Deputy Assistant Attorney General at the U.S. Justice Department began the day by pushing back at the widespread perception that the U.S. has less protection than the E.U. for data stored in the cloud. In fact, he said, the U.S. has greater protections for electronically stored data than the E.U. The Center for Democracy and Technology’s President and CEO, Leslie Harris, responded that the most important criterion for laws and practices regarding lawful access to data in the cloud is conforming to citizen’s expectations. Harris submitted that most users would be very surprised at the permissiveness of the current legislative structure in the U.S. regarding lawful access to data in the cloud.

Next, Mark Rasch, the Director of Cybersecurity and Privacy Consulting at Cybersecurity and Privacy Consulting (CSC), examined several of the ways that the cloud is different from previous technologies and explained how much of the legal structure regarding lawful access to electronic communication is hopelessly out of date. The final panelist, Fred Cate, Professor of Law and Director of the Center for Applied Cybersecurity Research at Indiana University, talked about how U.S. lawful access statutes need to change more quickly. He also argued that the U.S. government needs to do a much better job being transparent and accountable about lawful access to electronically stored information.

Peter Swire, Senior Fellow at Future of Privacy Forum (FPF) and the C. William O’Neill Professor of Law at the Ohio State University, began the second panel by explaining that the widespread use of encryption has led law enforcement to increasingly rely on accessing data stored in the cloud. Widespread encryption makes it very difficult for law enforcement officials to access encrypted electronic communications as they are being sent, so law enforcement places greater emphasis on accessing the unencrypted, stored communications in the cloud. Swire then gave an overview of UK data protection laws and pointed out that the laws in the UK in many respects are more permissive than U.S. law.

Following Swire, Google’s Richard Salgado talked about the practices his company follows regarding lawful access. Salgado explained that Google’s policies are based on the reasonable privacy expectations of users. Google, he said, works hard to be transparent and, when legal, provides notices to consumers when their data is accessed by law enforcement. Emilio de Capitani, former Head of Unit at the Committee on Citizens’ Freedoms and Rights in the European Parliament, rounded out the day. He gave an overview of E.U. laws governing lawful access and discussed some of the challenges facing E.U. member states as they try to increasingly standardize their policies for lawful access to data.

Throughout the day, several themes emerged time and again. The seminar made it clear that there is a significant amount of uncertainty about the laws and practices of lawful access in both the U.S. and the E.U. Secondly, U.S. laws regarding lawful access are very outdated and need to be updated to take into account the technological changes that have emerged during the last several decades. Finally, many foreign companies and countries believe that U.S. laws regarding lawful access, especially the PATRIOT Act, allow the U.S. government significant access to electronically stored data. Regardless of the validity, this fear is having an adverse effect on the ability of U.S. cloud providers to sell their services overseas.