Ignore Patriot Act cloud ‘scare stories’
25 October 2012 | 0
Fears for security remain stubbornly high on the list of public cloud computing inhibitors for many organisations. Among those security fears, a worry that data stored by US companies would come under the Patriot Act, and so could be accessed by US government agencies without the need for a warrant or notification of the data gatherer.
However, according to new research from analyst IDC, these fears are unfounded.
“Scare stories over the Patriot Act abound, but they are fallacious,” said David Bradshaw, research manager for European public cloud services, IDC. “The Patriot Act is nothing special, indeed data stored in the US is generally better protected than in most European countries, in particular the UK”
Bradshaw points out that almost all countries have similar legislation which gives the authorities a means to requisition data on cloud services, and stored anywhere in their jurisdiction, in order to investigate and prevent acts of terrorism. The issue, says IDC, is ensuring that these powers are used only when absolutely necessary.
IDC says that contrary to popular belief, “all access to cloud data in the US requires a court order,” except in cases of “truly exceptional circumstances” such as imminent danger of loss of life.
However, most European countries are less stringent in their requirements according to IDC, and as a result, data stored in the US is arguably better protected with legal safeguards than data stored in most European countries.
In particular the UK, IDC reports, has weaker legal controls, and this may become a barrier to organisations in other European countries adopting services that store data there.
“Users need to ignore the Patriot Act scare stories,” advises IDC. “Most large organisations will already be using services, such as outsourcing, where their data is stored on a service vendor’s system.” Adopting cloud services brings nothing new to these customers, the analyst argues, and with many cloud vendors storing data in the US, data is arguably more stringently protected.
For smaller organisations, cloud services should primarily be evaluated on the business value they bring, the analyst advises. Data location is a far smaller consideration, and should not be a big concern for the vast majority of users.