The thousands of documents leaked by whistleblower Edward Snowden have alarmed citizens, governments and businesses alike. But another outcome of his revelations has been widespread confusion.
According to Gavin Jackson, vice president and general manager of cloud services EMEA at virtualisation giant VMware, enterprises are not yet completely aware of the distinction between the powers of the National Security Agency (NSA) and the US Patriot Act.
“Customers are not aware; there is a lot of scaremongering and not a clear distinction between the Patriot Act and NSA. Most customers have got over the Patriot Act because it is mostly for criminal activity and is legislated, whereas the NSA stuff is not something you can legislate to; customers need to be educated that there is a distinction between the two,” he says.
The Patriot Act enables US authorities to seize data if they think it’s in the country’s national security interests to do so.

While according to the Snowden leaks, the NSA has long been monitoring all communications – irrespective of national interests.
“Most of the US Patriot Act has nothing to do with NSA surveillance authority. Furthermore, the Patriot Act provisions that relate to NSA authority do not address much of the NSA’s activities,” Jim Halpert, a partner at law firm DLA Piper, explains.
But Jackson is under no illusion that by building data centres in Europe, VMware will be able to stop the US government from getting hold of data, as it is a US company. However, he does believe it would make it a lot harder for it to do so.
“We will be operating under local legal rules, so it would be much harder for [the US authorities] to ask for it, they need to know what they are looking for. So we can harden ourselves to a degree but as an American company we have to adhere to our federal governors,” he says.
According to Halpert, if the US entity has control over the overseas entity that runs the data centre, then the US can still access the information it wants, but they would first have to get the go-ahead from overseas intelligence agencies.
“As a practical matter, in almost all cases, the request will come through the overseas intelligence agency. In most cases, allied intelligence agencies co-operate actively in investigating terrorism, proliferation of weapons of mass destruction and other top priorities of US intelligence-gathering that form the overwhelming majority of Patriot Act requests,” he says.
But US companies can still put up a fight; last year HP’s privacy officer of EMEA, Daniel Pradelles, told Computing that the firm would try its hardest to hold on to its customers’ data if the US authorities came calling to access it.
“If the company wants to fight the subpoena, it might be able to, based on the foreign statute that precludes the relief of the data. Whether that works or not depends on whether they raise the issue, and what the foreign statute is,” explains Oliver Ireland, a partner at law firm Morrison & Foerster.
“The law is not well-defined, but the Department of Justice’s manual for dealing with these kinds of issues states that they would expect the court to consider the effects of what they call ‘foreign blocking statutes’,” he adds.
So is building data centres in other countries, as VMware intends in France and Germany, just a ploy to gain government approval and customer trust?
“Yes, [you have to ask] if it is going to protect the data from the US government, and you can’t be sure of that,” says Ireland, who is an expert in the US Patriot Act.
But VMware’s Jackson claims it was always the company’s intention to “get as close to the customer as possible”, suggesting that the strategy to build data centres was not borne out of customers being more wary of data privacy since the NSA-Snowden revelations.
Indeed, Ireland says that he has not been approached by end-users who are confused about the difference between the US Patriot Act and the NSA’s oversight.

And that the question he has been asked most frequently, pre- and post-Snowden, has been ‘what [data] can the US government get from us?’.
“We were getting this question a long time before Snowden had been in the news,” states Ireland.
Although that may be the case for Ireland, end-users and governments are likely to be more concerned about their customers’ and citizens’ privacy after the Snowden leaks, while vendors are looking to exploit this by building data centres in selected regions. Enterprises should note that while it is hard to determine how the NSA may be monitoring data, US companies such as VMware will still be subject to the powers of the US Patriot Act, whether their data centre is based in Slough, Munich or Paris.

Leave a Reply