Business users have nothing to fear from FISAAA, it's claimed

News Jane McCallion Jan 30, 2013
Digital spying eye
Digital spying eye

Privacy campaigner highlights virtually unknown US legislation, but cloud watchers claim it's nothing to worry about

A little known piece of US legislation could give US authorities the right to access EU data stored on American clouds.

The allegations were made by Caspar Bowden, former chief privacy adviser to Microsoft turned independent advocate for information rights, at the CDCP conference in Brussels.

The controversy centres on the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008 (FISAAA), which Bowden claims gives US authorities powers to collect data from any non-US citizen stored on a US cloud, such as Google or Amazon, without a warrant.

“It intentionally targets only non-US persons located outside the US and provides for a blanket authorisation to this for one year at a time. There is no individual warrantry,” Bowden told delegates.

Frank Jennings, a partner at lawyers DMH Stallard, told Cloud Pro that businesses should not worry too much about the implications of FISAAA.

“US legislation appears to come in for particular criticism since a lot of the cloud sector is based in the US," he said.

“[However], the US government is unlikely to want to get access to data of the average business and will more likely target those engaging in activities which are unlawful or which are potentially against US interests, such as activist, protest or political groups,” said Jennings.

Businesses that are still worried should consider keeping their critical data on-premise or moving to a non-US public cloud, Jennings suggested.

Phil Wainewright, vice president of Eurocloud, suggested FISAAA was largely unknown as it originally targeted telephone and email communications, and its extension to cloud has not been tested in the courts.

“It is important for people to be aware that governments often have these powers ... [but] in most cases the potential for harm [to their business] is negligible.

If people believe the law poses a risk to their business or to their personal freedoms then they must carefully assess which jurisdictions their cloud providers are governed by,” Wainewright told Cloud Pro.