Security and Privacy in Lawful Government Access

Government access to private and commercially sensitive data remains a contentious issue in countries around the world. On one hand, governments have law enforcement and national security responsibilities that may require them to seek information on individuals and entities of concern. Because the cloud aggregates large amounts of personal, confidential, and proprietary information, it has become a target for government access requests, particularly in support of law enforcement activities.[1] Yet broad authorities to access this information could be abused for political and other purposes. Moreover, excessive use of such authorities risks undermining customers’ confidence in the cloud as a global operating environment. As governments seek access to cloud-hosted data, they must weigh the security benefits of their actions against the potential privacy costs.

Key Considerations

  • Differing definitions of “access.” Around the world, domestic laws[2] provide different and potentially conflicting definitions of lawful access, including its degree, duration, and process, and the roles of cloud providers and their customers in facilitating that access.[3] As a result, there is no consistent and fair balance between privacy rights and law enforcement needs across countries. Moreover, the issue is politically charged within and among countries, so that balance fluctuates as stakeholder interests change.
  • Threat of access undermines trust. The threat of unfettered government access to cloud-hosted data may undermine customers’ and other governments’ trust in those services, even if the threat never materializes.[4]
  • Recipients of access requests. It is more efficient for government agencies to request data on a range of targets from a single cloud provider than to send individual requests to many enterprise customers for the same data. The potential for efficient access to vast amounts of sensitive data generates anxiety about its implications for civil liberties and the potential for abuse.[5]
  • Barriers to disclosing access requests and seeking redress. Providers are not presently required to inform customers about government requests for their data (unless a contract stipulates it), but they sometimes voluntarily disclose this information privately to enterprise customers[6] and in anonymized transparency reports.[7] Governments may impose gag or secrecy orders on providers to prevent disclosure of access requests, so customers never learn of government attempts to access their private data.[8] Additionally, in less democratic regimes, providers (and their customers) might lack an independent and transparent domestic process for challenging government access requests.
  • Access can create security vulnerabilities. Some forms of sustained government access can create security vulnerabilities,[9] for instance when access is achieved by undermining privacy- and security-enhancing mechanisms (for example, by creating back doors or otherwise weakening encryption).
  • Balancing the need to remain a competitive market for providers. In crafting lawful access policies, governments must balance their security responsibilities against the risk that unfettered government access could deter cloud providers from offering services to their populations. This could limit the population’s choices to only those providers willing to comply with the government’s policy, or potentially deny them the cloud’s economic and social benefits altogether.

Stakeholder Perspectives

  • Governments: Seek timely access to cloud-hosted data and services, potentially both at rest and in transit.
  • Governments: Interested in restricting foreign governments’ access to cloud services and cloud-hosted data.
  • Governments: Express varying degrees of interest in ensuring that arrangements to grant them access to the cloud do not excessively compromise individual privacy and commercial confidentiality.
  • Cloud Providers: Eager to minimize the scope, duration, and rationales for government access to cloud systems and data.
  • Cloud Providers: Aim to comply in a timely fashion with legal requests from the government.
  • Cloud Providers: Seek to retain the ability to challenge the legality of government requests.
  • Cloud Providers: Wish to maintain customer trust by demonstrating a cautious approach to fulfilling government access requests and offering transparency into how such requests are fulfilled.
  • Cloud Providers: Want to navigate the different (and potentially irreconcilable) legal obligations that may exist across their domestic and foreign operations.
  • Enterprise Customers: Wish to be informed of, and have the ability to challenge, government access requests or other demands pertaining to their cloud services.
  • Enterprise Customers: Wish to retain the ability to move and keep data where they want it, securely and privately.
  • Enterprise Customers: Wish to use cloud services that neither undermine nor excessively impede government investigative and law enforcement functions.[10]

Tensions With Other Cloud Governance Issues

  • Privacy Protections: Recognizing the cross-border nature of cloud-hosted data, national policies on what constitutes lawful government access to cloud services and data may grant governments access to data physically located outside of their jurisdictions, potentially implicating the privacy of customers abroad.
  • Restricting Exports of Cloud Services to Human Rights Violators: Although governments often seek access for themselves, they may seek to deny such access to other governments whom they suspect will exploit cloud services and cloud-hosted data to encroach on human and civil rights. As a result, some governments may restrict exports to nations with expansive government access authorities.
  • Localization and Routing Requirements: Permissive government access authorities may be used as justification for others to impose data localization requirements and routing restrictions, impairing the free flow of data across jurisdictions.

Potential Ways Ahead

  • Governments: Wherever possible, direct access requests to customers rather than to cloud providers.
  • Governments: Allow cloud providers to notify enterprise customers in advance of government access to their data, other than in exceptional circumstances, for example by limiting the use of secrecy orders.[11]
  • Governments: Mandate scoping, oversight, and transparency for government access requests (including requests received from foreign governments).
  • Governments: Work with foreign governments to establish international agreements and mechanisms to resolve conflicts of laws and to ensure that foreign government access to data does not impinge on the privacy of citizens, national security, or defense.[12]
  • Cloud Providers: Inform enterprise customers of government access requests in every circumstance permitted by law.[13]
  • Cloud Providers: Publish, on a regular basis, transparency reports detailing aggregate statistics on government access requests (including requests received from foreign governments).[14] (Shared with Enterprise Customers.)
  • Cloud Providers: Develop industry standards for challenging and, where appropriate, rejecting overbroad government access requests (for example, requests for unfettered access, encryption keys, or the ability to break encryption). (Shared with Enterprise Customers.)
  • Cloud Providers: Dissuade government access requests that do not meet agreed-upon criteria (such as requests for unfettered access, encryption keys, or the ability to break encryption) and challenge these requests through legal action and public relations.
  • Enterprise Customers: Publish, on a regular basis, transparency reports detailing aggregate statistics on government access requests (including requests received from foreign governments).[15] (Shared with Cloud Providers.)
  • Enterprise Customers: Develop industry standards for challenging overbroad government access requests (for example, requests for unfettered access, encryption keys, or the ability to break encryption). (Shared with Cloud Providers.)

Notes

[1] See: Microsoft, “Law Enforcement Requests Report,” Microsoft, 2021, https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report.

[2] See: Ju (Lindsay) Zhu, “China Passes New Data Privacy and Security Laws,” The National Law Review, August 23, 2021, https://www.natlawreview.com/article/china-passes-new-data-privacy-and-security-laws.

[3] In the case of enterprise cloud deployments, cloud providers may redirect access requests to the owners of the data, the enterprise customers themselves.

[4] A similar effect has been observed in the past. For example, Edward Snowden’s revelations about U.S. National Security Agency surveillance programs damaged customer trust in U.S. technology companies and their products, both domestically and globally. See: The New York Times, “Revelations of N.S.A. Spying Cost U.S. Tech Companies,” The New York Times, March 21, 2014, https://www.nytimes.com/2014/03/22/business/fallout-from-snowden-hurting-bottom-line-of-tech-companies.html.

[5] Mechanisms for data storage and backup in the cloud further enhance the appeal of the cloud as a repository of data, allowing requesters to bypass the restrictions and difficulties of accessing the same data elsewhere. See: Trusted Cloud Principles, “Principles,” Trusted Cloud Principles, 2021, https://trustedcloudprinciples.com/principles/.

[6] See: Microsoft, “About our practices and your data: Q: Does Microsoft notify its enterprise customers when law enforcement or another governmental entity requests their data?” Microsoft (Blog), n.d., https://blogs.microsoft.com/datalaw/our-practices/#does-microsoft-notify-enterprise-customers.

[7] See: Microsoft, “Law Enforcement Requests Report,” Microsoft, 2021, https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report.

[8] Even when gag orders are not in place, providers may still fail to disclose government access requests to their customers.

[9] See: “Open Letter to GCHQ,” Coalition of civil society organizations, technology companies, trade associations, and security and policy experts, May 22, 2019, https://newamericadotorg.s3.amazonaws.com/documents/Coalition_Letter_to_GCHQ_on_Ghost_Proposal_-_May_22_2019.pdf.

[10] Customers in any given jurisdiction are also citizens or residents, and thus have an interest in not using cloud services or providers that undermine or excessively impede government access to the point where traditional security threats and other undesirable outcomes (such as the proliferation of terrorism-related material or CSAM) abound.

[11] See: Jay Greene and Drew Harwell, “When the FBI seizes your messages from Big Tech, you may not know it for years,” The Washington Post, September 25, 2021, https://www.washingtonpost.com/technology/2021/09/25/tech-subpoena-secrecy-fight/.

[12] See: U.S. Department of Justice, “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act,” U.S. Department of Justice, April 2019, https://www.justice.gov/opa/press-release/file/1153446/download.

[13] See: Trusted Cloud Principles, “Principles,” Trusted Cloud Principles, 2021, https://trustedcloudprinciples.com/principles/.

[14] Many cloud providers already produce information request reports on a voluntary basis, as part of their corporate social responsibility commitments. See: IBM, “IBM 1H 2021 Law Enforcement Requests Transparency Report,” IBM, 2021, https://www.ibm.com/downloads/cas/DAGAKDJG; and Microsoft, “Law Enforcement Requests Report,” Microsoft, 2021, https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report.

[15] Many enterprise customers already produce information request reports on a voluntary basis, as part of their corporate social responsibility commitments. See: Twitter, “Information Requests,” Twitter Transparency Center, 2021, https://transparency.twitter.com/en/reports/information-requests.html#2020-jul-dec.