Disclosures of the National Security Agency’s digital surveillance programs, such as PRISM, by former NSA contractor Edward Snowden have already damaged the business of US companies providing services on the Internet, and these companies have to know the fundamental laws that govern access to the data they store before more damage can be done, David Snead, attorney and co-founder of the Internet Infrastructure Coalition, said.
Snead delivered a presentation on legal matters that concern data center operators and service providers when it comes to providing the US government access to data at the Data Center World conference in Las Vegas, Nev., on Tuesday. His coalition, also referred to as the i2Coalition, describes itself as an organization that supports builders of “the nuts and bolts of the Internet.”
Most Internet traffic travels between the US and Europe regardless of its origin or destination because of the way the network has developed. Because US infrastructure is so central to all of the world’s traffic, NSA surveillance disclosures and US regulations have a big impact on the global Internet.
Impact of PRISM Disclosures
The PRISM disclosures have already done a lot of damage. Fifty-six percent of respondents to a post-Snowden Cloud Security Alliance survey said they were less likely to use US providers.
The Alliance estimated potential losses to be between $21.5 billion and $35 billion.
Two Acts Everyone Needs to Know
Snead said there were two US laws that were fundamental to understanding the government’s rights to access data.
The first one is the Communications Decency Act, which underpins the US communications infrastructure. “If there’s one statute to know, it’s this one,” he said.
The act takes the responsibility for data and communications taking place on servers away from the operator of the data center housing those servers. Snead and the i2Coalition believe this is a bedrock statute, and they spend a lot of time defending it.
The second law is the 10-year-old Electronic Communications Privacy Act (ECPA), which distinguishes between data with a privacy interest and data without one. It also makes data stored 180 days or more accessible with a government subpoena.
“This statute undermines the US brand by creating exceptions to warrant requirements,” Snead said.
Never turn over information in response to “courtesy subpoenas” unless required by law. Have procedures for employees so they are not complying with information requests just to be helpful.
Make sure the lines between warrant and subpoena are clearly drawn.
Snead recommends calling the FBI and inviting them for a tour to help them understand your business, so that when the time comes, they send you a warrant instead of coming in and taking an entire cage of equipment (which happens when FBI agents do not understand how the service provider business is run).
Finally, providers need to understand how law enforcement can access data.