
Christmas Special: Urban legends, from the kidney heist to the data hand over at gunpoint

December 23, 2011

Have you ever heard the story of a tourist waking up in a bathtub full of ice, missing a kidney? It is a story well told and spread virally across the western hemisphere. It is not true, but everybody who hears it for the first time feels the chill.

While it has been proven to be wrong (have a look here as an example: http://urbanlegends.about.com/od/horrors/a/kidney_thieves.htm), it keeps going. There are three elements that make it so difficult to stop it from resurfacing every now and then.

  • The story has a true core or at least is plausible.
  • It addresses a bad feeling, a fear or a concern already existing in the listener, sometimes consciously, sometimes not.
  • It usually has an element of bad and good or of guilty and innocent.

Let me tell you an urban legend from the world of cloud computing and data privacy.

UK hosting company forced to hand over data at gunpoint:

It has been reported that lately the Patriot Act has shown its true face. Hosting UK Ltd. (fictional name), a company that hosts web servers and databases for its customers, mainly in the UK, also has an office in the U.S.A. where administrators cover off-hours support issues. As it happened, one of these customers (from Europe) came under suspicion by a US governmental agency. It has not been disclosed so far whether this was a terrorist threat or a corruption investigation.

Rather than addressing this customer of the UK hosting company directly, the authorities walked up to the US office of the hosting company itself one evening and forced entry. Making use of the fact that Europe was sound asleep and no one was available, they approached an administrator and requested that he pull data from the servers in the UK. When the administrator refused to do so for two reasons, first because he had no right to do so under company rules as well as UK law, and second because he did not have access to the systems, the agents from the US agency reacted in a straightforward manner.

Rather than presenting any legal material, which would have had no effect anyhow as the administrator was no lawyer able to understand it, they pulled their guns and forced the US citizen to gain access by all means. They threatened him that, as a US citizen, they would be able to detain him and his family for obstructing legal action, and forced him into action. He had to ignore rules and laws and pull the data. He was then told to obscure what had happened and was threatened even further if he reported on the events of the night.

Have you ever heard this story or a similar one?

I have been told it many times. It is often told as an absolute fact and used to frighten European customers. It does have an effect on customers and adds to the uncertainty already in the market about the Patriot Act and the fear about data privacy. So let’s check how it fits the three points mentioned in the beginning.

  • The story has a true core or at least is plausible.

It has a true core in the sense that there are rules under the Patriot Act that would force hosting companies to hand over data without notifying the end customer. The so-called sealed subpoenas are enforced by courts under special circumstances (see below for more).

  • It addresses a bad feeling, a fear or a concern already existing in the listener, sometimes consciously, sometimes not.

There is a fear already instilled in people about the Patriot Act. It is a fear about data-hungry Americans and the FBI, NSA, CIA and all the other three-letter agencies having free access to data. The fear is also that this is not only to answer the terrorist threat and corruption cases. There is fear that the Americans would use their data access to steal patents to give their companies an unfair economic advantage.

  • It usually has an element of bad and good or of guilty and innocent.

This one is easy: the bad guys are the Americans, their weapon is the Patriot Act, and the three-letter agencies’ Ethan Hunts are the enforcers.

So much for the legend. I predict that this one will be a long-lasting one. It will resurface at least amongst certain audiences again and again, even if it will not be as tenacious as the kidney heist story. To get a little bit beyond the story and dig into the topic, we need to have a look at the Patriot Act and its consequences. These are the only parts we can really get an understanding of. Any James Bond, Ethan Hunt, or whatever-agent-you-favor style actions I cannot analyze or judge. These things are outside of our visible world. But if you are afraid on that level, you probably do not have any computers anymore anyhow and only do business locally.

So it is the Patriot Act we look at. One of the statements that created quite some publicity was a statement by Microsoft during the Office 365 launch in the UK. It was a basic statement that said that there are circumstances under which Microsoft could be forced to hand over customer data even if stored in European data centers. The press picked this up happily, and it sounded in many reports as if Microsoft had opened up the gates to customer data while others did not, quite an unlucky situation for Microsoft in the sense of unjustified bad press. The Patriot Act is the same for all companies and individuals. It has not been created for cloud computing only and therefore it needs to be viewed in a different light.

More on the Patriot Act beyond this specific view of today’s special can be found in this earlier post:

https://clouddiscussions.wordpress.com/2011/08/12/weekend-special-privacy-the-patriot-act-and-contracting-explained/

Who falls under the Patriot Act? (Not meant to be a comprehensive list.)

  • American companies and their subsidiaries
  • Non-American companies with a substantial subsidiary in the USA
  • Non-American companies dealing with the USA or companies in the USA

Here "company" means all companies of any kind and not just IT cloud service providers.

What would happen if a company did not follow the ruling of a court to hand over data?

What is the leverage a court would have? It is a debate that started controversially when I first discussed this with different legal experts. But there is one view that was distilled in the end, and whether you believe it or not, the majority agrees with it.

Whether an end customer is requested to hand over data, the US subsidiary of an end customer, a US hosting/outsourcing/cloud company, or even a foreign company’s US subsidiary, the final resolution is the same. If denied the data, the US authorities would put the CEO/manager of the US subsidiary into detention to enforce the handover of data. As far as I have understood, the rules would allow a detention of up to 6 months.

Can you imagine Steve Ballmer going to jail for 6 months, or Larry Page? That is the reason why the companies clearly state that, bottom line, if it comes to that they would hand over data. So how would a German company like Deutsche Telekom and its IT division T-Systems act? They claim that as a German company with German data centers the Patriot Act does not apply. But T-Systems and Deutsche Telekom do have significant business in the U.S.A. Would it be different for them? My understanding is that they need to follow the same rules, but they might see this differently. As always, law is not black and white but shades of gray. My advice, not only for T-Systems, is to discuss this with the potential provider. And remember, these rules do not only apply to cloud computing but also to all other kinds of business, e.g. outsourcing, BPO, etc. It is also important to understand that these rules apply to your customers themselves as soon as they do business in the U.S.A. or have a significant subsidiary there.

I have been in contact over the years with one customer that decided against the cloud. Amongst other reasons, one of the dominant ones was that they had decided to rather send their American management into detention and compensate the individuals for that than hand over data. That was a policy we were not able to comply with.

So do not be misguided by an urban legend, and dig through to your own interpretation. Get legal support and create your own view on it.

Here are some Christmas urban legends: http://socyberty.com/holidays/christmas-urban-legends/

I do wish all readers and their families a merry Christmas and a happy new year. Enjoy the time off with families and friends.
