Executives from top cloud vendors Microsoft, Google, Amazon.com, Salesforce.com and Rackspace urged a congressional committee to support their goal of giving data stored in cloud computing systems the same legal protections as information stored on one's personal computer. The lack of such protections today is a particularly important issue for enterprise customers, and is deterring some from using cloud services, the executives said.
To give lawmakers a sense of the scale of cloud-based system use, Google senior counsel Richard Salgado told the committee that there are 3 million business users of the company's cloud services today, and about 3,000 more sign up for them each day. All face "inconsistent, confusing and uncertain" privacy laws that can be applied to data, he added.
For instance, the Electronic Communications Privacy Act of 1986 allows the government to compel a service provider to disclose the contents of an email older than 180 days "with nothing more than a subpoena," said Salgado. A search warrant, which unlike a supoena requires that investigators provide probable cause, is needed to turn over emails less than 180-days-old, he added.
Salgado said communications and documents stored online should be treated "as if they were stored at home," which would require that the government "get a search warrant before compelling a service provider to access and disclose the information" at any time. The US Senate is also looking at this issue.
Michael Hintze, associate general counsel at Microsoft, said that users of its Business Productivity Online Suite, which includes a document storage product, include companies that must protect highly confidential information, including trade secrets, business plans and customer lists.
"Enterprise users tell us that they are very concerned about the privacy implications for moving such sensitive data from local storage to remote storage," said Hintze. "A significant part of that concern relates to the circumstances under which the government can compel disclosure of data from third party providers," he added.
Similarly, David Schellhase, executive vice president and general counsel of Salesforce.com, said that its customers, especially those based outside the country, "want assurances that the US government will not access their data without deliberate due process."
Opposition to changes in the law may come from law enforcement agencies. Kurt Schmid, executive director of the Chicago High Intensity Drug Trafficking Area, a federal group that helps to coordinate drug control efforts among local state and federal law enforcement agencies, said law enforcement officials don't want to relinquish established legal thresholds.
"Subpoenas assist law enforcement to focus on investigative targets, frequently serving as a tool to eliminate innocent persons from being investigated, while serving to develop additional leads and evidence on the offender in question," said Schmid, in prepared remarks.
The hearing, held by the Judiciary Subcommittee of the Constitution, Civil Rights and Civil Liberties, drew the attention of US Representative John Conyers, chairman of the full committee. He called the cloud data privacy issue important, and one that is "being undervalued by the committee."
Conyers, citing the severe damage that could be caused by cyberattacks, told the committee that privacy must be protected as much as possible "but at the same time there needs to be other issues that I hope you bring up."