August 6, 2013

DigiTar and the Patriot Act

There is a lot of concern and discussion among lawyers, regulators, academics and others about:

“Can a global cloud hosting services provider be forced by its government to access and disclose data which is stored by its customers in their cloud or dedicated hosted environments in foreign countries?”

The intent of this written declaration is to explain DigiTar’s view of the law, and our approach to this issue.

DigiTar has been in the hosting services business since 2004, and we have a corporate policy dealing with law enforcement requests for customer-owned content.

Background:

First, let’s address U.S. requests, as this will help explain how we have arrived at our philosophy and global approach. Our primary guiding principle for responding to requests from U.S. law enforcement agencies (“LEA”) is the Fourth Amendment to the United States Constitution, which states:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Additionally, we analyzed the Electronic Communications Privacy Act (“ECPA”) which controls how stored data is treated by providers.

Based on our interpretation of the Fourth Amendment, and the ECPA, we are of the view that DigiTar is prohibited from accessing and turning over customer data stored on a DigiTar host system or other storage device in a U.S. data center without a properly issued, lawful request (e.g. search warrants, court orders, Foreign Intelligence Surveillance Orders) from a U.S. court with appropriate jurisdiction over DigiTar systems and the data sought. This view applies to all LEA requests, including those under the PATRIOT Act. DigiTar’s interpretation of the law is based on the specific relationship that DigiTar has with its customers. By contract and in practice, DigiTar’s customers have full control over their information and any data that may be stored on DigiTar’s SaaS Systems.

USA Efficacy:

By agreement, our customers own the data they store on DigiTar systems. This includes allowing them full control of the resources, and control of passwords used to access their data. Because of this, we take the view that, in legal terms, DigiTar has no “possession” over customer stored data; and that we are legally prohibited from accessing that data on our own. It is also our position that we can’t give any “customer data” to third parties other than in compliance with a properly authenticated legal warrant. Our understanding of law enforcement, lawyers, and our customers gives us a great deal of confidence in our position and methodology.

We believe the same principles hold true in the other countries in which we do business. When we open a new data center operation in a non-USA country, i.e., Singapore & Amsterdam, we receive counsel on the local laws and take steps to ensure compliance. Just as in the U.S., DigiTar cannot access customer-owned data in those countries without permission, and we can’t access it for any LEA, other than in compliance with a proper warrant or its local equivalent. If we receive a law enforcement request from proper federal authorities, we will answer in a responsible manner in accordance with applicable law. It is as simple as that!

The Global Issue:

Now, back to the central issue of this statement, i.e. whether a global cloud provider like DigiTar can be forced by a U.S. LEA to access and disclose data which is stored by our customers in their cloud or dedicated hosting environments in foreign countries. This issue has been fiercely debated and widely discussed in the media in the USA, Asia-Pacific, and the EU. DigiTar has listened to the debate, consulted experts, and developed a reasoned position on this issue which we believe complies with all applicable laws, is respectful of the privacy rights of our customers, and is consistent with the approach we have developed for requests from U.S. LEAs in the U.S.

If a U.S. LEA believes it needs access to customer data located on DigiTar Systems or other storage device in a non-U.S. DigiTar data center, we will require the U.S. LEA to contact its counterpart law enforcement agency or court of the Foreign Country, which is covered by the two countries’ Mutual Legal Assistance Treaty (“MLAT”). We will respond to any appropriate LEA request that lawfully comes out of that cooperative effort.

Global Efficacy:

DigiTar will not attempt to access customer content remotely from the U.S. in response to a U.S. LEA request, and we will not order our non-USA agents or employees to comply with the request unless and until the proper MLAT request is granted. That is our approach.

In the highly unlikely event that a U.S. LEA demands that DigiTar grant access to a non-USA customer’s data located in our non-USA facility, without an MLAT, we will take the matter to court in the U.S. and mount a vigorous challenge. We consider that any such demand would be unlawful. We sincerely believe that we would win.

In the same way, we will follow the same process in response to a non-USA LEA request (i.e., Singapore, U.K., Hong Kong, Netherlands, etc.) for access to customer data in DigiTar operations centers outside their respective jurisdictions.

The principle that we follow is that DigiTar respects and complies with the laws of the countries in which it does business. DigiTar’s understanding of its responsibilities is that we are not permitted to violate a law or a contract with a customer in response to a demand from another country’s LEA.

We think this is the responsible way to manage a global cloud infrastructure across the U.S., Europe, Asia and globally.

A Touch of Reality Please…

In the real world of SaaS/cloud computing and hosting, we just don’t envision U.S. LEAs demanding customer content, which is stored in foreign data centers, without complying with MLATs.
This issue is really an academic argument, which certain local providers and self-styled privacy advocates are trying to exploit, in an attempt to gain a competitive advantage.

However, that hoped-for competitive advantage does not really exist, because if there is a true need for data in a legitimate law enforcement investigation, whether it is being conducted by non-USA or U.S. authorities, in our experience, reason will prevail and the LEAs of the two countries will use the MLAT approach to secure the data. That is how it works in practice.

In the meantime, while the theoretical debate rages on, fueled by competitive interests and political bluster, DigiTar will simply follow its guiding principles and do its very best to protect its customers to the fullest extent of the law.

Filed under: Press Releases
