Sunday, 30 September 2012

G-Cloud, GDS, HMRC, Skyscape and the USA PATRIOT Act

At the Office 365 launch, Gordon Frazer, managing director of Microsoft UK, gave the first admission that cloud data — regardless of where it is in the world — is not protected against the USA PATRIOT Act.

[Skyscape has subsequently changed its name to UKCloud: "London – August 1, 2016 – Skyscape Cloud Services Limited, the easy to adopt, easy to use and easy to leave assured cloud services company, has today renamed and relaunched as UKCloud Ltd (www.ukcloud.com), to reinforce the company’s exclusive focus on supporting the UK public sector in the digital transformation of services".]

----------  o  O  o  ----------

G-Cloud
Whitehall's G-Cloud team have taken the baffling decision to include Skyscape Cloud Services Ltd in their Cloudstore.

Cloudstore is an on-line shop the team have set up to display the wares of approved suppliers and from which government departments are supposed to be able to buy with confidence.

That confidence must be limited in the case of Skyscape, which has no track record in business, is so young a company that it has yet to file any accounts and has only one director, who is also the only shareholder.

What are the G-Cloud approval procedures? Is it possible to fail them?

HMRC
HMRC have taken the baffling decision to stop storing data in their local offices and store it instead in the cloud with Skyscape. What data? PAYE and NI payments? VAT payments? Personal tax returns? Company tax returns? That's the kind of thing HMRC deal with.

In the name of efficiency and greenness, HMRC think it is wise to lose control of their data – more properly, our data – and hand it over to a company owned and directed by just one man?

GDS
The Government Digital Service (GDS) have taken the baffling decision to host GOV.UK on Skyscape's servers.

GDS are the people whose job it is to make all public services digital by default.

They don't have a lot of successes to their name. They're meant to have approved the suppliers of identity assurance services by now. Today's the deadline and they still haven't got round to it. As a result, DWP's Universal Credit scheme, among others, is left twisting in the wind, unable to proceed for lack of the necessary identity assurance.

But they have produced GOV.UK. It's still in testing, but at least there's something to show for their work. You'd think they'd look after it. But no, they're entrusting its care to a one-man business, Skyscape.

GOV.UK is only meant to replace every single central government website + Directgov + Businesslink + (this is a guess) the Government Gateway. But what the heck, let's stick it in the cloud, that's the modern way, that's where everything's heading, in a handcart ...

We're not just talking here about the businesslike behaviour of Whitehall, its responsible attitude and its grasp of reality. We're nibbling at Constitutional questions, including questions of sovereignty.

Skyscape
On their website, Skyscape say:

SOVEREIGNTY

Skyscape is a UK registered company owned exclusively by UK domiciled shareholders. All our secure operational centers and data centres for UK Public Sector clients are sited within the UK in highly secure IL6 data centres. A significant competitive differentiator is our focus on the integrity of our client’s data, including protection from potential access by overseas legislation including the US Patriot Act.

Let's sweep up some of the small stuff first:
  • Skyscape only has one shareholder, so what's all this about "UK domiciled shareholders" plural?
  • Are Skyscape promising never to have any non-dom shareholders?
  • Why can't they spell "centres" the same way twice in a single sentence?
  • How secure are their data centres given that their "partner" ARK Continuity publishes a map of how to get to one of them on their website?
  • Is a "focus on the integrity of our client’s data" a "significant competitive differentiator"? Don't other cloud service suppliers focus on exactly the same thing?
  • And what do they mean by "integrity"?

Now the big one.

The USA PATRIOT Act 2001
"USA PATRIOT" is an acronym standing for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism. The Act was passed in the aftermath of 9/11.

It's a long document and DMossEsq hasn't read it. Bits of it, but not all of it. Mayer Brown have. Mayer Brown are a US firm of lawyers and in their paper "The USA Patriot Act and the Privacy of Data Stored in the Cloud" they say:

European consumers have expressed concern that the USA Patriot Act ... will afford the US government undue and unfettered access to their data if they choose to store it on the cloud servers of US providers (e.g., Microsoft or IBM) ...

Two ... mechanisms that US law enforcement could use to access data in the cloud that warrant discussion are FISA [Foreign Intelligence Security Act] Orders and National Security Letters [NSLs] ...

FISA Orders, particularly as expanded under Section 215 of the Patriot Act, have given rise to privacy concerns for several reasons. First, such orders may be granted ex parte, meaning with only the FBI presenting evidence to the court. Second, Section 215 includes a “gag” provision that prohibits the party that receives a FISA Order from disclosing that fact. This typically would prevent a cloud service provider from informing its customers that the service provider had shared their data with the FBI in response to a FISA Order ...

... the FBI may issue NSLs on its own initiative, without the authorization of any court. (This was true even before the Patriot Act.) Nothing in the Patriot Act provides for any judicial review of the FBI’s decision to issue an NSL. Second, the NSL statutes impose a gag requirement on persons receiving an NSL. In addition, the Attorney General Guidelines and various information sharing agreements require the FBI to share NSL information with other federal agencies and the US intelligence community ...

... any corporation based in the United States will be subject to US jurisdiction and, thus, can be subject to FISA Orders, NSLs, search warrants, or grand jury subpoenas. The same is generally true for a non-US corporation that has a location in the United States or that conducts continuous and systematic business in the United States ...

... an entity that is subject to US jurisdiction must produce not only materials located within the United States, but any data or materials it maintains in its branches or offices anywhere in the world. The entity even may be required to produce data stored at a non-US subsidiary ...

... US law enforcement authorities may serve FISA Orders, NSLs, warrants or subpoenas on any cloud service provider that is US based, has a US office, or conducts systematic or continuous US business—even if the data is stored outside the United States ...

... US law enforcement authorities may serve FISA Orders, NSLs, warrants or subpoenas on any cloud service customer that is US based, has a US branch, or conducts systematic or continuous US business—even if the data is stored outside the United States ...

You get the message.

In case you don't, Microsoft say the same thing more briefly, in "Microsoft admits Patriot Act can access EU-based cloud data":

At the Office 365 launch, Gordon Frazer, managing director of Microsoft UK, gave the first admission that cloud data — regardless of where it is in the world — is not protected against the USA PATRIOT Act.

So do Google, in "Web freedom faces greatest threat ever, warns Google's Sergey Brin":

Brin acknowledged that some people were anxious about the amount of their data that was now in the reach of US authorities because it sits on Google's servers. He said the company was periodically forced to hand over data and sometimes prevented by legal restrictions from even notifying users that it had done so.

Microsoft and Google are both themselves suppliers of cloud services. They're being straight with the public.

Skyscape can tell us till they're blue in the face that their one and only shareholder is domiciled in the UK. But as long as the company is somehow linked up in its mysterious partnership with QinetiQ, Cisco, VMware and EMC, the claim to offer "protection from potential access by overseas legislation including the US Patriot Act" is arguably false.

Whitehall has a duty to keep control of the data we entrust to its custody. Sticking our data in the cloud is a breach of that duty.

If Whitehall, GDS, HMRC and/or the British public are relying on that claim of Skyscape's, they/we may be sadly mistaken.

----------

Cribsheet
What? Even QinetiQ? The dear old true blue DERA as was?

Yes, even QinetiQ, because of its "conduct of a systematic and continuous US business", viz. QinetiQ North America, 7918 Jones Branch Drive, McLean, VA 20165, Tel: 703-652-9595, www.QinetiQ-NA.com, contactus@qinetiq-na.com ...

Added 10.1.13
U.S. Spy Law Authorizes Mass Surveillance of European Citizens

Added 13.2.13
Yes, U.S. authorities can spy on EU cloud data. Here's how

Added 16.3.13
National Security Letters ruled unconstitutional
