In response to my colleague Dave Asprey's Patriot Act post:
- Any law that is abused or misinterpreted is bad for society and business
- There is a delicate balance between protecting citizens’ safety and violating civil liberties
First, some history. The Patriot Act, passed in 2001, is not the first American law to give law enforcement authorities the power to retrieve information.
- The Wiretap Act: Title III of The Omnibus Crime Control and Safe Streets Act of 1968 permits authorities to obtain wiretaps
- FISA: The Foreign Intelligence Surveillance Act of 1978 is an Act of Congress (signed by President Jimmy Carter) that describes procedures for the physical and electronic surveillance and collection of information
Both of the above laws have provisions to protect civil rights and liberties.
On a careful reading, the Patriot Act does not give the Federal government unfettered carte-blanche access to data stored in an organization’s databases. Rather, the section quoted by Dave specifies:
“SEC. 501. ACCESS TO CERTAIN BUSINESS RECORDS FOR FOREIGN INTELLIGENCE AND INTERNATIONAL TERRORISM INVESTIGATION”
The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.
Requests for information have to fall under either Executive Order 12333 (1982) or a panel of judges.
Use of encryption:
Use of encryption in the United States is not regulated. If a cloud service provider encrypts information and has the encryption key, the service provider must decrypt the communications when served with a Federal wiretap order. But a service provider has no obligation to decrypt communication encrypted by the end user when the service provider does not have the encryption key.
Few if any wiretap orders have been hindered by encryption.
As Dave says, “...you should consider using policy based key management with your keys stored away from your data...” That way, your data is safeguarded regardless of who attempts to access it, since you control the encryption keys.