US Government Agencies Will Soon Be Able To Access Foreign Medical Dossiers Due To Patriot Act

from the radical-transparency dept

The US Patriot Act has suddenly scared an entire nation, and it's not the US itself this time. The Netherlands is currently going nuts about the US government being able to request medical details of all its citizens when the Dutch Electronic Patient Database (EPD) is implemented next month. This will not be the only country that freaks out because of the Patriot Act, as this sort of thing is likely to happen a lot more often. A recent study explained that US government agencies can secretly request anyone's data if they are using a cloud-computing service which 'conducts systematic business in the US'. It is already sufficient when the service provider is somehow a subsidiary of a US company.

That turns out to be a problem in the Netherlands, because the company that has developed the EPD and will be hosting the patients' data on its cloud computing systems is the US-based CSC. The Dutch government and the organization responsible for implementing the EPD are convinced there is no problem, because there are clear contracts which have assigned Dutch jurisdiction, and fortunately the Dutch have stringent data protection laws that will protect patients' sensitive data. Because that's what data protection laws do, right?

False! At least with regard to information law, researchers from Amsterdam University warn that this analysis is way too simplistic. According to the scholars, it is quite possible the US government agencies can circumvent data protection laws and could easily request access to medical information of every single person in the Netherlands. The study doesn't just cover the Netherlands (though it is especially timely for that), but rather looks at how these risks may apply more globally. Here are just a few of the findings that should raise eyebrows across the globe:

"When using a cloud service provider that is subject to U.S. jurisdiction, data may be requested directly from the company in question in the United States. […] From a legal point of view, access to such information cannot be denied and cloud service providers can give no guarantees in this respect. […] The possibility that foreign governments request information is a risk that cannot be eliminated by contractual guarantees. Nor do Dutch privacy laws offer any safeguards in this respect. […] It is a persistent misconception that U.S. jurisdiction does not apply if the data government requests for information do not apply to Dutch users of the cloud. […] legal protection under specific U.S. laws applies primarily to U.S. citizens and residents. […] Given the nature of intelligence work, it is not possible to gain insight into actual requests for information by the U.S. authorities […] Cloud providers will typically not be able to disclose whether such requests are made"

If the above doesn't yet lead to a new international outrage against the US Patriot Act, then the following sentence on the extra-territorial effects of the Patriot Act should at least send shivers down the spines of sovereignty-loving non-US government officials:

"The transition to cloud computing will, in principle, result in a lower degree of autonomy [...]"


Reader Comments

  •  
    Richard (profile), Dec 7th, 2012 @ 2:16am

    Own Goal

    Once this becomes widely known the net result will be that no-one outside the US will do this kind of business with a US company.

    US companies will be frozen out of a huge swathe of business.

     

    •  
      Zakida Paul (profile), Dec 7th, 2012 @ 2:35am

      Re: Own Goal

      Good. It might force them to change their business practices to make them acceptable.

       

      •  
        Josh in CharlotteNC (profile), Dec 7th, 2012 @ 7:00am

        Re: Re: Own Goal

        The only business practice they could change would be to move to another country and incorporate there.

        What it might do is force the businesses to call Congress to tell them to stop passing stupid laws.

         

    •  
      Anonymous Coward, Dec 7th, 2012 @ 2:47am

      Re: Own Goal

      I have been advising people not to use any US-based service providers for quite some time now, partly because of things like the above, but also because most if not all companies tend to shut down service to the whim of any government official (and a number of non-gov other companies). So no GoDaddy, Amazon, etc. Not that local companies may not do the same, but at least you know what your rights are and where you can get them (up to a point).

      And of course the same goes for companies that use them.

      So yes, this is already costing the US business, and it will probably only get worse.

       

    •  
      gorehound (profile), Dec 7th, 2012 @ 5:01am

      Re: Own Goal

      I stay away from using US Business when I can in regards to this type of stuff.
      And I do not use Cloud at all. I do use a VPN which is on a Foreign Company who does not keep Logs.

      I advise folks to do the same and stay away from US as your info will be known.

      It will be great to see folks around the World wake up and realize what is going on if they use the US stuff.

       

    •  
      SUNWARD (profile), Dec 7th, 2012 @ 6:04am

      Re: Own Goal

      already moved my hosting and registrar from the US for these reasons.

       

    •  
      Jesse (profile), Dec 7th, 2012 @ 8:25am

      Re: Own Goal

      When I got tested for my life insurance policy I had my provider switch to an all Canadian company for this very reason.

       

  •  
    Anonymous Coward, Dec 7th, 2012 @ 2:23am

    'there are clear contracts which have assigned Dutch jurisdiction'
    So when the US government requests the data, CSC has a choice to either comply with the 'clear contracts', or with the Patriot Act.
    Guess what they'll choose.

     

  •  
    Anonymous Coward, Dec 7th, 2012 @ 2:25am

    I wonder when the EU will get a Patriot Act of their own? This should be fun - any info on any US citizen from any company in the US that does business in the EU - is ours for the taking. I can hear the outcry from DC politicians already...

     

    •  
      Anonymous Coward, Dec 7th, 2012 @ 2:28am

      Re:

      Which will in turn lead to geopolitical "fences" around the internet. The ITU will have its way, eventually...

       

      •  
        Anonymous Coward, Dec 7th, 2012 @ 4:48am

        Re: Re:

        If they can't control, fragment the internet......win win.

        Control/manipulate undesired outside information, or cut off the ability for that communication

         

    •  
      Beta (profile), Dec 7th, 2012 @ 6:04am

      Re:

      A few DC politicians may protest in soft voices. Most will go along quietly as everyone in law enforcement, intelligence, pharmaceutics, IP protection, security theater (sorry, theatre) or a dozen other fields sets up transatlantic deals to trade EU citizens' info for US citizens' info.

       

  •  
    Anonymous Coward, Dec 7th, 2012 @ 2:26am

    and if people worldwide still can't see why the USA conducts secret 'negotiations' over new 'treaties', why they freak out when bodies like the ITU try to take over running something or implementing more control over something, more fool them. the US is doing whatever it takes, whatever it can to take control of the whole nine yards! it wants to have every bit of data on everyone and everything, but doesn't want anyone else to have that data. to go down this route of being able to access info on non-US citizens or even US citizens that live in other countries is taking the piss. talk about defeat German Fascism so as to gradually bring in the home-grown version. what a joke!

     

  •  
    Anonymous Coward, Dec 7th, 2012 @ 3:01am

    Well, at least if there was some non-US-based file storage and cloud service provider with good services - oh, wait, that was the direction Megaupload was about to take, and a plan Dotcom still endorses. "Ahem - PIRACY". Never mind.

     

  •  
    Anonymous Coward, Dec 7th, 2012 @ 3:10am

    I'm getting confused

    Damn.

    Now I have to go back and reread the US statements about why they're opposed to ITU's WCIT initiative because apparently I completely misunderstood it.

     

  •  
    Anonymous, Dec 7th, 2012 @ 3:36am

    "You should've read the books and understood that America's no damn good." -Sister Souljah

     

  •  
    Anonymous Coward, Dec 7th, 2012 @ 4:06am

    legal protection under specific U.S. laws applies primarily to U.S. citizens and residents
    I wish. As soon as they ran into that hurdle, they came up with a "secret interpretation" of the law that lets them spy on anyone, anytime, without any oversight or accountability.

     

  •  
    Anonymous Coward, Dec 7th, 2012 @ 4:43am

    The NSA should, via shell companies, become the major cloud provider in every country. This would save the US tax payer money and make data gathering so much simpler. /s

     

  •  
    The Real Michael, Dec 7th, 2012 @ 5:16am

    One thing this article doesn't explain is what the US intends to do with the info that's being retrieved. Does anyone know? It seems odd that they're taking up interest in foreign medical dossiers, of all things.

     

    •  
      Michael, Dec 7th, 2012 @ 5:25am

      Re:

      They aren't. The article is citing an example that has made a group of people uneasy. The US (as far as we can see from the information provided) has not accessed this information. The problem is that under the Patriot Act, they can.

       

      •  
        Anonymous Coward, Dec 7th, 2012 @ 5:35am

        Re: Re:

        I wouldn't bet on it, apply for a visa to visit the US and they will hoover up every bit of data on you that they can find.

         

        •  
          Michael, Dec 7th, 2012 @ 7:18am

          Re: Re: Re:

          You don't have to visit. If you use Expedia to book your trip anywhere, apparently the Patriot Act lets them hoover up your information remotely.

          Don't even get me started on what they collect if you actually buy a Hoover...

           

          •  
            The Real Michael, Dec 7th, 2012 @ 8:42am

            Re: Re: Re: Re:

            The only logical explanation seems to be that they'd want to create a profiling database to be freely accessed by all interested gov/law parties. The thing is, much of that data would be acquired without rhyme or reason and with zero oversight, then inevitably be used against certain individuals. Sort of like playing god with people's lives.

             

  •  
    Anonymous Coward, Dec 7th, 2012 @ 6:57am

    Data Security

    If you do not control the machines that hold your data then you do not control access to that data. This holds true when cloud services and/or external companies are running your machines.
    Whenever a person or organization does not have control over their data storage they can be held hostage by another entity, and risk losing all their data if they fall out with that entity, or it ceases to exist.
    How long before the US government uses cloud services as coercion in gaining their way in trade treaties?

     

    •  
      Michael, Dec 7th, 2012 @ 7:19am

      Re: Data Security

      "How long before the US government uses cloud services as coercion in gaining their way in trade treaties"

      They already have the MPAA for that.

       

  •  
    G Thompson (profile), Dec 7th, 2012 @ 7:15am

    Thankfully here in Australia the Government has mandated that at a Federal and State level (under our own Privacy Rules) NO data of any sort by any government or quasi-government (or even ones that tender to govt) can be held outside of Australia at all.

    This strangely enough has made the US companies annoyed with the Australian Government to the extent that the USG has queried it and made an issue about it to no effect whatsoever. Our Privacy laws cannot be diluted, changed, nor removed for any reason for anyone no matter what any treaty the USG wants to rant about.

     

    •  
      Michael, Dec 7th, 2012 @ 7:23am

      Re:

      "Federal and State level (under our own Privacy Rules) NO data of any sort by any government or quasi-government (or even ones that tender to govt) can be held outside of Australia at all"

      Sure, but the US government has access to lots of private company information (Facebook, Google, Microsoft, and health providers that use something remotely attached to a US company, etc.).

       

      •  
        G Thompson (profile), Dec 7th, 2012 @ 7:47am

        Re: Re:

        All health records from Private or Public health providers are NOT allowed out of the country in any way shape nor form. In fact the Records are highly restricted and come under the National Privacy Principles specifically that have full criminal (not just civil/governmental fines) sanctions attached for all knowing individuals (glass ceiling for PTY/LTD is gone in this respect).

        The info that private individuals and in a limited way businesses place upon Google, Facebook, et al. are fair game yes. But a company that uses these venues is still liable believe it or not under the Privacy Act, and also under numerous other acts like the one that creates criminal sanctions for SPAM and selling of identifiable lists of people who are placed upon the DNC register.

         

  •  
    Anonymous Coward, Dec 7th, 2012 @ 8:24am

    It's definitely time to shut down the US.

     

  •  
    Wally (profile), Dec 7th, 2012 @ 4:28pm

    The reason the Feds are doing this is for Obamacare. So the main motivation is insurance and not your personal life...does it make it right? Not one bit it doesn't.

     
