Rackspace may not be able to ignore USA Patriot Act requests for data in its Sydney data centre, privacy and civil liberties advocates have said. But concerns raised by Rackspace competitor Macquarie Telecom seem unlikely to derail Rackspace from success in Australia, said two industry analysts.
When Rackspace announced the opening of its first data centre in Australia, the company emphasised that only Australian laws would apply to hosted data. That claim “puzzled” Macquarie Telecom general counsel, Heather Tropman. “The Patriot Act is widely recognised as having extra-territorial reach outside of just the US,” she said. Whether Rackspace has “set up a subsidiary company [in Australia] or not, they’re either a US company or they’re a US-owned company.”
“It is a very grey area,” said Information Integrity Solutions managing director, Malcolm Crompton, a former Australian Privacy Commissioner. “Much more insight is needed into questions such as whether and how a company has a link to the US before it is possible to say whether the Patriot Act applies to it. For example, what are the ownership structures? I would be sceptical of claims from both sides without clear evidence.”
“I wouldn’t accept as a condition that just because you’re a subsidiary company in Australia, the US can’t use the Patriot Act to request data from you,” Civil Liberties Australia director, Tim Vines, told Computerworld Australia. US law enforcement expects subsidiaries of American companies to comply, and usually companies are less-than-willing to challenge those requests, he said.
“The question for a company like Rackspace is whether they have taken steps to ensure that data stored in Australia isn't under their ‘possession, custody and control,’” said Electronic Frontier Foundation legal director, Cindy Cohn. EFF is a San Francisco-based advocacy group that has fought the Patriot Act in US courts.
“Some companies maintain that their foreign subsidiaries are outside the control of the parent company and so they don't have to respond to US requests for data held by those subsidiaries,” Cohn said.
“There isn't much case law on it in the US, though, and many people are sceptical that the courts would agree.” Other factors include “whether the subsidiary really is separate, whether there are interlocking boards of directors [and] how money is moved around,” she said.
“So I wouldn't say Rackspace is necessarily mistaken, but I'd want to have a pretty clear explanation from them about how their corporate structure and activities are separate enough that they feel they can demonstrate to an American judge that data stored in Australia is not under their possession, custody and control,” she said.
Rackspace v. Macquarie
Macquarie’s Tropman said her understanding of the Patriot Act process is that the FBI can issue a national security letter to Rackspace in the US, and then Rackspace would request the information from its Australian subsidiary. If the Australian subsidiary of Rackspace refused to comply with its US parent company, “the only way I could see this playing out is the US company sues its own kid,” she said.
The Hague Convention, a treaty of which the US and Australia are part, can be used “to provide cooperation on matters of international law between jurisdictions,” and there can be multi-lateral treaties, Tropman said. However, “at the end of the day ... the request [from the US] would not come to the Australian company.”
Rackspace rejected Macquarie’s objections in a lengthy statement issued Monday. “To be clear, Rackspace does not maintain custody or control over its customers' data hosted in Australia or anywhere,” said Rackspace general counsel, Alan Schoenbaum. “This is important as it is the trigger for the operation of the US Laws (including the Patriot Act).”
“Rackspace follows the laws of the countries in which it does business,” Schoenbaum countered. “Rackspace's policy on customer data is very clear: Rackspace will never turn over customer data located in its Australian data centre other than in compliance with a lawful and proper warrant served by Australian authorities. Not U.S. authorities.”
“If a U.S. or other foreign law enforcement authority believes it needs customer data located on a server or other storage device in Australia managed by a hosting company (foreign or domestic, it doesn’t matter) to solve or prevent a crime, the foreign law enforcement agency is required to contact its counterpart law enforcement agency or court in Australia as covered by the two countries’ Mutual Legal Assistance Treaty,” he said.
“If the Australian authorities agree that the request is necessary, valid and appropriate, and they choose to cooperate, at that point the Australian authorities take over and serve the warrant. If Australia does not believe the data should be turned over, the case is closed.”
“This principle applies to all IT hosting companies in Australia, domestic and foreign, and all of them must abide by Australian law,” Schoenbaum added. “No IT host in Australia is exempt from complying with local laws and international law enforcement treaties -- and it is naïve at best and dishonest at worst for any legitimate hosting company to suggest otherwise.”
Whether Rackspace has to comply with the Patriot Act shouldn’t be a deciding factor for businesses deciding where to host their data, said Ovum analyst Steve Hodgkinson. “The most important discussion is around how robust and trustworthy is the service.”
If all things are equal, a company might opt for an Australian company over an American company, he said. However, “it’s likely to be a rounding error in the overall benefit proposition that’s on the table.”
Telsyte analyst Rodney Gedda agreed that the Patriot Act issue is unlikely to hurt Rackspace as it seeks to expand in Australia. “Rackspace actually has a lot of customers already,” collected over 10 years in Australia. “If that’s a concern, it isn’t showing.”
“There’s a difference between data not leaving Australia and the Patriot Act, so we shouldn’t immediately combine the two,” Gedda said. “Just because a company doesn’t want to send data offshore doesn’t mean they’re particularly worried about the Patriot Act.”
The question will affect any US company that wants to open a data centre in Australia, Vines said. “The Patriot Act not only impacts on the privacy of Australian individual businesses, but it actually impacts on American businesses and their capacity to operate overseas.”
The Patriot Act is a “monster under the bed” used by Australian cloud computing companies to scare businesses away from American competitors, said Hodgkinson. “They use it as a way to say local is better.” But law enforcement in any country, including Australia, can get access to data when they want it, he said.
“A lot of Australian hosting companies tend to make a point about the Patriot Act,” Gedda said. “I think what customers need to understand is that it’s just one risk factor. It shouldn’t be seen as a deal breaker.”
Follow Adam Bender on Twitter: @WatchAdam