Law enforcement and national security officials have broad access to data stored locally with Cloud service providers in the countries we investigated. Our research found that that it is not possible to isolate data in the Cloud from governmental access based on the physical location of the Cloud service provider or its facilities, and that Governments' ability to access data in the Cloud extends across borders.
Notably, every single country that we examined vests authority in the government to require a Cloud service provider to disclose customer data in a range of situations. Moreover, some governments permit invasive investigatory measures of Cloud providers when the investigation concerns national security.
For example, the German Federal Office of Criminal Investigation (BKA) may, in investigations involving terrorism or national security, use a "Federal Trojan" (a government-issued computer virus) to search a Cloud provider's servers, monitor ongoing communications, or collect communication traffic data without the knowledge of the target. In addition, the G10 Act provides German intelligence services with the authority to monitor and record telecommunications without a court order in investigation of a serious crime or a threat against national security, such as terrorism.
And certainly worth noting is the fact that in some of the jurisdictions we studied, there is the real potential of data relating to people being disclosed to governmental authorities voluntarily, without legal process and protections. In other words, governmental authorities can use their "influence" with Cloud service providerswho, it can be assumed, will be incentivized to cooperate since it is a governmental authority askingto hand over information outside of any legal framework. United States law specifically protects such data from that kind of voluntary turn-over to the government.
And the Patriot Act? It commonly, but erroneously, is believed to have created invasive new mechanisms for the United States government to get information. The reality is that most of the investigatory methods in the Patriot Act were available long before it was enacted. And those investigative tools had, and still have, limitations imposed by the United States Constitution and by statute.