Is it due diligence to avoid US hosting providers?

I just read a letter to the editor by Richard Stallman in Communications of the ACM, May 2005, where he points out that whatever the privacy policy of a website, the USA PATRIOT act (or USA PAT RIOT act as he calls it) allows collection by law enforcement of any private information without a warrant. His point is that the “privacy seal” advocated by some, means nothing.

US companies are subject to this act in any case, but for us non-US residents and non-US companies, it seems an utterly bad idea to host our data on American based ISPs, since all of a sudden our data can be collected by the US government without a warrant or even without us knowing about it. The ISP can’t even tell us, can they?

Does this mean that applying prudent IT security principles would prohibit any non-US based company from using any US-based hosting provider? Or maybe even any hosting provider with a US-based company anywhere in the ownership chain?

It seems that way to me.

Would it not be prudent to require of any hosting provider/ISP we non-US based businesses use that they confirm in writing that they are not subject to the USA PATRIOT act in any way? And that they must inform us if their ownership or location changes in such a way as to make them subject to that law?

Would having your data on a site that becomes subject to the PATRIOT act at some point in time, automatically make all the past data on that site subject to warrantless (“unwarranted?”) collection? If so, guys, we’ve got a problem.

Maybe co-locations could be a solution. Or maybe not? What happens in these cases? Take your blades and run? What about backups? Co-locate your own backup equipment, too?

I can easily envision that we, as consumers, will soon only be prepared to enter private information into web forms, if the site has a privacy seal and guarantees it is not subject to American (or other similar) laws.

The problem is the nature of the PATRIOT act that makes a business unable to trust their hosting provider. The hosting provider can be forced to deliver copies of data that is not theirs to deliver, without knowing or being allowed to know the purpose and without even being allowed to inform their customer.

In a way, this is acceptable if the customer is a US corporation; it’s their own government, after all. But for a non-US corporation, normally not subject to the USA PATRIOT act, this may be totally unacceptable and very risky. So, I’m back to my tentative conclusion: would it not be a lack of due diligence for a security professional in a non-US corporation to approve hosting with US providers? In other words, we would have to take a stance against US hosts, or any hosting company with any US-based owner.

Talk about unintended consequences.

So, what do we do? We could either host our own data on our own servers, in our own building. That sounds expensive. Or we could find some hosting provider that is located in a country not subject to US laws, while preferrably not being a dictatorship or unstable in other ways. Or we could have our site hosted in a data haven, such as Sealand. They’ve got a company doing precisely that. There’s a whole story about them in Wired magazine.

2005-07-10: Added the last paragraph about Sealand and HavenCo.