Da
http://www.zdnet.com/yes-u-s-authorities-can-spy-on-eu-cloud-data-heres-how-7000010653/?s_cid=e540
Yes, U.S. authorities can spy on EU cloud
data. Here's how
Summary: EU citizens and businesses are warned against using the cloud over
the risk that U.S. law enforcement and intelligence agencies can obtain your
personal records. Here's how the U.S. can acquire your data, even if you're
based in
the EU.
Zack Whittaker
By Zack Whittaker for Between the Lines | February 1, 2013 -- 15:26 GMT (07:26 PST)
Follow @zackwhittaker
patriot-act-banner-btl-zaw2 (1)
The U.S. government's law enforcement and intelligence agencies can access
cloud stored files in Europe—such as medical and financial records, business
secrets and dealings, and even government documents—in spite of seemingly strong
EU data
protection laws.
Sound vaguely familiar?
Former Microsoft privacy chief Caspar Bowden, speaking at a panel discussion
in Brussels this week, warned that U.S. law allows the government to spy on
non-U.S. citizens files and documents, and that new Europe-wide data protection
law
proposals specifically allow such surveillance.
More from CBS News
Patriot Act can "obtain" data in Europe, researchers say
Dutch researchers believe EU data stored on the Web can be obtained by U.S.
authorities, despite EU data protection laws
Bowden told the panel that anyone outside the U.S. who uses cloud
products—such as Amazon, Apple, Microsoft, Google products, including businesses
that outsource their infrastructures to keep
costs down—are at risk of being spied on by the U.S. government.
"It doesn’t have to be a political party," he told attendees. "It can be an
activist group or anybody engaged in political activity, or even just data from
a foreign territory that relates to the conduct of foreign affairs in the United
States."
He also warned that the new EU Data Protection Regulation, which will be
voted on by members of the European Parliament later this year, introduces
"loopholes" that permit foreign state spying. He warned that U.S.-based Internet
giants—such
as the aforementioned, are forced into handing over data on European citizens
when required, or they could face sanctions or prosecution.
But, it's actually not that much of a secret anymore.
After close to two years of research in the land of 'extra-territorial'
legalese, I published a well-thought out theory, which closely detailed how a
European company could be forced to hand over data to a third-country, such as
the United
States, without going through the proper legal channels.
This would, if proven correct at the so-called "World Court," the
International Court of Justice in The Hague, be a breach of international law.
The reason is that law enforcement or government agencies must use so-called
"mutual legal assistance" (MLA), the formal process of asking a foreign
government for citizen data to help with an active law enforcement
investigation. Many
countries have MLA treaties in place to help other countries out with
investigations in their own countries.
But in doing so, it would mean that the requesting government may have to
dish out even a small amount of intelligence to suggest that something, like a
terrorist attack, could be in the works. And, governments like the U.K. and
U.S., like to
hold their intelligence cards closely to their chest.
According to a European Commission spokesperson:
No legal acts of a third country as such can legally overrule the relevant
EU legislation or Member State legislation, and this includes data protection
rules. Any processing of personal data in the EU has to respect the applicable
EU data
protection law.
If, for example, a U.S. law enforcement authority requires information from
companies operating in the European Union, whatever the nationality of those
companies, they have to use existing channels of cooperation and mutual legal
assistance agreements
In a nutshell: Use the official mutual legal assistance channels, or don't
bother at all.
After this was published, Microsoft U.K. managing director Gordon Frazer
became the first European regional chief of a major technology company to admit
that no company could guarantee that data stored in Europe would not be
transferred out
of the 27 member state bloc under a third-country government's request.
Theory proved, one thought. But that wasn't enough.
A group of Dutch law academics at the University of Amsterdam's Law School
also took this theory and ultimately concluded that it was accurate. A country
outside the EU—such as the U.S.—are able to 'steal' sensitive and personal data
from a
European company and pass it back to their own government for their
intelligence services to sift through.
For whatever reason, it doesn't matter. Intelligence services do a lot of
strange things, such as planting cupcake recipes on terrorist's bomb-making
forums.
Before we get on to the "how," it's worth exploring the "why."
A brief history lesson
The key to the U.S.' power to access cloud-based content abroad? The Foreign
Intelligence Surveillance Act, or FISA, first passed by Congress in 1978 and
amended by the Patriot Act in 2001, just a month after the September 11
terrorist attacks,
gives the U.S. government even more power to acquire data on U.S. citizens
and those abroad. The law was created at a time before cloud computing even
existed.
But the problems began, unwittingly, when a disparity in the law quietly
emerged in 1995 when the European Commission ratified the European Data
Protection Directive, which was meant to protect the 500 million strong
population of the
European Union against third-country laws.
When FISA was last amended in 2008, a bevy of provisions were added that gave
the U.S. government the power of mass surveillance, and specifically targeting
data outside the U.S. on non-U.S. citizens. This power, known as 'section
1881a',
also applied to cloud computing, and according to the American Civil
Liberties Union (ACLU) it targeted citizens "without any individualized review,
and without any finding of wrongdoing."
Read this
Yes, the FBI and CIA can read your email. Here's how
Yes, the FBI and CIA can read your email. Here's how
"Petraeus-gate," some U.S. pundits are calling it. How significant is it that
even the head of the CIA can have his emails read by an albeit friendly domestic
intelligence agency, which can lead to his resignation and global, and very
public
humiliation? Here's how.
* Read more
Most of these powers in section 1881a were already defined in earlier
versions of FISA, according to a report by the European Parliament last year,
but the "conjunction of all of these elements was new." The amendments were set
at the end
of 2012, but were extended by Congress with only hours to spare.
According to the Electronic Frontier Foundation (EFF), in 2007 there were
2,370 applications for wiretaps under FISA. While the "FISA wiretap risk is
very low, as is the risk of being subjected to a secret physical search under
FISA," the
privacy organization says: "The risk of having records about you secretly
subpoenaed under FISA is much higher, but if it's your communications records
the government is after, they're more likely to use a [gag order]."
Section 1881a remains the legal playbook in which the U.S. government and its
law enforcement agencies are allowed to acquire data on non-U.S. citizens, so
long as they can reasonably access it.
In a nutshell, if you live in Europe or anywhere else outside the U.S. but
use services that are based in, or by a U.S.-based company, such as Apple's
iCloud, Google Drive, or even Facebook, then your data is free for inspection by
U.S.
authorities.
The trouble is nobody in power in Europe knew about this until Microsoft
U.K.'s managing director inadvertently said something that pricked up the ears
of journalists in the room, ironically at the launch of the software giant's
cloud
productivity suite, Office 365, in London two years ago.
You might think, "ah, but my data is stored in an European data center."
Correct, but f you're a European citizen or a resident in one of the 27 member
states, it's likely that your data that is hosted by a U.S. provider has your
data on
European soil.
But it doesn't mean you're safe from third-country snooping. It just means
other governments have to use a slightly less international legal method of
acquiring that data.
Here's how it works
Let's take a fake company—not just to avoid getting sued—but also for the
sake of simplicity and playing fair. After all, this applies to any U.S.-based
company with a presence in Europe or further afield, such as the aforementioned
Amazon,
Apple, Google, Microsoft, Facebook, and even Twitter.
Slicklizzard U.S. Corp. is a U.S.-based technology giant that focuses its
efforts in providing data storage to companies in the northern hemisphere. Its
headquarters contains a U.S. data center for North American customers. To serve
its
European counterparts and to comply with EU laws—essentially keeping EU data
within the 27 member state bloc—the company has a wholly owned London,
U.K.-based subsidiary called Slicklizzard U.K. Ltd., which owns a data center in
Dublin,
Ireland, a European Union member state.
This set up may be familiar to those using services from real-life companies.
Read more
European Commission 'in denial' over Patriot Act loophole
European Commission 'in denial' over Patriot Act loophole
Exclusive: One prominent member of the European Parliament describes how the
Commission is effectively in denial over the reach of U.S. law on European
citizens.
* Read more
The U.S. government sends a FISA warrant to Slicklizzard U.S. Corp. A FISA
court, which has no public record and convenes in secret, must receive "probable
cause," which could be as simple as requesting documents or records "for" an
intelligence or terrorism investigation. In reality, these warrants could be
for people even multiple degrees of separation from a "suspected"—not
convicted—terrorist.
Attached to the warrant is a so-called National Security Letter (NSL), which
is for all intents and purposes a 'gagging order,' preventing the company from
disclosing the warrant to anyone—including its subsidiaries or offices around
the
world.
Slicklizzard U.S. Corp. can either do one of two things: fight the warrant
and argue it's a violation of First Amendment rights, which some courts have
found and have overturned the gag order; or do nothing and simply comply with
the order.
It's far easier and simpler to go with the latter. After all, there's a gag
order in place. Nobody will find out.
The FISA warrant is requesting details of a "suspect," for now, let's call
him John Doe, who the U.S. government's law enforcement agencies want to
investigate as part of a terrorism investigation, a common request under FISA.
John Doe lives in Germany and hosts his private and confidential data in
Slicklizzard U.K. Ltd's data center in Dublin, because Doe is a European
citizen. Seemingly, the FISA warrant cannot reach Doe because it is outside of
the jurisdiction
of the U.S. company, but it's not.
Slicklizzard U.S. Corp. is obliged to carry out the warrant, or face
sanctions to its U.S. office. It can either face prosecution by U.S. authorities
or a minor slap on the wrist and a meager fine from EU authorities if they find
out, but
because there's a gagging order in place, how could they?
So, Slicklizzard U.S. Corp. instructs its subsidiary—which it wholly owns,
and therefore can order its London-based subsidiary to carry out actions,
without reason or prior warning, to send all of Doe's data from its Dublin data
center to
its U.S.-based data center. All this, and it can't tell its London subsidiary
what it's for or face sanctions in the U.S. for breaking the gagging order.
This is legal through the U.S.—EU Safe Harbor agreement, in which a U.S.
company must treat the data with the same level of protection as the EU-based
company. However, Safe Harbor does not protect against FISA warrants.
The moment it lands in that U.S. data center, it falls under U.S. legal
jurisdiction and can be acquired by U.S. authorities. The data is then sent to
the requesting agency which requires the data.
And that's how the U.S. government, and other governments where their laws
can supersede the laws of others, particularly if that company can face
sanctions under that state's laws, can acquire data on Europeans and further
afield without using
the internationally legal "mutual legal assistance" treaties.
Now apply this scenario—actually, quite a simple scenario—to any of the
aforementioned companies. From your iTunes collection to your personal Dropbox
storage, your Google Gmail or Microsoft Office 365 company data, all the way
through
to your hidden Facebook and Twitter information, activity and searches.
We don't know if it has happened or will happen, because these FISA warrants
are secret and data is limited. All we do know, however, is that it can happen.
Think twice before you put your data in the cloud.
Topics: Cloud, Government US, Legal, EU
Zack Whittaker
About Zack Whittaker
Zack Whittaker writes for ZDNet, CNET and CBS News. He is based in New York City.
Google+ Follow @zackwhittaker Contact Disclosure
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
