America reacts to 9/11: Why I began investigating the Patriot Act

America reacts to 9/11: Why I began investigating the Patriot Act

Summary: A personal telling of my experience of September 11th, 2001, and the subsequent battle to unravel the post-9/11 Patriot Act's reach to Europe and further afield.

SHARE:

September 11: Ten years afterIn this personal account, I reflect back ten years almost to the day, when the world changed as a result of the September 11th attacks. A month later, the USA PATRIOT Act was signed into law. A visit last year to the city which suffered the foulest of all terrorist attacks, opened my eyes to the Patriot Act and its reach to Europe and further afield.

September 11, 2001 -- Nottinghamshire, U.K.

As I approached my family home as I returned from school, my mother stood at the door with a red, puffy face. She had been crying.

I was two weeks away from turning thirteen years old. A split second of inconceivable thought crossed my mind. I thought my father had died.

She told me to come into the house and told me: "America is under attack.". The BBC had interrupted its broadcast stream -- something I vaguely remembered happening a few years before -- when I was much younger, as I was watching cartoons in the living room. Princess Diana had died, and "all programming was suspended."

I saw footage of a plane gliding through the sky, before it exploded upon impact between these two large, unidentifiable buildings. I had no idea what the World Trade Center was, but knew that the Twin Towers -- something covered in school only a week before -- were two of the largest buildings in the world.

It was around 3:40 p.m. in Nottinghamshire, England. I had just finished school for the day. By this point, it was approaching 11 a.m. in New York City. The towers had already collapsed. Thousands were dead in the less than ten seconds it took for the towers to crumble to the ground.

I stood there gazing at the television with only one thought crossing my mind. At that point, I murmured: "This will bring us to World War 3, won't it, mum?"

A world without Facebook, or Twitter, and barely mobile phones -- the technology that we now take for granted was a world away. New York City to me was a world away. The events that day, to the people in Manhattan, were a world away from what they were used to.

The world changed in the space of three hours.

June 10, 2010 -- New York City, U.S.

I sat in a bar on East 30th Street with my colleague Mary Jo Foley, and a mutual friend Jon Honeyball, contributing editor to PC Pro.

Many discussions were banded around, and we laughed. How we laughed. As we shared bread and olives, something Jon said pricked my ears.

"Say you have a student at college, who has an Arabic name. Sure, he is born in England and has a U.K. passport and nationality, but his parents are Iranian".

"The student goes on holiday to Florida to visit Disneyland. But he gets detained at immigration, without warning or even suspicion. He doesn't know why he is stopped, and nobody tells him why".

"He is doing research into statistical modeling of nuclear reactions and is co-funded by a public sector organization, run by a branch of the U.K.'s chief laboratory", he added.

"But the U.S. decides, wrongly, that he is hostile and of interest."

In a post-9/11 world, we hear stories of law enforcement's institutional racism and ethnic profiling at airports. Whether it truly exists, we have no way of truly knowing.

"The U.S. government can wave the Patriot Act legislation at Microsoft, a U.S. headquartered company, which handles the email of that students' college. Microsoft hands it over, but is gagged from telling the college that this is happened."

I was still unclear of the implications. This was the first time I heard of the Patriot Act, the U.S. counter-terrorism legislation that was brought in a month after the September 11th attacks. A political 'martial law', I believed.

I had to go outside for a cigarette.

This naive, young writer had never even considered that a law from another government could infringe the rights of a foreign national in this way.

I made Honeyball a promise that I would investigate this. I left that evening feeling empowered but equally disheartened. I could not believe that governments could force companies like Microsoft, Google and other cloud-service providers to act in this way.

Honeyball pointed me in the right direction. He had covered this extensively before, and had heated discussions and conversations with many about this. But while he and so many others suspected foul play, it was all but impossible to prove.

June 17, 2010 -- Canterbury, U.K.

After a long week of semi-sleepless nights, I found a crucial discrepancy between two statements late into the evening.

Microsoft, to which I had a good working relationship with, was the focus of my investigation. My college around the same time, the University of Kent, had announced that it was switching to Microsoft's Live@edu service -- the outsourced communications platform -- now known as Office 365.

I had a source. This person has the highest level of trust possible in my books. I trusted everything that this person said, because they had laid down their career, their financial security, and potentially their freedom, to disclose something extremely damaging to the global technology industry.

This person handed me a document, which showed a contradiction between what Microsoft was publicly saying and what it knew about the Patriot Act and gagging orders, known as National Security Letters.

Concerned initially for my university -- my colleagues and friends I studied with, and my own personal data security, regarding my institution's imminent contract signing with Microsoft's U.K. subsidiary -- I acted probably before I should have.

I presented this to Julia Goodfellow, vice-chancellor at the University of Kent, who all but dismissed my claims, stating that, "Safe Harbor is enough to protect our data." Whether I had failed to adequately explain the situation as well as I could have done, only a week after discovering the initial issue, or whether her institution that was already suffering at the helm of a global recession, could simply afford to ignore this student for the sake of financial security, I did not know.

I begged her not to sign the contract.

Two months later, our email had been outsourced. Such an action immediately put 19,000 fellow students at my university at risk from having their data intercepted by U.S. authorities. Considering we are an international university, with a good proportion of students studying from the Middle East and further afield, who knows what repercussions they could face.

A few days after, I received "assurances" from the director of IT services at my university following my meeting with the university chief, stating that the lawyers had explored all avenues in relation to data protection and European data laws.

But I was not convinced. My source already gave me enough evidence for me to pursue this until the bitter end.

October 20, 2010

After months of work, I had managed to drown myself through stacks of paper in my office. I had spent many nights crying, frustrated and annoyed at the lack of clarity I was getting from obnoxious lawyers and members of legal counsel from all sides.

It all came down to asking the right questions; a process that is far more difficult, I assure you, than it sounds. There were people out there who were on my side, but could not declare it, and could not go beyond their brief.

After months of research, I settled on "the questions" I wanted an answer to. After a number of correspondence between the U.K.'s data protection agency, the Information Commissioner's Office, I had it nailed down to one "perfect question".

I was out for a friend's birthday, when I received the reply. It was the turning point in my year-long investigation, for which I then published as crucial evidence as part of the Patriot Act series.

"The US PATRIOT Act could be used to get EU-sourced information from a U.S. company. If the U.S. company approached the EU company with a request for the information, then the EU company would have to consider whether to disclose the data."

That was it. My work, after months of inconsolable stress, was given carte blanche by an agency on behalf of the British government.

I began to write. I wrote, and wrote, and couldn't not stop. But I was aware that this would be no more than an elaborate, convoluted but crucial theoretical framework. I could not prove, no matter how hard I tried, but I could hypothesize.

My editors reviewed my work for months; scrutinizing it at every step. Eventually, a timeline was given, and it was rolled out into the public domain.

June 28, 2011 -- London, U.K.

Annoyed at the lack of publicity my Patriot Act series had received, I felt disparaged by the lack of anger other people did not seem to feel. When your data is at risk, why are you not as annoyed as I am? How dare you?

But it would not deflect my need to validate the theory I had spent so long to build upon.

I was invited to attend the launch of Office 365 in London. Microsoft, for some reason, allowed me to attend, even though I believed, perhaps in a slight sense of paranoia, that I had blown open their entire cloud-based industry. By publishing a deeply complex theory that showed the European cloud, and further afield, was not safe from the U.S. intelligence services and law enforcement authorities, I questioned why they had asked me there in the first place.

I was turned away due to my obsessive-compulsive nature to be early for any event. It was raining, heavily.

I was annoyed, and walked around the corner -- ironically directly past Thames House, the building of the British domestic intelligence service, MI5 -- and bought a coffee from the shop nearby.

I flipped a coin -- something I do often when I am tied between something -- to determine whether I should even go back. Flip, land, "heads". I decided to go back. It was a decision that, had I not gone back, I would have missed the moment I had been waiting for.

I met Jack Schofield, Guardian newspaper veteran and ZDNet columnist, at the event. We had conversed many times before, but never in person.

After nearly an hour of discussion, he knew also of the reach of the Patriot Act in Europe, and I told him of my work. I mustered up the courage to tell him of my plan. It was not a well-thought out plan, but I told him of my question -- another question, which would end up changing the world, in part, again.

I told Jack: "Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances -- even under a request by the Patriot Act?"

An hour later, at the question-and-answer session shortly after the Office 365 presentation, my heart was throbbing. I could feel my arm aching. Now is not the time, for either a heart attack or a panic attack, I thought.

I signaled for the microphone, and was handed it shortly after. I asked the question, and I received my answer.

"Microsoft cannot provide those guarantees. Neither can any other company", said Gordon Frazer, managing director of Microsoft U.K.

That was it. I sat down, shaking, and thought: "This is going to change a hell of a lot of stuff".

I went outside to breathe. I rang my colleague Mary Jo Foley, for who was in the bar over a year ago. She did not answer; she was at the same Office 365 event in New York with colleague Ed Bott. I sent her a text message.

"It took me a year but I proved it."

September 6, 2011 -- Brussels, Belgium

It has been nearly three months since I proved the theory. Like all scientists, I suspect along the way I have gone a little mad through the constant work and legal debauchery.

The work went on to spark a war of words: a full-on diplomatic outrage between the European Union of countries, and the United States.

The EU wanted answers, and rightfully so. The United States, the leader of the free world, is taking advantage of its position in a post-9/11 state of vulnerability, and our laws of data protection are worth nothing.

The European Parliament cited the work that both I, my editors had helped write, and Jon Honeyball had help inspire. Work is under way to gain clarification on the laws, which govern European data protection and transatlantic data transfer.

Though now, my work is over, the governing body of all of Europe's 27 member states has taken the reigns from this mere mortal columnist, and will pursue this until a time for which it can be said that cloud stored data in Europe, is safe from American hands.

How it all unfolded:

The teaser:

The theory:

The proof:

The aftermath:

Topics: Social Enterprise, Government, Government UK

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

17 comments
Log in or register to join the discussion
  • Message has been deleted.

    bmeacham98@...
  • Extra Judicial Jurisdiction Has Existed Long Before the Patriot Act

    You are at greater risk of having your information illegally purloined by wikileaks activists than lawfully gathered by any provision of the Patriot Act.
    Your Non Advocate
    • Maybe so, but...

      @facebook@... <br>...if my country needs my data, my preference would be for a uniformed deputy US Marshal to come to my door with a search warrant. I would then *voluntarily* hand over everything listed in the warrant while the Marshal watched me get it.<br><br>That probably makes me old fashioned, but that's the contract. Having my ISP hand my data over in secret is, to me, unacceptable, so I'll minimize what I keep on line, thank you.
      John L. Ries
  • RE: America reacts to 9/11: Why I began investigating the Patriot Act

    I live in Canada and work for a Canadian company. Our web services provider was bought out by an American company. Because of your series, we switched to a Canadian-owned provider in Canada. We don't feel we have anything worth hiding, but it was very much the principle of it all.

    Thank you for all of your hard work.
    mheartwood
  • If you don't like it, build your own

    If you are that upset that a US based company is putting US law about EU law, especially when there are criminal sanctions on the line, then nothing is stopping you from creating an EU based cloud provider. Of course it sounds like that the author would still be upset even if a court issued a warrant. The fact of the matter is, either through chance or better regulatory environment, all of the major cloud providers are US based.
    thomasa@...
    • Depends on the court..

      @thomasa@...

      If it was a US court which issued an order to turn over his data, which resides on a server outside the US, controlled by a company outside the US, and the provider complied, he would have every reason to be upset.

      The US courts and US law does not should not have any jurisdiction outside the US. Period.

      Even if the cloud provider is a subsidiary of a US-based company, if the data is housed outside the US, and the subsidiary operates outside the US and provides services to non-US residents, then the Patriot Act should have no effect - there'd be no legal reason that the subsidiary should have to hand over the data, and I would bet there would be a legal challange waiting for any cloud provider who did.
      daftkey
      • BTW - I'm referring only to wholly-owned subs here.

        @daftkey .. There is a different story at play if the sub is simply an extension of a US-based corporation - they wouldn't be fully independent.

        What I'm referring to here is a subsidiary which is set up as a corporation and registered in another country, whose major shareholder just happens to be the US-based parent.
        daftkey
      • So if a US corporation elected to store all of its data in Monaco...

        @daftkey
        ...then they should be immune to search warrants issued by any state in which they do business (including the one that issued its charter), except for Monaco?

        Can you say "flag of convenience?" I knew you could!
        John L. Ries
      • No.. but a Monaco corporation owned by a US parent..

        @daftkey

        Depending on the relationship between the corporation and Monaco and the US parent. If the US parent is simply a shareholder, and the Monaco corporation is otherwise an independent entity which operates, is managed, and does business outside the US, then yes, it should be immune to US law, and all other laws in areas where it doesn't have any reach.

        To make it more relevant to the current topic, if Microsoft spins off an independent "Office 365 Europe inc.", remains its sole shareholder, but otherwise builds a head office in Brussels, builds a data centre in London, and excludes US customers from its services, the Patriot Act should have no bearing on it whatsoever.

        I understand this would create, as you call, a "flag of convenience" scenario, but moving operations outside a country in order to avoid that country's laws is hardly a new thing (wonder why we import so many goods from China which are otherwise "American" brands?)
        daftkey
      • RE: America reacts to 9/11: Why I began investigating the Patriot Act

        @daftkey

        "I understand this would create, as you call, a "flag of convenience" scenario, but moving operations outside a country in order to avoid that country's laws is hardly a new thing "

        OK, so you acknowledge that nations have laws already on the books for the very things that the Patriot Act does not even create - but extends. This ensures that Nazis do not keep the jews gold and US billionaires can no longer hide money in Switzerland.

        You have the right to find a rogue safe haven nation for your data -- such as Righthaven. However, just as Righthaven was treated as a pariah nation and functionally disconnected from the rest of the world by ISPs, so too would such a nation state that thinks it cannot cooperate with its fellow nations.
        Your Non Advocate
      • Since you're talking &quot;should&quot;...

        @daftkey
        ...if you were "World Emperor" for a day, what principle would you write into international law to cover the case? And how would you prevent it from interfering with legitimate law enforcement efforts?

        Your existing response covers how you think corporations should be able to evade laws they find obnoxious, which really isn't the same thing.
        John L. Ries
      • The reach of laws vs. the sovereignty of nations..

        @John L. Ries and @Facebook..

        <i>OK, so you acknowledge that nations have laws already on the books for the very things that the Patriot Act does not even create - but extends. This ensures that Nazis do not keep the jews gold and US billionaires can no longer hide money in Switzerland.</i>

        I will ackowledge this, yes, and I'm in agreeance that nations should and do cooperate with each other, just for the reasons you've mentioned. But you're still talking about a nation enforcing its own laws, and making those laws line up with the laws of other nations with which they are cooperating.

        I'm talking more about the heart of Zach's concerns with the Patriot Act (a US law, not an English law) and its reach outside of US borders, and it's effect on non-US citizens.

        For instance, in Canada, we have an act similar to the Patriot Act, however it is not nearly as far-reaching, and much of it is balanced by rights granted by a previous legislation (Freedom of Information and Privacy). A Patriot-Act type of data request wouldn't fly if it were handed to a Canadian corporation, as it violates Canadian law.

        The "Should" that I mention is this scenario - Microsoft has a data centre in Toronto, run by "Microsoft Canada" which is a Canadian corporation, owned by Microsoft Corporation. In all legal respects, it is a Canadian entity. If Microsoft is handed a request for data citing the Patriot Act, and it hands over data from a Canadian customer, residing in their Canadian data centre owned by Microsoft Canada, that customer "should" have recourse against MS Canada within the bounds of Canadian law.

        As seems to be the case now (and where Zack is most concerned), is that Microsoft can now "hide behind" the Patriot Act as a reason for handing over that data. This should not be possible in any country other than the US.
        daftkey
        • RE: America reacts to 9/11: Why I began investigating the Patriot Act

          @John L. Ries<br><br><i>...if you were "World Emperor" for a day, what principle would you write into international law to cover the case? And how would you prevent it from interfering with legitimate law enforcement efforts?<br><br>Your existing response covers how you think corporations should be able to evade laws they find obnoxious, which really isn't the same thing. </i><br><br>It's funny that you'd ask what I would do if I was "world emporer" because the point I'm trying to get accross is that this is the situation I would most like to avoid.<br><br>Read my post above for a bit more information, but in a nutshell, my answer is that the law enforcement of one country has jurisdiction *in that country*. Outside of that country, they have to rely on the laws and enforcement agencies of whatever other country they are dealing with. <br><br>I use Corporations as the example because the corporate structure is really where this all becomes a problem. It's easy to say "if you're a person living in England, then I'm obviously subject to English law". Corporations are a bit different in that they are still independent entities and subject to the laws for the countries in which they do business, which in itself I'm not really all too concerned about (neither are you, apparently). But as a "CUSTOMER" of these corporations, I am all of a sudden exposed to laws in a country for which I've never lived, visited, or even intend to in the future.
          daftkey
  • Finally a true journalist, he does exist...

    Great work Zack. La ringrazio per i vostri sforzi illuminare le persone.
    mario@...
    • RE: America reacts to 9/11: Why I began investigating the Patriot Act

      @mario@... Thankyou for the lovely words. Means a lot.
      zwhittaker
  • RE: America reacts to 9/11: Why I began investigating the Patriot Act

    At the time it was passed I thought the Patriot Act was a stupid idea with a weaselly name (it's high school level acronym actually -- look it up). Nearly 10 years later I now think I was too kind in my description of it back then. Law enforcement may like it, but that's because the Act let's them take shortcuts, i.e., be lazy about minding the Bill of Rights and personal privacy; however, as far as I can see, the exact same results can be achieved with old fashioned, straight-up investigation and heads up police work. Yeah, that takes more effort because of all those darn Constitutional protections you have to take in account, but....the people who wrote the Constitution got to that point by having to deal with a much greater threat than 19 suicidal religious zealots.

    The argument that things are somehow more dangerous in these times than when this country's founding fathers rebelled against what was at the time the most powerful nation on Earth was, is, and will always be disingenuously stupid. People with weak ideals and weaker convictions will always find excuses to do bad things or to allow others to do bad things.
    JustCallMeBC
  • RE: America reacts to 9/11: Why I began investigating the Patriot Act

    Sounds like he patriot act would justify banning all US companies from the rest of the world
    redking44