Case study: How the USA PATRIOT Act can be used to access EU data

By Zack Whittaker | April 26, 2011, 7:00am PDT

Summary: ZDNet’s USA PATRIOT Act series: European universities are risking their students’ security by outsourcing to the cloud. A case study.

This is the third in a series of posts that examine the principles governing the transfer of data across borders between the European Union and the United States, and the effect that the USA PATRIOT Act has on businesses, citizens and governments outside the United States. Although this is a U.S.-oriented site and I am a British citizen, the issues I surface here affect all readers, whether living and working inside or outside the United States.

British and European universities are risking their students’ security by outsourcing to the cloud. Here’s a theoretical case study cross-examined with supporting evidence.

[See also: USA PATRIOT Act and the repercussions on the cloud, and Safe Harbor principles designed to protect European data from misuse in the United States.]

Drawing on real-world evidence, testimony from various sources, and printed communiqués between various organisations, including governments and cloud service providers, this post provides the relevant evidence to support the case that European data can be vulnerable to U.S. law.

Though written evidence plays a crucial part in this research, these issues are hypothetical. They are likely to remain that way, since the Patriot Act operates at the highest level of the legal framework. The law is designed to be theorised, tested and debated in the courts. This series of posts is designed solely to raise awareness for future discussion.

Though this case study does not focus on one particular institution, it can be applied to any school, college or university outside the United States that has outsourced communications infrastructure, such as email, to the cloud.

In Europe, there are at least 300 universities with over 5 million students that have outsourced student and/or staff email to Microsoft’s Live@edu service or Google Apps for Education.

A former Microsoft employee explained to me in June 2010 that the UK and the EU believe they have “nothing to worry about” when it comes to the USA PATRIOT Act, because of the “vast geographic distance to the United States”. With regard to numbers:

“Uptake in the UK has been huge. It has been one of the most successful Live@edu adoption areas. But there is something amiss about the issues in Canada.”

One of Google’s customers is the University of Cambridge, which has not only published its contract with Google on its website, but also notes there the existence of the Safe Harbor framework, and the risk of disclosure of data under US law for ‘national security considerations’.


Zack Whittaker, a criminologist who studied at the University of Kent, Canterbury, is a journalist, writer and broadcaster.

Disclosure

Zack Whittaker

I worked briefly with Microsoft UK in 2006 but no longer have any connection with the company. Regardless, I remain impartial and unbiased in my views.

I don't hold any stock or shares, investments or industrial secrets in any company, but have signed confidentiality agreements with a number of UK and U.S. organisations, whose names I am not at liberty to disclose.

I was involved with Kent Union, the University of Kent's student union, undertaking voluntary, non-salaried, elected positions between early 2009 and mid-2010.

No other company, body, government department, non-governmental organisation or third sector organisation employs me or pays me a salary in any capacity whatsoever.

As a freelance journalist, whenever expenses are given and taken by a company that is not CBS Interactive, these will be disclosed in each relevant post to ensure transparency.

I currently work with a UK law enforcement unit, but this is an entirely separate position which bears no connection to other work.

(Updated: 23rd October 2011)

Biography

Zack Whittaker

Zack Whittaker, a criminologist who studied at the University of Kent, UK, is a journalist, writer and broadcaster.

After studying criminology at university, and though still in his early 20s, he has already held a series of unconventional work and voluntary positions. He has worked with researchers studying neurological illnesses like Tourette's syndrome (which he suffers from), has given lectures on the nature of disabilities in the public community, and occasionally ends up speaking on television and radio discussing the events of the day.

He first had academic work published at the age of 22, while still an undergraduate, and has been cited by a wide range of publications, including the Huffington Post, Business Insider, AllThingsDigital, The Atlantic Wire and CBS News.

Talkback (most recent of 21)

  • there is no worry if you give your digital data
    to the US government or google because they are trustworthy and your info won't go into the wrong hands.
    If you give it to somebody else...good luck with that.
    Linux Geek
    26th Apr
  • ZDNet Blogger

    RE: Case study: How the USA PATRIOT Act can be used to access EU data
    @Linux Geek Doesn't quite work like that. Regardless of how trustworthy a company is, if it receives a request under the Patriot Act, it has *no* choice but to hand it over. Trust in a company is entirely negated by this Act.
    zwhittaker
    26th Apr
  • RE: Case study: How the USA PATRIOT Act can be used to access EU data
    @zwhittaker and you actually wasted the time to type that? :) This has nothing to do with sensibility... with a name like Linux Geek I thought you'd know that! ;)
    jessiethe3rd
    26th Apr
  • RE: Case study: How the USA PATRIOT Act can be used to access EU data
    Uptake in the UK has been huge. It has been one of the most successful Live@edu adoption areas. But there is something amiss about the issues in Canada. online masters degree | online associate degree
    jordanhawk
    16th Sep
  • RE: Case study: How the USA PATRIOT Act can be used to access EU data
    @Linux Geek Accepting your premise that said entities are trustworthy today, when management changes, will they still be? That is the rub with this stuff: you want to protect your privacy and liberty from the guy/company you most fear, just in case those guys come to power. That means limiting the power of even the guys you trust today.
    letranger66
    11th Jul
  • RE: Case study: How the USA PATRIOT Act can be used to access EU data
    Thanks for sharing this information, keep up the good work. online doctorate degree | diploma high school
    jordanhawk
    16th Sep
  • RE: Case study: How the USA PATRIOT Act can be used to access EU data
    That is the rub with this stuff: you want to protect your privacy and liberty from the guy/company you most fear, just in case those guys come to power. online doctorate degree | diploma high school
    jordanhawk
    16th Sep
  • RE: Case study: How the USA PATRIOT Act can be used to access EU data
    @Linux Geek is Google that safe? Look at the recent Google Places incident. texas real estate attorney
    esm2012
    24th Sep
  • It doesn't have to be
    If the data is outsourced to *any* multinational company that falls under US jurisdiction (eg. IBM, HP, Accenture) then the Patriot Act can be used to access the data. This includes data centers located in the EU, so the data does not even have to "cross a border" to be compromised. Assume that if your data is accessible by a company that has an office in the USA, your data can and will be turned over if the Feds demand it. And note that you will never be informed that it is happening, so you have no opportunity to appeal.
    terry flores
    26th Apr
  • Just to add in...
    Any BRITISH, Japanese, German, Chinese, or INSERT COUNTRY NAME HERE based company that has an operating arm in the US is also applicable under the US Patriot Act. Yahoo Mail, Hotmail, and Gmail accounts are also applicable to the US Patriot Act.

    This Act has reaching consequences both far and wide. Most is hypothetical but the US Patriot Act still stands as the largest invasion of privacy in the history of the world.

    Regardless of what you think, however, Canada, the UK, most countries in the EU, Japan, and many other countries have the exact same style of laws. Simple fact is the US has the headquarters of some of the largest companies in the world which leaves a lot of data open to the Act.
    jessiethe3rd
    26th Apr
  • Source?
    @ jessiethe3rd

    Can you point to a source confirming this? I do know that merely operating in the US (or EU) places a firm under the jurisdiction of US (or EU) competition law, but does this also apply to privacy law, and laws such as the US Patriot Act?

    I think you're right, since there have been a lot of complaints about Google's violations of German privacy law, but I'd very much like to have a reliable source to confirm it.
    WilErz
    27th Apr
  • ZDNet Blogger

    RE: Case study: How the USA PATRIOT Act can be used to access EU data
    @WilErz You'll find in the post (and the previous two) supporting evidence to show Canada and the UK having similar laws. It's just worth noting -- who has the more powerful government, and where are the vast majority of technology/cloud companies based? The US...
    zwhittaker
    27th Apr
  • RE: Case study: How the USA PATRIOT Act can be used to access EU data
    @ zwhittaker

    Thanks for the comment, but what I'm actually wondering about is whether or not an EU firm operating in the US (or with a wholly owned subsidiary in the US) would also be subject to the US Patriot Act. If so, then even outsourcing to an EU-based cloud provider would have the same impact (if they also operate in the US or wholly own a subsidiary there) as outsourcing to a US-based one.

    Also, with Google, I'm not sure if German privacy law only covers their actions within Germany (e.g. sending round vans to photograph everything without permission) or if the actions of the parent firm in the US are also subject to German law.
    WilErz
    27th Apr
  • RE: Case study: How the USA PATRIOT Act can be used to access EU data
    If it keeps the US safe from another 9/11 type of attack (or worse), it's fine with me. What is everyone so worried about....makes me wonder what you have to hide....
    willowreed@...
    26th Apr
  • ZDNet Blogger

    RE: Case study: How the USA PATRIOT Act can be used to access EU data
    @willowreed@... I thought you might say that -- which is why I wrote this the other day. Everyone has *something* to hide -- including you. http://www.zdnet.com/blog/igeneration/privacy-is-innately-flawed-nothing-to-hide-does-not-exist/9577
    zwhittaker
    27th Apr
