Microsoft admits Patriot Act can access EU-based cloud data

Microsoft admits Patriot Act can access EU-based cloud data

Summary: Microsoft's U.K. head admitted today that no cloud data is safe from the Patriot Act, and the company can be forced to hand EU-stored data over to U.S. authorities.

SHARE:

Editor's note: This article was first published in June 2011. This ultimately sparked a transatlantic dispute over the sovereignity of data, and ignited a change in European data protection and privacy law. In June 2013, the NSA's domestic and international surveillance program was uncovered. The article you are now reading showed back in 2011 that the Patriot Act's reach is not limited to the U.S., and can affect EU citizens and those around the world. University law researchers also confirmed this was the case. We also invite you to read why ZDNet began investigating the Patriot Act.

LONDON, U.K. — At the Office 365 launch, Microsoft U.K.'s managing director Gordon Frazer, gave the first admission that cloud data, regardless of where it is in the world, is not protected against the Patriot Act Act.

After a year of researching the Patriot Act's breadth and ability to access data held within protected EU boundaries, Microsoft was the first cloud provider to openly admit it.

The question put forward:

Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?

Frazer explained that, as Microsoft is a U.S.-headquartered company, it has to comply with local laws (the United States, as well as any other location where one of its subsidiary companies is based).

Though he said that "customers would be informed wherever possible," he could not provide a guarantee that they would be informed — if a gagging order, injunction or U.S. National Security Letter permits it.

He said: "Microsoft cannot provide those guarantees. Neither can any other company."

While it has been suspected for some time, this is the first time Microsoft, or any other company, has given this answer.

Any data which is housed, stored or processed by a company, which is a U.S. based company or is wholly owned by a U.S. parent company, is vulnerable to interception and inspection by U.S. authorities. 

Microsoft previously opened up its Online Services Trust Center which explained in great detail how data was managed, handled and if necessary, handed over to the authorities.

Related:

Also read ZDNet’s Patriot Act series:

Topics: Government US, Collaboration, Government, Government UK, Microsoft, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

43 comments
Log in or register to join the discussion
  • RE: Microsoft admits Patriot Act can access EU-based cloud data

    There is no surprise here, you are reporting on activities that have been going on since 2004. The only difference between outsourced and cloud exposure is that, when your data is in a specific datacenter, you at least know who might get access to it. If you have stuff in an IBM DC in Germany, you know who can look at it:
    - US (all Federal agencies via Patriot Act)
    - Germany (Bundespolizei and Bundeskriminalamt)
    - EU (Interpol and 17 associated organizations).

    But in the cloud, you really have no idea where your data resides, it could be sitting on a server in Shanghai, which means that any number of Chinese local and national groups could demand access, including the PLA. Once again, you have no idea if such access is happening, because the hoster is prevented from informing you.
    terry flores
    • RE: Microsoft admits Patriot Act can access EU-based cloud data

      @terry flores That's not true. Every cloud-based service I've used has been very upfront about where my data is stored. I have server in GoGrid's California data centre, and many cloud backup solutions not only let you choose with cloud storage provider to use, but also which of those provider's data centres (e.g. Amazon's UK data centre).

      Not all vendors provide this information, but many (if not most) do.
      dereksilva
      • RE: Microsoft admits Patriot Act can access EU-based cloud data

        @dereksilva
        Yes, that's true, but if Amazon's UK data center goes down, your data will be in another data center, possibly in a different country or even continent. Your provider doesn't ask you where to DR your data, they ask where to store your data. There's a difference.
        swmace
      • Derek's right..

        @swmace

        You are talking tosh. AWS' datacenter is in Ireland and they are very public on the fact that they don't move your data from where you put it. The US East problems a month back prove that.
        notanothercomment
      • RE: Microsoft admits Patriot Act can access EU-based cloud data

        @dereksilva

        [i]Every cloud-based service I've used has been very upfront about where my data is stored.[/i]

        I think you misunderstood. What "the hoster is prevented from informing you" is the fact a government agency is snooping your data. The OP is right.




        :)
        none none
      • RE: Microsoft admits Patriot Act can access EU-based cloud data

        @dereksilva
        The exception would seem to be Google, who persist in refusing to define where your data is stored. It may be that they really don't know, because the storage is all virtualised and striped across continents. That might be good engineering, but as usual they ignored the need to think about privacy and data protection laws.
        A.Sinic
      • RE: Microsoft admits Patriot Act can access EU-based cloud data

        I was under the impression my data is stored in EU and subject to EU laws. Hosting providers should be more transparent as to exactly who can access the data, just out of respect to their customers.
        Johnath
      • RE: Microsoft admits Patriot Act can access EU-based cloud data

        @dereksilva that's true, but if Amazon's UK data center goes down, your data will be in another data center, possibly in a different country or even continent. Your provider doesn't ask you where to DR your data, they ask where to store your data.
        fise
      • RE: Microsoft admits Patriot Act can access EU-based cloud data

        @dereksilva Bogus
        Todd Lillitch
      • RE: Microsoft admits Patriot Act can access EU-based cloud data

        @dereksilva

        This kind of thing is why I don't see cloud computing being completely practicle at the moment. Businesses do not want their sensitive business information being compromised due to vulnerabilities and limitations associated with cloud computing. And of course people do not want their personal information and files floating about in the cloud ready to be taken advantage of by computer exploits etc.
        Until they can create a cloud network that is truely 100% secure I really don't see it being adopted any time soon on a significant level. And as mentioned in this article, litigation makes it such that this information is never truely protected.
        On a more positive note at least Microsoft admitted to it unlike other firms that do whatever they can not to give an answer to these types of questions.
        M4ylee
    • RE: Microsoft admits Patriot Act can access EU-based cloud data

      @terry flores
      Surely these companies that supply cloud servers should comply to the local legislation of the country that they reside.
      paulmillard
  • RE: Microsoft admits Patriot Act can access EU-based cloud data

    And Safe Harbour can gain access to your information.
    If you use Google same goes.

    Choice is - go public cloud or use a hoster and get private cloud... same situation.
    jessiethe3rd
  • We've always told our customers this...

    That's why my published research on cloud storage and cloud backup states very explicitly that you have to use a non-US based company, in addition to a non-US data centre, for storing your data if you don't want it subject to the PATRIOT Act.
    dereksilva
    • RE: Microsoft admits Patriot Act can access EU-based cloud data

      @dereksilva
      If a U.S. company is being investigated under the PATRIOT Act, it doesn't matter where their data is stored. The U.S. Government will get their grubby little hands on it. You could have your data sitting on a server in Timbuktu. If your company is a U.S. company, your data is subject to U.S. laws, regardless of where it physically resides.
      swmace
      • RE: Microsoft admits Patriot Act can access EU-based cloud data

        @swmace it's not even if your company is a US company, it's also if you do business with any americans
        _JimB_
  • Big Brother

    The omnipresence of the US of A
    Bradish@...
    • RE: Microsoft admits Patriot Act can access EU-based cloud data

      @Bradish@...

      Yep. It's terrifying how Big Brother 1.0 is basically here already and hardly anyone seems to care. If George Orwell were alive he would be screaming at the top of his lungs for the American public to WAKE UP!!!!
      josh92
      • RE: Microsoft admits Patriot Act can access EU-based cloud data

        @josh92 not me. I have been fighting the Patriot Act. It seemed like a good idea after 911 for a temporary basis but now it keeps getting renewed. We have seen abuses by the FBI and other agencies and will continue to see this sort of thing. Our 4th Amendment rights just went out the window.<br><br>A warrant is no longer required. They can blow down your door and take you in.<br><br>It is time to end the Patriot Act. Too much power in too few hands will eventually be abused. It is human nature. Time for citizens to rise up !
        pizzaman7
      • RE: Microsoft admits Patriot Act can access EU-based cloud data

        @josh92 You are right. I recently re-read 1984 after so many years. A very interesting read in light of today's society. Highly recommended that all read it (a weekend read) and then the comments here would be so much more hard hitting.
        Bradish@...
      • re: If George Orwell were alive...

        @josh92 So long as "Dancing With The Idiot Of The Week" and "Housewives of The Trailer Park" is on the tube, NO-ONE is going to wake up.

        When the American public finally wakes up, it will be too late.
        frizzllefry