Microsoft's European 'cloud pact' still does not protect data against FISA, Patriot Act

Microsoft's European 'cloud pact' still does not protect data against FISA, Patriot Act

Summary: Microsoft's cloud pact with Europe still does not protect EU citizens from U.S. law, like FISA or the Patriot Act. Was it simply signed to quell fears, and prevent the loss of business?

TOPICS: Microsoft, Cloud, Google

Microsoft announced yesterday it would sign the European Union's "model clauses", which will help customers certify compliance with the Europe's data protection laws, and the United States' HIPAA accountability act.

The problem is, overlooked by many, is that this 'cloud pact' means little to those within the walls of Europe.

Yes, it's great news that Office 365 will now be compliant with HIPAA users and organisations, to provide "physical, administrative and technical safeguards" that allows Microsoft to be fully compliant with U.S. legal requirements.

Simply put, it means that health records and medical data will be safe in the cloud.

The niggling problem that Microsoft, and the rest of the cloud industry has, is that this agreement with the European authorities still does not protect against 'third-country' legislation.

In particular, we are talking about the U.S.' PATRIOT Act, and the Foreign Intelligence Surveillance Act (FISA).

While Microsoft claims to be the "first and only major cloud-based platform to offer leading information privacy and security standards for customers operating in the European Union", Microsoft will not disclose the terms it is signing.

A Microsoft spokesperson declined to comment on the details of the agreement that it will sign.

The company is struggling with European customers' cloud concerns, after Gordon Frazer, Microsoft UK's managing director, told ZDNet exclusively at the Office 365 launch in London, that "no company" could guarantee that European data was safe from U.S. law.

But others are already seeing this announcement as a way of quelling the fears that European users may have regarding the integrity and security of crucial cloud data it outsources.

It was only last week that global defence contractor BAE Systems pulled the plug on its outsourcing venture with Microsoft, citing the PATRIOT Act as the main concern.

The Microsoft spokesperson could neither confirm nor deny that FISA or the PATRIOT Act could still be used by U.S. law enforcement to covertly and secretly acquire European data.

The company did however say:

"It’s not uncommon for new technologies to create legal questions, and the current dialogue about data sovereignty and the cloud is only the latest example. This is an important topic which affects all cloud providers, including non-U.S. companies with a presence in the U.S., as well as those companies headquartered in the U.S.

It is also an active discussion in many regions with similar statutes".

The spokesperson was hinting at the UK's Regulation of Investigatory Powers Act (RIPA), which offers very similar powers to that of the PATRIOT Act.

While Microsoft was not willing to explain exactly how this cloud pact offers protection to consumers, it did say that it's "willingness to sign data processing agreements that include the EU Model Clauses means that Microsoft contractually guarantees that Office 365 will uphold European standards for privacy and security".

It was mostly a trick question. The proof already exists, but it was always worth a shot.

At that point, Microsoft stonewalled me, again.

Microsoft's Trust Center was also updated to enhance its "transparency", so that ordinary users' can see what happens to their data, where it is stored, and the terms of the service agreement.

But at no point does it mention the PATRIOT Act, FISA, or any third-country law that the company may be under the thumb of. The chances are that Microsoft does enact its policy -- probably down to the letter -- and most certainly only to protect itself.

A Microsoft spokesperson said that the company will "make every effort to notify customers in advance" that data will leave European soil, "unless we are legally prohibited from doing so".

Invoke the PATRIOT Act, throw in a National Security Letter gagging order, and a cloud company can take what it likes from any datacenter it owns, without having to inform the customer who owns the data, back to headquarters for inspection by U.S. authorities.

The company's efforts in attempting to calm fears over foreign legislative implications are fair. After all, and I state this for the record, it is not Microsoft's fault. It is making the best of a bad situation. But it continues to ignore key questions in its documentation, online resources, and governing contracts.

Apple is just as guilty. So are Google and Amazon, and every other U.S.-based cloud provider with a presence within Europe.

What is clear from this announcement is that Microsoft is offering a slightly safer alternative to cloud service potentials. Google is yet to seek HIPAA compliance, meaning Microsoft's solution is at least a viable option should you fall within the direct jurisdiction of the United States.

One interesting point made by Wired suggests that should these companies lose enough money, revenue and business from the damaging fears of foreign legislation on European citizens, a collective of between 500--700 million people, perhaps they will fight in coalition with the same vigour as they are with the SOPA bill.

While the European Commission is expected to announce the draft version of the upcoming Data Protection Directive, members of the European Parliament are seeking emergency legislation to plug the flaws in the current directive immediately.


Also see:

Topics: Microsoft, Cloud, Google

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: Microsoft's European 'cloud pact' still does not protect data against FISA, Patriot Act

    You just assume it doesn't protect because nobody stated it. You make you assumption seem fact with your title and your words.

    You over-rate your influence and your clairvoyance
    • RE: Microsoft's European 'cloud pact' still does not protect data against FISA, Patriot Act

      @TardHugger@... The European Parliament confirmed. Microsoft itself confirmed in a statement at the Office 365 launch. Happy?
      • RE: Microsoft's European 'cloud pact' still does not protect data against FISA, Patriot Act

        @zwhittaker other than the previous statement before the new pact, where is the link to the new MS Confirmation and Parliament confirmation.
      • RE: Microsoft's European 'cloud pact' still does not protect data against FISA, Patriot Act

        @tardhugger Until Microsoft states otherwise, the case is still clear. Microsoft will make a major song and dance about the fact that it is clear from U.S. law (which won't be possible for the foreseeable future). So will every other cloud provider. It's a huge selling point for EU cloud providers.
    • Good assumption

      @TardHugger@... <br>If MS is required by U.S. law to turn over any data that may be under their control to the U.S. authorities on demand, then they really can't make any guarantees of compliance with EU privacy laws.<br><br>Reply to TardHugger:<br><br>MS, as a US corporation, is bound by U.S. law no matter what it and the UK authorities agree. Ultimately, the only ways out of this impasse are for Congress to amend the Patriot Act, for the European Parliament to amend its privacy statute, or for MS and other US corporations to stop providing data services in the EU. And any of the three would have to be done publicly.
      John L. Ries
      • RE: Microsoft's European 'cloud pact' still does not protect data against FISA, Patriot Act

        @John L. Ries maybe true, but the article states as fact without real evidence, it is assumption that the last MS/Parliament statements before the pact was signed stands, My point is the author seems to take his assumption (no matter how obvious he feels that assumption is) and states it as fact he knows as well as anybody, most people (lemmings) will take his position because it is written down as absolute truth, he has a responsibility to be clear that it is his educated assumption and not fact.

        Technically nobody in the public knows for sure what is in the pact yet or what wrangling is being done with the US and EU over all of this.
  • More with the tin foil hats?

    More tin foil hat stuff?

    Yes, Microsoft has the power and ability to sign agreements with the EU, agreements that supersede US law and supersede the US constitution.

    Not to create a totally different type of tin foil hat brigade but the covert arm of most Governments do not follow laws when covertly gathering intelligence. Chances are it is not the Patriot act that the people of the world need to be concerned with. At least if the FBI officially gathers information they also need to officially properly protect and properly utilize the information. If a covert arm of some Government gathers the same information, they do with it as they please.

    I could not care less about the Patriot act collecting my information. What I do care about is some company spouting all sorts of confidentiality protection rules that govern the information I give the company and then that company sells my information. What I do care about is some company arbitrarily changing my preselected security measures for my account and, without my approval, opening parts of my account to the general public or opening my account to any company that will pay. What I do care about is some company making my confidential information available for use by those who make their living by stealing identities.

    If you???re going to put on a tin foil hat, you should put it on for the correct reason. I do not believe anyone's identity has ever been stolen because of the US using the Patriot act to try and follow money being laundered by terrorists. On the other side though, many peoples identitys have been stolen from companies that were lax with the information trusted to them.