Forgetting the Patriot Act is a bit dumb


There's been a bit of a brouhaha in Europe recently after Microsoft was cornered by a tough question, and produced an answer that many had suspected, but not known for sure, was true.

It was at the opening of Office 365 that Gordon Frazer, managing director of Microsoft UK, was asked whether Microsoft could guarantee that data held in EU-based datacentres would not leave the EU under any circumstances, ie, even under a request made in accordance with the Patriot Act.

Frazer, to the not-so-shocked but nevertheless horrified audience, said that neither it, nor any other US-based company, could give such a guarantee.

Since then, European parliamentary figures have demanded that something must be done; in their view, European law, which has strong privacy clauses, means nothing once the US decides that it wants something. That is, a US law could essentially nullify a European one.

I, personally, was a bit taken aback, and needed a few days to ruminate over the thought of Microsoft, or any other US company that had my data, handing it over.

It seems hard to imagine, now, that the US government would make unreasonable requests of companies based within its borders, but who knows what time will bring?

I decided to ask the company, just to be safe, if the response would be the same for Australia. This is the response that I received:

Any company with a presence in the US is legally required to respond to a valid demand from the US government for information if the company retains custody or control over the data. This is the case, regardless of where the data is stored or the existence of any conflicting obligations under the laws where the data is located. Microsoft will only respond to government requests for enterprise customer data when legally required, and, understanding general customer concerns in this area, we will use commercially reasonable efforts to notify those customers in advance, unless we are legally prohibited from doing so.

Firstly, I'd like to say that I don't blame Microsoft for this. The law is the law. But there are a number of parts of this statement which really interest me.

First: "This is the case, regardless of where the data is stored." Truly, the world is moving towards a data economy where borders become meaningless, except for the sense of the borders of who owns data.

Second: "regardless ... of any conflicting obligations under the laws where the data is located". This sentence shows a certain hubris on the part of the US government. Why do they think that other countries won't be annoyed about this? Shouldn't it read: "if in war time" — or have some similar clause? Surely, there should be some discussion between the US government and the government upon whose soil the data is?

Third: "we will use commercially reasonable efforts to notify those customers in advance, unless we are legally prohibited from doing so". "Commercially reasonable" is a bit ha-ha funny contract words stuff, but the rest of it is pretty serious. I hope it wouldn't come to data being taken in a secret manner like that. After all, it would be like corporate espionage, but in a secret manner. Who knows what they'd take?

I listened to a webcast recently, where an American argued that if foreigners wanted to take cheap US services, then it was their problem if they had an issue with the US government being able to see it. In part, I agree with that. But, after all, these businesses do have subsidiaries on the soil of other nations where they are making their sales — and they may be putting down datacentres in those other nations. There must be some give, and not just all take. How would the extremely patriotic, "we rule the world" Americans feel if the shoe was on the other foot? After all of the scaremongering about Chinese espionage, I feel as though such a law has a bit of hypocrisy.

I feel like government, and any other organisation in Australia, should be fully aware of the possibility that their data may be requested at any time before they pass along data to a US company's care. I'm not saying that they shouldn't do it. But I am saying that if they're not aware of it, and if they haven't done a risk assessment, then they're being a bit reckless.

Topics: Cloud, Government, Government AU, Microsoft, Privacy, Security

Suzanne Tindal

About Suzanne Tindal

Suzanne Tindal cut her teeth at ZDNet.com.au as the site's telecommunications reporter, a role that saw her break some of the biggest stories associated with the National Broadband Network process. She then turned her attention to all matters in government and corporate ICT circles. Now she's taking on the whole gamut as news editor for the site.


Talkback

8 comments
  • Thank you for the excellent article. I'm not the only person now questioning how various foreign governments believe they can extend their legislation beyond their jurisdiction. More importantly, our government needs to protect the rights of its citizens from the jurisdictional scope creep of foreign legislators.

    Sure, have some international conventions and other agreements but don't let foreigners just legislate over the rights of Australians in Australia.

    US ITAR legislation falls foul of our anti-discrimination act, and perhaps elements of the TPA.

    New UK legislation pretends it has authority over UK-owned foreign subsidiaries. Technically an Australian, in Australia, can be held liable in the UK for things which may be perfectly legal here.

    Then there is the example given in the article.

    Wake up Australian politicians, other parts of the world now deem their law as having higher precedent in Australia than our own!
    Scott W-ef9ad
  • @Scott W, your principles are fine, but there may be a bit more to this than a simple stroke-of-the-pen response from Australian or other governments.

    Companies are subject to the law of the country in which they are registered. So a US based company is unquestionably covered by US laws, and 'Australian politicians' might as well whistle in the dark for all the effect they can have on that.

    It's called national sovereignty, and the catch-22 is that even if we were able to effectively set up a national cloud company here in competition with Microsoft (unlikely), it would then be subject to interference by a fruit loop like Conboy who wants to impose secret government censorship.
    gnome-8be8a
    • Agreed, it's not quite a 'stroke of the pen' but there appears to be less public consultation about what our government will sign 'us' up for in recent times.

      My major gripe was how other nations try to extend their law to foreign lands, for which they have no legal authority (in the target land).

      The US, for example, can pass as many laws as they like over Australia but they have no authority to enforce them within Australia.
      Scott W-ef9ad
  • A company may be subject to the local jurisdiction of its registration in terms of contract law and equity disputes. Here we are talking about local subsidiaries in "foreign" countries and local employees breaking local laws. Even if the local employee, with knowledge of the systems administrative powers based in the US, allows data to cross a border when a US based employee presses a button, they are personally liable for that criminal act as an accessory.

    It is monstrously unfair for an employee in a subsidiary to be made liable for the unlawful cross border data exporting of its parent, but that's the case presently.
    ptrrssll
    • Cross border exchanges as you outlined can be quite complex.

      What I'm concerned about are situations where a government imposes a law which is also meant to apply to those outside its jurisdiction, and then presumes an authority over the jurisdiction of other governments.

      As a simple example, imagine a country that bans alcohol consumption prosecuting an individual in a foreign country for drinking alcohol (where it is legal)? The country with the ban is assuming a level of legal authority above that of the other.
      Scott W-ef9ad
  • @Gnome, it is not just US *based* companies, according to this, any company with a presence in the US would be covered.

    Although, other countries are free to make similar laws that would cover US information from US companies that have a presence in their jurisdiction.
    meski.oz
  • From what I can see above, it appears that everybody fails to read the fine print in every contract that they agree to, all of this may start when you first use your computer, no matter who has set it up.

    There is an explicit agreement to terms you have not even seen, let alone understand.

    This is the same with any agreement you may make over the internet.

    Wake up, Australia needs you.
    Fredsan
  • That's the thing. Because the software is developed by a US company, it is subject to US laws and regulations. Now, this is stupid and arrogant from a political point of view, but this is a reflection of the arrogance that the US has shown in every aspect.

    Now that the Internet and cloud computing have rendered the flow of information borderless, it is hard to regulate where that data is going to flow. Even if the spokesman had said that data would not leave EU borders, it would be impossible to truly guarantee this.
    dmh_paul