Microsoft's pledge to 'shield foreign data' may increase NSA surveillance, experts suggest

Microsoft's pledge to 'shield foreign data' may increase NSA surveillance, experts suggest

Summary: Microsoft's efforts to allow foreign customers to move their data to non-U.S. regional datacenters could increase the scope of NSA surveillance, academics and lawyers suggest.


In efforts to appease international customers amid a spate of intelligence leaks that implicated Microsoft in the PRISM scandal, the software giant is offering to store foreign data outside the U.S.

But international law specialists, privacy experts, and academics alike have suggested that in the wake of such broad U.S. government surveillance, allowing customers to make a move like this could put foreign customer data, stored in the European Union and further afield in Asia and Australia, more at risk from U.S. surveillance.

First reported by the Financial Times (via CNBC), Microsoft general counsel Brad Smith said the move was "necessary" following the leaks that showed the U.S. National Security Agency (NSA) had been monitoring data of foreign citizens across the EU and beyond.

"People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country, and should have the ability to make an informed choice of where their data resides," Smith told the London financial newspaper.

"The events of the last year undermine some of that trust; that is one of the reasons new steps are needed to address it," he added, referring to the Snowden leaks.

Microsoft spokesperson Kathy Roeder confirmed that the quotes were accurate, but was not able to explain whether this would affect consumers or business users.

The issues surrounding outsourcing and data sovereignty has, thanks to the Snowden disclosures, became a top corporate concern. Yet, attempts by technology companies and telecoms giants to reassure customers in the wake of the leaks appear to be more concerned with mitigating the damage from the NSA fallout, rather than protecting their customers' data.

All roads lead back to America

In discussions between ZDNet and academics, privacy experts, legal specialists, and lawyers, the consensus is clear: Foreign-stored data can be just as vulnerable to U.S. government surveillance, and in some cases more so than if it were stored in the United States.

"Whatever data an American company collects, it can be vulnerable to be obtained by the U.S. government," said Nicole Ozer, Technology and Civil Liberties policy director at the American Civil Liberties Union (ACLU) of Northern California.

"Right now, the government is taking advantage of outdated privacy laws and loopholes to obtain very sensitive information with very little oversight." — Nicole Ozer, ACLU (N. CA)

Speaking to ZDNet in a telephone interview on Sunday, Douwe Korff, professor of international law at London Metropolitan University, said that if the U.S. government were to use these laws to conduct eavesdropping and surveillance overseas, it would be in breach of international law.

"If a state takes action that affects the human rights of those in another state, that first state is acting extraterritorially," he said. "And without the consent of the targeted state, that is in violation of public international law."

In terms of Microsoft's structure, with subsidiary offices around the globe, Korff explained that the relationship between parent companies and their international subsidiaries holds the key to the U.S. government's ability to access foreign data outside of the international legal channels.

"If a U.S. company stores customer data in a datacenter — wherever it is — and can retrieve it from that datacenter and move it to somewhere else of its choosing, which could be in the U.S., I would certainly see that as showing that it had control and quite possibly custody and possession of the data," he said.

This, he added, would be enough for the U.S. government to force the U.S. parent company with adequate powers to instruct its European subsidiary to comply with data-requesting court orders.

Korff's comments resonate with the news first published by ZDNet before the Edward Snowden leaks confirmed the foreign spying machinery of the U.S. government, and work by Dutch academics published exclusively by sister-site CBS News in December 2012.

On Tuesday, ZDNet reported comments made by Verizon's chief counsel Randal Milch in late January, following the release of its first transparency report, which claimed that the U.S. government "cannot compel us to produce our customers' data stored in datacenters outside the U.S., and, if it attempts to do so, we would challenge that attempt in court."

Those claims were refuted by leading experts on Tuesday, who said that Milch's comments were "misleading," and that international treaties designed to govern transnational data transfers for law enforcement purposes are being bypassed.

Verizon spokesperson Ed McFadden declined to comment on the report.

Bypassing the international legal channels

Under Microsoft's plan to "shield foreign users' data," the data would become available for the government of the country that it is located in. For Europeans, that would most likely be where the company's Dublin datacenter is located, falling under Irish law.

In this case, European data protection and privacy law would apply. However, based on the Snowden leaks, many of the NSA programs have been found to have fallen afoul of apparently strong European laws.

European Justice Commissioner Viviane Reding warned U.S. Attorney General Eric Holder in a strongly worded letter, not long after details of the PRISM program broke, of "grave adverse consequences" in U.S.-EU relations. In doing so, she argued that European law had not been as effective as it should have been, partly down to the U.S. government not having "respect for fundamental rights and the rule of law."

These so-called mutual legal assistance treaties, which are designed to help law enforcement and intelligence agencies in one country seek data from an allied nation elsewhere for investigative purposes, are often old, outdated, and decadent. Not least of these is the well-known post-World War II treaty, the UKUSA Agreement, which was eventually expanded to Canada, Australia, and New Zealand.

Smith himself said in the Financial Times article that these treaties should be "modernized or replaced."

While Reding has echoed similar statements that U.S. authorities "have to use existing channels of cooperation and mutual legal assistance agreements" as the only avenues for data requests, Korff told ZDNet that based on the Snowden leaks, he is "absolutely certain" that the U.S. government is bypassing these treaties with its own intelligence gathering laws.

This was the foundation principle of the work conducted by Dutch researchers at the University of Amsterdam's Institute for Information Law more than six months before the first batch of Snowden documents were leaked.

Arnbak said in an academic paper in November 2012, following similar work published on ZDNet, that: "If a company is a subsidiary or branch of a U.S.-based company, or if it has one in the United States, it may be assumed that such jurisdiction exists, but jurisdiction may also exist in other, more complex, cases."

Much can be said about countries and regions outside the European Union, including Asia and Australia, and other places where Microsoft has subsidiary offices and datacenters.

"In any event, the location where the data are stored is not decisive for determining whether a cloud provider is subject to FISA jurisdiction and statutory powers concerning access to data," the paper stated.

Updated in 2008, following earlier disclosures of President George W. Bush's domestic intelligence program, the FISA Amendments Act (FAA) 2008 is one of the strongest intelligence-gathering weapons in the government's surveillance arsenal. Particularly in so-called Section 702, the U.S. government is granted by Congress the power to specifically target non-U.S. persons for almost any reason it suspects, while protecting the rights of U.S. citizens no matter where they are in the world.

According to Electronic Frontier Foundation (EFF) staff attorney Mark Rumold, in an email to ZDNet in late January, Section 702 restricts the NSA's targets to those who are "physically located overseas."

But Jennifer Granick, director of Civil Liberties at the Stanford Center for Internet and Society, explained in a call on Monday that the U.S. government is "virtually unregulated in terms of what it can do and where collection takes place overseas — particularly if there isn't a U.S. target."

"For every piece of information, the NSA has multiple technical points at which it can collect it, and multiple legal authorities to do so, so there's almost certainly another way around forcing a subsidiary into handing over data," she said.

Foreign data "fair game" for NSA

For the U.S. government to acquire data, whether it's through mutual legal assistance channels — or by approaching the U.S. parent company as Korff and Arnbak described — a FISA court order would be significantly easier to get if the majority of the data was foreign users' data located outside the United States.

By virtue of being an overseas datacenter, whether in Ireland, Asia, or Australia, more than 51 percent of all stored information will be non-U.S. data in order to accommodate local laws and regulations, and also increase data access speeds and decrease latency and delays.

"U.S. intelligence agencies ... are virtually unregulated in terms of what they do and where collection takes place overseas." — Jennifer Granick, Stanford Center

"If you're a U.S. person communicating with someone overseas, who is related to or talking about something of foreign intelligence interest, the statute here allows the NSA to collect that information," Granick said. "That’s allowed."

The leaks have shown that this may not strictly be the case, however.

According to The Guardian, which first broke the "minimization" story, the FISA Court-approved rules allow the U.S. government to collect, retain, and use U.S. communications under certain circumstances. This includes data on "usable intelligence, information on criminal activity, [or] threat of harm to people or property [that] are encrypted, or are believed to contain any information relevant to cybersecurity."

Perhaps more worryingly, the documents add: "In the absence of specific information regarding whether a target is a United States person ... a person reasonably believed to be located outside the United States or whose location is not known will be presumed to be a non-United States person, unless such person can be positively identified as a United States person."

The NSA also has additional tools that can be used to acquire foreign data, which is permitted under U.S. law — however, as stated by Korff, this is in breach of international law.

Other Snowden documents confirmed that the NSA can not only tap the fiber cable links between Google and Yahoo datacenters, but, with the British GCHQ's help, the intelligence agencies can also break common encryption standards that are used to secure data — codenamed MUSCULAR and BULLRUN, respectively.

It's not clear whether other companies, including Microsoft, are vulnerable to similar data intercepting tactics as their Silicon Valley rivals.

The privately owned fiber links between datacenters being tapped, first disclosed by The Washington Post, were located in Ireland, where many technology giants house their European data, according to one source familiar with the matter, who declined to be named.

Following the MUSCULAR disclosure, Microsoft said it would follow Yahoo's trail and encrypt the network traffic that flows over its own datacenter links. This suggests that the company's own private fiber links are not already encrypted, under the assumption that they are not being tapped.

Microsoft did not say when it would begin encrypting international data traffic, however.

Arnbak, who is particularly critical of the secret interpretations of U.S. surveillance statutes, said in an email: "Legality and oversight are consistently referred to by authority and industry to keep the surveillance system under control, but have failed on the most fundamental levels imaginable."

Without U.S. legal reform, Microsoft's efforts do not necessarily help anyone. Indeed, under certain circumstances — notably, U.S. persons overseas and foreigners with equally surveilling governments — this could leave it more vulnerable to NSA data interception.

Topics: Security, Networking, Storage, EU


Corinne is sub-editor across all CBS Interactive sites, and joined the company after completing her degrees in Communications and Law, and undertaking a string of internships in law and journalism. Corinne is also a journalist for ZDNet.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • No - it won't change a thing.

    The NSL will just direct Microsoft to transfer the files and hand it over... and not report it.
  • Why does the NSA need to spy on everything?

    It doesn't make any sense. They can't possibly, even with Big Data, make any sense of that volume of information, so spying on every electronic doing of six billion people? It just doesn't make any sense.
    • To those who are paranoid...

      there is never enough information.

      After all, the only way to prove "they" are not out to get you is to know everything about everyone...

      And anyone that objects is obviously out to "get" them...
  • Funny

    The United States, home of the free... Except for the NSA thing. :)
    • It isn't as free as it used to be.

      You now have to have travel papers to fly or ride a bus or train.

      And hitchhiking is considered illegal in many places.

      so the only remaining free transport is to try cash and take a taxi...(though you are still tracked)

      or walk.
  • In the end, NO governments care about international law vs "security."

    Eichmann wasn't safe from Israeli agents in Argentina, and Trotsky wasn't safe in Mexico. If one nation needs to break another nation's laws in order to get what it wants, it will do it ... even though international law says this should only be done in wartime (i.e. in a DECLARED war). But it happens in peacetime also.

    When the public approves of the RESULT (as in the Eichmann case), the illegal process is often overlooked. When the public believes the result to be EVIL, as most Western nationals believed, and still do, about the murder of Trotsky, the illegal process aggravates public opinion against the result.
  • wow

    this immediately came to mind...

    The spirit was freedom and justice
    And it's keepers seem friendly and kind
    It's leaders were supposed to serve the country
    But now they won't pay it no mind

    'Cause the people got fat and grew lazy
    Now their vote is like a meaningless joke
    You know they talk about law, about order
    But it's all just an echo of what they've been told

    'Cause there's a monster on the loose
    It's got our heads into a noose
    And it just sits there watchin' (surveillance)

    OLD old tune still has such merit.
  • It could

    That's actually beyond MS' control, which is why the public needs to keep the pressure on the Administration and Congress.
    John L. Ries
  • Odd bedfellows.

    When a cornerstone of American and world-wide technology/business is at odds with and in competition with an over-wrought/bloated arm of the American government, you know this marks the beginning of the end. If you had to chose which entity was more justified, which would you choose?
  • Doesn't change a thing, but puts pressure on Obama to do more

    If MS and the others decide to move their data centres away from US, then that means jobs running those centres go too.

    However, analysis above is quite correct, it doesn't change anything for the clients. The concern is even if the data is stored locally, the vendor is still subject to foreign laws when they are owned or even partly owned by an overseas entity. Won't matter if is a US, Chinese or whatever company. All governments have FISA type laws.

    I still say the only real fix for MS & the others is franchising if the legislation is not eased and the secrecy around it removed.
  • Forcing away from the Cloud

    Frankly, put yourself in the shoes of the CIO of an sizable organization. Would you dare to take the responsibilities to move your data or process to a cloud? No cloud is safe afterall and seeing what is happened no matter what the providers promised. I can see more companies insisting to keep all their data and process on premises.....
  • It's the path, not the final destination

    It's pointless to argue that data is stored on foreign (non US located) servers when the path taken by data to reach their final destination is completely unclear.

    It's fathomable that data from a German user might be saved in a Czech data warehouse therefore in theory data never gets outside the EU. In practice it is pretty much conceivable that the stream of data is routed via US or UK servers/routers and tapped by NSA.

    MS's argument is moot.