Yes, U.S. authorities can spy on EU cloud data. Here's how

Summary: EU citizens and businesses are warned against using the cloud over the risk that U.S. law enforcement and intelligence agencies can obtain your personal records. Here's how the U.S. can acquire your data, even if you're based in the EU.

The U.S. government's law enforcement and intelligence agencies can access cloud-stored files in Europe—such as medical and financial records, business secrets and dealings, and even government documents—in spite of seemingly strong EU data protection laws.

Sound vaguely familiar?

Former Microsoft privacy chief Caspar Bowden, speaking at a panel discussion in Brussels this week, warned that U.S. law allows the government to spy on non-U.S. citizens' files and documents, and that new Europe-wide data protection law proposals specifically allow such surveillance.

Bowden told the panel that anyone outside the U.S. who uses cloud products—such as Amazon, Apple, Microsoft, and Google products, including businesses that outsource their infrastructures to keep costs down—is at risk of being spied on by the U.S. government.

"It doesn’t have to be a political party," he told attendees. "It can be an activist group or anybody engaged in political activity, or even just data from a foreign territory that relates to the conduct of foreign affairs in the United States."

He also warned that the new EU Data Protection Regulation, which will be voted on by members of the European Parliament later this year, introduces "loopholes" that permit foreign state spying. He warned that U.S.-based Internet giants, such as the aforementioned, are forced into handing over data on European citizens when required, or they could face sanctions or prosecution.

But, it's actually not that much of a secret anymore.

After close to two years of research in the land of 'extra-territorial' legalese, I published a well-thought-out theory, which closely detailed how a European company could be forced to hand over data to a third country, such as the United States, without going through the proper legal channels.

This would, if proven correct at the so-called "World Court," the International Court of Justice in The Hague, be a breach of international law.

The reason is that law enforcement or government agencies must use so-called "mutual legal assistance" (MLA), the formal process of asking a foreign government for citizen data to help with an active law enforcement investigation. Many countries have MLA treaties in place to help other countries out with investigations in their own countries.

But in doing so, it would mean that the requesting government may have to dish out even a small amount of intelligence to suggest that something, like a terrorist attack, could be in the works. And governments like the U.K. and U.S. like to hold their intelligence cards close to their chest.

According to a European Commission spokesperson:

No legal acts of a third country as such can legally overrule the relevant EU legislation or Member State legislation, and this includes data protection rules. Any processing of personal data in the EU has to respect the applicable EU data protection law.

If, for example, a U.S. law enforcement authority requires information from companies operating in the European Union, whatever the nationality of those companies, they have to use existing channels of cooperation and mutual legal assistance agreements.

In a nutshell: Use the official mutual legal assistance channels, or don't bother at all.

After this was published, Microsoft U.K. managing director Gordon Frazer became the first European regional chief of a major technology company to admit that no company could guarantee that data stored in Europe would not be transferred out of the 27 member state bloc under a third-country government's request. 

Theory proved, one thought. But that wasn't enough.

A group of Dutch law academics at the University of Amsterdam's Law School also took this theory and ultimately concluded that it was accurate. A country outside the EU—such as the U.S.—is able to 'steal' sensitive and personal data from a European company and pass it back to its own government for its intelligence services to sift through.

For whatever reason, it doesn't matter. Intelligence services do a lot of strange things, such as planting cupcake recipes on terrorists' bomb-making forums.

Before we get on to the "how," it's worth exploring the "why." 

A brief history lesson

The key to the U.S.' power to access cloud-based content abroad? The Foreign Intelligence Surveillance Act, or FISA, first passed by Congress in 1978 and amended by the Patriot Act in 2001, just a month after the September 11 terrorist attacks, gives the U.S. government even more power to acquire data on U.S. citizens and those abroad. The law was created at a time before cloud computing even existed.

But the problems began, unwittingly, when a disparity in the law quietly emerged in 1995 when the European Commission ratified the European Data Protection Directive, which was meant to protect the 500 million strong population of the European Union against third-country laws. 

When FISA was last amended in 2008, a bevy of provisions were added that gave the U.S. government the power of mass surveillance, and specifically targeting data outside the U.S. on non-U.S. citizens. This power, known as 'section 1881a', also applied to cloud computing, and according to the American Civil Liberties Union (ACLU) it targeted citizens "without any individualized review, and without any finding of wrongdoing."

Most of these powers in section 1881a were already defined in earlier versions of FISA, according to a report by the European Parliament last year, but the "conjunction of all of these elements was new." The amendments were set at the end of 2012, but were extended by Congress with only hours to spare.

According to the Electronic Frontier Foundation (EFF), in 2007 there were 2,370 applications for wiretaps under FISA. While the "FISA wiretap risk is very low, as is the risk of being subjected to a secret physical search under FISA," the privacy organization says: "The risk of having records about you secretly subpoenaed under FISA is much higher, but if it's your communications records the government is after, they're more likely to use a [gag order]."

Section 1881a remains the legal playbook in which the U.S. government and its law enforcement agencies are allowed to acquire data on non-U.S. citizens, so long as they can reasonably access it.

In a nutshell, if you live in Europe or anywhere else outside the U.S. but use services that are based in the U.S., or run by a U.S.-based company, such as Apple's iCloud, Google Drive, or even Facebook, then your data is free for inspection by U.S. authorities.

The trouble is nobody in power in Europe knew about this until Microsoft U.K.'s managing director inadvertently said something that pricked up the ears of journalists in the room, ironically at the launch of the software giant's cloud productivity suite, Office 365, in London two years ago.

You might think, "ah, but my data is stored in a European data center." Correct: if you're a European citizen or a resident in one of the 27 member states, it's likely that the U.S. provider hosting your data keeps it on European soil.

But it doesn't mean you're safe from third-country snooping. It just means other governments have to use a slightly less international legal method of acquiring that data. 

Here's how it works

Let's take a fake company—not just to avoid getting sued—but also for the sake of simplicity and playing fair. After all, this applies to any U.S.-based company with a presence in Europe or further afield, such as the aforementioned Amazon, Apple, Google, Microsoft, Facebook, and even Twitter.

Slicklizzard U.S. Corp. is a U.S.-based technology giant that focuses its efforts in providing data storage to companies in the northern hemisphere. Its headquarters contains a U.S. data center for North American customers. To serve its European counterparts and to comply with EU laws—essentially keeping EU data within the 27 member state bloc—the company has a wholly owned London, U.K.-based subsidiary called Slicklizzard U.K. Ltd., which owns a data center in Dublin, Ireland, a European Union member state. 

This setup may be familiar to those using services from real-life companies.

The U.S. government sends a FISA warrant to Slicklizzard U.S. Corp. A FISA court, which has no public record and convenes in secret, must receive "probable cause," which could be as simple as requesting documents or records "for" an intelligence or terrorism investigation. In reality, these warrants could be for people even multiple degrees of separation from a "suspected"—not convicted—terrorist.

Attached to the warrant is a so-called National Security Letter (NSL), which is for all intents and purposes a 'gagging order,' preventing the company from disclosing the warrant to anyone—including its subsidiaries or offices around the world. 

Slicklizzard U.S. Corp. can do one of two things: fight the warrant and argue it's a violation of First Amendment rights, which some courts have found, overturning the gag order; or do nothing and simply comply with the order.

It's far easier and simpler to go with the latter. After all, there's a gag order in place. Nobody will find out.

The FISA warrant is requesting details of a "suspect" (for now, let's call him John Doe) whom the U.S. government's law enforcement agencies want to investigate as part of a terrorism investigation, a common request under FISA.

John Doe lives in Germany and hosts his private and confidential data in Slicklizzard U.K. Ltd's data center in Dublin, because Doe is a European citizen. Seemingly, the FISA warrant cannot reach Doe because it is outside of the jurisdiction of the U.S. company, but it's not. 

Slicklizzard U.S. Corp. is obliged to carry out the warrant, or face sanctions to its U.S. office. It can either face prosecution by U.S. authorities or a minor slap on the wrist and a meager fine from EU authorities if they find out, but because there's a gagging order in place, how could they?

So, Slicklizzard U.S. Corp. instructs its London-based subsidiary, which it wholly owns and can therefore order to carry out actions without reason or prior warning, to send all of Doe's data from its Dublin data center to its U.S.-based data center. All this, and it can't tell its London subsidiary what it's for, or it would face sanctions in the U.S. for breaking the gagging order.

This is legal through the U.S.-EU Safe Harbor agreement, in which a U.S. company must treat the data with the same level of protection as the EU-based company. However, Safe Harbor does not protect against FISA warrants.

The moment it lands in that U.S. data center, it falls under U.S. legal jurisdiction and can be acquired by U.S. authorities. The data is then sent to the requesting agency.

And that's how the U.S. government, and other governments whose laws can supersede the laws of others, particularly if that company can face sanctions under that state's laws, can acquire data on Europeans and those further afield without using the internationally legal "mutual legal assistance" treaties.

Now apply this scenario—actually, quite a simple scenario—to any of the aforementioned companies. From your iTunes collection to your personal Dropbox storage, your Google Gmail or Microsoft Office 365 company data, all the way through to your hidden Facebook and Twitter information, activity and searches. 

We don't know if it has happened or will happen, because these FISA warrants are secret and data is limited. All we do know, however, is that it can happen.

Think twice before you put your data in the cloud. 

  • And EU authorities can spy on US cloud data. And they can both spy on non

    cloud data. Get over it. Don't do anything to give them a reason to be concerned with you and they won't. Information overload is very very real at this scale. There's way too much to care about peons. There would have been dozens of terrorist attacks per year in the last decade just in London without spying. It may have already saved your life several times without you knowing it.
    Johnny Vegas
    • You're naive

      Do you really think they need people sifting through millions of e-mails and data points, one by one, by now?

      They're obviously creating better and better algorithms to both show them the type of information they could be interested in at a glance, and to search for it with very relevant results.
    • Don't be an idiot.

      Just how often does such data get "analyzed" by contractors for a different company that also has a vested interest in knowing what that data contains?
    • Liberty

      Those willing to relinquish liberties in exchange for imagined additional security deserve neither liberty nor security

      BTW- the NSA Utah data facility can store and sift through exabytes of supposed peon data looking for anything it construes or misconstrues as interesting - net: personal privacy goes out the window and government run amok shows up at people's doors with swat teams because a computer somewhere mischaracterized someone's private email rant with a friend as a possible terrorist threat
    • Never heard of data mining?

      Nobody is going through individual emails by hand, but you can be scanned, simply because you're a few degrees separated from a suspect (where the evidence may be very skimpy).

      But you're probably right. If not for the U.S. spying on the UK, there would have been more attacks, because England can't do anything without the U.S. doing all the footwork
  • You are utterly confusing FISAAA and PATRIOT

    The earlier Zack Whittaker reports are all about the PATRIOT Act. The law which is in the news now because of the EP report is FISAAA 1881a, and it is nothing to do with the PATRIOT Act, in fact ZDNet is being naughty by implying its earlier reports covered this (whereas it ignored FISAAA and kept banging on about PATRIOT), indeed it is continuing to confuse its readers by mixing up powers under PATRIOT and FISAAA.

    So who cares? Non-American readers ought to care because FISAAA 1881a is a lot nastier than anything in PATRIOT, if you are not a US citizen and you are located outside the US. Read the EP report to find out why. It's (a little bit) complicated, but other news sites have done a better (and more honest) job than ZDNet of explaining it.

    Your account of the use of "warrants", NSL letters, and probable cause is spectacularly garbled
    • Haters gonna hate?

      Sure, the whole thing is rather confusing, but let me remind you that the Patriot Act -- which amended FISA 1978 in the first place -- included a bunch of rather nasty things that *helped* U.S. authorities acquire data in foreign countries. And, also worth reminding you that if it wasn't for our original reporting, the chances are that this would still not be widely known.
  • Not quite

    A wholly owned UK subsidiary is still a UK legal entity. As such the UK entity can reject the parent company's request if the UK entity believes it would be violating a local or EU law. The UK legal entity can request that the parent company provide justification or reasons for transferring EU data to the US. The UK entity can deny the request on the grounds that it does not know for what purpose the data would be used.
    • unlikely

      They should reject, but they will not. After all, they are a subsidiary of a US company. They can just ignore the EU laws, as the US won't say they asked the company to breach them, etc.

      All this means that one should be very careful with their valuable data, when handing it to a US corporation. Especially companies. Doesn't matter if it's Google or Microsoft, really.
  • It's even easier than your article says

    A great deal of Western European IP traffic is handled by Level 3 Communications, based in Colorado, and recipient in 2012 of a significant DISA contract. The US now ALREADY has all our internet traffic under its watchful eye. Wake up chaps - you're too late.
  • Collaborators

    Every country has intelligence services. These services are of course legal in the country of origin, not in the country that is the victim of espionage. It does not matter if it's the citizens, companies or the government that is the goal of the activity.

    Anyone who has knowledge of or contributes to providing a foreign government intelligence is risking severe punishment (imprisonment).

    It does not matter that the foreign state gave you a gagging order. And it does not matter if the company (or its parent company) that you work for gave you an order. All citizens are responsible to report any unauthorized disclosure of data. If this is not done, you are a collaborator with the foreign government.
  • Pointless

    Only a fool would store unencrypted data in the cloud.
    You can easily use very strong public key encryption.

    I only store stuff in the cloud that I don't mind if anyone reads.
    • How strong

      How strong do you think is "unbreakable"?

      If your data is at all valuable, you can be certain it will be decoded on a whim. Even if you encrypt it yourself.

      If you rely on the cloud provider's "encryption", don't forget that the USG has passed several regulations to have backdoor access, so that stuff is essentially not encrypted for such purposes.
      • encryption methods

        Regular encryption methods are classed as cryptography and can be systematically cracked.
        The highly secure methods involve natural language encryption (steganography) which hides data in seemingly unencrypted data. This can be next to impossible to recognise let alone be cracked.
    • True

      It is interesting that UK was used as an example being that its citizens seem to be the most watched by their government.
  • I live in the US

    ....and I'm tired of feeling spied on. It's not just the government here, either (another one I like Zack to look into):

    How on earth did we ever allow this happen?
  • Cyberspace espionage

    I wonder if they have cones of silence and shoe phones there too. So, turns out the Chinese aren't the only bad boys on the block, hmm.
    • Re: Cyberspace espionage

      The Chinese were never the bad guys. The west needs bad guys, so we create some, to spend $$$$ on defense (the DoD is the largest employer in the world).
  • Spying: It's nothing new.

    Governments have been spying on each other and on their own citizens for as long as there have been governments. This is no secret. Never has been. But for most of us, hackers are a bigger reason than spooks to be wary of storing personal information in the cloud. There are more of them, they are more tech savvy, and they answer to no laws. Your data is worth money, and greed is a strong motivation.
  • So the US spies on other countries? That's the point of this?

    Of course the US can get at the data if it can either use the official channels OR by breaking in. That is what spying is.