America reacts to 9/11: Why I began investigating the Patriot Act

A personal telling of my experience of September 11th, 2001, and the subsequent battle to unravel the post-9/11 Patriot Act's reach to Europe and further afield.
Written by Zack Whittaker, Contributor

In this personal account, I reflect back ten years almost to the day, when the world changed as a result of the September 11th attacks. A month later, the USA PATRIOT Act was signed into law. A visit last year to the city which suffered the foulest of all terrorist attacks opened my eyes to the Patriot Act and its reach to Europe and further afield.

September 11, 2001 -- Nottinghamshire, U.K.

As I approached my family home on my return from school, my mother stood at the door with a red, puffy face. She had been crying.

I was two weeks away from turning thirteen years old. A split second of inconceivable thought crossed my mind. I thought my father had died.

She told me to come into the house and told me: "America is under attack." The BBC had interrupted its broadcast stream -- something I vaguely remembered happening a few years before, when I was much younger, as I was watching cartoons in the living room. Princess Diana had died, and "all programming was suspended."

I saw footage of a plane gliding through the sky, before it exploded upon impact between these two large, unidentifiable buildings. I had no idea what the World Trade Center was, but knew that the Twin Towers -- something covered in school only a week before -- were two of the largest buildings in the world.

It was around 3:40 p.m. in Nottinghamshire, England. I had just finished school for the day. By this point, it was approaching 11 a.m. in New York City. The towers had already collapsed. Thousands were dead in the less than ten seconds it took for the towers to crumble to the ground.

I stood there gazing at the television with only one thought crossing my mind. At that point, I murmured: "This will bring us to World War 3, won't it, mum?"

A world without Facebook, or Twitter, and barely mobile phones -- the technology that we now take for granted was a world away. New York City to me was a world away. The events that day, to the people in Manhattan, were a world away from what they were used to.

The world changed in the space of three hours.

June 10, 2010 -- New York City, U.S.

I sat in a bar on East 30th Street with my colleague Mary Jo Foley, and a mutual friend Jon Honeyball, contributing editor to PC Pro.

Many discussions were bandied around, and we laughed. How we laughed. As we shared bread and olives, something Jon said pricked my ears.

"Say you have a student at college, who has an Arabic name. Sure, he is born in England and has a U.K. passport and nationality, but his parents are Iranian".

"The student goes on holiday to Florida to visit Disneyland. But he gets detained at immigration, without warning or even suspicion. He doesn't know why he is stopped, and nobody tells him why".

"He is doing research into statistical modeling of nuclear reactions and is co-funded by a public sector organization, run by a branch of the U.K.'s chief laboratory", he added.

"But the U.S. decides, wrongly, that he is hostile and of interest."

In a post-9/11 world, we hear stories of law enforcement's institutional racism and ethnic profiling at airports. Whether it truly exists, we have no way of truly knowing.

"The U.S. government can wave the Patriot Act legislation at Microsoft, a U.S. headquartered company, which handles the email of that student's college. Microsoft hands it over, but is gagged from telling the college that this has happened."

I was still unclear of the implications. This was the first time I heard of the Patriot Act, the U.S. counter-terrorism legislation that was brought in a month after the September 11th attacks. A political 'martial law', I believed.

I had to go outside for a cigarette.

This naive, young writer had never even considered that a law from another government could infringe the rights of a foreign national in this way.

I made Honeyball a promise that I would investigate this. I left that evening feeling empowered but equally disheartened. I could not believe that governments could force companies like Microsoft, Google and other cloud-service providers to act in this way.

Honeyball pointed me in the right direction. He had covered this extensively before, and had heated discussions and conversations with many about this. But while he and so many others suspected foul play, it was all but impossible to prove.

June 17, 2010 -- Canterbury, U.K.

After a long week of semi-sleepless nights, I found a crucial discrepancy between two statements late into the evening.

Microsoft, with which I had a good working relationship, was the focus of my investigation. My college around the same time, the University of Kent, had announced that it was switching to Microsoft's Live@edu service -- the outsourced communications platform -- now known as Office 365.

I had a source. This person has the highest level of trust possible in my books. I trusted everything that this person said, because they had laid down their career, their financial security, and potentially their freedom, to disclose something extremely damaging to the global technology industry.

This person handed me a document, which showed a contradiction between what Microsoft was publicly saying and what it knew about the Patriot Act and gagging orders, known as National Security Letters.

Concerned initially for my university -- my colleagues and friends I studied with, and my own personal data security, regarding my institution's imminent contract signing with Microsoft's U.K. subsidiary -- I acted probably before I should have.

I presented this to Julia Goodfellow, vice-chancellor at the University of Kent, who all but dismissed my claims, stating that "Safe Harbor is enough to protect our data." Whether I had failed to adequately explain the situation as well as I could have done, only a week after discovering the initial issue, or whether her institution, which was already suffering at the helm of a global recession, could simply afford to ignore this student for the sake of financial security, I did not know.

I begged her not to sign the contract.

Two months later, our email had been outsourced. Such an action immediately put 19,000 fellow students at my university at risk of having their data intercepted by U.S. authorities. Considering we are an international university, with a good proportion of students from the Middle East and further afield, who knows what repercussions they could face.

A few days after, I received "assurances" from the director of IT services at my university following my meeting with the university chief, stating that the lawyers had explored all avenues in relation to data protection and European data laws.

But I was not convinced. My source already gave me enough evidence for me to pursue this until the bitter end.

October 20, 2010

After months of work, I had managed to drown myself through stacks of paper in my office. I had spent many nights crying, frustrated and annoyed at the lack of clarity I was getting from obnoxious lawyers and members of legal counsel from all sides.

It all came down to asking the right questions; a process that is far more difficult, I assure you, than it sounds. There were people out there who were on my side, but could not declare it, and could not go beyond their brief.

After months of research, I settled on "the questions" I wanted an answer to. After a number of pieces of correspondence with the U.K.'s data protection agency, the Information Commissioner's Office, I had it nailed down to one "perfect question".

I was out for a friend's birthday when I received the reply. It was the turning point in my year-long investigation, which I then published as crucial evidence as part of the Patriot Act series.

"The US PATRIOT Act could be used to get EU-sourced information from a U.S. company. If the U.S. company approached the EU company with a request for the information, then the EU company would have to consider whether to disclose the data."

That was it. My work, after months of inconsolable stress, was given carte blanche by an agency on behalf of the British government.

I began to write. I wrote, and wrote, and could not stop. But I was aware that this would be no more than an elaborate, convoluted but crucial theoretical framework. I could not prove it, no matter how hard I tried, but I could hypothesize.

My editors reviewed my work for months; scrutinizing it at every step. Eventually, a timeline was given, and it was rolled out into the public domain.

June 28, 2011 -- London, U.K.

Annoyed at the lack of publicity my Patriot Act series had received, I felt disparaged by the anger other people did not seem to feel. When your data is at risk, why are you not as annoyed as I am? How dare you?

But it would not deflect my need to validate the theory I had spent so long building.

I was invited to attend the launch of Office 365 in London. Microsoft, for some reason, allowed me to attend, even though I believed, perhaps in a slight sense of paranoia, that I had blown open their entire cloud-based industry. By publishing a deeply complex theory that showed the European cloud, and further afield, was not safe from the U.S. intelligence services and law enforcement authorities, I questioned why they had asked me there in the first place.

I was turned away due to my obsessive-compulsive nature to be early for any event. It was raining, heavily.

I was annoyed, and walked around the corner -- ironically directly past Thames House, the building of the British domestic intelligence service, MI5 -- and bought a coffee from the shop nearby.

I flipped a coin -- something I do often when I am torn between two things -- to determine whether I should even go back. Flip, land, "heads". I decided to go back. Had I not gone back, I would have missed the moment I had been waiting for.

I met Jack Schofield, Guardian newspaper veteran and ZDNet columnist, at the event. We had conversed many times before, but never in person.

After nearly an hour of discussion, he knew also of the reach of the Patriot Act in Europe, and I told him of my work. I mustered up the courage to tell him of my plan. It was not a well-thought-out plan, but I told him of my question -- another question, which would end up changing the world, in part, again.

I told Jack: "Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances -- even under a request by the Patriot Act?"

An hour later, at the question-and-answer session shortly after the Office 365 presentation, my heart was throbbing. I could feel my arm aching. Now is not the time for either a heart attack or a panic attack, I thought.

I signaled for the microphone, and was handed it shortly after. I asked the question, and I received my answer.

"Microsoft cannot provide those guarantees. Neither can any other company", said Gordon Frazer, managing director of Microsoft U.K.

That was it. I sat down, shaking, and thought: "This is going to change a hell of a lot of stuff".

I went outside to breathe. I rang my colleague Mary Jo Foley, who was in the bar over a year ago. She did not answer; she was at the same Office 365 event in New York with colleague Ed Bott. I sent her a text message.

"It took me a year but I proved it."

September 6, 2011 -- Brussels, Belgium

It has been nearly three months since I proved the theory. Like all scientists, I suspect along the way I have gone a little mad through the constant work and legal debauchery.

The work went on to spark a war of words: a full-on diplomatic outrage between the European Union of countries, and the United States.

The EU wanted answers, and rightfully so. The United States, the leader of the free world, is taking advantage of its position in a post-9/11 state of vulnerability, and our laws of data protection are worth nothing.

The European Parliament cited the work that I and my editors had helped write, and that Jon Honeyball had helped inspire. Work is under way to gain clarification on the laws which govern European data protection and transatlantic data transfer.

Now, though, my work is over. The governing body of all of Europe's 27 member states has taken the reins from this mere mortal columnist, and will pursue this until a time when it can be said that cloud-stored data in Europe is safe from American hands.
