Case study: How the USA PATRIOT Act can be used to access EU data

This is the third in a series of posts that examine the principles governing the transfer of data across borders between the European Union and the United States, and the effect that the USA PATRIOT Act has on businesses, citizens and governments outside the United States. Although this is a U.S.-oriented site and I am a British citizen, the issues I surface here affect all readers, whether living and working inside or outside the United States.

British and European universities are risking their students' security by outsourcing to the cloud. Here's a theoretical case study cross-examined with supporting evidence.

[ See also: USA PATRIOT Act and the repercussions on the cloud, and Safe Harbor principles designed to protect European data from misuse in the United States.]

Taking real world evidence along with testimony from various sources, and printed communiques between various organisations including governments, and those who provide cloud services, this post will provide the relevant evidence to support the case that European data can be vulnerable to U.S. law.

Though written evidence plays a crucial element in this research, these issues are hypothetical. They are likely to remain that way since the Patriot Act operates at the highest level of the legal framework. The law is designed to be theorised, and tested and debated in the courts. This series of posts is designed solely to raise awareness for future discussion.

Though this case study does not focus on one particular institution, it can be applied to any school, college or university outside of the United States, which has an outsourced communications infrastructure - like email - to the cloud.

In Europe, there are at least 300 universities with over 5 million students that have outsourced student and/or staff email to Microsoft's Live@edu service or Google Apps for Education.

A former Microsoft employee explained to me in June 2010 that the UK and the EU believe they have "nothing to worry about" when it comes to the USA PATRIOT Act, because of the "vast geographic distance to the United States". In regards to numbers:

"Uptake in the UK has been huge. It has been one of the most successful Live@edu adoption areas. But there is something amiss about the issues in Canada."

One of Google's customers is the University of Cambridge, which has not only published their contract with Google on its website, but also notes there the existence of the Safe Harbor framework, and the risk to the disclosure of data under US law for 'national security considerations'.

The governing contracts and the laws they follow

The contracts between the universities and the cloud service provider would not only disclose which laws the service would be covered under, but also who would be designated the data controller and the data processor.

It is important to determine who the controller of the data is, and who simply processes the data on the controller's behalf, as under law this determines who is responsible for the security and safe keeping of the data.

The complex business arrangements which the cloud and outsourced infrastructure offers, the distinction between the controller and processor became vague and unclear. The EU Article 29 Working Party issued guidance to reduce legal misinterpretation last year.

Often, a local wholly-owned subsidiary company of a larger US parent company will engage with a customer within their home territory. It would not be uncommon, for example, for many universities and subscribers to cloud services like Live@edu to deal with Microsoft UK Ltd., a wholly-owned subsidiary company of Microsoft Corporation in the United States. Google UK Ltd. is one of many wholly owned subsidiary companies of Google Corporation.

It is not clear whether each contract is specific to the needs of the institution signing up for outsourced cloud services or not. For non-paying educational institutions, it could be that the contract acts as one-size-fits-all.

Yet the University of Cambridge, a Google Apps for Education subscriber, disclosed the contract signed between the two organisations (mirrored here) which clearly states at the start of the contract:

"This Google Apps Education Edition Agreement (the "Agreement") is entered into by and between Google Inc., a Delaware corporation, with offices at 1600 Amphitheatre Parkway, Mountain View, California 94043 ("Google") and The Chancellor, Masters, and Scholars of the University of Cambridge, a University formed under the laws of England and Wales with an address at The University of Cambridge, The Old Schools, Trinity Lane, Cambridge, CB2 1TN ("Customer")."

In this case, Cambridge is entering into a contract directly with a U.S. company, without going through a local UK subsidiary. Further into the agreement at point 14.10 on page 6, stated in capitals:

"14.10 Governing Law. This Agreement is governed by California law, excluding that state's choice of law rules. FOR ANY DISPUTE RELATING TO THIS AGREEMENT, THE PARTIES CONSENT TO PERSONAL JURISDICTION IN, AND THE EXCLUSIVE VENUE OF, THE COURTS IN SANTA CLARA COUNTY, CALIFORNIA."

This contract and service being provided by Google lies directly under California, and therefore U.S. law. Yet Cambridge only currently subscribes to Google Calendar and not the email service.

As Cambridge published the most in-depth FAQ section regarding their services provided by a cloud service provider, it could be argued that Cambridge is aware of the legal implications of outsourcing potentially sensitive email data.

Cambridge still uses an internal, on-campus email solution which has no connection in any way, shape or form to US legal jurisdiction.

However, when speaking to one UK university's IT director via email in regards to the Live@edu rollout at their university, he said:

"Such a move raised questions of whether reliability and security could be preserved and these were looked into and discussed with potential suppliers. Terms and conditions were scrutinised by the University and its lawyers and specific assurances from our eventual supplier sought.

In so doing, the University has received clear and specific assurances from Microsoft that the mailbox data that is being hosted on the Live@edu service is secure and will reside within the EU. The agreement we have with Microsoft is governed by English law."

One vice-chancellor who ultimately authorised the outsourcing of student email to the cloud to Live@edu told me that the contract was under UK law with Microsoft UK Ltd.

Live@edu contracts will probably be under the laws and jurisdictions of the country in which the school is based. However, Google's contract with Cambridge proves otherwise as the legal framework falls under California state law, which ultimately falls into US law.

Does outsourced university cloud data leave the EU?

Microsoft and Google have datacenters in various locations around the world. To comply with European legislation, in essence EU data must remain within the EU. This is why both Microsoft and Google have datacenters in Dublin.

Google is very tight-lipped about its datacenter operations. Microsoft is also sparing in detail, but acknowledges the existence of the Dublin datacenter.

It is rumoured that Google has multiple datacenters across Europe, including one in Ireland, France, Germany and the Netherlands. Google refuses to comment on datacenter practices, which makes it difficult to assess not only where Google Apps for Education data is stored.

Microsoft on the other hand explained in an email that:

"Live@edu is hosted in a regional data center based on the customer's address of record. For instance, if a user is based in the European Union, data about it will be stored in a European data center. Customer data is housed in two data centers to provide geo-redundancy."

Geo-redundancy, a technology which allows data to be backed up and stored in another datacenter to prevent data loss in the case of a disaster or attack, is a vital part of datacenter networking operations.

Microsoft has two datacenters within Europe that they are open about: Dublin and a second in Amsterdam. It is not to say that these datacenters are where Live@edu data is stored, but it is likely.

Yet, a pattern emerged which caught my eye.

Most universities who sign up to outsourced cloud services only upgrade the vast majority of their students - the undergraduates. In most cases, postgraduate research students and PhD students remain tied to an internal email system provided on campus.

Research postgraduates, including PhD students, will in most cases be working under a research contract which can impose restrictions as to where the email and data can be stored. The University of St. Andrews explains this on their FAQ for postgraduates' page:

"SaintMail (hosted by Google) is now provided as the standard email facility for all students at the University of St Andrews, replacing an earlier locally-hosted WebMail facility.

However, some research contracts place restrictions on the transmission or storage of information using external services (such as Google). Such contracts may require all transmission and storage of data to remain within the European Union, or even explicitly within the University.

If you are working under a research contract that imposes such restrictions, then you must not use SaintMail but instead use WebMail."

As many of these services are offered to university alumni too, those users should also be wary of sending and receiving personal, private or secret information using these cloud services. Though it may be used as another email account to communicate with friends, the data that is stored could be vulnerable to the USA PATRIOT Act.

Microsoft emphasized their commitment to privacy and following applicable laws:

"Microsoft will work to be transparent with how we move and store data in many different jurisdictions, and will continue to follow all applicable laws, including data protection laws. Microsoft abides by the Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Union, the European Economic Area, and Switzerland."

When I asked which country's law would have grounds to move the data outside the jurisdiction of the customer, Microsoft responded:

"Microsoft believes that its customers should control their own information to the extent possible. Accordingly, if law enforcement approaches Microsoft directly for information hosted on its systems for its enterprise customers, Microsoft will try to redirect law enforcement to the customer to afford it the opportunity to decide how to respond."

Hypothetically, if a National Security Letter or so-called "gagging order" was issued to U.S.-based Microsoft Corporation, the local subsidiary - in this case Microsoft UK Ltd. - may not be allowed under U.S. law to inform the local customer - the university - of this handover of data.

A similar statement forwarded to me from a colleague, attributable to Doug Hauger, General Manager of Windows Azure, said:

"Microsoft will guarantee that the company will not replicate a user's data outside their region of choice unless required by law."

Both Microsoft and Google, as major players in the university outsourcing cloud market in Europe, have not stated which region, state or country's law would suffice to move data outside the customer's locale.

A Microsoft document containing an FAQ used in customer relations states:

Q: Can you ensure that a customer's data never leaves the Data Center assigned to them?

A: Microsoft cannot make any guarantees that data stays in a single jurisdiction, but will comply with all applicable laws regarding cross-border data transfer including EU and US Safe Harbor requirements. There are many reasons we can't provide this type of assurance.

Most importantly, Microsoft must be able to manage our services and move data as necessary to provide our customers with the best possible service. Also, we may be required to move data outside of a Data Center to the extent necessary to respond to a lawful request for production of documents from law enforcement authorities.

While geo-redundancy between two European datacenters complies with EU regulations and is a significant reason for having more than one datacenter in the region in the first place, it also allows for data to be replicated outside of the European zone. By following the Safe Harbor framework, it would be allowed under EU law - and thus the law of the European member state in question, to copy data from an EU datacenter to a U.S. datacenter to ensure that backups were made. This, however, makes the data vulnerable to the Patriot Act as explained in the previous post.

Google refused to comment regarding questions about their datacenters and geo-redundancy, and under whose laws they would be obligated to follow if requested to do so by law enforcement.

However, Microsoft provided a statement from their Legal and Corporate Affairs (LCA) team, in response to the same question posed to Google.

I asked which would take legal precedent: the contractual relationship between the university customer and Microsoft UK Ltd. as the wholly-owned subsidiary company which offers the services, the Safe Harbour agreement, or the Patriot Act:

"Any U.S. company or company with a presence in the U.S. - including Microsoft - is subject to the jurisdiction of the U.S. government. Microsoft sees no conflict between our agreements with users, Microsoft's commitments under Safe Harbor, and U.S. law."

The bottom line is that both Microsoft and Google -- and therefore any other cloud service provider operating in Europe -- cannot provide satisfactory guarantees that data supplied by EU customers and housed in datacenters on European soil will not leave the European Economic Area under any circumstances.

In the case of Google's contract with the University of Cambridge, at point 1.7 it states clearly that:

"As part of providing the Service, Google may store and process Customer Data in the United States or any other country in which Google or its agents maintain facilities. By using the Services, Customer consents to this transfer, processing and storage of Customer Data."

Any company that is wholly-owned by a U.S.-based corporation cannot guarantee that the data will not leave its customer-designated datacenters or servers. Google would not budge from its first and final response, and Microsoft could not offer guarantees to not move data outside the EU under any circumstances.

These subsidiary companies and their U.S.-parent corporations cannot provide the assurances that data is safe in the UK or the EEA, because the USA PATRIOT Act not only affects the U.S.-based corporations but also their worldwide wholly-owned subsidiary companies based within and outside the European Union.

UK Government data protection agency urges caution in outsourcing data to the cloud

The Information Commissioner's Office (ICO) is the data protection authority of the United Kingdom, which regulates the data protection and information laws, and reports directly to the British Parliament on these matters.

The ICO published cautionary words of advice to organisations in the UK regarding the outsourcing of data to non-EEA member state countries, highlighting the legislation and obligations imposed on organisations; in particular, the USA PATRIOT Act.

It states in their good practice guide:

"As part of your assessment as to the adequacy of the protection available for the information being transferred you will need to consider other legislation, any risks this may pose, the likelihood of you or your processor being subject to that legislation and how you will respond if necessary.

You will need to make sure you have procedures and measures in place to deal with any requests for information you or your processor may receive under legislation in the country in which the processor is located.

If either you or your processor receives a request for information from another jurisdiction, you will need to decide whether or not you are able to comply with the request."

Problems in data security may arise when the contract between the university and the cloud service provider states who the data controller and data processor is, or whether the customer and the provider are joint controllers.

All of the universities I have spoken to have declined to share who in their contract is the data controller or the data processor, whether it is Google or Microsoft as the cloud service provider, or the customer themselves.

On the other hand, the University of Huddersfield, which signed up to Microsoft's Live@edu service, stated on their FAQ pages that the university "will remain the custodian of any [email] data", indicating that the university remains the data controller, with Microsoft acting in a capacity as data processor.

Similarly, the University of Warwick also states on its FAQ pages that the university also owns the data, with Microsoft acting with only processing capability. Not only this, the FAQ page states the reasons as to why Microsoft was chosen over Google. It was:

"...because (a) Microsoft commit to keeping our data in the EU (b) we currently run Exchange email for staff, so there is a better technical fit. (c) we valued system administrator and proxy access to accounts, which Microsoft support but Google do not.

"It is important to us for legal reasons that email data is held within the EU rather than the US or elsewhere in the world, and Microsoft's service is the only one which is committed to this approach."

In light of this, Google may not even store the data in an EU datacenter. It is clear that universities are wary of the jurisdiction under which the data they are responsible for is governed, yet disregard the universal concerns with the cloud, by seeming to focus on a single point of law rather than taking into account the wider legal reality.

However, referring back to the contract between Google and the University of Cambridge, it states in 1.11 that:

"Customer, as data controller, instructs Google, as data processor, to provide the Services in accordance with the Agreement."

And in 2.3:

"Customer agrees that Google's responsibilities do not extend to the internal management or administration of Customer's electronic messaging system or messages and that Google is merely a data-processor."

In an email from a senior official from the ICO, the role of the data processor versus the data controller is relatively clear.

"The data processor has to act on the instructions of the data controller, and it is the controller who is liable and responsible for the personal data."

The contract between Cambridge and Google Corporation is under California law. Cambridge is therefore obliged to follow UK and EU data protection laws as the data controller. As the data is stored in the United States under US law, the USA PATRIOT Act supersedes the laws of a foreign entity on its own territory - such as the United Kingdom.

UK data protection agency's concern 'proves' theory

The UK Data Protection Act 1998 was published in accordance with the passing of the EU Directive 95/46/EU, also known as the "Data Protection Directive", which mandated all current and future EEA member states to pass agreed-by-consensus rules into their own respective laws by the end of 1998.

All EEA member states, including the United Kingdom, now share in their own respective laws common elements from the same EU directive. This means while the ICO only officially speaks on behalf of the UK Government in matters of data protection and information privacy, the advice filters through to all EEA member states and can be applied as such.

In an email from a senior official at the ICO, in regards to the USA PATRIOT Act and Microsoft, in this case, the words of caution are clear. This is not only the official standpoint of the British government, but also the most hard hitting of all evidence so far amid this vast investigation:

"This Act is wide-ranging and it is our understanding that the US Government could request information from Microsoft as a US company and that this could include information held outside the EU.

When an organisation is considering whether to disclose personal data, they will take into account whether the legal obligation applies to them, whether there is a court order and so on. If the request is made to Microsoft Ireland, then they will make the decision whether or not to disclose. As part of making that decision, they may contact the organisations who supplied them with the data."

A few months later, the ICO official emailed a reply to clarify a few points I made in regards to EU subsidiary companies, which are wholly owned by U.S.-parent organisations:

"As previously stated, the USA PATRIOT Act could be used to get EU-sourced information from a U.S. company. If the US company approached the EU company with a request for the information, then the EU company would have to consider whether to disclose the data."

It is correct that once the data has been transferred to a U.S. company, that company may be subject to the USA PATRIOT Act. That is one factor for an EU company to consider when deciding to transfer personal data to a U.S. company."

The EU company would have to consider whether to disclose the data. Yet though the U.S. wholly-owned subsidiary company, like Microsoft UK/Ireland Ltd. and Google UK/Ireland Ltd. are based in Europe and fall under European law, they would still be required to comply with their US parent organisations as explained in the previous post.

The Information Commissioner's Office for the UK Government made a clear statement that EU based wholly-owned subsidiary companies are vulnerable to the USA PATRIOT Act.

Continue reading

The final post details the consequences for cloud users in Europe, and further afield, including the possibility one could be turned away at US Border Control for something they may not even know about. Read more.

Leave your comments and thoughts below.