Experts refute Verizon's claim that NSA can't grab non-U.S. data

What Verizon says and does appears to be in conflict, according to privacy specialists, legal experts, and academics, who argue the U.S. government can demand foreign data held by American telecom and technology companies.
Written by Zack Whittaker, Contributor

Verizon's latest bid to set the record straight after being implicated in the ongoing leaks pertaining to the U.S. government's surveillance programs is being disputed by critics, privacy advocates, experts, and academics.

In a post on its Public Policy blog, Verizon's general counsel Randal Milch said that the U.S. telecom giant thought it was a "good time to dispel ... inaccuracies" about claims "exacerbated" by the U.S. surveillance leaks that threw the National Security Agency (NSA) and its British counterparts under the bus.

Milch wrote:

"Our view on the matter is simple: The U.S. government cannot compel us to produce our customers' data stored in datacenters outside the U.S., and, if it attempts to do so, we would challenge that attempt in court."

But those claims, along with other comments he made, have been questioned by some of the leaders in the academic, international privacy, and legal fields, particularly in regards to Silicon Valley companies.

"Verizon's lawyer is arguing the international legal position, but he seems to assume that the U.S. courts — in particular, the Foreign Intelligence Surveillance (FISA) Court — is going to be as respectful of international sovereignty as international law would like the U.S. to be," according to Douwe Korff, professor of international law at London Metropolitan University, who spoke to ZDNet on the phone on Sunday.

While the legal bickering can be a bit much, the issue over foreign data is of significant importance for global companies increasingly moving to cloud services from telecom giants and other large technology vendors.

In June, the first Edward Snowden-leaked document disclosed that a secret Washington court forced Verizon to hand over business records (more on this later) and other customer data to the NSA for intelligence purposes. ZDNet obtained a copy of the memo Milch sent to employees, describing how the "alleged" court order "forbids Verizon from revealing the order's existence."

But we all saw it. And the company said it had "no comment" on whether it would challenge the order that may or may not exist.

Verizon has faced extreme scrutiny in recent months, following the Snowden disclosures, but the company giant made an unprecedented move to be the first telecom company to disclose a transparency report on government data requests. It was partly in response to investors attempting to force the matter at the shareholder level. AT&T shareholders demanded a similar response. After the report was published, some said it fell short of expectations in regards to "national security requests."

Academics, privacy experts, legal specialists, and lawyers speaking to ZDNet dispute the telecom giant's claims, and suggest the company — and other Silicon Valley companies — are all just as vulnerable to U.S. government surveillance.

Korff said that he is "certain" the secretive FISA Court, titled after its namesake 1978 statute, which authorizes the secret snooping orders for the National Security Agency, would by virtue of its role in the government surveillance machine take domestic priorities over international obligations.

"Surveillance of data stored in Europe in particular is in my view clearly contrary to public international law, unless there are treaties." — prof Douwe Korff,
London Met University

"If that's the case, then Verizon is right in terms of what the law should be, but [Milch is] totally wrong as to how the law should be applied in practice," he added.

This law, which permits the U.S. government under its own legal jurisdiction to conduct eavesdropping and surveillance overseas, "would be in violation of public international law without a treaty" permitting such activities, according to Korff.

He said there needs to be a clear differentiation between what the U.S. can do under its own law, and what the U.S. can do under public international law — the laws that define the relations between sovereign states.

"If a state takes action that affects the human rights of those in another state, that first state is acting extraterritorially," he said. "And without the consent of the targeted state, that is in violation of public international law."

Verizon "misleading" on customer data access?

Other experts also took issue with Milch's comments, particularly in regard to the bulk metadata collection under Section 215 of the Patriot Act. Indeed, Milch's comments were "carefully crafted to reassure the customer base," according to Axel Arnbak, a research fellow at the Berkman Center at Harvard University and CITP at Princeton University.

In the post, Milch said:

"While Section 215 allows a court to issue an order requiring a company operating in the U.S. to produce certain business records, it does not give the U.S. government the power to act outside the U.S. More importantly, Section 215 does not grant the U.S. government access to customer data stored in the cloud; it only applies to business records of the cloud provider itself."

Arnbak, who was the first academic to acknowledge the extraterritorial effects of U.S. government surveillance and intelligence gathering capabilities on European soil, said the difference is "irrelevant."

"In an amendment to the Patriot Act, the wording was changed from 'business records' to 'tangible things'," he said. "Moreover, before, those data requests had to be connected to specific or articulable facts, but today, a request has to be relevant to an authorized investigation."

More from CBS News


Patriot Act can "obtain" data in Europe, researchers say

European data stored in the "cloud" could be acquired and inspected by U.S. law enforcement and intelligence agencies, despite Europe's strong data protection laws.

This data could be "anything," according to the Electronic Frontier Foundation (EFF).

"Verizon appears to be using the former term, implying some restrictions in Section 215 — a specific set of data. Using the latter term would be correct, meaning any data," Arnbak said. "That, I find misleading," he added.

He wrote in an academic paper in November 2012, following similar work published on ZDNet, that: "If a company is a subsidiary or branch of a U.S.-based company, or if it has one in the United States, it may be assumed that such jurisdiction exists, but jurisdiction may also exist in other, more complex, cases."

This take might not be the news that particularly business and enterprise customers — the core part of Verizon's overseas business — will want to hear, according to Nicole Ozer, Technology and Civil Liberties policy director at the American Civil Liberties Union (ACLU) of Northern California.

"Enterprise customers have been very concerned about their data, and maybe this is to reassure customers that their data hasn't been turned over to the U.S. government. Because enterprise customers may know where their data is stored, and it may be outside the U.S.," she said.

"Whatever data an American company collects, it can be vulnerable to being obtained by the U.S. government. Right now, the government is taking advantage of outdated privacy laws and loopholes to obtain very sensitive information with very little oversight," she added.

"Contrary" to public international law

The crux of Verizon's argument is that the U.S. government cannot acquire foreign data that the company holds in foreign datacenters.

Milch said in his Verizon blog post:

"Where does this leave the government when it wants access to data stored outside the U.S.? The short answer is the Mutual Legal Assistance Treaty process, which the U.S. government can — and we understand does — use to request assistance from local, in-country law enforcement, just as other governments around the world do.

Jennifer Granick, director of Civil Liberties at the Stanford Center for Internet and Society, said that in the intelligence world, "America gets our friends — like Canada or the U.K. — to conduct surveillance, and they give us that information while we give them information."

She noted that companies, such as Verizon, may choose to accept formal and informal requests for customer data, such as foreign court orders, even if they haven't gone through a mutual legal assistance channel.

These treaties, the experts warned, can be used to circumvent countries conducting domestic surveillance on their own citizens.

Milch concluded his legal argument with:

"Finally, Section 702 of the Patriot Act also is not an option for the U.S. government to compel a U.S. company to turn over customer data stored in a datacenter outside the U.S., because the U.S. company does not have possession, custody, or control of that data."

The latest iteration of the U.S.' surveillance laws, brought into force in 2008, protect U.S. citizens and legal residents from government surveillance, no matter where they are in the world. Commonly known as Section 702 of the FISA Amendments Act (FAA) 2008, it allows the U.S. government to specifically target non-U.S. persons for almost any reason it suspects.

Section 702 is best known for authorizing the PRISM program, used by the NSA. According to EFF staff attorney Mark Rumold, speaking to ZDNet in late January, it specifically "restricts who the government can target (non-U.S. persons), when they can target them, when they're 'reasonably believed to be located outside the United States', and for what purposes."

While with Section 702, he explained, the law allows the U.S. government to implant surveillance devices on U.S. soil, the NSA's targets "must actually be physically located overseas."

"Surveillance of data stored in Europe in particular is in my view clearly contrary to public international law, unless there is consent of the targeting state, such as in forms of treaties," Korff added. There are "largely still secret" treaties between the U.S. and other countries and European countries, not least the UKUSA Agreement, which expanded to Canada, Australia, and New Zealand.

Often, these "mutual legal assistance treaties," designed to be the basis of inter-governmental help and support in law enforcement cases and intelligence matters, are old and decadent. In recent months, following the revelations and allegations leaked by Snowden, the technology industry has been left calling for change.

Microsoft's general counsel Brad Smith echoed similar sentiments felt within the technology industry in a recent Financial Times interview (via CNBC) that mutual legal assistance is outdated, saying it "needs to be modernized or replaced."

"I'm absolutely certain that the U.S. is bypassing mutual legal assistance treaties based on the Snowden revelations," he said, adding: "If the arrangement comes up where the U.S. company under its own internal rules cannot drum up the data from its European subsidiary, then the U.S. company might argue it doesn't have possession or control of the data."

"Without a systemic overhaul of these laws, I have a hard time seeing how the current practices can be justified on a constitutional, ethical, and democratic grounds," Arnbak told me.

In response to questions, Verizon spokesperson Ed McFadden said Verizon will "let the report stand on its own," and did not comment further.

Based on the academics, privacy experts, and legal specialists and lawyers, it appears that it may not.

Editorial standards