Microsoft's pledge to 'shield foreign data' may increase NSA surveillance, experts suggest

Microsoft's efforts to allow foreign customers to move their data to non-U.S. regional datacenters could increase the scope of NSA surveillance, academics and lawyers suggest.
Written by Corinne Reichert, Contributor and  Zack Whittaker, Contributor

In efforts to appease international customers amid a spate of intelligence leaks that implicated Microsoft in the PRISM scandal, the software giant is offering to store foreign data outside the U.S.

But international law specialists, privacy experts, and academics alike have suggested that in the wake of such broad U.S. government surveillance, allowing customers to make a move like this could put foreign customer data, stored in the European Union and further afield in Asia and Australia, more at risk from U.S. surveillance.

First reported by the Financial Times (via CNBC), Microsoft general counsel Brad Smith said the move was "necessary" following the leaks that showed the U.S. National Security Agency (NSA) had been monitoring data of foreign citizens across the EU and beyond.

"People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country, and should have the ability to make an informed choice of where their data resides," Smith told the London financial newspaper.

"The events of the last year undermine some of that trust; that is one of the reasons new steps are needed to address it," he added, referring to the Snowden leaks.

Microsoft spokesperson Kathy Roeder confirmed that the quotes were accurate, but was not able to explain whether this would affect consumers or business users.

The issues surrounding outsourcing and data sovereignty has, thanks to the Snowden disclosures, became a top corporate concern. Yet, attempts by technology companies and telecoms giants to reassure customers in the wake of the leaks appear to be more concerned with mitigating the damage from the NSA fallout, rather than protecting their customers' data.

All roads lead back to America

In discussions between ZDNet and academics, privacy experts, legal specialists, and lawyers, the consensus is clear: Foreign-stored data can be just as vulnerable to U.S. government surveillance, and in some cases more so than if it were stored in the United States.

"Whatever data an American company collects, it can be vulnerable to be obtained by the U.S. government," said Nicole Ozer, Technology and Civil Liberties policy director at the American Civil Liberties Union (ACLU) of Northern California.

"Right now, the government is taking advantage of outdated privacy laws and loopholes to obtain very sensitive information with very little oversight." — Nicole Ozer, ACLU (N. CA)

Speaking to ZDNet in a telephone interview on Sunday, Douwe Korff, professor of international law at London Metropolitan University, said that if the U.S. government were to use these laws to conduct eavesdropping and surveillance overseas, it would be in breach of international law.

"If a state takes action that affects the human rights of those in another state, that first state is acting extraterritorially," he said. "And without the consent of the targeted state, that is in violation of public international law."

In terms of Microsoft's structure, with subsidiary offices around the globe, Korff explained that the relationship between parent companies and their international subsidiaries holds the key to the U.S. government's ability to access foreign data outside of the international legal channels.

"If a U.S. company stores customer data in a datacenter — wherever it is — and can retrieve it from that datacenter and move it to somewhere else of its choosing, which could be in the U.S., I would certainly see that as showing that it had control and quite possibly custody and possession of the data," he said.

This, he added, would be enough for the U.S. government to force the U.S. parent company with adequate powers to instruct its European subsidiary to comply with data-requesting court orders.

Korff's comments resonate with the news first published by ZDNet before the Edward Snowden leaks confirmed the foreign spying machinery of the U.S. government, and work by Dutch academics published exclusively by sister-site CBS News in December 2012.

On Tuesday, ZDNet reported comments made by Verizon's chief counsel Randal Milch in late January, following the release of its first transparency report, which claimed that the U.S. government "cannot compel us to produce our customers' data stored in datacenters outside the U.S., and, if it attempts to do so, we would challenge that attempt in court."

Those claims were refuted by leading experts on Tuesday, who said that Milch's comments were "misleading," and that international treaties designed to govern transnational data transfers for law enforcement purposes are being bypassed.

Verizon spokesperson Ed McFadden declined to comment on the report.

Bypassing the international legal channels

Under Microsoft's plan to "shield foreign users' data," the data would become available for the government of the country that it is located in. For Europeans, that would most likely be where the company's Dublin datacenter is located, falling under Irish law.

In this case, European data protection and privacy law would apply. However, based on the Snowden leaks, many of the NSA programs have been found to have fallen afoul of apparently strong European laws.

European Justice Commissioner Viviane Reding warned U.S. Attorney General Eric Holder in a strongly worded letter, not long after details of the PRISM program broke, of "grave adverse consequences" in U.S.-EU relations. In doing so, she argued that European law had not been as effective as it should have been, partly down to the U.S. government not having "respect for fundamental rights and the rule of law."

These so-called mutual legal assistance treaties, which are designed to help law enforcement and intelligence agencies in one country seek data from an allied nation elsewhere for investigative purposes, are often old, outdated, and decadent. Not least of these is the well-known post-World War II treaty, the UKUSA Agreement, which was eventually expanded to Canada, Australia, and New Zealand.

Smith himself said in the Financial Times article that these treaties should be "modernized or replaced."

While Reding has echoed similar statements that U.S. authorities "have to use existing channels of cooperation and mutual legal assistance agreements" as the only avenues for data requests, Korff told ZDNet that based on the Snowden leaks, he is "absolutely certain" that the U.S. government is bypassing these treaties with its own intelligence gathering laws.

This was the foundation principle of the work conducted by Dutch researchers at the University of Amsterdam's Institute for Information Law more than six months before the first batch of Snowden documents were leaked.

Arnbak said in an academic paper in November 2012, following similar work published on ZDNet, that: "If a company is a subsidiary or branch of a U.S.-based company, or if it has one in the United States, it may be assumed that such jurisdiction exists, but jurisdiction may also exist in other, more complex, cases."

Much can be said about countries and regions outside the European Union, including Asia and Australia, and other places where Microsoft has subsidiary offices and datacenters.

"In any event, the location where the data are stored is not decisive for determining whether a cloud provider is subject to FISA jurisdiction and statutory powers concerning access to data," the paper stated.

Updated in 2008, following earlier disclosures of President George W. Bush's domestic intelligence program, the FISA Amendments Act (FAA) 2008 is one of the strongest intelligence-gathering weapons in the government's surveillance arsenal. Particularly in so-called Section 702, the U.S. government is granted by Congress the power to specifically target non-U.S. persons for almost any reason it suspects, while protecting the rights of U.S. citizens no matter where they are in the world.

According to Electronic Frontier Foundation (EFF) staff attorney Mark Rumold, in an email to ZDNet in late January, Section 702 restricts the NSA's targets to those who are "physically located overseas."

But Jennifer Granick, director of Civil Liberties at the Stanford Center for Internet and Society, explained in a call on Monday that the U.S. government is "virtually unregulated in terms of what it can do and where collection takes place overseas — particularly if there isn't a U.S. target."

"For every piece of information, the NSA has multiple technical points at which it can collect it, and multiple legal authorities to do so, so there's almost certainly another way around forcing a subsidiary into handing over data," she said.

Foreign data "fair game" for NSA

For the U.S. government to acquire data, whether it's through mutual legal assistance channels — or by approaching the U.S. parent company as Korff and Arnbak described — a FISA court order would be significantly easier to get if the majority of the data was foreign users' data located outside the United States.

By virtue of being an overseas datacenter, whether in Ireland, Asia, or Australia, more than 51 percent of all stored information will be non-U.S. data in order to accommodate local laws and regulations, and also increase data access speeds and decrease latency and delays.

"U.S. intelligence agencies ... are virtually unregulated in terms of what they do and where collection takes place overseas." — Jennifer Granick, Stanford Center

"If you're a U.S. person communicating with someone overseas, who is related to or talking about something of foreign intelligence interest, the statute here allows the NSA to collect that information," Granick said. "That’s allowed."

The leaks have shown that this may not strictly be the case, however.

According to The Guardian, which first broke the "minimization" story, the FISA Court-approved rules allow the U.S. government to collect, retain, and use U.S. communications under certain circumstances. This includes data on "usable intelligence, information on criminal activity, [or] threat of harm to people or property [that] are encrypted, or are believed to contain any information relevant to cybersecurity."

Perhaps more worryingly, the documents add: "In the absence of specific information regarding whether a target is a United States person ... a person reasonably believed to be located outside the United States or whose location is not known will be presumed to be a non-United States person, unless such person can be positively identified as a United States person."

The NSA also has additional tools that can be used to acquire foreign data, which is permitted under U.S. law — however, as stated by Korff, this is in breach of international law.

Other Snowden documents confirmed that the NSA can not only tap the fiber cable links between Google and Yahoo datacenters, but, with the British GCHQ's help, the intelligence agencies can also break common encryption standards that are used to secure data — codenamed MUSCULAR and BULLRUN, respectively.

It's not clear whether other companies, including Microsoft, are vulnerable to similar data intercepting tactics as their Silicon Valley rivals.

The privately owned fiber links between datacenters being tapped, first disclosed by The Washington Post, were located in Ireland, where many technology giants house their European data, according to one source familiar with the matter, who declined to be named.

Following the MUSCULAR disclosure, Microsoft said it would follow Yahoo's trail and encrypt the network traffic that flows over its own datacenter links. This suggests that the company's own private fiber links are not already encrypted, under the assumption that they are not being tapped.

Microsoft did not say when it would begin encrypting international data traffic, however.

Arnbak, who is particularly critical of the secret interpretations of U.S. surveillance statutes, said in an email: "Legality and oversight are consistently referred to by authority and industry to keep the surveillance system under control, but have failed on the most fundamental levels imaginable."

Without U.S. legal reform, Microsoft's efforts do not necessarily help anyone. Indeed, under certain circumstances — notably, U.S. persons overseas and foreigners with equally surveilling governments — this could leave it more vulnerable to NSA data interception.

Editorial standards