Yes, U.S. authorities can spy on EU cloud data. Here's how

EU citizens and businesses are warned against using the cloud over the risk that U.S. law enforcement and intelligence agencies can obtain your personal records. Here's how the U.S. can acquire your data, even if you're based in the EU.
Written by Zack Whittaker, Contributor
patriot-act-banner-btl-zaw2 (1)

The U.S. government's law enforcement and intelligence agencies can access cloud stored files in Europe—such as medical and financial records, business secrets and dealings, and even government documents—in spite of seemingly strong EU data protection laws.

Sound vaguely familiar?

Former Microsoft privacy chief Caspar Bowden, speaking at a panel discussion in Brussels this week, warned that U.S. law allows the government to spy on non-U.S. citizens files and documents, and that new Europe-wide data protection law proposals specifically allow such surveillance.

More from CBS News


Patriot Act can "obtain" data in Europe, researchers say

Dutch researchers believe EU data stored on the Web can be obtained by U.S. authorities, despite EU data protection laws

Bowden told the panel that anyone outside the U.S. who uses cloud products—such as Amazon, Apple, Microsoft, Google products, including businesses that outsource their infrastructures to keep costs down—are at risk of being spied on by the U.S. government.

"It doesn’t have to be a political party," he told attendees. "It can be an activist group or anybody engaged in political activity, or even just data from a foreign territory that relates to the conduct of foreign affairs in the United States."

He also warned that the new EU Data Protection Regulation, which will be voted on by members of the European Parliament later this year, introduces "loopholes" that permit foreign state spying. He warned that U.S.-based Internet giants—such as the aforementioned, are forced into handing over data on European citizens when required, or they could face sanctions or prosecution.

But, it's actually not that much of a secret anymore.

After close to two years of research in the land of 'extra-territorial' legalese, I published a well-thought out theory, which closely detailed how a European company could be forced to hand over data to a third-country, such as the United States, without going through the proper legal channels.

This would, if proven correct at the so-called "World Court," the International Court of Justice in The Hague, be a breach of international law.

The reason is that law enforcement or government agencies must use so-called "mutual legal assistance" (MLA), the formal process of asking a foreign government for citizen data to help with an active law enforcement investigation. Many countries have MLA treaties in place to help other countries out with investigations in their own countries.

But in doing so, it would mean that the requesting government may have to dish out even a small amount of intelligence to suggest that something, like a terrorist attack, could be in the works. And, governments like the U.K. and U.S., like to hold their intelligence cards closely to their chest. 

According to a European Commission spokesperson:

No legal acts of a third country as such can legally overrule the relevant EU legislation or Member State legislation, and this includes data protection rules. Any processing of personal data in the EU has to respect the applicable EU data protection law.

If, for example, a U.S. law enforcement authority requires information from companies operating in the European Union, whatever the nationality of those companies, they have to use existing channels of cooperation and mutual legal assistance agreements

In a nutshell: Use the official mutual legal assistance channels, or don't bother at all.

After this was published, Microsoft U.K. managing director Gordon Frazer became the first European regional chief of a major technology company to admit that no company could guarantee that data stored in Europe would not be transferred out of the 27 member state bloc under a third-country government's request. 

Theory proved, one thought. But that wasn't enough.

A group of Dutch law academics at the University of Amsterdam's Law School also took this theory and ultimately concluded that it was accurate. A country outside the EU—such as the U.S.—are able to 'steal' sensitive and personal data from a European company and pass it back to their own government for their intelligence services to sift through.

For whatever reason, it doesn't matter. Intelligence services do a lot of strange things, such as planting cupcake recipes on terrorist's bomb-making forums.

Before we get on to the "how," it's worth exploring the "why." 

A brief history lesson

The key to the U.S.' power to access cloud-based content abroad? The Foreign Intelligence Surveillance Act, or FISA, first passed by Congress in 1978 and amended by the Patriot Act in 2001, just a month after the September 11 terrorist attacks, gives the U.S. government even more power to acquire data on U.S. citizens and those abroad. The law was created at a time before cloud computing even existed.

But the problems began, unwittingly, when a disparity in the law quietly emerged in 1995 when the European Commission ratified the European Data Protection Directive, which was meant to protect the 500 million strong population of the European Union against third-country laws. 

When FISA was last amended in 2008, a bevy of provisions were added that gave the U.S. government the power of mass surveillance, and specifically targeting data outside the U.S. on non-U.S. citizens. This power, known as 'section 1881a', also applied to cloud computing, and according to the American Civil Liberties Union (ACLU) it targeted citizens "without any individualized review, and without any finding of wrongdoing."

Most of these powers in section 1881a were already defined in earlier versions of FISA, according to a report by the European Parliament last year, but the "conjunction of all of these elements was new." The amendments were set at the end of 2012, but were extended by Congress with only hours to spare.

According to the Electronic Frontier Foundation (EFF), in 2007 there were 2,370 applications for wiretaps under FISA. While the "FISA wiretap risk is very low, as is the risk of being subjected to a secret physical search under FISA," the privacy organization says: "The risk of having records about you secretly subpoenaed under FISA is much higher, but if it's your communications records the government is after, they're more likely to use a [gag order]."

Section 1881a remains the legal playbook in which the U.S. government and its law enforcement agencies are allowed to acquire data on non-U.S. citizens, so long as they can reasonably access it.

In a nutshell, if you live in Europe or anywhere else outside the U.S. but use services that are based in, or by a U.S.-based company, such as Apple's iCloud, Google Drive, or even Facebook, then your data is free for inspection by U.S. authorities.

The trouble is nobody in power in Europe knew about this until Microsoft U.K.'s managing director inadvertently said something that pricked up the ears of journalists in the room, ironically at the launch of the software giant's cloud productivity suite, Office 365, in London two years ago.

You might think, "ah, but my data is stored in an European data center." Correct, but f you're a European citizen or a resident in one of the 27 member states, it's likely that your data that is hosted by a U.S. provider has your data on European soil.

But it doesn't mean you're safe from third-country snooping. It just means other governments have to use a slightly less international legal method of acquiring that data. 

Here's how it works

Let's take a fake company—not just to avoid getting sued—but also for the sake of simplicity and playing fair. After all, this applies to any U.S.-based company with a presence in Europe or further afield, such as the aforementioned Amazon, Apple, Google, Microsoft, Facebook, and even Twitter.

Slicklizzard U.S. Corp. is a U.S.-based technology giant that focuses its efforts in providing data storage to companies in the northern hemisphere. Its headquarters contains a U.S. data center for North American customers. To serve its European counterparts and to comply with EU laws—essentially keeping EU data within the 27 member state bloc—the company has a wholly owned London, U.K.-based subsidiary called Slicklizzard U.K. Ltd., which owns a data center in Dublin, Ireland, a European Union member state. 

This set up may be familiar to those using services from real-life companies.

The U.S. government sends a FISA warrant to Slicklizzard U.S. Corp. A FISA court, which has no public record and convenes in secret, must receive "probable cause," which could be as simple as requesting documents or records "for" an intelligence or terrorism investigation. In reality, these warrants could be for people even multiple degrees of separation from a "suspected"—not convicted—terrorist.

Attached to the warrant is a so-called National Security Letter (NSL), which is for all intents and purposes a 'gagging order,' preventing the company from disclosing the warrant to anyone—including its subsidiaries or offices around the world. 

Slicklizzard U.S. Corp. can either do one of two things: fight the warrant and argue it's a violation of First Amendment rights, which some courts have found and have overturned the gag order; or do nothing and simply comply with the order.

It's far easier and simpler to go with the latter. After all, there's a gag order in place. Nobody will find out.

The FISA warrant is requesting details of a "suspect," for now, let's call him John Doe, who the U.S. government's law enforcement agencies want to investigate as part of a terrorism investigation, a common request under FISA.

John Doe lives in Germany and hosts his private and confidential data in Slicklizzard U.K. Ltd's data center in Dublin, because Doe is a European citizen. Seemingly, the FISA warrant cannot reach Doe because it is outside of the jurisdiction of the U.S. company, but it's not. 

Slicklizzard U.S. Corp. is obliged to carry out the warrant, or face sanctions to its U.S. office. It can either face prosecution by U.S. authorities or a minor slap on the wrist and a meager fine from EU authorities if they find out, but because there's a gagging order in place, how could they?

So, Slicklizzard U.S. Corp. instructs its subsidiary—which it wholly owns, and therefore can order its London-based subsidiary to carry out actions, without reason or prior warning, to send all of Doe's data from its Dublin data center to its U.S.-based data center. All this, and it can't tell its London subsidiary what it's for or face sanctions in the U.S. for breaking the gagging order.

This is legal through the U.S.—EU Safe Harbor agreement, in which a U.S. company must treat the data with the same level of protection as the EU-based company. However, Safe Harbor does not protect against FISA warrants. 

The moment it lands in that U.S. data center, it falls under U.S. legal jurisdiction and can be acquired by U.S. authorities. The data is then sent to the requesting agency which requires the data.

And that's how the U.S. government, and other governments where their laws can supersede the laws of others, particularly if that company can face sanctions under that state's laws, can acquire data on Europeans and further afield without using the internationally legal "mutual legal assistance" treaties.

Now apply this scenario—actually, quite a simple scenario—to any of the aforementioned companies. From your iTunes collection to your personal Dropbox storage, your Google Gmail or Microsoft Office 365 company data, all the way through to your hidden Facebook and Twitter information, activity and searches. 

We don't know if it has happened or will happen, because these FISA warrants are secret and data is limited. All we do know, however, is that it can happen.

Think twice before you put your data in the cloud. 

Editorial standards