Personal information belonging to EU users of US-owned cloud-based services could be shared with US law enforcers without the user being informed, Microsoft has said. The software giant said it could not guarantee that it would not have to hand over EU customers' data on a new cloud service it has developed whilst keeping …
These EU provisions might conflict with obligations US-based firms
If you can't obey EU data protection laws then you shouldn't be allowed to trade in the EU.
That should put the cat among the pidgins :-)
They could find some way of offering overseas companies the ability to store their data in an encrypted container. That way at least there's some work to be done which would thin out phishing trips by the authorities. This just sounds like state-sponsored corporate espionage otherwise.
Re: Cat amongst the pidgins
No it won't.
MS have simply pointed out that as a US company they are bound by US law. This is not a new phenomenon. Multinational companies have always had to square their obligations in several jurisdictions at once. The cloud (as ever) adds nothing qualitatively new to this old problem. It merely makes it easier to get confused about "where" a given transaction takes place.
It is easy to imagine situations where it is impossible to grant freedoms enshrined by law in one country and simultaneously protect rights guaranteed by law in another country, so the hard line you advocate is pretty much a ban on the existence of multinational companies. Since such companies clearly exist, I assume that the lawyers, courts and politicians have seen sense and take a more moderate view.
Re: an encrypted container
This is fine, as long as data storage is the only service you are getting from the cloud. Sadly, I think you will find it is quite hard to perform computations directly on encrypted data (*). In practice, you'd have to decrypt it, perform your computation and then encrypt the results -- all on a CPU that is owned by that US company and therefore subject to US laws on snooping.
(* Off the top of my head I can't think of a simple proof that this is impossible, but equally I'm not aware of any way of doing it.)
Re: Cat amongst the pidgins
"It is easy to imagine situations where it is impossible to grant freedoms enshrined by law in one country and simultaneously protect rights guaranteed by law in another country,...."
Conventionally, multinationals obey the local laws in each country in which they operate, for their activities within that country's jurisdiction. Walmart sells guns in their stores in the USA but not in Europe. Supermarkets in the UK sell things like ibuprofen and cold remedies but their counterparts in Germany cannot.
The difference in this case is that US legislation appears to overstretch itself to include the activities of Microsoft (and others) well outside of US jurisdiction. By the same thinking, a court in Saudi Arabia might prosecute an multinational online book retailer for selling bibles in the USA and Europe.
Perhaps the EU agreed to this arrangement with the USA to favour cloud providers entirely based in Europe...
Alright here's a fucking title then.
"They could find some way of offering overseas companies the ability to store their data in an encrypted container."
Trusting "them" to provide proper encryption is exactly as effective as trusting "them" not to peek at your data in the first place. Do your own encryption or don't play would be my advice.
Also - performing calculations with encrypted data: You can either bring back the required bit; decrypt it locally; perform your calculation locally; re-encrypt it locally; then send it back up. That's one approach. Or -if the calculation would be sufficiently obscure out of context- you could maybe do the processing part on another (or several) different parts of the cloud; ideally with business rivals/countries at war to lessen the odds of the data being shared and reconstructed...a "cell organisation" for your data. If the data is that secret though, it shouldn't be on somebody else's server.
Re: Cat amongst the pidgins
And it won't stop Microsoft from moving data in the EU to the US so that the FBI et al can peruse it.
...is this story about the USA or China? It's hard to tell sometimes.
How to tell...
If they say "We used to be worse, but are getting better" then it is China.
If they say "We used to be free, but are getting worse", then it is US of A
Easy to tell the difference
If the Government is saying "this draconian measure is to protect us" it is China.
If the Government is saying "this draconian measurels to protect you" it is the US.
Easy to tell
The Americans tell you this snooping, prying and the restrictions are to protect your freedom, the Chinese just get on and do it without telling pork pies.
So that would be where Lulzsec could have got the UK census data from then?
If they had indeed done so (subsequently denied/refuted).
Not from a blu-ray* disk left on a train but from the US Gov copy obtained for National Security reasons from Lockheed Martin.
Lets face it if McKinnon could find DoD computers without much protection, they're hardly going to worry about the security of data of the civilians on board their Eastern Altantic ("Unsinkable") Aircraft Carrier are they?
*or HD-DVD, the UK Gov beleiving in security by obscurity
The UK census was carried out by a US company (paid handsomly by UK tax payers)
This means that the USA government had access to the data before our own one!
Why? Because somehow the stupid idiots who think they are clever (politicians) couldn't work out that paying British workers with British tax payers money to produce goods/services for Britain was cheaper than giving a stack of dosh to a bunch of foreigners. We must be the ONLY country in the world where the tax payer funded police, prime minister, ambulance, army, airforce, navy, fire service run around with foreign equipment while their country men sit on the dole. Certainly the French don't have MAN lorries for their army, the Germans don't have Renault ambulances, the Americans won't by EADS planes.... The British on the other hand won't buy anything at all that might possibly have been made in Britain.
How does this affect ISO27001/2 ? Implications for UK companies
we're currently looking at SaaS hosted solutions for HR, Payroll, and Learning and development. We've already got a (US) hosted recruitment solution, which was signed off by our data security officer.
Without pandering to conspiracy-centric loons, the most important question, is "what does this story mean for UK companies who might outsource and have US accessible data ?". Does it create a legal liability, that they can't escape. If so, then there will be a massive halt on all SaaS projects, if there is a hint the data could be routed via a US-bound company.
Or can the liability be managed with consumer consent ?
I suspect we'll end up with the latter - effectively putting the onus on the consumer to object (by refusing to use companies that do use such services). This is one issue I would like to see the EU grow a pair on, and declare it unlawful for EU companies to use such systems. Or, alternatively, pass an EU-wide equivalent to the Patriot Act, and data-slurp the merkins, for a change.
I really don't know way the EU acts so lame sometimes. Depsite what you may think, the US is very aware of the implications of a single trading block of 350+ million consumers. They are also aware that the more socialist nature of the EU gives it a massive advantage in dictating standards and forcing progression, rather than relying on the "free market", which saddled the US with NTSC while we (mostly) got PAL. I recall watching a business report years ago, where US businesses were terrrified that while they argued over HD standards, the EU and Japan would simply pick one, and work to it, leaving them behind.
It puts you up ***t creek
>> Does it create a legal liability, that they can't escape. If so, then there will be a massive halt on all SaaS projects, if there is a hint the data could be routed via a US-bound company.
>> Or can the liability be managed with consumer consent ?
Taking the latter bit first, no you can't - not fully. You cannot (for example) just insist that every employee and applicant signs a privacy document allowing you to export the data outside of EU data protection. I'm fairly certain that would be considered unlawful since that permission would not have been freely given - as in "agree to this or don't have a job" does not make for a free choice.
So having ruled out compliance by data subject agreement, I believe you are now up the proverbial brown tributary without propulsion. If the data you wish to store and process is considered personal (which HR, Payroll, and Learning and development would), then you are stuck because you can't store that data on any server under the control of a US owned business. To do so means you cannot give the guarantees of privacy required of EU law.
That's my interpretation anyway.
Having said that, it may be possible. It may be worth having a look at the privacy stuff related to the Census. It you trawl around their website hard enough, there is a document explaining how they've (so they claim) been able to guarantee privacy from US snooping while employing a US contractor. IIRC it involves several entities connected in such a way that no-one covered by the US Patriot act actually has any access to the data or the system it's stored on. It;s one thing doing that when the company concerned is a contractor and you own the kit - but that's more or less the reverse of the situation with cloud.
But possibly still worth a look.
Who's Zoomin' Who?
On first blush, I thought you wholly upended your tit-for-tat legislative suggestion at the end of paragraph 4 but then I remembered 'merkins' carry two meanings. Your take stands up to America; mine suggests delighting Lady Liberty......
Actually, no - EU law prohibits implied consent
"I suspect we'll end up with the latter - effectively putting the onus on the consumer to object"
I do cross-border privacy for a living. EU laws do not permit implied permission (i.e. embedded in the small print of some contract), data protection permissions must always be given explicitly (i.e. separately described and authorised) - that's also why a default opt-in is actually somewhere between frowned upon practice to downright illegal depending on the specific nation's implementation of EU laws.
The problem isn't the laws - it's the abuse thereof. Especially the US seems to be hell bent on abusing privileges or even simply breaking agreements when it suits them. The results is a problem that pervades business there to the point of companies involved in serious Intellectual Property development now actively avoiding the US as a place of business until development is complete. It's ridiculous that a nation who alleges to be the land of freedom has acquired a reputation for being less safe than China or Russia, but that's the reality of today: Safe Harbour very definitely isn't.
Your primary problem with SaaS is where the data resides, because that's where legal access will first be attempted. This is the situation with legal firms in the UK who outsource their IT as well: their data may be backdoored due to a warrant served on the provider, and the intercept laws (in the UK that's RIPA 1998) do not permit to inform the data owner of the backdoor).
We advise people and companies on these issues, and generally exploit cross border differences to improve security and privacy protection - cross border abuse of privacy laws leaves an audit and paper trail exposure that abusers don't like as it provides court admissible evidence of abuse.
By the way, this has little to do with "conspiracy theories", but with offsetting liabilities. Unless you can point the finger elsewhere, a leak or breach means your company ends up with the liability. If you're a major law firm handling a shipping claim you're talking about *VERY* large numbers..
The PATRIOT Act
Every f**king time.
"We're just like EU companies in our data protection (*unless* any federal law enforcement person waves this under noses and then we just bend you over and grease your cheeks)"
No they are *not* like the EU. It's time to stop pretending they are.
Security reasons only?
This would make a great fishing ground and Micrsoft must have been very unhappy in order to make a statement like this.
Yet another reason NOT to use the cloud.
Not cloud, US companies
Is more an issue of not using US owned companies surely?
Be interesting to see the ramifications for those using Amazon's services which have backup in multiple zones. For instance what is controlled by elements in the US and how does data move around their networks? If it touches their US datacentres in any way there's the possibility of a quick slurp. I seem to remember an article about a European bank (Paribas maybe?) using Amazon's services (I think) for performing their risk calculations. You wouldn't touch them with a shitty stick after this statement.
I read it differently...
... I thought it read as, if the company is registered as a US company then it doesn't matter where the data is stored their snooping gov can ask for the data no matter what.
I haven't checked but I'm assuming Amazon is a US registered company.
"regardless of where it is stored in the world"
that's the kicker. According to the US, if the co. is registered with them, all data they hold anywhere is fair game for a slurp.
large organisations like to split themselves up in to lots of smaller companies for tax purposes, why not have the EU data centres owned by a wholly owned subsidiary Microsoft Datacentres Europe registered out of Ireland (seems popular) for example? then if Microsoft US gets a request their response would be "sorry that data isn't held by us, you might want to try directing your request to Microsoft Datacentres Europe who run those datacentres"?
That's assuming they want businesses from the EU to be allowed to be their customers...
wholly owned subsidiary
Is still US owned. They would have to outsource to a EU owned company.
splitting up large organizations
Would do squat to keep the nosy Feds away?
As long as any of these "region specific" companies has a US registered company as an owner, the Feds will use the PATRIOT Act to slurp as much data as they can get away with.
There is only one way to prevent that, and that is to insure that a "region specific" company HAS NO US BASED OWNERS, and the data never sees US territory. When the Feds come calling, the proper and appropriate response would be the "erect middle finger".
If they have a EU back end, the main company gets served for access. If they have an EU front but a US back end, the back end gets served. The bottom line is that any part on US soil is a liability.
As I said in another post, the problem is not the laws per sé, it's the abuse thereof (and, I may add; the total lack of transparency and oversight which has allowed this abuse to mushroom to the point of destroying trust in any US located partner).
If the US doesn't start reigning in its own paranoia and the abuse it allows their services to make of privacy they will no longer be able to contain the resulting economic damage. I am 100% in agreement with properly controlled access privileges to fight crime, but with transparency and oversight. Without it, you get the sort of abuse visible today..
...it's a cover up
MS Need to avoid this
It will impact their business in Europe. They need to set up a European based company or find a suitable partner here who can run an equivalent, perhaps even integrated system, but under EU law.
I always thought that the US gov and MS were good friends. But apparently the US gov thinks friendship only works one way. So no change there, then.
Call me old-fashioned
but i prefer a simple ftp-server, thank you very much.
Still, any non-US based cloud-services out there?
Only thing that comes to mind is Ubuntu One, any others?
diino - I think
Have a looksee at
Too late for this stable door...
Do Virgin Media, O2 (Telefonica) or any other EU companies listed on US stock exchanges have to comply with the Patriot act? They have comply with Sarbanes-Oxley...
What's the situation
with *properly* encrypted data. Does the Patriot act give the US RIPA-type powers to extract the decryption keys by thumbscrew ?
More to the point, if a UK (there is a reason why I say UK, not EU) company were to store it's data encrypted, in the cloud, and Uncle Sam decided he wanted to see it, and discovers it's encrypted, then can they issue a demand the owner provides it decrypted ?
If the owner refuses, do they have criminal penalties ?
Because with the UK->US extradition treaty, you might find yourself on a flight to JFK without a fight.
The point with encrypted data is that either they've already got the resources to decrypt it, so you'll be none the wiser, or they have to ask you for the keys. At that point, at least you know they're up to something, whereas the point of this article is to show that for unencrypted data they can get it without you knowing.
Not that I've ever trusted the cloud anyway, and this sort of thing just reinforces it. They probably already have information on me, but why make it easy for them to get more?
which is why they said
"Properly" encrypted - requiring more than a dictionary attack. As for the article's point ... if that was the point of the article, then it's rather a non-story, it rather boils down to:
"Unencrpted data can be read by anyone",
although you can argue about adding "without your knowing", but any decent system achitecture should start with the assumption that unencrypted data can be read without audit anyway. This leads to a design where the important bits are properly protected. Either by physical security (can only be accessed from certain locations) or encryption.
As pointed out the extradition is one sided. This is the case all the way through... even ww1 showed the Americans do nothing thats not to their direct advantage, they screwed the UK in ww2 (leaky wrecks of destroyers in exchange for every ounce of gold, every piece of land and every company you possess).
We would have been better off ignoring all the ww1 treaties and building ourselves decent defence so we didn't need to rely on a 'friend' who was no friend at all... we should remember that thought right now.
BTW I'm not actually saying the Americans are wrong here, they are looking after their own, just as it should be. What is very wrong is that neither Conservative or Labour governments in the UK will look after us!
Properly vs non-properly encrypted - no difference
Well, only in the size of the machine needed to break it. Do you believe the US government allows software with sufficiently robust encryption that they can't decrypt? Not a chance. They won't admit what they can read but you can bet your bottom dollar that if an American company has produced the software the American company can read the encrypted data. You can be pretty damned sure that the same applies in all 'friendly' nations (Europe...)
It may be (only may be) that China, Russia or some 'rogue' state / private individual has produced something they can't decode immediately, but they do have enough computing power to break that as well.
The controversial law was established as an anti-terrorism tool.
Was that meant to read "The controversial law was established as an industrial espionage tool"?
RE: anti-terrorism tool
No, No, No, you have that wrong.
It was established as a means to bilk the taxpayers out of billions and transfer that wealth to vartious defense related industries.
It was also established to run roughshod over civil liberties; and one would think (and here I am standing on quicksand) the "Tea Partiers", who espouse LESS government regulation, would have done more to see that this abomination was allowed to die. But, when a "Tea Partier" is confronted with two equally disgusting choices; one being to do away with the PATRIOT Act, and restore civil liberties; versus creating ever greater profits for big mega-corps; we know where they stand.
And merkins get their civil liberties shit upon - daily.
Heard recently from a airline traveler: "How do you say TSA security screener in German?"
Another fine reason to put your data on someone else's servers!
They are openly saying they will break EU law? Makes the due diligence easier, just say no. Clearly good scope for EU companies in this market then.
If I am a customer of the EU company that puts its data on a cloud server that the US can read, do I have the chance to sue them for improperly making my data available?
And we're surprised how?
Store your shit on a Yank server and expect to lose even the veneer of privacy.
Surely everyone's known this for years?
No surprise there
but the gist of the article is actually "store your shit on a server ANYWHERE yanks have a finger in the pie and expect to lose even the veneer of privacy."
Verisign: .com .net
The Telegraph reports today ("British website owners targeted by US anti-piracy officials") that a director of a customs enforcement agency "said that all “.com” or “.net” websites were fair game" because if they touch Verisign's space they are subject to US law.
My technical knowledge is sketchy, but isn't this a more sweeping jurisdiction grab than that done by accessing various clouds?
It's also bullshit
In theory, all they *could* do with a .com is ask the registrar to manipulate DNS records so you route site traffic through a proxy, but that's technically complicated - they tend to be too lazy and incompetent to do that normally (low ROI). Besides, if your actual host is outside the US it's a matter of using IP based VPNs or SSH tunnels and they won't stand a chance.
You're more likely to get data through the usual manipulation of BGP routing tables, but that's done by a club that won't hand off information just for prosecuting some spotty teenager - they cannot afford to expose their presence or the quality and depth of their SIGINT in a public ourt of law - you have to stay realistic here and separate fact from scare story.
The .com/.net argument is pure, raw and unadulterated bullshit aimed at scaring people. To me, it just shows the spokesperson is suffering a severe case of cranial invasion of the rectal cavity..
Might this not be a bit of a spin/ploy by MS
If MS are not as far down the SaaS and Cloud route as say Facebook, Google, Oracle, IBM, Apple and Amazon - to name but 6 - then anything that can crimp their competitors business and add costs to them has to be a good thing. Especially if MS already has a solution... Not suggesting for one moment that they would throw out such a confidence bashing line just for purely commercial purposes.... They obviously have their customers interests at heart!
Just a thought.
Or, maybe: MS are alerting their customers to the fact that this law applies to them.
Never expect a conspiracy when there is a much more likely explanation, no matter how unpalatable it may be.
"Or, maybe: MS are alerting their customers to the fact that this law applies to them."
Of course, you don't even need to credit MS with great sensitivity either, since this law also applies to their principal competitors. As a result, warning customers carries no great competitive risk and clearly covers Microsoft's ass for when the government come asking questions.
But yes, the smart money favours cock-up over conspiracy every time, because most human beings just aren't smart enough to do a proper conspiracy, but cock-ups are easy.
- Analysis Oh no, Joe: WinPhone users already griping over 8.1 mega-update
- Leaked pics show EMBIGGENED iPhone 6 screen
- Opportunity selfie: Martian winds have given the spunky ol' rover a spring cleaning
- OK, we get the message, Microsoft: Windows Defender splats 1000s of WinXP, Server 2k3 PCs
- Episode 4 BOFH: Oh DO tell us what you think. *CLICK*