These EU provisions might conflict with obligations US-based firms
If you can't obey EU data protection laws then you shouldn't be allowed to trade in the EU.
That should put the cat among the pidgins :-)
Personal information belonging to EU users of US-owned cloud-based services could be shared with US law enforcers without the user being informed, Microsoft has said. The software giant said it could not guarantee that it would not have to hand over EU customers' data on a new cloud service it has developed whilst keeping …
This is fine, as long as data storage is the only service you are getting from the cloud. Sadly, I think you will find it is quite hard to perform computations directly on encrypted data (*). In practice, you'd have to decrypt it, perform your computation and then encrypt the results -- all on a CPU that is owned by that US company and therefore subject to US laws on snooping.
(* Off the top of my head I can't think of a simple proof that this is impossible, but equally I'm not aware of any way of doing it.)
"They could find some way of offering overseas companies the ability to store their data in an encrypted container."
Trusting "them" to provide proper encryption is exactly as effective as trusting "them" not to peek at your data in the first place. Do your own encryption or don't play would be my advice.
Also - performing calculations with encrypted data: You can either bring back the required bit; decrypt it locally; perform your calculation locally; re-encrypt it locally; then send it back up. That's one approach. Or -if the calculation would be sufficiently obscure out of context- you could maybe do the processing part on another (or several) different parts of the cloud; ideally with business rivals/countries at war to lessen the odds of the data being shared and reconstructed...a "cell organisation" for your data. If the data is that secret though, it shouldn't be on somebody else's server.
No it won't.
MS have simply pointed out that as a US company they are bound by US law. This is not a new phenomenon. Multinational companies have always had to square their obligations in several jurisdictions at once. The cloud (as ever) adds nothing qualitatively new to this old problem. It merely makes it easier to get confused about "where" a given transaction takes place.
It is easy to imagine situations where it is impossible to grant freedoms enshrined by law in one country and simultaneously protect rights guaranteed by law in another country, so the hard line you advocate is pretty much a ban on the existence of multinational companies. Since such companies clearly exist, I assume that the lawyers, courts and politicians have seen sense and take a more moderate view.
"It is easy to imagine situations where it is impossible to grant freedoms enshrined by law in one country and simultaneously protect rights guaranteed by law in another country,...."
Conventionally, multinationals obey the local laws in each country in which they operate, for their activities within that country's jurisdiction. Walmart sells guns in their stores in the USA but not in Europe. Supermarkets in the UK sell things like ibuprofen and cold remedies but their counterparts in Germany cannot.
The difference in this case is that US legislation appears to overstretch itself to include the activities of Microsoft (and others) well outside of US jurisdiction. By the same thinking, a court in Saudi Arabia might prosecute an multinational online book retailer for selling bibles in the USA and Europe.
Perhaps the EU agreed to this arrangement with the USA to favour cloud providers entirely based in Europe...
If they had indeed done so (subsequently denied/refuted).
Not from a blu-ray* disk left on a train but from the US Gov copy obtained for National Security reasons from Lockheed Martin.
Lets face it if McKinnon could find DoD computers without much protection, they're hardly going to worry about the security of data of the civilians on board their Eastern Altantic ("Unsinkable") Aircraft Carrier are they?
*or HD-DVD, the UK Gov beleiving in security by obscurity
The UK census was carried out by a US company (paid handsomly by UK tax payers)
This means that the USA government had access to the data before our own one!
Why? Because somehow the stupid idiots who think they are clever (politicians) couldn't work out that paying British workers with British tax payers money to produce goods/services for Britain was cheaper than giving a stack of dosh to a bunch of foreigners. We must be the ONLY country in the world where the tax payer funded police, prime minister, ambulance, army, airforce, navy, fire service run around with foreign equipment while their country men sit on the dole. Certainly the French don't have MAN lorries for their army, the Germans don't have Renault ambulances, the Americans won't by EADS planes.... The British on the other hand won't buy anything at all that might possibly have been made in Britain.
we're currently looking at SaaS hosted solutions for HR, Payroll, and Learning and development. We've already got a (US) hosted recruitment solution, which was signed off by our data security officer.
Without pandering to conspiracy-centric loons, the most important question, is "what does this story mean for UK companies who might outsource and have US accessible data ?". Does it create a legal liability, that they can't escape. If so, then there will be a massive halt on all SaaS projects, if there is a hint the data could be routed via a US-bound company.
Or can the liability be managed with consumer consent ?
I suspect we'll end up with the latter - effectively putting the onus on the consumer to object (by refusing to use companies that do use such services). This is one issue I would like to see the EU grow a pair on, and declare it unlawful for EU companies to use such systems. Or, alternatively, pass an EU-wide equivalent to the Patriot Act, and data-slurp the merkins, for a change.
I really don't know way the EU acts so lame sometimes. Depsite what you may think, the US is very aware of the implications of a single trading block of 350+ million consumers. They are also aware that the more socialist nature of the EU gives it a massive advantage in dictating standards and forcing progression, rather than relying on the "free market", which saddled the US with NTSC while we (mostly) got PAL. I recall watching a business report years ago, where US businesses were terrrified that while they argued over HD standards, the EU and Japan would simply pick one, and work to it, leaving them behind.
>> Does it create a legal liability, that they can't escape. If so, then there will be a massive halt on all SaaS projects, if there is a hint the data could be routed via a US-bound company.
>> Or can the liability be managed with consumer consent ?
Taking the latter bit first, no you can't - not fully. You cannot (for example) just insist that every employee and applicant signs a privacy document allowing you to export the data outside of EU data protection. I'm fairly certain that would be considered unlawful since that permission would not have been freely given - as in "agree to this or don't have a job" does not make for a free choice.
So having ruled out compliance by data subject agreement, I believe you are now up the proverbial brown tributary without propulsion. If the data you wish to store and process is considered personal (which HR, Payroll, and Learning and development would), then you are stuck because you can't store that data on any server under the control of a US owned business. To do so means you cannot give the guarantees of privacy required of EU law.
That's my interpretation anyway.
Having said that, it may be possible. It may be worth having a look at the privacy stuff related to the Census. It you trawl around their website hard enough, there is a document explaining how they've (so they claim) been able to guarantee privacy from US snooping while employing a US contractor. IIRC it involves several entities connected in such a way that no-one covered by the US Patriot act actually has any access to the data or the system it's stored on. It;s one thing doing that when the company concerned is a contractor and you own the kit - but that's more or less the reverse of the situation with cloud.
But possibly still worth a look.
"I suspect we'll end up with the latter - effectively putting the onus on the consumer to object"
I do cross-border privacy for a living. EU laws do not permit implied permission (i.e. embedded in the small print of some contract), data protection permissions must always be given explicitly (i.e. separately described and authorised) - that's also why a default opt-in is actually somewhere between frowned upon practice to downright illegal depending on the specific nation's implementation of EU laws.
The problem isn't the laws - it's the abuse thereof. Especially the US seems to be hell bent on abusing privileges or even simply breaking agreements when it suits them. The results is a problem that pervades business there to the point of companies involved in serious Intellectual Property development now actively avoiding the US as a place of business until development is complete. It's ridiculous that a nation who alleges to be the land of freedom has acquired a reputation for being less safe than China or Russia, but that's the reality of today: Safe Harbour very definitely isn't.
Your primary problem with SaaS is where the data resides, because that's where legal access will first be attempted. This is the situation with legal firms in the UK who outsource their IT as well: their data may be backdoored due to a warrant served on the provider, and the intercept laws (in the UK that's RIPA 1998) do not permit to inform the data owner of the backdoor).
We advise people and companies on these issues, and generally exploit cross border differences to improve security and privacy protection - cross border abuse of privacy laws leaves an audit and paper trail exposure that abusers don't like as it provides court admissible evidence of abuse.
By the way, this has little to do with "conspiracy theories", but with offsetting liabilities. Unless you can point the finger elsewhere, a leak or breach means your company ends up with the liability. If you're a major law firm handling a shipping claim you're talking about *VERY* large numbers..
large organisations like to split themselves up in to lots of smaller companies for tax purposes, why not have the EU data centres owned by a wholly owned subsidiary Microsoft Datacentres Europe registered out of Ireland (seems popular) for example? then if Microsoft US gets a request their response would be "sorry that data isn't held by us, you might want to try directing your request to Microsoft Datacentres Europe who run those datacentres"?
That's assuming they want businesses from the EU to be allowed to be their customers...
Be interesting to see the ramifications for those using Amazon's services which have backup in multiple zones. For instance what is controlled by elements in the US and how does data move around their networks? If it touches their US datacentres in any way there's the possibility of a quick slurp. I seem to remember an article about a European bank (Paribas maybe?) using Amazon's services (I think) for performing their risk calculations. You wouldn't touch them with a shitty stick after this statement.
If they have a EU back end, the main company gets served for access. If they have an EU front but a US back end, the back end gets served. The bottom line is that any part on US soil is a liability.
As I said in another post, the problem is not the laws per sé, it's the abuse thereof (and, I may add; the total lack of transparency and oversight which has allowed this abuse to mushroom to the point of destroying trust in any US located partner).
If the US doesn't start reigning in its own paranoia and the abuse it allows their services to make of privacy they will no longer be able to contain the resulting economic damage. I am 100% in agreement with properly controlled access privileges to fight crime, but with transparency and oversight. Without it, you get the sort of abuse visible today..
Would do squat to keep the nosy Feds away?
As long as any of these "region specific" companies has a US registered company as an owner, the Feds will use the PATRIOT Act to slurp as much data as they can get away with.
There is only one way to prevent that, and that is to insure that a "region specific" company HAS NO US BASED OWNERS, and the data never sees US territory. When the Feds come calling, the proper and appropriate response would be the "erect middle finger".
It will impact their business in Europe. They need to set up a European based company or find a suitable partner here who can run an equivalent, perhaps even integrated system, but under EU law.
I always thought that the US gov and MS were good friends. But apparently the US gov thinks friendship only works one way. So no change there, then.
with *properly* encrypted data. Does the Patriot act give the US RIPA-type powers to extract the decryption keys by thumbscrew ?
More to the point, if a UK (there is a reason why I say UK, not EU) company were to store it's data encrypted, in the cloud, and Uncle Sam decided he wanted to see it, and discovers it's encrypted, then can they issue a demand the owner provides it decrypted ?
If the owner refuses, do they have criminal penalties ?
Because with the UK->US extradition treaty, you might find yourself on a flight to JFK without a fight.
The point with encrypted data is that either they've already got the resources to decrypt it, so you'll be none the wiser, or they have to ask you for the keys. At that point, at least you know they're up to something, whereas the point of this article is to show that for unencrypted data they can get it without you knowing.
Not that I've ever trusted the cloud anyway, and this sort of thing just reinforces it. They probably already have information on me, but why make it easy for them to get more?
"Properly" encrypted - requiring more than a dictionary attack. As for the article's point ... if that was the point of the article, then it's rather a non-story, it rather boils down to:
"Unencrpted data can be read by anyone",
although you can argue about adding "without your knowing", but any decent system achitecture should start with the assumption that unencrypted data can be read without audit anyway. This leads to a design where the important bits are properly protected. Either by physical security (can only be accessed from certain locations) or encryption.
Well, only in the size of the machine needed to break it. Do you believe the US government allows software with sufficiently robust encryption that they can't decrypt? Not a chance. They won't admit what they can read but you can bet your bottom dollar that if an American company has produced the software the American company can read the encrypted data. You can be pretty damned sure that the same applies in all 'friendly' nations (Europe...)
It may be (only may be) that China, Russia or some 'rogue' state / private individual has produced something they can't decode immediately, but they do have enough computing power to break that as well.
As pointed out the extradition is one sided. This is the case all the way through... even ww1 showed the Americans do nothing thats not to their direct advantage, they screwed the UK in ww2 (leaky wrecks of destroyers in exchange for every ounce of gold, every piece of land and every company you possess).
We would have been better off ignoring all the ww1 treaties and building ourselves decent defence so we didn't need to rely on a 'friend' who was no friend at all... we should remember that thought right now.
BTW I'm not actually saying the Americans are wrong here, they are looking after their own, just as it should be. What is very wrong is that neither Conservative or Labour governments in the UK will look after us!
No, No, No, you have that wrong.
It was established as a means to bilk the taxpayers out of billions and transfer that wealth to vartious defense related industries.
It was also established to run roughshod over civil liberties; and one would think (and here I am standing on quicksand) the "Tea Partiers", who espouse LESS government regulation, would have done more to see that this abomination was allowed to die. But, when a "Tea Partier" is confronted with two equally disgusting choices; one being to do away with the PATRIOT Act, and restore civil liberties; versus creating ever greater profits for big mega-corps; we know where they stand.
And merkins get their civil liberties shit upon - daily.
Heard recently from a airline traveler: "How do you say TSA security screener in German?"
The Telegraph reports today ("British website owners targeted by US anti-piracy officials") that a director of a customs enforcement agency "said that all “.com” or “.net” websites were fair game" because if they touch Verisign's space they are subject to US law.
My technical knowledge is sketchy, but isn't this a more sweeping jurisdiction grab than that done by accessing various clouds?
In theory, all they *could* do with a .com is ask the registrar to manipulate DNS records so you route site traffic through a proxy, but that's technically complicated - they tend to be too lazy and incompetent to do that normally (low ROI). Besides, if your actual host is outside the US it's a matter of using IP based VPNs or SSH tunnels and they won't stand a chance.
You're more likely to get data through the usual manipulation of BGP routing tables, but that's done by a club that won't hand off information just for prosecuting some spotty teenager - they cannot afford to expose their presence or the quality and depth of their SIGINT in a public ourt of law - you have to stay realistic here and separate fact from scare story.
The .com/.net argument is pure, raw and unadulterated bullshit aimed at scaring people. To me, it just shows the spokesperson is suffering a severe case of cranial invasion of the rectal cavity..
If MS are not as far down the SaaS and Cloud route as say Facebook, Google, Oracle, IBM, Apple and Amazon - to name but 6 - then anything that can crimp their competitors business and add costs to them has to be a good thing. Especially if MS already has a solution... Not suggesting for one moment that they would throw out such a confidence bashing line just for purely commercial purposes.... They obviously have their customers interests at heart!
Just a thought.
The US Gov wants global access to HTTPS Google searches, Skype convo's, TOR, PGP emails, Hushmail and every other source of confidential or encrypted communications that businesses and private individuals have. They have wanted this since those technologies were introduced and the brighter ones among you will realize this predates 9-11 by many moons.
Cloud computing's big marketing push is based on "convenience". Only the truly naive will imagine the US Gov holding up its imperious hand and saying "No-no, we do not want access to your medical records, lists of music, documents, friends, family, travel data and other personal information stored in the cloud."
“These EU provisions might conflict with obligations US-based firms, such as Microsoft, face under US law. “
Unfortunately they don't conflict as much as we would hope, because the EU provisions already have small print allowing law enforcement access to the data. For example, EU grounds for processing personal data include:
“Processing is required by a legal obligation;” … and “Such exceptions are permitted if, among other things, it is necessary on grounds of national security, defence, crime detection, enforcement of criminal law, or to protect data subjects or the rights and freedom of others.”
Unfortunately if a government wants to look at our cloud data, then they will just play their usual “national security & defence” or “law enforcement so legal obligation” joker cards, so they can gain access to whenever they want. Sadly its already allowed in the small print of the EU provisions.
Plus make no mistake, governments will abuse cloud data assuming its their right to access it for an ever increasing number of reasons. Low hanging fruit so to speak, will be to scan for terrorism and before you know it, it'll be scanning for everything.
The simple truth is, we cannot trust governments to stay out of the cloud. Governments have small print in everything they do. For example, article 12, of the human rights act sounds like it should protect us, as it states:" No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks." … But of course, the small print is “arbitrary interference” … so therefore define “arbitrary interference”. A legal obligation is being argued its not arbitrary, therefore they argue they are not violating article 12, therefore article 12 is meaningless in practice. It won't protect us from state overview of anything they define as legal obligation and they will abuse that over time to mean anything they want it to mean as legal obligation.
Plus don't forget we have seen laws abused to mean totally different things over time before. For example, just look at how the insane UK to US extradition ruling has been abused out of all proportion from what it was originally intended for. It was started to help stop terrorism and yet now, its being turned into anything including trying to extradite a kid for just linking to sites which violate copyright!
Cloud data will be utterly abused by governments and they have small print ready and waiting to be exploited for them to continue to find reasons to access the cloud data. Plus these companies offering this Cloud are not doing it out of the goodness of their hearts. They also want to scan and spy on the data.
Exploiting our privacy is turning into a free for all gold rush for corporations and governments and they are trying to lie to us to fool us into believing we should just give up our privacy to put it all in the cloud. Because ultimately violating our privacy is very valuable to the corporations and governments.
There are good reasons why people fight to stop state intrusion into their privacy. History has shown this so many times and if that isn't enough, then look at the revolutions this year, where people are still dying to this very day, as they fight to try to stop state intrusion and control over their lives. We are not all fools who believe in the cloud. The cloud cannot be trusted because ultimately governments cannot be trusted.
Biting the hand that feeds IT © 1998–2019