

Microsoft warns that the PATRIOT Act, recently renewed by President Obama, will allow the U.S. to invade EU citizens' private data without notification.  (Source: Paramount Pictures)

The revelation could lead the EU to force Facebook, Google, Microsoft, and others to adopt isolated hosting in Europe for European services. Currently much of the hosting for European users is handled in America, exposing their data to invasive U.S. laws.  (Source: Flickr/TJCrowley)

Senators John McCain (R-Ariz.) and John Kerry (D-Mass.) have proposed a privacy bill that may help fix the awkward standoff.  (Source: AP Photo)
Microsoft tipped off the EU about possible data grab

The European Union (EU) is a little bit upset with the United States federal government after it caught wind of a possible plan to swipe EU citizens' private data from cloud service providers, in violation of EU laws.  And the U.S. government can blame software giant Microsoft Corp. (MSFT) for letting the secret out of the bag.

I. PATRIOT Act: Policing the World

People often get caught up in possible domestic spying issues of the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001" (USA PATRIOT Act of 2001) as it authorizes the gathering of "foreign intelligence information" from U.S. citizens.

But the bill, which was renewed for four years by President Barack Obama in 2011, is primarily aimed at gathering intelligence from foreign nations.  In that regard, many of its authorizations deal with "spying" on foreign nations -- not solely U.S. citizens.

With citizens in the U.S. and Europe increasingly using "the cloud" -- services from companies like Microsoft, Facebook, Google Inc. (GOOG), and Apple, Inc. (AAPL) -- the question becomes how secure these resources are.

While the U.S. does not guarantee the privacy of its citizens online, the EU has a law titled the Data Protection Directive, which mandates that the EU protect the privacy of its citizens.  The Directive demands that citizens be informed any time private data is obtained.  The problem is that the mandate does little to stop the U.S. from secretly seizing cloud data in the name of the PATRIOT Act, according to warnings from Microsoft and top lawyers.

II. Our Laws Are Greater Than Yours

Microsoft warns that under the PATRIOT Act, it might not only be forced to hand over EU citizens' data; it might also be forced to do so secretly, without informing the EU.  This would directly violate the privacy protections the EU promises to enforce.

The company writes, "In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft."

Sophia In't Veld (Netherlands), an EU parliamentarian, voiced outrage at the prospect, stating, "Does the Commission consider that the U.S. PATRIOT Act thus effectively overrules the E.U. Directive on Data Protection? What will the Commission do to remedy this situation, and ensure that E.U. data protection rules can be effectively enforced and that third country legislation does not take precedence over E.U. legislation?"

"I hope Commissioner Reding will respond soon, as this is really a key issue. Essentially what is at stake is whether Europe can enforce its own laws in its own territory, or if the laws of a third country prevail. I hope the Commissioner will ensure that the U.S. and other countries respect E.U. laws in E.U. territory. I don't think the U.S. would be amused if Europeans (or other non-U.S. authorities) were to get access to databases located within U.S. jurisdiction."

The EU and the U.S. already have an agreement called Safe Harbor, which allows for the sharing of data under certain restrictions such as the promise of reasonable data security, and clearly defined and effective enforcement.  In these cases the EU is informed of the request, so it can inform the affected citizens about it.

The problem is that the PATRIOT Act offers a far easier secret backdoor to the same information.  And there's little the EU can do to stop it.

Theo Bosboom, IT lawyer with Dirkzager Lawyers, comments, "I'm afraid that Safe Harbor has very little value anymore, since it came out that it might be possible that U.S. companies that offer to keep data in a European cloud are still obliged to allow the U.S. government access to these data on basis of the PATRIOT Act. Europeans would be better to keep their data in Europe. If a European contract partner for a European cloud solution, offers the guarantee that data stays within the European Union, that is without a doubt the best choice, legally."

That could spell big trouble for companies like Google, Facebook, Microsoft, and Apple should the EU decide to apply restrictions or mandates to their services in order to protect its citizens' privacy from foreign powers.  Such restrictions could force the companies to switch to local, isolated serving to prevent the U.S. from having access to the data.  However, such schemes would be pricey to implement.

III. Does U.S. Privacy Bill Provide an Answer?

One potential solution may lie with the pending online privacy protection legislation proposed by Senators John Kerry (D-Mass.) and John McCain (R-Ariz.).  

The bill has received much resistance from the online data mining and advertising community, as it suggests the creation of a mandatory opt-out of data gathering.  Such an opt-out could be cost-prohibitive for smaller sites and could seriously undermine online advertising's profitability.

The bill could also make it harder to use the PATRIOT Act to grab information without public notification.

States EU Data Protection Commissioner Viviane Reding, "I welcome a draft Bill of Rights just introduced in the U.S. Congress as a bipartisan initiative of Democrats and Republicans. The Commission also shares the main objective of the Bill: strengthening individuals' trust in new technologies through compatible standards."

A compromise may be reached, but it's doubtful this will be the last we hear of this controversy.




By BloodSquirrel on 7/6/2011 2:40:04 PM , Rating: -1
quote:
Does the Commission consider that the U.S. PATRIOT Act thus effectively overrules the E.U. Directive on Data Protection?


Overrules? Try "E.U. Directives carry no legal weight in the United States."

If the data is being stored in the US, or if the data can be accessed normally from the US, then your laws no longer apply to it. It has crossed your borders, and you have no more legal authority over it than the US has over what happens in your country now. You might as well be trying to claim that EU citizens visiting the US don't have to obey US laws, only EU ones.

Europeans really need to dig themselves out of their own asses sometimes.




By PReiger99 on 7/6/2011 3:04:42 PM , Rating: 1
quote:
...you have no more legal authority over it than the US has over what happens in your country now.

Really?

http://torrentfreak.com/pirate-admins-sweat-as-ice...


By BloodSquirrel on 7/6/2011 3:13:28 PM , Rating: 2
You do know that extradition requires cooperation from the country that you're being extradited from, right? And not one country simply saying "We've decided that these laws apply to your citizens- now start handing them over!"


By michael67 on 7/7/2011 2:05:25 AM , Rating: 5
Are you clueless about what cloud is, and just post here to hear your own voice?

EU law prohibits EU countries from snooping in on private data without a warrant, domestic or foreign.

Now the US PATRIOT Act allows the US to actively snoop in on private data without a warrant, domestic or foreign.

Now these are two totally different approaches that are not compatible.

Then comes the new idea of cloud, and it is that data that is stored in the cloud can be safely accessed from everywhere in the world as long as you have an internet connection.

This is of course very interesting for companies, as they don't have to maintain their own storage and backup servers.

And big companies like MS and IBM start to pitch the idea to everyone: “Hey, have you heard of this new service we have, and yeah, it's totally safe, oops, not really though from the US government!”

And they start rolling out the service, now everyone is saying how great this is, only some lawyers start to think, what about the “PATRIOT Act”?

We are making these nice contracts where we guarantee data safety, but then we cannot do that, because the servers stand on US soil so we have to follow US law, which means we are in breach of contract.

Now the EU has no problem with the US purely snooping into data for anti-terrorism purposes, it's just we don't trust you to only do that.
We don’t trust our own governments not to do that, we trust the US even less, as they are even prohibited from telling their customers that the US government has been snooping in their private data.
(No offence, but reading the sentiment here on DT the feeling is mutual, but if the servers stand in the EU, US data would be safe by EU law.)

And do you really think that it's strange, when data that was before governed by local law is now, because of cloud services, suddenly accessible by the US government,
that the EU or whatever other country is saying: hey, hold on, unless you guarantee the data on your servers follows our law, you are not allowed to use them?

So even though cloud is a good idea, laws like the “PATRIOT Act” make it impossible to use, as whenever a company finds out that the US government has been snooping in their data, they can be sued for breach of contract, and that can then become very costly.

And I only see 3 solutions!

1. Change the “PATRIOT Act” so no warrantless snooping can be done on foreign data.
2. Move (part of) the servers to the EU.
3. Make a deal with the EU and let an EU government buy the ground of the datacenter and make it a consulate.
(Nr1 at least not without consent of the company's government, Nr3 is very theoretical ^_^)

So yes, cloud is a very nice idea, but the implementation of international law makes it very complicated.


By frobizzle on 7/7/2011 8:14:56 AM , Rating: 3
quote:
And I only see 3 solutions!
1. Change the “PATRIOT Act” so no warrantless snooping can be done on foreign data.
2. Move (part of) the servers to the EU.
3. Make a deal with the EU and let an EU government buy the ground of the datacenter and make it a consulate.
(Nr1 at least not without consent of the company's government, Nr3 is very theoretical ^_^)

There is one more option:
4. Repeal the useless and invasive "PATRIOT Act"


By michael67 on 7/7/2011 8:45:15 AM , Rating: 2
quote:
There is one more option: 4. Repeal the useless and invasive "PATRIOT Act"

I would agree with that, but as European citizens, it's not up to us to change US law, but if a US law has a negative impact on us, I think we should do all that is possible to counter that negative impact as good and bad as possible.


By BloodSquirrel on 7/7/2011 9:59:30 AM , Rating: 3
I see a lot of ranting here, and no sign that you actually know what you're talking about.

quote:
So yes, cloud is very nice idea, but the implementation of international law makes it very complicated.


No, what makes it complicated is the absurd expectation that you can govern data that is being placed beyond your national borders. It's a perfect example of people writing laws being behind the times and not understanding what they're trying to govern.

If you put your data on an international network, you can only expect it to be accessed by international interests. Expecting anything else is unrealistic. Your only real option is to keep the data that you want to be secured secure yourself and accept that data placed out into the wild can be accessed by those who want to.


By michael67 on 7/7/2011 12:06:39 PM , Rating: 2
quote:
No, what makes it complicated is the absurd expectation that you can govern data that is being placed beyond your national borders.

Not complicated at all, if I live in Sweden and place data on a server in Germany, the German government is not allowed to see my private data without a court order.

And if they just hand over my data without warning me, unless the warrant specifies they have to because of special reasons (think terrorist or child porn), they breach EU privacy law and will be fined, and can even go to jail for it.
As warrantless collection of data is prohibited in the EU, period!

And that is even the same for foreign data.


By ShaolinSoccer on 7/8/2011 11:06:21 PM , Rating: 2
@michael67

As a US citizen, I have to say you should be rated +6.

Even with all the bad spelling lol


By drycrust3 on 7/7/2011 3:25:01 AM , Rating: 5
quote:
Try "E.U. Directives carry no legal weight in the United States."

The corollary is that US laws carry no legal weight in Europe, nor almost anywhere else for that matter. If Microsoft wants to do business in Europe then it has to abide by the laws there.


By BloodSquirrel on 7/7/2011 10:11:30 AM , Rating: 3
I'm sure that MS is hyper-aware of that, considering how much money the EU has wrung out of them for crimes like including a browser with their OS.

If the EU wants to control its citizens' data, it needs to design laws enforceable from the EU. Not laws that try to reach overseas to control the data after it's left their borders.


By Spoelie on 7/7/2011 8:00:45 AM , Rating: 2
"if the data can be accessed normally from the US, then your laws no longer apply to it."

So you agree that because data is technically reachable from a location, the government from that location can claim that data? It would be OK for Europe, Iraq, .. to force hosting companies to hand over data from any US company or citizen solely because of the existence of the internet?

Wow you're thick.


By BloodSquirrel on 7/7/2011 9:28:18 AM , Rating: 2
If that data is being stored in their country or can be accessed from their country? Then, yes, they can. They can make whatever demands they want from whatever company is operating within their borders.

"Thick" is people like you who have this incredibly naive expectation of privacy for data that you're freely throwing out into the world. You're basically the kid who's just posted pictures of himself breaking the law on facebook and is now surprised that his parents found out about it.


By michael67 on 7/7/2011 12:15:43 PM , Rating: 1
"Stupid" is people like you who have this incredible tolerance of what your government is doing with your privacy, if that's for data that you're not freely throwing out into the world, but on a server from a partner company, that made a contract with you that they guarantee the integrity of your data.

Where the US government has no respect for your private rights, and can, with no proper cause, just snoop your data without you even knowing it!


By Spoelie on 7/8/2011 6:33:52 AM , Rating: 2
1. We're not talking about data *stored* in the US. It would be a non-issue to localize foreign data in foreign "clouds" if that would protect it from the PATRIOT act.
2. The data we're talking about is not "freely available" on the internet. It is secured, private and owned by foreign entities. Don't compare it to some facebook picture.

We live in a globalized economy with companies operating internationally.

The idea of any government claiming control of private data, owned by foreign entities, stored in another country - just because the handler (!= owner) of the data operates within its borders - is the idea you are defending.

Come again?


By Some1ne on 7/7/2011 8:51:26 AM , Rating: 2
quote:
... if the data can be accessed normally from the US, then your laws no longer apply to it.


Do you somehow fail to understand what complete nonsense that is? Pretty much everything on the Internet can, by virtue of being on the Internet, be "accessed normally from the U.S.". You therefore think that U.S. laws should apply to that data, and that everybody else's laws are garbage? What exactly gives the U.S. jurisdiction over data that is hosted on a server in France, or Russia, or South Africa?

You're the kind of person who gives Americans a bad name overseas. You make us all look like arrogant, self-centered morons who think we're entitled to dictate how the entire world works.


By BloodSquirrel on 7/7/2011 10:07:01 AM , Rating: 2
quote:
What exactly gives the U.S. jurisdiction over data that is hosted on a server in France, or Russia, or South Africa?


It's pretty clear that you don't understand the fundamental problem here-

Nobody has sole jurisdiction over data that has been placed out in the open. If you put data in a place where you don't have total control over it, then no law you pass is going to force other countries to act like you have.

Oh, and if Europeans want me to care what they think about me, they need to get over themselves first. I'm not going to take continuous abuse from self-important assholes because they're threatening to not like me if I don't.


By Hieyeck on 7/7/2011 9:05:07 AM , Rating: 3
Really? You self-centered arse. Try "United States acts carry no legal weight in the EU."

No one in the EU, or anywhere else in the world, cares for the PATRIOT act. Personally, I think everyone has failed to grasp the complexity of the problem. As you said yourself, the data has crossed borders and anything shy of international law and UN directives have the least bit of effect - and we all know how effective those tend to be.

It's a straight up, bloody mess, to put it mildly.


By michael67 on 7/7/2011 6:18:25 PM , Rating: 3
quote:
that I called Europeans out on their typical "We still think we own the world" conceit?

Seriously, we don't call ourselves, or even try to police the world, announce our presidents the leader of the free world or any of that crap.

We learned the hard way in Europe that we have to work together, too bad the US has forgotten that.

A law like the PATRIOT act is impossible to think of here in the EU, and at least in our eyes makes the US an untrustworthy partner as you can "possibly" snoop data and then forbid the company where you did it to report that you did it; it just feels very sneaky imho.















