Forgot your password?
typodupeerror
Cloud EU Government Privacy United States

Researchers: PATRIOT Act Can 'Obtain' Data In Europe 133

Posted by Soulskill
from the otherwise-the-terrists-win dept.
An anonymous reader writes "U.S. law enforcement and intelligence services can use the PATRIOT Act/FISA to 'obtain' EU-stored data for snooping, mining and analysis, despite strong EU data and privacy laws, according to a recent research paper. One of the paper's authors, Axel Arnbak, said, 'Most cloud providers, and certainly the market leaders, fall within the U.S. jurisdiction either because they are U.S. companies or conduct systematic business in the U.S. In particular, the Foreign Intelligence Surveillance Amendments (FISA) Act makes it easy for U.S. authorities to circumvent local government institutions and mandate direct and easy access to cloud data belonging to non-Americans living outside the U.S., with little or no transparency obligations for such practices -- not even the number of actual requests.' Arnback added, 'These laws, including the Patriot Act, apply as soon as a cloud service conducts systematic business in the United States. It's a widely held misconception that data actually has to be stored on servers physically located in the U.S.'"
This discussion has been archived. No new comments can be posted.

Researchers: PATRIOT Act Can 'Obtain' Data In Europe

Comments Filter:
  • by Intrepid imaginaut (1970940) on Wednesday December 05, 2012 @09:19AM (#42190659)

    I guess the same thing applies elsewhere too, like China or Saudi Arabia. If a company wants to conduct business in a country it has to comply with the laws of the country. The main difference is the US is such a huge market that most companies would rather hand over the data than be shut out of it. In a situation where the laws of two different large markets are in direct conflict, it probably becomes a question of "can we get away with it".

    • Could they encrypt they data? And only a subsidiary who only work for the provider have the keys? That way, they can ask the datas, but not the keys because the company holding the keys doesn't work in the states...

      • by RobertLTux (260313) <robert AT laurencemartin DOT org> on Wednesday December 05, 2012 @09:50AM (#42190905)

        and then be accused of having ties to Terrorists/ Child Slavery/Whatever and then everything held by the company remotely "US based" gets seized.

      • by Anonymous Coward

        Could they encrypt they data? And only a subsidiary who only work for the provider have the keys? That way, they can ask the datas, but not the keys because the company holding the keys doesn't work in the states...

        Subsidiaries work fine against civil claims, but they are not effective against this sort of criminal law. The US can apply great pressure on the people who run the US holding company to get the data for them. The board of the subsidiary will normally be made up of people from the holding company. Even if it isn't, because the board of the holding company control the shares of the subsidiary, they can replace the subsidiary's directors.

        You could put your faith in the local subsidiary staff to resist any req

      • by hawguy (1600213)

        Could they encrypt they data? And only a subsidiary who only work for the provider have the keys? That way, they can ask the datas, but not the keys because the company holding the keys doesn't work in the states...

        Rather than handing the keys over to the hosting company, the company should hold their own encryption keys - then no one can access their data without permission, not even the hosting company. (well at least not data at rest - the hosting company can still intercept web traffic, scrape server memory, etc).

      • A large UK based multi-national org that I've worked for has the exact problem of hosting all its data centres in the USA. The big problem is that there are USA laws that apply that there is no equivalent in the UK/EU and there are contradictory laws where a lawyer would just choose the best jurisdiction. With-holding keys would be an offence under UK law (RIPA) but not under USA law.

        e.g. in the UK, Freedom of Information only applies to government entities.

        So, If a UK consumer (who knew the data was host

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      So, uh, what about complying with EU laws by not handing over the data to America?

      • Then the US will ask your extradition to be judged for helping a terrorist organisation by not providing them the requested datas.... Whatever you do, you are fucked :-/

        • But at least the extradiction request would have to be made in the open -- so it could not be done in secret as can be done under the patriot act. If enough fuss is made then local (non USA) politicians might get enough complains to do something about it.
    • by Zemran (3101)

      China is a bigger market and American companies are just as prepared to do business there regardless of the implications. The more we extend our laws the less argument we have when someone is arrested on a business trip to China* and put in some hell hole for something that they did not realise was illegal.

      *For China, also read Saudi, Russia etc.

  • by stiggle (649614) on Wednesday December 05, 2012 @09:20AM (#42190665)

    Host your own data. Do not trust the cloud.

    • by OzPeter (195038)

      Host your own data. Do not trust the cloud.

      Hosting your own data isn't hard to do. What I see as more of an issue is how do you build and host your own Internet? (and ensure that only people you "trust" get access to it).

      • by edrawr (1572199)
        With the proliferation of MPLS networks, this would not be all that hard to do on an organizational level. Host your servers in [Generic Non-Extradition Country] and link all of your sites/users via MPLS or VPN to your MPLS network, as well as any other "trusted" entities.
    • by captainpanic (1173915) on Wednesday December 05, 2012 @09:54AM (#42190939)

      In the Netherlands, we want to host our own data. Some want to build a national database for medical data. However, an American company is developing the software - so that might be enough for the Americans to demand access to whatever is put on that database.

      So, essentially, when any US based company deals with another third party, all the data of this third party does is now declared property of the US.

      This was front page news just a week ago. Not a really good advertisement for US based software developers. For the record, the project manager (who is Dutch) denies that the Americans would get access. And I guess that under the Patriot Act it is also illegal to claim that the US is snooping around. So, for the record, I deny writing this post, since this is hosted on an American server - or at least maintained by people who create American-centric polls.

      Source in Dutch: http://www.metronieuws.nl/nieuws/beheerder-patientendossier-vreest-patriot-act-niet/IWIlkD!AQnwumcZSKxKeH8VP9BZwQ/ [metronieuws.nl]

    • by Darinbob (1142669)

      Agreed. I am surprised because I though Europeans were smart enough to avoid the cloud.

  • by Anonymous Coward

    This is the government CURRENTLY in charge of the freedom of the internet.

    Apparently that means "your data is free to US"...

    • Re: (Score:3, Funny)

      by Anonymous Coward

      It clearly says "All your data are belong to US".

  • by Anonymous Coward

    How about Kalingrad, Russia [google.com]?

    • by Zemran (3101)

      ... or even Moscow, which is also in Europe.

      • by Teun (17872)
        I'm sure when an article mentions European (privacy) law the implication is we're talking about European Union law.
  • Bullshit (Score:5, Interesting)

    by Rakshasa-sensei (533725) on Wednesday December 05, 2012 @09:25AM (#42190701) Homepage

    The EU Data Protection Directive is very specific on this issue; the hosting/cloud company can only locate the data in the US, or even transmit it there, if there is an explicit guarantee that the data has the same level of protection.

    Basically yes, the US could use the Patriot Act to obtain protected EU data from US-based companies. And yes, the company would then have broken the EU directive and would face the courts.

    • Re:Bullshit (Score:4, Interesting)

      by Thiez (1281866) on Wednesday December 05, 2012 @09:35AM (#42190789)

      > And yes, the company would then have broken the EU directive and would face the courts.

      How would the EU courts find out?

      • Re:Bullshit (Score:4, Insightful)

        by Rogerborg (306625) on Wednesday December 05, 2012 @09:44AM (#42190853) Homepage
        Indeed, don't these demands tends to come with "and if you tell anyone we've asked, you win a free one way trip to Guantanamo Bay" condition attached?
      • by Meneth (872868)

        > And yes, the company would then have broken the EU directive and would face the courts.

        How would the EU courts find out?

        They wouldn't.

        • by delt0r (999393)
          Then how can the US use the information?
          • by AHuxley (892839)
            Re use the information?
            Could be as simple as a commercial deal lost. Your EU firm is blacklisted for illegal gov support after some tax records are recovered/shared.
            A request is made to move more work/data to the USA under a 'free trade' deal - yes or no? If "no" your even more suspect.
            Your trade with countries around the world is sorted into areas of interest to the US gov.
            Depends on your links to 2nd and third parties. Cuba? Middle East? Africa? Asia? South America? Stepping on an area the US
        • Cause the top guy in the EU subsidiary, and every single person in the chain down to the guy who gave access to the US, would not mind spending time in jail? Either the top guy knows, or someone else is getting screwed, so someone is going to cover their ass and tell.

          And they're all, more than likely, living in the Europe so the prospect of being wanted in the US versus being in jail in the EU should be an easy choice.

        • I wonder if you could claim polical assylum in your own country to stop yourself being extradicted to the USA ?
      • by mrbester (200927)

        Because it is the law to disclose when that data leaves the EU. So you either break EU law twice or EU and US law once each. Nice choice. One way can get your company fined into oblivion, the other goes after personnel and (allegedly) imprisons them. Guess which will be chosen.

      • My storage provider maintains a warrant canary:

        http://www.rsync.net/resources/notices/canary.txt [rsync.net] ... and since my account is in Zurich, I check the local copy there.

    • by arendjr (673589)

      It's not bullshit at all. But yes, the Data Protection Directive makes it very hard for companies to comply with both PATRIOT and the DPD. In other words, many US companies are excluded by default from providing cloud services to many European agencies.

      • Re:Bullshit (Score:5, Insightful)

        by gstoddart (321705) on Wednesday December 05, 2012 @10:02AM (#42191027) Homepage

        But yes, the Data Protection Directive makes it very hard for companies to comply with both PATRIOT and the DPD.

        No, it makes it impossible. the PATRIOT act says "no matter what local laws say, you are obligated to do this" ... the data protection in other countries says "you are absolutely required to not do that".

        Basically, the Americans are saying their laws trumps everybody else, and the cost of doing "systematic business in the United States" is that their laws trump everybody else.

        Sadly, the US has decided that, the laws of other countries be damned, if you do enough business here you have to do what we say.

        Yet another example of how the US is declining into a xenophobic country, who has no intention of playing nicely with everybody else -- and American businesses might suddenly find themselves as unwelcome entities around the world as you pointed out. (Which of course they would probably go to the WTO or say "Waahh, you won't let us play in your sandbox" to try to force those countries to allow American companies to do business despite the fact that they essentially can't be trusted.)

        Essentially the only choice is to treat American owned companies as if they're agents of a hostile, totalitarian state -- because if any other country passed a law that said "if you do systematic business here, you must hand over your data to our government", the US would be up in arms talking about the freedoms they're not prepared to extend to other countries.

        I know here in Canada, US owned companies are precluded from some government contracts for this very reason, and pretty much all cloud providers which could host data there are not legally allowed because they open the risk of sensitive data being handed to the Americans without anybody knowing.

        I think this will pretty much be the point at which a lot of these US companies who could be in this position will suddenly start finding a lot of doors closed in their face with a "Oh, sorry, since we can't trust you or your government, you can't come in".

        • by drinkypoo (153816)

          Yet another example of how the US is declining into a xenophobic country, who has no intention of playing nicely with everybody else

          Declining into? You haven't read about the history of United Fruit Company, have you? I recommend Bananas (the book, not the fruit, though the fruit is delicious.)

          • by Darinbob (1142669)

            That's not unique to the US though, many European countries had been doing similar things in other parts of the world at the same time but for a much longer period of time. Doesn't excuse any of it of course. Morals are things that happen when there's no money at stake.

            • by drinkypoo (153816)

              That's not unique to the US though

              I certainly don't believe it is, we're simply the most successful current example. History is replete with examples of misconduct by and/or in support of the nation's (geographical) other nation company. The point was not to single out the USA as being the paragon of evil, but to forestall any pro-US cheerleading on this account.

        • by Anonymous Coward

          As one of 'the Americans', I'd like to apologize for the theft of Canadian data. I can say with confidence that most of us don't want your data. It is unfortunate that a small but powerful segment of our population have done this in the name of us all.

        • by Thaelon (250687)

          Essentially the only choice is to treat American owned companies as if they're agents of a hostile, totalitarian state

          As if?

        • Basically, the Americans are saying their laws trumps everybody else, and the cost of doing "systematic business in the United States" is that their laws trump everybody else. Sadly, the US has decided that, the laws of other countries be damned, if you do enough business here you have to do what we say.

          Yes, if you do business in the US (any business) you need to comply with US law. It works the same for Europe and other places. The only difference is that the US market is so important that companies can't

          • Re:Bullshit (Score:4, Insightful)

            by NatasRevol (731260) on Wednesday December 05, 2012 @12:17PM (#42192531) Journal

            Wow, that's seriously missing the discussion.

            Do US laws apply to EU companies, IN the EU, just because they have a US branch?

            No, they don't. Even if the US thinks they do.

            Just in case you're unclear, try switching the US and the EU, see how that feels.

            • Do US laws apply to EU companies, IN the EU, just because they have a US branch?

              Yes, they do, because if they have a US branch, the US can enforce judgments against those companies. That's how laws and jurisdictions work. It works the other way around too.

              Just in case you're unclear, try switching the US and the EU, see how that feels.

              You mean, the kind of self-serving arrogance with which Europeans have been imposing their cultures, languages, laws, and businesses on the rest world since the 15th century?

              • 1. Enforcing judgements is not the same as knocking on some business' door in Brussels and saying give us your data, or else.

                2. Yes, exactly like that. It was bad then, it's just as bad now.

                • 1. Enforcing judgements is not the same as knocking on some business' door in Brussels and saying give us your data, or else.

                  Actually, the set of laws you can meaningfully pass is the same as the set of laws you can meaningfully enforce.

                  2. Yes, exactly like that. It was bad then, it's just as bad now.

                  Nonsense. Europeans forced other nations to comply with their self-serving laws at the barrel of a gun. The US is engaged in law enforcement and anti-terrorism activity, and any company that doesn't want to com

                  • Wow, that's a lot of delusion for three sentences.

                    • Because US laws don't apply to EU based companies, whose operations being raided are in the EU, but have a US branch which somehow makes it ok?

                      Sure, that's not crazy at ALL.

                    • If Deutsche Telekom bought Yahoo, Yahoo would be a US branch of Deutsche Telekom. You're suggesting that Yahoo then wouldn't have to comply with US laws anymore. That's crazy.

                      A "US branch" is a US corporation, like any other US corporation. The fact that some foreign entity owns the shares makes no difference. If US law enforcement makes a lawful request for information, they have to comply or face the consequences. And that works no differently anywhere else.

                    • No, I'm saying Yahoo branch offices in Germany are not subject to US law.
                      Or that a DT branch in Flagstaff is not subject to German law.

                      Are you not even trying to pay attention to the larger discussion?

          • Sorry, but no other country tries to extend their laws outside their borders as US does. US seems to think that their laws trump any local laws of any other country whenever they see fit. That is a delusion of grandeur that may still prove to be its downfall.
            • Sorry, but no other country tries to extend their laws outside their borders as US does. US seems to think that their laws trump any local laws of any other country whenever they see fit.

              US law applies exactly when the US is in a position to enforce it, just like German law, French law, Russian law, and North Korean law.

              That is a delusion of grandeur that may still prove to be its downfall.

              It's not a "delusion" if you can make it stick.

          • by gstoddart (321705)

            Yes, if you do business in the US (any business) you need to comply with US law. It works the same for Europe and other places.

            Yes, and the key thing to remember here is that if the US forces a company to cough up European data, against European laws, then anybody complying with that demand is violating European law.

            TFA is basically pointing out that the US could well be forcing companies to comply with the Patriot Act, thereby making them violating the laws of where they're doing business.

            So the rational c

        • I see a lot of criticism with regard to the Patriot Act, but a lot of it is due to misinformation and it isn't going to have a practical effect in most cases. The United States has mutual legal assistance treaties with other countries so unless you're storing your data in Venezuela, they'll probably be able to get it if terrorism is suspected. Canada has the Canadian Anti-Terrorism Act, which is very similar to the Patriot Act, except that no one ever talks about it. In the event that there is a bona fid
          • Exactly so. There are treaties which specifically require sharing of intelligence data with the USA (and other countries). These treaties are generally held to trump laws prohibiting the sharing of such data.

            e.g.
            -USA makes request of company x for data.

            -Company x responds that it is not allowed to provide the data, per law y in country z.

            -USA requests that country z provide exception to law y for company x regarding the requested data, per treaty.

            -Country z tells company x to provide the data.

            -Company x p

          • by Cederic (9623)

            There's a massive difference between the US asking Canada to acquire and share data relating to a crime in Canada, and the US forcing companies to break Canadian law to gain access to data relating to activities that may be perfectly legal in Canada.

            One of those approaches respects the sovereignty of other nations and is ethically sound.

            The other appears to be the preferred approach of the US.

      • In other words, many US companies are excluded by default from providing cloud services to many European agencies.

        The DPD should apply not only to European agencies but also citizen of a EU country.
        So companioes like Dropbox should in theory not provide any service in the EU at all.

        I personally am using German hosting providers that state that they only use server located in Germany/Europe.

    • by Alarash (746254)
      That'll be in a Terms of Service or EULA. Larger companies will have lawyers review those, not the average developer or citizen.

      Amazon and Microsoft must love how that part of the Patriot Act fucks their business up. Many European companies, and 100% of the governments, won't subscribe to their service just because US can seize the content. Thanks for boosting our local economies by making it worthwhile for European companies (Thales, Dassault, Bull, Orange) to build their own cloud with no competition fro
    • by Teun (17872)
      This is the problem.

      We use Concur, a US based company, to do our expenses and even travel arrangements.
      We also do business in and with for example Cuba and until last year in Iran, something the US has laws against.
      I can see one of our employees having visited Cuba and done his expense claim via Concur being stopped at some US airport.

      With this in mind and the document to support it I'll use my authority as a works council member to advise the company seek legal advise and possibly to re-evaluate our co

  • .... spent on MAD magazine SPY vs. SPY real life acting outs..... Don't they realize its a comic and all abstract?

  • If you store anything in "the cloud" without strong encryption then you're a moron anyway so who cares ?

    • by 3seas (184403)

      your snail mail box is accessible by the public and so is your P.O.Box is on public property...

      Something to think about.... Having your head in the cloud is no excuse... it only shows you need radar to see past the cloud.

      • your snail mail box is accessible by the public and so is your P.O.Box is on public property..

        Yrs, but it's inefficient for the government to get information by raiding PO boxes.

    • by AHuxley (892839)
      If you are Australian and use an Australian cloud- you fall under Australian law and whatever the NSA can find.
      If you are Australian and use a cloud with links to the USA - you fall under Australian law and whatever any US state or federal agency in the USA feels like looking for.
      Your "strong encryption" lasts the links but in the cloud at some point its like plain text again.
      Welcome to CALEA and many other laws, letters :)
  • by Aethedor (973725) on Wednesday December 05, 2012 @09:41AM (#42190831)
    Don't do business with an American company or a company that has an office in the US if you plan to use its service to store sensitive information. This may sound a bit blunt, but for me it's the only proper answer to the patriot act.
    • I don't do any business with an American company. But my hospital does. It stores all my data in an Electronic Patient Record built by an American company and hosted St. Isidorus knows where. It was already in the news that all our electronic patient records are potentially unsafe because of American law.
  • In Other News.. (Score:5, Insightful)

    by SuperCharlie (1068072) on Wednesday December 05, 2012 @09:51AM (#42190911)
    The US can do whatever they feel like doing because Fuck You. rabble rabble terrorism..rabblerabble child porn rabblerabble security.

    Get used to it... its gonna be a long and twisted road before this crap is over.
    • I like your optimism...

    • by retaj (1020999)
      Somehow Congress passed a law which the president signed declaring that the US Secretary of Transportation can shield U.S. airlines from paying a carbon tax. I suppose we will provide a military escort when they refuse landing?
      • by PPH (736903)
        Oh, they'll let you land all right. Taking off again is another matter.
    • by Thaelon (250687)

      You are correct, but make no mistake, the reason the US will do whatever they feel like is because they have the world's most formidable military by a large margin. Which basically makes it the world's largest terrorist organization. What else do you call it when you have the biggest stick on the planet and the mere threat of it is enough to make other countries do as you please? It is textbook terrorism.

      And you know that it is a totalitarian regime when millions of its citizens are out of work, homeless, s

      • by grenadeh (2734161)
        We have the best technology. Not really the best anything else. T99s are better than Abrahms - we'll see if the M3 gives us the edge again. Our infantry rifles, while decent, are still 50 years old. We've attempted to replace them several times and have turned down superior weapons like the M416. Our active military is still smaller than North Korea and China. Countries hardly do as we please. All we do is piss everyone off and shit down their throats and then the government, for the benefit of the sheep,
        • by Thaelon (250687)

          We also have the most of it. Though tanks and rifles are practically irrelevant. We live on a water planet. Therefore its the Navy this is of the most concern, and we have eight Nimitz class aircraft carriers complete with, I assume, long range fighters, not to mention drones, with presumably medium to long range missiles in addition to their support fleets.

          One of those floating fortresses can easily subdue most countries entire military without the use of ground forces. Though there are really only a handf

    • The US can do whatever they feel like doing because Fuck You

      Well, Europe dropped the ball in the 20th century, so it got stuck taking care of all these problems. If Europe doesn't like the way the US handles it, all it has to do is get its shit together.

      Get used to it... its gonna be a long and twisted road before this crap is over.

      Well, it sure beats the "crap" that was going on before. And the way things are going, this will be "over" when the US decides its over, given that Europe and Asia are far more a

  • Europe is foreign soil, US law does not really care what you do outside of its jurisdiction.

  • European authorities can get personal data on Americans under Europe's (rather bad) laws when that data is hosted on European servers.It's not America's fault that Europeans have, for the most part, failed to create online services that are attractive to people.

  • The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    Any act of congress which purports to empower the executive branch to search without probable cause is unconstitutional, and therefore not a law at all.

    -jcr

  • The NSA is welcome to my emails, if I can have free email :)
    But maybe they are subsidising gmail and hotmail anyway ...

  • because the main reason for servers there was, that most eu companys need to ensure, that their data is not accessed from countries without reasonable data privacy laws.
    But it will freshen the cloud market, because eu companies will get a bigger share, which will lead to more competition.

"Wish not to seem, but to be, the best." -- Aeschylus

Working...