Researchers: PATRIOT Act Can 'Obtain' Data In Europe
An anonymous reader writes "U.S. law enforcement and intelligence services can use the PATRIOT Act/FISA to 'obtain' EU-stored data for snooping, mining and analysis, despite strong EU data and privacy laws, according to a recent research paper. One of the paper's authors, Axel Arnbak, said, 'Most cloud providers, and certainly the market leaders, fall within the U.S. jurisdiction either because they are U.S. companies or conduct systematic business in the U.S. In particular, the Foreign Intelligence Surveillance Amendments (FISA) Act makes it easy for U.S. authorities to circumvent local government institutions and mandate direct and easy access to cloud data belonging to non-Americans living outside the U.S., with little or no transparency obligations for such practices -- not even the number of actual requests.' Arnbak added, 'These laws, including the Patriot Act, apply as soon as a cloud service conducts systematic business in the United States. It's a widely held misconception that data actually has to be stored on servers physically located in the U.S.'"
Same applies elsewhere? (Score:5, Interesting)
I guess the same thing applies elsewhere too, like China or Saudi Arabia. If a company wants to conduct business in a country it has to comply with the laws of the country. The main difference is the US is such a huge market that most companies would rather hand over the data than be shut out of it. In a situation where the laws of two different large markets are in direct conflict, it probably becomes a question of "can we get away with it".
Re: (Score:2)
Could they encrypt their data? And only a subsidiary who only works for the provider has the keys? That way, they can ask for the data, but not the keys, because the company holding the keys doesn't work in the States...
Re:Same applies elsewhere? (Score:4, Interesting)
And then be accused of having ties to Terrorists/Child Slavery/Whatever, and then everything held by the company remotely "US based" gets seized.
Re: (Score:1)
> Could they encrypt their data? And only a subsidiary who only works for the provider has the keys? That way, they can ask for the data, but not the keys, because the company holding the keys doesn't work in the States...
Subsidiaries work fine against civil claims, but they are not effective against this sort of criminal law. The US can apply great pressure on the people who run the US holding company to get the data for them. The board of the subsidiary will normally be made up of people from the holding company. Even if it isn't, because the board of the holding company controls the shares of the subsidiary, they can replace the subsidiary's directors.
You could put your faith in the local subsidiary staff to resist any req
Re: (Score:2)
> Could they encrypt their data? And only a subsidiary who only works for the provider has the keys? That way, they can ask for the data, but not the keys, because the company holding the keys doesn't work in the States...
Rather than handing the keys over to the hosting company, the company should hold their own encryption keys - then no one can access their data without permission, not even the hosting company (well, at least not data at rest - the hosting company can still intercept web traffic, scrape server memory, etc.).
Re: (Score:3)
A large UK-based multinational org that I've worked for has the exact problem of hosting all its data centres in the USA. The big problem is that there are USA laws that apply for which there is no equivalent in the UK/EU, and there are contradictory laws where a lawyer would just choose the best jurisdiction. Withholding keys would be an offence under UK law (RIPA) but not under USA law.
e.g. in the UK, Freedom of Information only applies to government entities.
So, If a UK consumer (who knew the data was host
Re: (Score:2, Interesting)
So, uh, what about complying with EU laws by not handing over the data to America?
Re: Same applies elsewhere? (Score:2)
Then the US will ask for your extradition to be judged for helping a terrorist organisation by not providing them the requested data... Whatever you do, you are fucked :-/
Re: (Score:2)
China is a bigger market and American companies are just as prepared to do business there regardless of the implications. The more we extend our laws the less argument we have when someone is arrested on a business trip to China* and put in some hell hole for something that they did not realise was illegal.
*For China, also read Saudi, Russia etc.
Re: (Score:2)
Yes.
No*
*Not until they pass a similar PATRIOT Act.
But then, that's why we haven't done it to Chinese companies. Because the blowback would get messy. EU companies are already our bitch.
So what we learn from this is.... (Score:5, Insightful)
Host your own data. Do not trust the cloud.
Re: (Score:2)
> Host your own data. Do not trust the cloud.
Hosting your own data isn't hard to do. What I see as more of an issue is how do you build and host your own Internet? (and ensure that only people you "trust" get access to it).
Re:So what we learn from this is.... (Score:5, Informative)
In the Netherlands, we want to host our own data. Some want to build a national database for medical data. However, an American company is developing the software - so that might be enough for the Americans to demand access to whatever is put on that database.
So, essentially, when any US-based company deals with another third party, all the data of this third party is now declared property of the US.
This was front page news just a week ago. Not a really good advertisement for US based software developers. For the record, the project manager (who is Dutch) denies that the Americans would get access. And I guess that under the Patriot Act it is also illegal to claim that the US is snooping around. So, for the record, I deny writing this post, since this is hosted on an American server - or at least maintained by people who create American-centric polls.
Source in Dutch: http://www.metronieuws.nl/nieuws/beheerder-patientendossier-vreest-patriot-act-niet/IWIlkD!AQnwumcZSKxKeH8VP9BZwQ/
Re:So what we learn from this is.... (Score:5, Insightful)
The cloud does offer lots of advantages.
I can't remember where I saw it, but someone suggested that wherever you see the phrase "the cloud", replace it with "someone else's computer" and see how that changes the context.
Re: (Score:2)
Agreed. I am surprised because I thought Europeans were smart enough to avoid the cloud.
What was that about nefarious UN? (Score:1)
This is the government CURRENTLY in charge of the freedom of the internet.
Apparently that means "your data is free to US"...
Re: (Score:3, Funny)
It clearly says "All your data are belong to US".
Not all of Europe (Score:1)
How about Kaliningrad, Russia?
Re: (Score:2)
... or even Moscow, which is also in Europe.
Re: (Score:2)
Of course, almost no US companies do business with China, so no worries there.
Re: (Score:3)
So, when China or someone else passes a similar law, the US will accept that their companies have to hand over the data to the local government because that's how it works?
Or will they basically say their laws and interests trump everybody else's, and too bad? Because I can't see other sovereign nations accepting that.
Re: (Score:2)
US companies may however be more willing to secretly break EU law by handing data to the US than to break US law by handing data to China...
All this is theoretical, based on a research paper. If proof surfaces that Amazon, Google et al. pass European data to the US Government against EU privacy regulations, it would be headline stuff for a long time, weeks, and have huge international diplomatic and business repercussions.
Bullshit (Score:5, Interesting)
The EU Data Protection Directive is very specific on this issue; the hosting/cloud company can only locate the data in the US, or even transmit it there, if there is an explicit guarantee that the data has the same level of protection.
Basically yes, the US could use the Patriot Act to obtain protected EU data from US-based companies. And yes, the company would then have broken the EU directive and would face the courts.
Re:Bullshit (Score:4, Interesting)
> And yes, the company would then have broken the EU directive and would face the courts.
How would the EU courts find out?
Re: (Score:3)
> And yes, the company would then have broken the EU directive and would face the courts.
> How would the EU courts find out?
They wouldn't.
Re: (Score:3)
Could be as simple as a commercial deal lost. Your EU firm is blacklisted for illegal gov support after some tax records are recovered/shared.
A request is made to move more work/data to the USA under a 'free trade' deal - yes or no? If "no", you're even more suspect.
Your trade with countries around the world is sorted into areas of interest to the US gov.
Depends on your links to 2nd and third parties. Cuba? Middle East? Africa? Asia? South America? Stepping on an area the US
Re: (Score:3)
Cause the top guy in the EU subsidiary, and every single person in the chain down to the guy who gave access to the US, would not mind spending time in jail? Either the top guy knows, or someone else is getting screwed, so someone is going to cover their ass and tell.
And they're all, more than likely, living in Europe, so the prospect of being wanted in the US versus being in jail in the EU should be an easy choice.
Re: (Score:2)
Because it is the law to disclose when that data leaves the EU. So you either break EU law twice or EU and US law once each. Nice choice. One way can get your company fined into oblivion, the other goes after personnel and (allegedly) imprisons them. Guess which will be chosen.
Re: with a Warrant Canary (Score:1)
My storage provider maintains a warrant canary:
http://www.rsync.net/resources/notices/canary.txt ... and since my account is in Zurich, I check the local copy there.
Re:Bullshit (Score:5, Insightful)
No, it makes it impossible. The PATRIOT Act says "no matter what local laws say, you are obligated to do this" ... the data protection in other countries says "you are absolutely required to not do that".
Basically, the Americans are saying their laws trump everybody else, and the cost of doing "systematic business in the United States" is that their laws trump everybody else.
Sadly, the US has decided that, the laws of other countries be damned, if you do enough business here you have to do what we say.
Yet another example of how the US is declining into a xenophobic country, who has no intention of playing nicely with everybody else -- and American businesses might suddenly find themselves as unwelcome entities around the world as you pointed out. (Which of course they would probably go to the WTO or say "Waahh, you won't let us play in your sandbox" to try to force those countries to allow American companies to do business despite the fact that they essentially can't be trusted.)
Essentially the only choice is to treat American owned companies as if they're agents of a hostile, totalitarian state -- because if any other country passed a law that said "if you do systematic business here, you must hand over your data to our government", the US would be up in arms talking about the freedoms they're not prepared to extend to other countries.
I know here in Canada, US owned companies are precluded from some government contracts for this very reason, and pretty much all cloud providers which could host data there are not legally allowed because they open the risk of sensitive data being handed to the Americans without anybody knowing.
I think this will pretty much be the point at which a lot of these US companies who could be in this position will suddenly start finding a lot of doors closed in their face with a "Oh, sorry, since we can't trust you or your government, you can't come in".
Re: (Score:3)
> Yet another example of how the US is declining into a xenophobic country, who has no intention of playing nicely with everybody else
Declining into? You haven't read about the history of United Fruit Company, have you? I recommend Bananas (the book, not the fruit, though the fruit is delicious.)
Re: (Score:2)
That's not unique to the US though, many European countries had been doing similar things in other parts of the world at the same time but for a much longer period of time. Doesn't excuse any of it of course. Morals are things that happen when there's no money at stake.
Re: (Score:2)
> That's not unique to the US though
I certainly don't believe it is, we're simply the most successful current example. History is replete with examples of misconduct by and/or in support of the nation's (geographical) other nation company. The point was not to single out the USA as being the paragon of evil, but to forestall any pro-US cheerleading on this account.
Re: (Score:1)
As one of 'the Americans', I'd like to apologize for the theft of Canadian data. I can say with confidence that most of us don't want your data. It is unfortunate that a small but powerful segment of our population have done this in the name of us all.
Re: (Score:3)
As if?
Re: (Score:1)
Yes, if you do business in the US (any business) you need to comply with US law. It works the same for Europe and other places. The only difference is that the US market is so important that companies can't
Re:Bullshit (Score:4, Insightful)
Wow, that's seriously missing the discussion.
Do US laws apply to EU companies, IN the EU, just because they have a US branch?
No, they don't. Even if the US thinks they do.
Just in case you're unclear, try switching the US and the EU, see how that feels.
Re: (Score:1)
Yes, they do, because if they have a US branch, the US can enforce judgments against those companies. That's how laws and jurisdictions work. It works the other way around too.
You mean, the kind of self-serving arrogance with which Europeans have been imposing their cultures, languages, laws, and businesses on the rest of the world since the 15th century?
Re: (Score:2)
1. Enforcing judgements is not the same as knocking on some business' door in Brussels and saying give us your data, or else.
2. Yes, exactly like that. It was bad then, it's just as bad now.
Re: (Score:2)
Actually, the set of laws you can meaningfully pass is the same as the set of laws you can meaningfully enforce.
Nonsense. Europeans forced other nations to comply with their self-serving laws at the barrel of a gun. The US is engaged in law enforcement and anti-terrorism activity, and any company that doesn't want to com
Re: (Score:2)
Wow, that's a lot of delusion for three sentences.
Re: (Score:2)
Because US laws don't apply to EU based companies, whose operations being raided are in the EU, but have a US branch which somehow makes it ok?
Sure, that's not crazy at ALL.
Re: (Score:2)
If Deutsche Telekom bought Yahoo, Yahoo would be a US branch of Deutsche Telekom. You're suggesting that Yahoo then wouldn't have to comply with US laws anymore. That's crazy.
A "US branch" is a US corporation, like any other US corporation. The fact that some foreign entity owns the shares makes no difference. If US law enforcement makes a lawful request for information, they have to comply or face the consequences. And that works no differently anywhere else.
Re: (Score:2)
No, I'm saying Yahoo branch offices in Germany are not subject to US law.
Or that a DT branch in Flagstaff is not subject to German law.
Are you not even trying to pay attention to the larger discussion?
Re: (Score:2)
US law applies exactly when the US is in a position to enforce it, just like German law, French law, Russian law, and North Korean law.
It's not a "delusion" if you can make it stick.
Re: (Score:2)
Yes, and the key thing to remember here is that if the US forces a company to cough up European data, against European laws, then anybody complying with that demand is violating European law.
TFA is basically pointing out that the US could well be forcing companies to comply with the Patriot Act, thereby making them violate the laws of where they're doing business.
So the rational c
Re: (Score:2)
If the Saudis want to impose this condition on Ford, Ford has a clear choice: sell cars in Saudi Arabia and comply with their laws, or sell cars in the US and comply with US laws. It can't do both. Where's the problem?
You can join everybody
Re: (Score:2)
Exactly so. There are treaties which specifically require sharing of intelligence data with the USA (and other countries). These treaties are generally held to trump laws prohibiting the sharing of such data.
e.g.
-USA makes request of company x for data.
-Company x responds that it is not allowed to provide the data, per law y in country z.
-USA requests that country z provide exception to law y for company x regarding the requested data, per treaty.
-Country z tells company x to provide the data.
-Company x p
Re: (Score:2)
There's a massive difference between the US asking Canada to acquire and share data relating to a crime in Canada, and the US forcing companies to break Canadian law to gain access to data relating to activities that may be perfectly legal in Canada.
One of those approaches respects the sovereignty of other nations and is ethically sound.
The other appears to be the preferred approach of the US.
Re: (Score:2)
In other words, many US companies are excluded by default from providing cloud services to many European agencies.
The DPD should apply not only to European agencies but also to citizens of an EU country.
So companies like Dropbox should in theory not provide any service in the EU at all.
I personally am using German hosting providers that state that they only use servers located in Germany/Europe.
Re: (Score:1)
Amazon and Microsoft must love how that part of the Patriot Act fucks their business up. Many European companies, and 100% of the governments, won't subscribe to their service just because the US can seize the content. Thanks for boosting our local economies by making it worthwhile for European companies (Thales, Dassault, Bull, Orange) to build their own cloud with no competition fro
Re: (Score:2)
We use Concur, a US-based company, to do our expenses and even travel arrangements.
We also do business in and with, for example, Cuba and, until last year, Iran, something the US has laws against.
I can see one of our employees having visited Cuba and done his expense claim via Concur being stopped at some US airport.
With this in mind and the document to support it I'll use my authority as a works council member to advise the company to seek legal advice and possibly to re-evaluate our co
Why are my tax dollars being .... (Score:2)
.... spent on MAD magazine SPY vs. SPY real life acting outs..... Don't they realize it's a comic and all abstract?
Cloud storage is public, deal with it (Score:1)
If you store anything in "the cloud" without strong encryption then you're a moron anyway, so who cares?
Re: (Score:2)
your snail mail box is accessible by the public and so is your P.O.Box is on public property...
Something to think about.... Having your head in the cloud is no excuse... it only shows you need radar to see past the cloud.
Re: (Score:2)
> your snail mail box is accessible by the public and so is your P.O.Box is on public property..
Yes, but it's inefficient for the government to get information by raiding PO boxes.
Re: (Score:2)
If you are Australian and use a cloud with links to the USA - you fall under Australian law and whatever any US state or federal agency in the USA feels like looking for.
Your "strong encryption" lasts the links but in the cloud at some point it's like plain text again.
Welcome to CALEA and many other laws, letters
The only real solution (Score:5, Insightful)
NO real solution (Score:2)
In Other News.. (Score:5, Insightful)
Get used to it... it's gonna be a long and twisted road before this crap is over.
Over? (Score:2)
I like your optimism...
Re: (Score:3)
You are correct, but make no mistake, the reason the US will do whatever they feel like is because they have the world's most formidable military by a large margin. Which basically makes it the world's largest terrorist organization. What else do you call it when you have the biggest stick on the planet and the mere threat of it is enough to make other countries do as you please? It is textbook terrorism.
And you know that it is a totalitarian regime when millions of its citizens are out of work, homeless, s
Re: (Score:2)
We also have the most of it. Though tanks and rifles are practically irrelevant. We live on a water planet. Therefore it's the Navy that is of the most concern, and we have eight Nimitz class aircraft carriers complete with, I assume, long range fighters, not to mention drones, with presumably medium to long range missiles in addition to their support fleets.
One of those floating fortresses can easily subdue most countries' entire military without the use of ground forces. Though there are really only a handf
Re: (Score:2)
The Soviet Union lacked the Internet to circumvent authoritarian propaganda. This is going to happen much, much quicker.
Re: (Score:3)
Well, Europe dropped the ball in the 20th century, so it got stuck taking care of all these problems. If Europe doesn't like the way the US handles it, all it has to do is get its shit together.
Well, it sure beats the "crap" that was going on before. And the way things are going, this will be "over" when the US decides it's over, given that Europe and Asia are far more a
Re: (Score:2)
Commie in chief? Really?
Really?
Come back when you can tell the difference between actual communism and "I disagree with some of his viewpoints".
Re: (Score:2)
Oh please, spare me the rhetoric.
Obama's obviously not the messiah that some people made him up to be, but he's nowhere near Bush in damage dealt to both the US and foreign relations. If you think Obama is the most harmful US president of the last 20 years, you must have been in a coma or just horribly ignorant.
It's true that a lot of the badness enacted by Bush still hasn't been removed by Obama. This is down to political maneuvering of course, but also down to a republican-dominated house hell-bent on screw
Foreign Soil (Score:2)
Europe is foreign soil, US law does not really care what you do outside of its jurisdiction.
so what? (Score:2)
European authorities can get personal data on Americans under Europe's (rather bad) laws when that data is hosted on European servers. It's not America's fault that Europeans have, for the most part, failed to create online services that are attractive to people.
Re: (Score:2)
What makes you think the EU doesn't do this? Nations like France and Germany probably don't bother with such niceties as legal orders to reveal this data, they just put government operatives into German subsidiaries and have them take whatever they want.
Will the NSA provide me with free storage, please? (Score:2)
The NSA is welcome to my emails, if I can have free email :) ...
But maybe they are subsidising gmail and hotmail anyway
now amazon can close their datacentre in ireland (Score:2)
because the main reason for servers there was that most EU companies need to ensure that their data is not accessed from countries without reasonable data privacy laws.
But it will freshen the cloud market, because EU companies will get a bigger share, which will lead to more competition.
Re: (Score:2)
Even if they weren't lying when they said it was a temporary measure, I believe violating people's freedoms is unacceptable.