
Researchers: PATRIOT Act Can 'Obtain' Data In Europe

An anonymous reader writes "U.S. law enforcement and intelligence services can use the PATRIOT Act/FISA to 'obtain' EU-stored data for snooping, mining and analysis, despite strong EU data and privacy laws, according to a recent research paper. One of the paper's authors, Axel Arnbak, said, 'Most cloud providers, and certainly the market leaders, fall within the U.S. jurisdiction either because they are U.S. companies or conduct systematic business in the U.S. In particular, the Foreign Intelligence Surveillance Amendments (FISA) Act makes it easy for U.S. authorities to circumvent local government institutions and mandate direct and easy access to cloud data belonging to non-Americans living outside the U.S., with little or no transparency obligations for such practices -- not even the number of actual requests.' Arnbak added, 'These laws, including the Patriot Act, apply as soon as a cloud service conducts systematic business in the United States. It's a widely held misconception that data actually has to be stored on servers physically located in the U.S.'"
  • by stiggle ( 649614 ) on Wednesday December 05, 2012 @09:20AM (#42190665)

    Host your own data. Do not trust the cloud.

  • by Anonymous Coward on Wednesday December 05, 2012 @09:36AM (#42190803)

    I guess the same thing applies elsewhere too, like China or Saudi Arabia. If a company wants to conduct business in a country it has to comply with the laws of the country. The main difference is the US is such a huge market that most companies would rather hand over the data than be shut out of it. In a situation where the laws of two different large markets are in direct conflict, it probably becomes a question of "can we get away with it".

    Well, considering that the EU is a larger market than the US I would say that we already are at your last point.
    The US tells companies to hand over the data and the EU tells them not to. It's much easier to verify that the data has been handed over than it is to verify that it hasn't. The way out is to hand over the data silently and hope that the EU doesn't find out.

  • by Aethedor ( 973725 ) on Wednesday December 05, 2012 @09:41AM (#42190831)
    Don't do business with an American company or a company that has an office in the US if you plan to use its service to store sensitive information. This may sound a bit blunt, but for me it's the only proper answer to the PATRIOT Act.
  • Re:Bullshit (Score:4, Insightful)

    by Rogerborg ( 306625 ) on Wednesday December 05, 2012 @09:44AM (#42190853) Homepage
    Indeed, don't these demands tend to come with an "and if you tell anyone we've asked, you win a free one way trip to Guantanamo Bay" condition attached?
  • In Other News.. (Score:5, Insightful)

    by SuperCharlie ( 1068072 ) on Wednesday December 05, 2012 @09:51AM (#42190911)
    The US can do whatever they feel like doing because Fuck You. rabble rabble terrorism..rabblerabble child porn rabblerabble security.

    Get used to it... it's gonna be a long and twisted road before this crap is over.
  • Re:Bullshit (Score:5, Insightful)

    by gstoddart ( 321705 ) on Wednesday December 05, 2012 @10:02AM (#42191027) Homepage

    But yes, the Data Protection Directive makes it very hard for companies to comply with both PATRIOT and the DPD.

    No, it makes it impossible. The PATRIOT Act says "no matter what local laws say, you are obligated to do this" ... the data protection in other countries says "you are absolutely required to not do that".

    Basically, the Americans are saying their laws trump everybody else, and the cost of doing "systematic business in the United States" is that their laws trump everybody else.

    Sadly, the US has decided that, the laws of other countries be damned, if you do enough business here you have to do what we say.

    Yet another example of how the US is declining into a xenophobic country, who has no intention of playing nicely with everybody else -- and American businesses might suddenly find themselves as unwelcome entities around the world as you pointed out. (Which of course they would probably go to the WTO or say "Waahh, you won't let us play in your sandbox" to try to force those countries to allow American companies to do business despite the fact that they essentially can't be trusted.)

    Essentially the only choice is to treat American owned companies as if they're agents of a hostile, totalitarian state -- because if any other country passed a law that said "if you do systematic business here, you must hand over your data to our government", the US would be up in arms talking about the freedoms they're not prepared to extend to other countries.

    I know here in Canada, US owned companies are precluded from some government contracts for this very reason, and pretty much all cloud providers which could host data there are not legally allowed because they open the risk of sensitive data being handed to the Americans without anybody knowing.

    I think this will pretty much be the point at which a lot of these US companies who could be in this position will suddenly start finding a lot of doors closed in their face with a "Oh, sorry, since we can't trust you or your government, you can't come in".

  • by OzPeter ( 195038 ) on Wednesday December 05, 2012 @10:41AM (#42191445)

    The cloud does offer lots of advantages.

    I can't remember where I saw it, but someone suggested that wherever you see the phrase "the cloud", replace it with "someone else's computer" and see how that changes the context.

  • Re:Bullshit (Score:4, Insightful)

    by NatasRevol ( 731260 ) on Wednesday December 05, 2012 @12:17PM (#42192531) Journal

    Wow, that's seriously missing the discussion.

    Do US laws apply to EU companies, IN the EU, just because they have a US branch?

    No, they don't. Even if the US thinks they do.

    Just in case you're unclear, try switching the US and the EU, see how that feels.
