Wednesday

24th May 2017

US free to grab EU data on American clouds

  • EU data stored on US-based clouds are open to US government scrutiny. (Photo: Bob West)

An obscure section in a US law is said to entitle authorities to access, without a warrant, data stored by any EU citizen on clouds run by American companies.

Although highly controversial for its indirect effects on Americans, the impact of the law appears to have been overlooked by its intended target - everyone else.

Dear EUobserver reader

Subscribe now for unrestricted access to EUobserver.

Sign up for 30 days' free trial, no obligation. Full subscription only 15 € / month or 150 € / year.

  1. Unlimited access on desktop and mobile
  2. All premium articles, analysis, commentary and investigations
  3. EUobserver archives

EUobserver is the only independent news media covering EU affairs in Brussels and all 28 member states.

♡ We value your support.

If you already have an account click here to login.

Rather than case-by-case snooping, the law authorises mass-surveillance of non-Americans, for purely political purposes, said Caspar Bowden who is the former chief privacy adviser to Microsoft, at a panel on cyber security organised by the CPDP conference in Brussels on Friday (25 January).

“It intentionally targets only non-US persons located outside the US and provides for a blanket authorisation to this for one year at a time. There is no individual warrantry,” said Bowden, who is now an independent advocate for information rights.

The section in the so-called Foreign Intelligence Amendments Act (FISAAA) grants the US government sweeping powers to collect foreign intelligence information stored in US Cloud computing providers like Amazon or Google.

The article specifically states the US Attorney General and the Director of National Intelligence may authorise jointly, for a period of up to one year from the effective date of the authorisation, the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.

The amendment cites a number of limitations but Bowden, who also co-authored the ‘Fighting cyber crime and protecting privacy in the cloud’ report for the European Parliament, said FISAAA essentially makes it lawful for the US to conduct purely political surveillance on foreigners' data accessible in US Cloud providers.

“It doesn’t have to be a political party, it can be an activist group or anybody engaged in political activity or even just data from a foreign territory that relates to the conduct of foreign affairs in the United States,” he said.

The EU’s current data reform package is apparently unable to respond to the wording outlined in the US act.

Bowden says "binding corporate rules for data processors" was inserted into the European Commission’s data protection regulation proposal with loopholes built-in which allow for FISAAA surveillance.

The binding corporate rules require cloud providers to hire a private-sector audit company to certify the generic cloud system for security.

But private audit companies, says Bowden, are unable to discover secret wire-tappings ordered by the national security law of another country.

The act may have wide implications on the right to respect for private and family life, reinforced by EU law in the charter for fundamental rights inscribed in the Lisbon Treaty.

'Anger and disbelief'

“When my attention were first drawn to the previsions of FISAAA, I went through a strange sequence of emotional reactions. From sort of laughter, through disbelief, to anger to denial,” said another panellist, Gordon Nardell, a London-based barrister specialising in data protection and data retention in the telecoms sector.

The European Commission, for its part, was unable to provide a comment on FISAAA.

“This [FISAAA] is not something we have any comment about,” said the spokeswoman for the European Commissioner of Justice Viviane Reding in an email.

But the issue is not unknown within the EU institutions.

“If it is a US company it’s the FBI’s jurisdiction and if you are not a US citizen then they come and look at whatever you have if it is stored on a US company server,” stated Estonian president Toomas Hendrik Ilves, who also chairs a commission advisory group on cloud computing, at a separate panel discussion on cyber security held on Wednesday.

A high-ranking EU source told this website that the commission is actively looking into the amendment. The source drew some caution on the wide-spread snooping powers put forward by FISAAA but noted that “it is not outside the realm of possibility.”

The Brussels-based European Data Protection Supervisor also refrained from any official comment though an inside contact said they are too investigating.

Meanwhile, a spokesperson for the United States Department of Justice told this website that the US is committed to privacy rights. "The FISA Amendments Act is not used indiscriminately or for political purposes," said the spokesperson, noting that a special court is used for judicial oversight on the requests.

But the section in FISAAA that is generating controversy is filed under 1881a.

The section expanded in 2008 on a 27-year old definition on “remote computing services” to include any providers of public cloud computing.

The amendment specifically targets data of non-Americans located outside the US and removes previous constraints which hindered continuous data collection and mass-surveillance.

FISAAA also notes that investigations should be conducted in a manner consistent with the US Fourth Amendment which guards against unreasonable searches and seizures.

But a US judiciary subcommittee on FISAAA in 2008 stated that the Fourth Amendment has no relevance to non-US persons.

FISAAA also forces US Internet giants and other tech companies operating clouds in the EU to hand over the data or face sanctions, says Bowden.

“The providers have to give all assistance, facilities, information to accompany this in total secrecy. If that secrecy is breached, it’s a contempt of court and probably a breach of the US espionage act as well,” noted Bowden.

EU visa waiver looms for Russia-annexed Crimeans

Visa liberalisation for Ukrainians entering the EU will also apply to inhabitants of the peninsula taken over by Moscow in 2014. But the issue poses administrative as well as political problems.

News in Brief

  1. Pressure grows on climate impact of EU timber harvesting
  2. US goes after Fiat Chrysler over emissions cheat
  3. Munich police break up Europe-wide burglar clan
  4. Report: VW threatened with €19.7 billion French fine
  5. Turkey begins mass trial of suspected coup leaders
  6. Merkel's CDU consolidates lead in polls
  7. France to host Russian president
  8. Switzerland votes against nuclear power

Stakeholders' Highlights

  1. UNICEFChild Alert on Myanmar: Fruits of Rapid Development yet to Reach Remote Regions
  2. Nordic Council of MinistersBecome an Explorer - 'Traces of Nordic' Seeking Storytellers Around the World
  3. Malta EU 2017Closer Cooperation and Reinforced Solidarity to Ensure Security of Gas Supply
  4. European Healthy Lifestyle AllianceHigh-Intensity Interval Training Is Therapeutic Option for Type 2 Diabetes
  5. Dialogue Platform"The West Must Help Turkey Return to a Democratic Path" a Call by Fethullah Gulen
  6. ILGA-EuropeRainbow Europe 2017 Is Live - Which Countries Are Leading on LGBTI Equality?
  7. Centre Maurits CoppietersWhen You Invest in a Refugee Woman You Help the Whole Community
  8. Eurogroup for AnimalsECJ Ruling: Member States Given No Say on Wildlife Protection In Trade
  9. European Heart NetworkCall for Urgent Adoption of EU-Wide Nutrient Profiles for Nutrition & Health Claims
  10. Counter BalanceInvestment Plan for Europe More Climate Friendly but European Parliament Shows Little Ambition
  11. Mission of China to the EUPresident Xi: China's Belt and Road Initiative Benefits People Around the World
  12. Malta EU 2017EU Strengthens Control of the Acquisition and Possession of Firearms

Latest News

  1. Openness over Brexit is 'political play', says EU ombudsman
  2. Le Pen's EU group in fresh spending scandal
  3. New EU right to data portability to cause headaches
  4. Cyber threats are inevitable, paralyzing impact is not
  5. Transparency complaints keep EU Ombudsman busy
  6. EU sets out criteria for relocating UK agencies
  7. EU states back bill against online hate speech
  8. Dutch coalition talks collapse again

Stakeholders' Highlights

  1. International Partnership for Human RightsThe Cost of Speaking Out: Human Rights Violations Committed in Belarus
  2. ACCABanishing Bias? Audit, Objectivity and the Value of Professional Scepticism
  3. Nordic Council of MinistersNew Oslo Climate Declaration Focuses on Rising Temperatures in the Arctic
  4. European Healthy Lifestyle AllianceAbdominal Obesity: A Causal Risk Factor for Cardiometabolic Diseases
  5. EU Green Week 2017Discuss EU Environmental Policies With Industry Experts and Thought Leaders
  6. GEN Summit 2017Join the World's Leading Media Summit for Thought-Provoking Talks and Experiences
  7. International Partnership for Human RightsTogether for Human Rights: A Year in Review
  8. Malta EU 2017EU All Set for Free Roaming Starting 15 June
  9. Nordic Council of MinistersRefugee Unemployment Biggest Drain on Public Purse, Says New Nordic Studies
  10. Dialogue Platform17,000 Women, 515 Babies in Turkish Prisons, a Report Reveals
  11. European Healthy Lifestyle AllianceCharlotte Hornets' Nicolas Batum Tells Kids to "Eat Well, Drink Well, Move!"
  12. ECR GroupSyed Kamall: We Need a New, More Honest Relationship With Turkey