Posted by Alexander Hanff on March 10, 2015.
Over the past 12 months I have noticed an increasingly worrying trend developing in the global technology arena, one which in my mind amounts to nothing less than a deliberate attempt to mislead consumers and businesses alike about the legal powers available to US law enforcement and intelligence agencies.
Late last year Amazon announced that they were launching a second EU hub for their AWS cloud infrastructure, which would be based in Frankfurt, Germany (note: Amazon’s first EU hub for AWS was launched in 2007 in Ireland). The timing and nature of the announcement were obviously focused on the ongoing concerns of EU citizens over the reach of the US surveillance machine into many of the popular online services they use on a minute-to-minute basis. In fact Stefan Reid, Vice President at Forrester Research, stated at the time: “With the announcement Amazon sets itself up to address not only the typically higher legal compliance and security concerns of European customers, but also gets more credibility with the usually more conservative CIOs across Europe.”
But Amazon are not the first to do this: Oracle, VMware and Salesforce (to name just a few) have followed a similar path since the revelations of Edward Snowden had a catastrophic impact on US-based cloud providers.
Microsoft recently obtained ISO 27018 “Cloud Privacy/Security” certification and used the opportunity to publish a blog post by Brad Smith, General Counsel and Executive Vice President of Legal and Corporate Affairs in which he states:
We inform you about government access to data. The standard requires that law enforcement requests for disclosure of personally identifiable data must be disclosed to you as an enterprise customer, unless this disclosure is prohibited by law. We’ve already adhered to this approach (and more), and adoption of the standard reinforces this commitment.
The latest of the big tech corps to join this trend is Apple, which at the end of last month announced that it would be spending €1.7B on two new European Data Centers.
Now this is all well and good, but it needs to be put into legal context. First and foremost, as the ongoing legal case against Microsoft over customer e-mail held in its Dublin data centre has shown, there are various laws in the United States which provide access to your data irrespective of where it is stored. In the Microsoft case the government have used the Stored Communications Act as their weapon of choice, but they could have used a Section 702 order under FISA or a Section 215 order under the PATRIOT Act to achieve the same. In fact, way back in 2011 Microsoft stated that EU cloud data was not safe from the US surveillance machine (an admission which sparked a diplomatic scandal), so this is not something new for Microsoft.
But where I have a problem is the fact that this trend serves one purpose and that purpose is to mislead European consumers, politicians and corporations – it is sleight of hand. By making these announcements that they are moving EU data into EU Data Centers, these global tech giants are attempting to mitigate some of the damage the Snowden revelations have done to the US cloud industry – but it is absolutely false.
Even as news of Microsoft’s ISO 27018 compliance was making its way across social networks, with journalists stating how great this was for privacy, few if any had actually noticed the caveat “unless this disclosure is prohibited by law” sitting inside the very commitment quoted above. Note that the caveat is part of what the standard itself requires, so certification cannot promise anything beyond it. It is a very important point, because many of the legal orders which provide access to this data come with a gagging order attached: the company which receives the order is prohibited by law from admitting it has received it.
This is absolutely wrong. It is dangerous for EU consumers and companies, who will become complacent thinking that their data is safe with Amazon, Apple, Microsoft etc., and furthermore it creates a competition issue, because these same consumers and companies who now think these EU Data Centers make it safe to use Microsoft et al. are not looking at alternatives. The reality is that the Snowden revelations should have sparked a boom for EU-based cloud companies (and this has been true to a certain extent), but opening these new facilities and cosying up to the press, who then go on to misreport the facts, leaves EU consumers and businesses at risk.
So let me end this article by making myself completely clear – it doesn’t matter where an American company stores customer/user data – whether that be in Europe, Brazil or on the bloody Moon – that data is still completely vulnerable to US surveillance and that means it is not safe from surveillance. Don’t be fooled by misleading blog posts, news articles and tweets – if you care about the privacy and security of your cloud data, do not use a company which has any formal ties to the United States.