twitter facebook rss

EU Data Centers are not safe from US Surveillance

Posted by on March 10, 2015.

Over the past 12 months I have noticed an increasingly worrying trend which is developing in the global technology arena and it is one which in my mind amounts to nothing less than a deliberate attempt to mislead consumers and businesses alike on the legal powers available to US law enforcement and intelligence agencies.

Late last year Amazon announced that they were launching a second EU hub for their AWS cloud infrastructure which would be based in Frankfurt, Germany (note: Amazon’s first EU Hub for AWS was launched in 2007 in Ireland).  The timing and nature of the announcement was obviously focused on the ongoing concerns of EU citizens over the reach of the US surveillance machine into many of the popular online services they use on a minute to minute basis.  In fact Stefan Reid, Vice President at Forrester Research stated at the time “With the announcement Amazon sets itself up to address not only the typically higher legal compliance and security concerns of European customers, but also gets more credibility with the usually more conservative CIOs across Europe,”.

But Amazon are not the first to do this, Oracle, VMWare and Salesforce (to name just a few) have followed a similar path since the revelations of Edward Snowden had a catastrophic impact on US based cloud providers.

Microsoft recently obtained ISO 27018 “Cloud Privacy/Security” certification and used the opportunity to publish a blog post by Brad Smith, General Counsel and Executive Vice President of Legal and Corporate Affairs in which he states:

We inform you about government access to data. The standard requires that law enforcement requests for disclosure of personally identifiable data must be disclosed to you as an enterprise customer, unless this disclosure is prohibited by law. We’ve already adhered to this approach (and more), and adoption of the standard reinforces this commitment.

The latest of the big tech corps to join this trend is Apple, which at the end of last month announced that it would be spending $1.7B on two new European Data Centers.

Now this is all well and good but it needs to be put into legal context.  First and foremost, as has been shown by the ongoing legal case against Microsoft, there are various laws in the United States which provide access to your data irrespective of where it is stored.  In the Microsoft case the government have used the Stored Communications Act as their weapon of choice but they could have used a Section 702 FISA order or a Section 215 PATRIOT Act order to achieve the same.  In fact way back in 2011, Microsoft stated that EU Cloud Data was not safe from the US surveillance machine (an admission which sparked a diplomatic scandal), so this is not something new for Microsoft.

But where I have a problem is the fact that this trend serves one purpose and that purpose is to mislead European consumers, politicians and corporations – it is sleight of hand.  By making these announcements that they are moving EU data into EU Data Centers, these global tech giants are attempting to mitigate some of the damage the Snowden revelations have done to the US cloud industry – but it is absolutely false.

Even as news of Microsoft’s 27018 compliance was making its way across social networks with journalists stating how great this was for privacy – few if any had actually noticed the caveat “unless this disclosure is prohibited by law” which is tagged onto the end of the Microsoft blog post and that is a very important point as many of the legal orders which provide access to this data come with a gagging order attached (that is to say that the company which receives the order is prohibited by law from admitting it has received it).

This is absolutely wrong – it is dangerous for EU consumers and companies who will become complacent thinking that their data is safe with Amazon, Apple, Microsoft etc. and furthermore it creates a competition issue, because these same consumers and companies who now think these EU data centers make it safe to use Microsoft et al. are not looking at alternatives.  The reality is that the Snowden revelations should have sparked a boom for EU based cloud companies (and this has been true to a certain extent) but opening these new facilities and cosying up to the press who then go on to misreport the facts, leaves EU consumers and businesses at risk.

So let me end this article by making myself completely clear – it doesn’t matter where an American company stores customer/user data – whether that be in Europe, Brazil or on the bloody Moon – that data is still completely vulnerable to US surveillance and that means it is not safe from surveillance.  Don’t be fooled by misleading blog posts, news articles and tweets – if you care about the privacy and security of your cloud data, do not use a company which has any formal ties to the United States.

4 thoughts on “EU Data Centers are not safe from US Surveillance

  1. This question of jurisdiction and law enforcement action was the subject of one of the CPDP2015 panel that I have reported, with mention to the two pending cases of Microsoft and the Belgium Government and Yahoo email account access.

  2. Can you point to some credible published data supporting the view that the Snowden revelations have, at least to a certain extent, “sparked a boom for EU based cloud companies”? I often hear this, but no one ever seems to have any numbers to back it up. If true it would mark impressive progress for European cloud firms. But my gut feeling (in the absence of data) is that it is not true. I would wager that the combined revenues of the US cloud firms in Europe still exceed those of European providers by a very wide margin. If there is a European cloud firm that has a realistic chance of catching up with Amazon, Google, Microsoft etc. on a global scale, who might that be?

    • Alexander Hanff on said:

      In talking to EU cloud providers they have mentioned an uptick in business since Snowden but I too would doubt that any of the EU providers are in a position to worry the usual suspects. I think what is more concerning for the likes of Amazon and Microsoft is that companies are not adopting cloud over concerns about security and data protection. My point was that we should have seen a much bigger boom for the EU cloud industry but with this false belief that the big 3 (Amazon, Microsoft and Salesforce) are somehow now safe to use because they have EU data centers – this boom is unlikely to happen to a significant extent. This deception is causing competition issues in the market and in my opinion should be tackled on anti-trust grounds as it is a deliberate deception in an attempt to retain market share. That said, corporate and enterprise customers in Europe should do more due diligence on the issue so they can recognise the deception for what it is. But it is not just corporations who are now being offloaded to the cloud – mobile device users (consumer level) are also having their data placed in the cloud often without any knowledge or understanding of what is happening. Apple and Android devices both use cloud by default last I checked and users have to manually turn it off and are actually discouraged from doing so by limiting functionality and the user experience – the Apple news is almost exclusively relevant to the consumer market.

      It is also important to note that the EU cloud industry does not have the exposure of companies like Amazon and Microsoft and until they significantly increase their marketing budget to generate that exposure, many consumers and corporations simply won’t know they exist. That doesn’t excuse the tactics of the US cloud providers but it is an important additional problem which needs to be addressed.

      Furthermore, in my experience, many of the providers within the EU are often simply reselling services from other US companies with US data centers – finding real EU cloud providers is no simple task and I have been arguing that the EU Commission should be investing in EU based technology services for many years now in an attempt to combat this. We need to build infrastructure in order to compete with the US and allow our digital economy to benefit – simply reselling US services does not address the issue at hand and the few EU based providers that can compete on a technology level with the likes of Amazon are often significantly more expensive. Tax incentives would go a long way to manage this issue and would help develop infrastructure and thus allow prices to be lowered and I would very much like to see this approach – it is time we started to incentivise EU companies to use EU infrastructure if we truly want to create real competition in this industry.

    • Alexander Hanff on said:

      It is difficult to find actual figures I will grant you that but there are countless articles which discuss the situation and an increasing library of research from the likes of Forrester, the Cloud Computing Forum etc.

      Here is an article which you might find useful:

      Much of my experience is through talking to providers as opposed to specific reports and figures.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Alexander Hanff, News_cloud, News_politics, News_privacy, News_surveillance | Tags: , , , , , , , , , ,