In efforts to appease international customers amid a spate of intelligence leaks that implicated Microsoft in the PRISM scandal, the software giant is offering to store foreign data outside the U.S.
But international law specialists, privacy experts, and academics alike have suggested that in the wake of such broad U.S. government surveillance, allowing customers to make a move like this could put foreign customer data, stored in the European Union and further afield in Asia and Australia, more at risk from U.S. surveillance.
As first reported by the Financial Times (via CNBC), Microsoft general counsel Brad Smith said the move was “necessary” following the leaks that showed the U.S. National Security Agency (NSA) had been monitoring data of foreign citizens across the EU and beyond.
“People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country, and should have the ability to make an informed choice of where their data resides,” Smith told the London financial newspaper.
“The events of the last year undermine some of that trust; that is one of the reasons new steps are needed to address it,” he added, referring to the Snowden leaks.
Microsoft spokesperson Kathy Roeder confirmed that the quotes were accurate, but was not able to explain whether this would affect consumers or business users.
The issues surrounding outsourcing and data sovereignty have, thanks to the Snowden disclosures, become a top corporate concern. Yet attempts by technology companies and telecoms giants to reassure customers in the wake of the leaks appear to be more concerned with mitigating the damage from the NSA fallout than with protecting their customers’ data.
All roads lead back to America
In discussions between ZDNet and academics, privacy experts, legal specialists, and lawyers, the consensus is clear: Foreign-stored data can be just as vulnerable to U.S. government surveillance, and in some cases more so than if it were stored in the United States.
“Whatever data an American company collects, it can be vulnerable to be obtained by the U.S. government,” said Nicole Ozer, Technology and Civil Liberties policy director at the American Civil Liberties Union (ACLU) of Northern California.
“Right now, the government is taking advantage of outdated privacy laws and loopholes to obtain very sensitive information with very little oversight.” — Nicole Ozer, ACLU (N. CA)
Speaking to ZDNet in a telephone interview on Sunday, Douwe Korff, professor of international law at London Metropolitan University, said that if the U.S. government were to use these laws to conduct eavesdropping and surveillance overseas, it would be in breach of international law.
“If a state takes action that affects the human rights of those in another state, that first state is acting extraterritorially,” he said. “And without the consent of the targeted state, that is in violation of public international law.”
In terms of Microsoft’s structure, with subsidiary offices around the globe, Korff explained that the relationship between parent companies and their international subsidiaries holds the key to the U.S. government’s ability to access foreign data outside of the international legal channels.
“If a U.S. company stores customer data in a datacenter — wherever it is — and can retrieve it from that datacenter and move it to somewhere else of its choosing, which could be in the U.S., I would certainly see that as showing that it had control and quite possibly custody and possession of the data,” he said.
This, he added, would be enough for the U.S. government to force the U.S. parent company with adequate powers to instruct its European subsidiary to comply with data-requesting court orders.
Korff’s comments resonate with the news first published by ZDNet before the Edward Snowden leaks confirmed the foreign spying machinery of the U.S. government, and work by Dutch academics published exclusively by sister-site CBS News in December 2012.
On Tuesday, ZDNet reported comments made by Verizon’s chief counsel Randal Milch in late January, following the release of its first transparency report, which claimed that the U.S. government “cannot compel us to produce our customers’ data stored in datacenters outside the U.S., and, if it attempts to do so, we would challenge that attempt in court.”
Those claims were refuted by leading experts on Tuesday, who said that Milch’s comments were “misleading,” and that international treaties designed to govern transnational data transfers for law enforcement purposes are being bypassed.
Verizon spokesperson Ed McFadden declined to comment on the report.
Bypassing the international legal channels
Under Microsoft’s plan to “shield foreign users’ data,” the data would become available for the government of the country that it is located in. For Europeans, that would most likely be where the company’s Dublin datacenter is located, falling under Irish law.
In this case, European data protection and privacy law would apply. However, based on the Snowden leaks, many of the NSA programs have been found to have fallen afoul of apparently strong European laws.
European Justice Commissioner Viviane Reding warned U.S. Attorney General Eric Holder in a strongly worded letter, not long after details of the PRISM program broke, of “grave adverse consequences” in U.S.-EU relations. In doing so, she argued that European law had not been as effective as it should have been, partly down to the U.S. government not having “respect for fundamental rights and the rule of law.”
These so-called mutual legal assistance treaties, which are designed to help law enforcement and intelligence agencies in one country seek data from an allied nation elsewhere for investigative purposes, are often old, outdated, and decadent. Not least of these is the well-known post-World War II treaty, the UKUSA Agreement, which was eventually expanded to Canada, Australia, and New Zealand.
Smith himself said in the Financial Times article that these treaties should be “modernized or replaced.”
While Reding has echoed similar statements that U.S. authorities “have to use existing channels of cooperation and mutual legal assistance agreements” as the only avenues for data requests, Korff told ZDNet that based on the Snowden leaks, he is “absolutely certain” that the U.S. government is bypassing these treaties with its own intelligence gathering laws.
This was the foundation principle of the work conducted by Dutch researchers at the University of Amsterdam’s Institute for Information Law more than six months before the first batch of Snowden documents was leaked.
Arnbak said in an academic paper in November 2012, following similar work published on ZDNet, that: “If a company is a subsidiary or branch of a U.S.-based company, or if it has one in the United States, it may be assumed that such jurisdiction exists, but jurisdiction may also exist in other, more complex, cases.”
Much can be said about countries and regions outside the European Union, including Asia and Australia, and other places where Microsoft has subsidiary offices and data centers.