American law enforcement and intelligence organizations can access the personal data of European individuals and groups through the cloud. This is the confusing case that Zach Whittaker makes on ZDnet’s “Between the Lines” blog.
Speaking at a conference in Brussels, Caspar Bowden, Microsoft’s former head of privacy, warned the attendees that not only does U.S. law allow law enforcement to do so, but that a spate of recent European data protection legislation also allows it.
Use cloud services run by an American company—and that is most of them, he said—and you run the real risk of being spied upon.
The Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008 (FISAAA) grants the attorney general and the head of the National Security Agency the ability to conduct blanket surveillance of any non-U.S. citizen resident outside the U.S. using American data providers, without the need for a specific warrant, for a year at a time.
Furthermore, the new European Union Data Protection Regulation contains loopholes that will allow FISAAA to be used against European cloud users.
The “binding corporate rules for data processors,” according to Nicolaj Nielsen of the EU Observer, “require cloud providers to hire a private-sector audit company to certify the generic cloud system for security. But private audit companies, says Bowden, are unable to discover secret wire-tappings ordered by the national security law of another country.”
Investigations using FISAAA are obliged, theoretically, to accord with the Fourth Amendment, guarding against unreasonable searches and seizures.
However, in a post-Patriot Act America, the definition of “unreasonable” has grown more elastic than it once was. Also, non-U.S. citizens abroad are not protected by the U.S. Constitution, according to a Justice subcommittee.
Regardless, it is not that the U.S. assuredly will comb through European data. It is not even that it can. The problem is that such intrusion is expressly, legally allowed, and therefore far more likely to take place with greater impunity.
Whittaker argues that, were the law to be argued at the International Court of Justice in The Hague, it would likely be found to be a breach of international law. Directly absconding with user data would, he believes, be a subversion of “mutual legal assistance,” a process by which a government must ask for such data through the user’s government in pursuit of an active, open legal investigation.
Governments, in other words, are obliged, according to international law, to utilize pre-existing avenues for data requests and not to do end-runs around them, regardless of the rationale.
FISAAA allows U.S. law enforcement and intelligence to do warrantless surveillance and data capture against any person or agent outside the U.S. who it considers to have information necessary to maintaining security within the country. Although foreign nationals are the primary target, U.S. companies dealing with individuals outside the country may also get swept up in a net the size of FISAAA.
Photo via Mattias/Flickr