Researchers: PATRIOT Act Can 'Obtain' Data In Europe

An anonymous reader writes "U.S. law enforcement and intelligence services can use the PATRIOT Act/FISA to 'obtain' EU-stored data for snooping, mining and analysis, despite strong EU data and privacy laws, according to a recent research paper. One of the paper's authors, Axel Arnbak, said, 'Most cloud providers, and certainly the market leaders, fall within the U.S. jurisdiction either because they are U.S. companies or conduct systematic business in the U.S. In particular, the Foreign Intelligence Surveillance Amendments (FISA) Act makes it easy for U.S. authorities to circumvent local government institutions and mandate direct and easy access to cloud data belonging to non-Americans living outside the U.S., with little or no transparency obligations for such practices -- not even the number of actual requests.' Arnback added, 'These laws, including the Patriot Act, apply as soon as a cloud service conducts systematic business in the United States. It's a widely held misconception that data actually has to be stored on servers physically located in the U.S.'"

Same applies elsewhere?

[Intrepid+imaginaut]

I guess the same thing applies elsewhere too, like China or Saudi Arabia. If a company wants to conduct business in a country it has to comply with the laws of the country. The main difference is the US is such a huge market that most companies would rather hand over the data than be shut out of it. In a situation where the laws of two different large markets are in direct conflict, it probably becomes a question of "can we get away with it".

Re:Same applies elsewhere?

[Chatterton]

Could they encrypt they data? And only a subsidiary who only work for the provider have the keys? That way, they can ask the datas, but not the keys because the company holding the keys doesn't work in the states...

Re:Same applies elsewhere?

So, uh, what about complying with EU laws by not handing over the data to America?

Re:Same applies elsewhere?

I guess the same thing applies elsewhere too, like China or Saudi Arabia. If a company wants to conduct business in a country it has to comply with the laws of the country. The main difference is the US is such a huge market that most companies would rather hand over the data than be shut out of it. In a situation where the laws of two different large markets are in direct conflict, it probably becomes a question of "can we get away with it".

Well, considering that EU is a larger market than the US I would say that we already are at your last point.
US tells companies to hand over the data and the EU tells them not to. It's much easier to verify that the data has been handed over than it is to verify that it hasn't. The way out is to hand over the data silently and hope that EU doesn't find out.

Re: Same applies elsewhere?

[Chatterton]

Then the US will ask your extradition to be judged for helping a terrorist organisation by not providing them the requested datas.... Whatever you do, you are fucked :-/

Re:Same applies elsewhere?

[RobertLTux]

and then be accused of having ties to Terrorists/ Child Slavery/Whatever and then everything held by the company remotely "US based" gets seized.

Re:Same applies elsewhere?

[Zemran]

China is a bigger market and American companies are just as prepared to do business there regardless of the implications. The more we extend our laws the less argument we have when someone is arrested on a business trip to China* and put in some hell hole for something that they did not realise was illegal.

*For China, also read Saudi, Russia etc.

Re:Same applies elsewhere?

So, the FBI could storm into Google's offices in London, and seize the records of millions of Britons, and it'd ostensibly be completely legal because they do business in the US.

So are you suggesting that China could storm into Google's offices in San Francisco and seize the records of millions of Americans?

Re:Same applies elsewhere?

Could they encrypt they data? And only a subsidiary who only work for the provider have the keys? That way, they can ask the datas, but not the keys because the company holding the keys doesn't work in the states...

Subsidiaries work fine against civil claims, but they are not effective against this sort of criminal law. The US can apply great pressure on the people who run the US holding company to get the data for them. The board of the subsidiary will normally be made up of people from the holding company. Even if it isn't, because the board of the holding company control the shares of the subsidiary, they can replace the subsidiary's directors.

You could put your faith in the local subsidiary staff to resist any requests from head office that are illegal under local law. However this has several flaws. Head office may give a better reason for the request other than "we are getting pressured under the Patriot act" so the true use of the data in the US may not be known. The subsidiary is likely to rely on software and services from head office, so that is another avenue for access. Lastly, consider how effective social engineering attacks by outsiders are - imagine how effective a social engineering attack could be from somebody who really is far more senior than anyone in the subsidiary.

This isn't a detailed legal analysis, of course, but I would have no more expect that a US company could put data beyond the reach of the Patriot Act by putting it into a subsidiary than I would expect that they could simply transfer the proceeds of crime into a subsidiary and put it beyond the reach of forfeiture.

Re:Same applies elsewhere?

[NatasRevol]

Yes.

No*

*Not until they pass a similar PATRIOT Act.

But then, that's why we haven't done it to China companies. Because the blowback would get messy. EU companies are already our bitch.

Re:Same applies elsewhere?

[hawguy]

Could they encrypt they data? And only a subsidiary who only work for the provider have the keys? That way, they can ask the datas, but not the keys because the company holding the keys doesn't work in the states...

Rather than handing the keys over to the hosting company, the company should hold their own encryption keys - then no one can access their data without permission, not even the hosting company. (well at least not data at rest - the hosting company can still intercept web traffic, scrape server memory, etc).

Re:Same applies elsewhere?

[rapiddescent]

A large UK based multi-national org that I've worked for has the exact problem of hosting all its data centres in the USA. The big problem is that there are USA laws that apply that there is no equivalent in the UK/EU and there are contradictory laws where a lawyer would just choose the best jurisdiction. With-holding keys would be an offence under UK law (RIPA) but not under USA law.

e.g. in the UK, Freedom of Information only applies to government entities.

So, If a UK consumer (who knew the data was hosted in the USA) wished to find out information that extends further than a DSIR they could get a US Attorney to do a FOI request at the US host and get information that normally they could not get at an EU host.

Re: Same applies elsewhere?

[Alain+Williams]

But at least the extradiction request would have to be made in the open -- so it could not be done in secret as can be done under the patriot act. If enough fuss is made then local (non USA) politicians might get enough complains to do something about it.

So what we learn from this is....

[stiggle]

Host your own data. Do not trust the cloud.

Re:So what we learn from this is....

[OzPeter]

Host your own data. Do not trust the cloud.

Hosting your own data isn't hard to do. What I see as more of an issue is how do you build and host your own Internet? (and ensure that only people you "trust" get access to it).

Re:So what we learn from this is....

[captainpanic]

In the Netherlands, we want to host our own data. Some want to build a national database for medical data. However, an American company is developing the software - so that might be enough for the Americans to demand access to whatever is put on that database.

So, essentially, when any US based company deals with another third party, all the data of this third party does is now declared property of the US.

This was front page news just a week ago. Not a really good advertisement for US based software developers. For the record, the project manager (who is Dutch) denies that the Americans would get access. And I guess that under the Patriot Act it is also illegal to claim that the US is snooping around. So, for the record, I deny writing this post, since this is hosted on an American server - or at least maintained by people who create American-centric polls.

Source in Dutch: http://www.metronieuws.nl/nieuws/beheerder-patientendossier-vreest-patriot-act-niet/IWIlkD!AQnwumcZSKxKeH8VP9BZwQ/

Re:So what we learn from this is....

The cloud does offer lots of advantages. I am concerned with the trend of moving data away from the physical devices we own, however. It sometimes seems more of a limitation than advantage since access to a "cloud" typically requires permission of a third party.

Re:So what we learn from this is....

[OzPeter]

The cloud does offer lots of advantages.

I can't remember where I saw it, but someone suggested that wherever you see the phrase "the cloud", replace it with "someone else's computer" and see how that changes the context.

Re:So what we learn from this is....

[edrawr]

With the proliferation of MPLS networks, this would not be all that hard to do on an organizational level. Host your servers in [Generic Non-Extradition Country] and link all of your sites/users via MPLS or VPN to your MPLS network, as well as any other "trusted" entities.

Re:So what we learn from this is....

[Darinbob]

Agreed. I am surprised because I though Europeans were smart enough to avoid the cloud.

Re:So what we learn from this is....

... replace it with "someone else's computer" and see how that changes the context.

... replace it with "the FBI's computer" and see how that changes the context.

FTFY; because most clouds are are US based/owned/operated.

What was that about nefarious UN?

This is the government CURRENTLY in charge of the freedom of the internet.

Apparently that means "your data is free to US"...

Re:What was that about nefarious UN?

It clearly says "All your data are belong to US".

Not all of Europe

How about Kalingrad, Russia?

Re:Not all of Europe

[Zemran]

... or even Moscow, which is also in Europe.

Re:Not all of Europe

[Teun]

I'm sure when an article mentions European (privacy) law the implication is we're talking about European Union law.

two edged blade

I wonder how long till China will put in place the same "international laws" to happily spy upon the oh-so-high-and-might America ?

Re:two edged blade

[craigminah]

That's why we don't store our data in a cloud hosted in China...

Re:two edged blade

[dk90406]

According to TFA, it does not matter where the data is stored. It matters if you do business with the country issuing the law...
Of course, almost no US companies does business with China, so no worries there.

Re:two edged blade

[gstoddart]

It matters if you do business with the country issuing the law...
Of course, almost no US companies does business with China, so no worries there.

So, when China or someone else passes a similar law, the US will accept that their companies have to hand over the data to the local government because that's how it works?

Or will they basically say their laws and interests trumps everybody else's, and too bad? Because I can't see other sovereign nations accepting that.

Re:two edged blade

[dk90406]

No, the US would not accept that at all. Neither does Europe.

US companies may however be more willing to secretly break EU law by handing data to US, than breaking US law by handing data to China...
All this is theoretical, based on a research paper. If proof surfaces that Amazon, Google et al. passes European Data to the US Governemnt against EU privacy regulations, it would be headline stuff for a long time, weeks and have huge international diplomatic and business repercussions.

Re:two edged blade

Europe already has accepted it, for years now.

Re:two edged blade

[rioki]

Actually no... I read an interesting advisory about the issue. That is why we see cloud providers boast about EU or German only clouds and it works. (As advertised on this very site.) For some companies and professions it would be legal suicide if it ever came out that they needed to comply with the patriot act on data from and about Europeans.

Just another reason....

To NOT put your private/important data in the mighty cloud.

Bullshit

[Rakshasa-sensei]

The EU Data Protection Directive is very specific on this issue; the hosting/cloud company can only locate the data in the US, or even transmit it there, if there is an explicit guarantee that the data has the same level of protection.

Basically yes, the US could use the Patriot Act to obtain protected EU data from US-based companies. And yes, the company would then have broken the EU directive and would face the courts.

Re:Bullshit

[Thiez]

> And yes, the company would then have broken the EU directive and would face the courts.

How would the EU courts find out?

Re:Bullshit

[Rogerborg]

Indeed, don't these demands tends to come with "and if you tell anyone we've asked, you win a free one way trip to Guantanamo Bay" condition attached?

Re:Bullshit

The problem is, how would we know? The FISA espcecially doesn't require any book keeping or informing the clients that data has been looked into.

The real problem here is Megaupload. Where the US declared that a company falls within it juristiction even if no data is kept there, as long as there are 'ties' to the US. It's very vague and in principle _everything_ could be tied to the US. (Your .com hostname is on a US DNS server for example)

This means, even if your cloud company does not keep data on server in the US, but only in the EU, the US government could _still_ legally compell the cloud service to provide the data of the EU servers under law.

There's the real problem. And nobody has to inform the EU or the companies who own the data.

Re:Bullshit

[arendjr]

It's not bullshit at all. But yes, the Data Protection Directive makes it very hard for companies to comply with both PATRIOT and the DPD. In other words, many US companies are excluded by default from providing cloud services to many European agencies.

Re:Bullshit

[Meneth]

> And yes, the company would then have broken the EU directive and would face the courts.

How would the EU courts find out?

They wouldn't.

Re:Bullshit

[delt0r]

Then how can the US use the information?

Re:Bullshit

The only conclusion is that Europeans should not use American based cloud services, otherwise they are breaking the law.

Re:Bullshit

[gstoddart]

But yes, the Data Protection Directive makes it very hard for companies to comply with both PATRIOT and the DPD.

No, it makes it impossible. the PATRIOT act says "no matter what local laws say, you are obligated to do this" ... the data protection in other countries says "you are absolutely required to not do that".

Basically, the Americans are saying their laws trumps everybody else, and the cost of doing "systematic business in the United States" is that their laws trump everybody else.

Sadly, the US has decided that, the laws of other countries be damned, if you do enough business here you have to do what we say.

Yet another example of how the US is declining into a xenophobic country, who has no intention of playing nicely with everybody else -- and American businesses might suddenly find themselves as unwelcome entities around the world as you pointed out. (Which of course they would probably go to the WTO or say "Waahh, you won't let us play in your sandbox" to try to force those countries to allow American companies to do business despite the fact that they essentially can't be trusted.)

Essentially the only choice is to treat American owned companies as if they're agents of a hostile, totalitarian state -- because if any other country passed a law that said "if you do systematic business here, you must hand over your data to our government", the US would be up in arms talking about the freedoms they're not prepared to extend to other countries.

I know here in Canada, US owned companies are precluded from some government contracts for this very reason, and pretty much all cloud providers which could host data there are not legally allowed because they open the risk of sensitive data being handed to the Americans without anybody knowing.

I think this will pretty much be the point at which a lot of these US companies who could be in this position will suddenly start finding a lot of doors closed in their face with a "Oh, sorry, since we can't trust you or your government, you can't come in".

Re:Bullshit

[Alarash]

That'll be in a Terms of Service or EULA. Larger companies will have lawyers review those, not the average developer or citizen.

Amazon and Microsoft must love how that part of the Patriot Act fucks their business up. Many European companies, and 100% of the governments, won't subscribe to their service just because US can seize the content. Thanks for boosting our local economies by making it worthwhile for European companies (Thales, Dassault, Bull, Orange) to build their own cloud with no competition from the US.

Re:Bullshit

[mrbester]

Because it is the law to disclose when that data leaves the EU. So you either break EU law twice or EU and US law once each. Nice choice. One way can get your company fined into oblivion, the other goes after personnel and (allegedly) imprisons them. Guess which will be chosen.

Re:Bullshit

[drinkypoo]

Yet another example of how the US is declining into a xenophobic country, who has no intention of playing nicely with everybody else

Declining into? You haven't read about the history of United Fruit Company, have you? I recommend Bananas (the book, not the fruit, though the fruit is delicious.)

Re:Bullshit

[Rakshasa-sensei]

Cause the top guy in the EU subsidiary, and every single person in the chain down to the guy who gave access to the US, would not mind spending time in jail? Either the top guy knows, or someone else is getting screwed, so someone is going to cover their ass and tell.

And they're all, more than likely, living in the Europe so the prospect of being wanted in the US versus being in jail in the EU should be an easy choice.

Re:Bullshit

[moronoxyd]

In other words, many US companies are excluded by default from providing cloud services to many European agencies.

The DPD should apply not only to European agencies but also citizen of a EU country.
So companioes like Dropbox should in theory not provide any service in the EU at all.

I personally am using German hosting providers that state that they only use server located in Germany/Europe.

Re:Bullshit

Or this could be interpreted as the cost upon a company of fulfilling a PATRIOT act request upon data that is controlled under the EU Data Directive is the cost of extraction + getting fined by the EU and potentially disallowed from trading with EU countries. If a response to a request by the USA government is, "You do realise that if we do this we may have to stop trading in Europe?" It is then up to the USA to decide if screwing over one of their own companies is worth the data they may potentially gain.

Re:Bullshit

As one of 'the Americans', I'd like to apologize for the theft of Canadian data. I can say with confidence that most of us don't want your data. It is unfortunate that a small but powerful segment of our population have done this in the name of us all.

Re:Bullshit

[Teun]

This is the problem.

We use Concur, a US based company, to do our expenses and even travel arrangements.
We also do business in and with for example Cuba and until last year in Iran, something the US has laws against.
I can see one of our employees having visited Cuba and done his expense claim via Concur being stopped at some US airport.

With this in mind and the document to support it I'll use my authority as a works council member to advise the company seek legal advise and possibly to re-evaluate our contracts with US data hosters.

Re:Bullshit

[Thaelon]

Essentially the only choice is to treat American owned companies as if they're agents of a hostile, totalitarian state

As if?

Re:Bullshit

National Security Letter.

Re:Bullshit

[kenorland]

Basically, the Americans are saying their laws trumps everybody else, and the cost of doing "systematic business in the United States" is that their laws trump everybody else. Sadly, the US has decided that, the laws of other countries be damned, if you do enough business here you have to do what we say.

Yes, if you do business in the US (any business) you need to comply with US law. It works the same for Europe and other places. The only difference is that the US market is so important that companies can't ignore it, but that's not America's fault, and the US is under no obligation to weaken its laws just because Europeans can't get their act together on competitiveness.

Re:Bullshit

[dank+zappingly]

I see a lot of criticism with regard to the Patriot Act, but a lot of it is due to misinformation and it isn't going to have a practical effect in most cases. The United States has mutual legal assistance treaties with other countries so unless you're storing your data in Venezuela, they'll probably be able to get it if terrorism is suspected. Canada has the Canadian Anti-Terrorism Act, which is very similar to the Patriot Act, except that no one ever talks about it. In the event that there is a bona fide suspicion of terrorism I don't think the U.S. would have trouble getting access to data in Canada, whether or not the Patriot Act existed.

Re:Bullshit

[NatasRevol]

Wow, that's seriously missing the discussion.

Do US laws apply to EU companies, IN the EU, just because they have a US branch?

No, they don't. Even if the US thinks they do.

Just in case you're unclear, try switching the US and the EU, see how that feels.

Re:Bullshit

[fredprado]

Sorry, but no other country tries to extend their laws outside their borders as US does. US seems to think that their laws trump any local laws of any other country whenever they see fit. That is a delusion of grandeur that may still prove to be its downfall.

Re:Bullshit

Pretty sure Canada isn't saying they can access any data in the US, just because a company has a Canadian branch.

Re:Bullshit

[Local+ID10T]

Exactly so. There are treaties which specifically require sharing of intelligence data with the USA (and other countries). These treaties are generally held to trump laws prohibiting the sharing of such data.

e.g.
-USA makes request of company x for data.

-Company x responds that it is not allowed to provide the data, per law y in country z.

-USA requests that country z provide exception to law y for company x regarding the requested data, per treaty.

-Country z tells company x to provide the data.

-Company x provides the data, and is prohibited from admitting publicly that it did so. National security requirements in the USA (and in the countries which signed these treaties with the USA) make doing otherwise an act of treason.

Re:Bullshit

[Alain+Williams]

I wonder if you could claim polical assylum in your own country to stop yourself being extradicted to the USA ?

Re:Bullshit

[kenorland]

Do US laws apply to EU companies, IN the EU, just because they have a US branch?

Yes, they do, because if they have a US branch, the US can enforce judgments against those companies. That's how laws and jurisdictions work. It works the other way around too.

Just in case you're unclear, try switching the US and the EU, see how that feels.

You mean, the kind of self-serving arrogance with which Europeans have been imposing their cultures, languages, laws, and businesses on the rest world since the 15th century? I don't need to imagine, it's in the history books.

Re:Bullshit

The only difference is that the US market is so important that companies can't ignore it

Well, that, and the fact that while every other country impose their laws on thing happening inside their borders*, the US imposes theirs on things happening outside theirs. And I certainly intent to blame America for that. Or, to use a car analogy, how would you like it if the government of Saudi Arabia could stop your car from working, in case a woman drove it, because that was the price for allowing the car company to also sell cars there?

*Except for laws against molesting children.

Re:Bullshit

[Cederic]

There's a massive difference between the US asking Canada to acquire and share data relating to a crime in Canada, and the US forcing companies to break Canadian law to gain access to data relating to activities that may be perfectly legal in Canada.

One of those approaches respects the sovereignty of other nations and is ethically sound.

The other appears to be the preferred approach of the US.

Re:Bullshit

[gstoddart]

Yes, if you do business in the US (any business) you need to comply with US law. It works the same for Europe and other places.

Yes, and the key thing to remember here is that if the US forces a company to cough up European data, against European laws, then anybody complying with that demand is violating European law.

TFA is basically pointing out that the US could well be forcing companies to comply with the Patriot Act, thereby making them violating the laws of where they're doing business.

So the rational conclusion of anybody who is dealing with an American company is to say "I can only assume you could be bullied into giving up our information, so we won't do business with you".

Yes, you have to adhere to US laws when doing business in the US -- but a US law can't trump a European one when it pertains to a business who is operating there.

The US is free to apply whatever laws they want within their own country. But is is not possible for, say, Microsoft operating cloud services in Europe to guarantee they can be in compliance with both, because it's not possible to be compliant with both.

Months after the research was published, Microsoft U.K. managing director Gordon Frazer was the first to publicly admit that the software giant could not guarantee that European citizen data stored in EU-based data centers would not leave the European Union under any circumstances, including under a Patriot Act request.

"Neither can any other company," Frazer noted.

So you can expect an awful of of European companies to start giving Microsoft UK and other American firms the cold shoulder -- because no matter what you think, the US can't apply their laws to entities in Europe and have them supercede local laws.

The presence of this interpretation if this law makes all US companies into entities you can't trust, because they could be forced to hand over data against the law, and legally compelled to not admit to it. At which point, any of these services are something you simply can't trust with your data.

Re:Bullshit

[Darinbob]

That's not unique to the US though, many European countries had been doing similar things in other parts of the world at the same time but for a much longer period of time. Doesn't excuse any of it of course. Morals are things that happen when there's no money at stake.

Re:Bullshit

[NatasRevol]

1. Enforcing judgements is not the same as knocking on some business' door in Brussels and saying give us your data, or else.

2. Yes, exactly like that. It was bad then, it's just as bad now.

Re:Bullshit

[kenorland]

Or, to use a car analogy, how would you like it if the government of Saudi Arabia could stop your car from working, in case a woman drove it, because that was the price for allowing the car company to also sell cars there?

If the Saudis want to impose this condition on Ford, Ford has a clear choice: sell cars in Saudi Arabia and comply with their laws, or sell cars in the US and comply with US laws. It can't to both. Where's the problem?

And I certainly intent to blame America for that.

You can join everybody from Hitler to Putin in blaming America for everything; Americans don't give a damn.

Re:Bullshit

[kenorland]

1. Enforcing judgements is not the same as knocking on some business' door in Brussels and saying give us your data, or else.

Actually, the set of laws you can meaningfully pass is the same as the set of laws you can meaningfully enforce.

2. Yes, exactly like that. It was bad then, it's just as bad now.

Nonsense. Europeans forced other nations to comply with their self-serving laws at the barrel of a gun. The US is engaged in law enforcement and anti-terrorism activity, and any company that doesn't want to comply simply has to close its US subsidiary.

Re:Bullshit

[kenorland]

Sorry, but no other country tries to extend their laws outside their borders as US does. US seems to think that their laws trump any local laws of any other country whenever they see fit.

US law applies exactly when the US is in a position to enforce it, just like German law, French law, Russian law, and North Korean law.

That is a delusion of grandeur that may still prove to be its downfall.

It's not a "delusion" if you can make it stick.

Re:Bullshit

[NatasRevol]

Wow, that's a lot of delusion for three sentences.

Re:Bullshit

[AHuxley]

Re use the information?
Could be as simple as a commercial deal lost. Your EU firm is blacklisted for illegal gov support after some tax records are recovered/shared.
A request is made to move more work/data to the USA under a 'free trade' deal - yes or no? If "no" your even more suspect.
Your trade with countries around the world is sorted into areas of interest to the US gov.
Depends on your links to 2nd and third parties. Cuba? Middle East? Africa? Asia? South America? Stepping on an area the US sees as it 'zone' gets you deeper.
The 'net' is cast wide and if anyone of interest shows up ...
Your next work related trip to the US results in ever smaller interview rooms at the airport over many hours with your laptop been cloned.
No embassy staff, no legal team -moving form uniformed staff who just want to clear things up so you can be on your way ... to suits without badges and very personal questions :)
If you dont enter the USA, a unique, time limited deal could be introduced to get your boss very interested in sending "you". The locals are asked to interview you on some deep legal issue as a few law enforcement 'guests' sit in with a list of their own questions :)
Failing that and the data found points to something darker, a free flight to the USA can be arranged for you when you go on holiday to a third country.

Re:Bullshit

It's you who is delusional because you deny simple historical and legal facts.

Re:Bullshit

[drinkypoo]

That's not unique to the US though

I certainly don't believe it is, we're simply the most successful current example. History is replete with examples of misconduct by and/or in support of the nation's (geographical) other nation company. The point was not to single out the USA as being the paragon of evil, but to forestall any pro-US cheerleading on this account.

Re:Bullshit

[NatasRevol]

Because US laws don't apply to EU based companies, whose operations being raided are in the EU, but have a US branch which somehow makes it ok?

Sure, that's not crazy at ALL.

Re:Bullshit

[kenorland]

If Deutsche Telekom bought Yahoo, Yahoo would be a US branch of Deutsche Telekom. You're suggesting that Yahoo then wouldn't have to comply with US laws anymore. That's crazy.

A "US branch" is a US corporation, like any other US corporation. The fact that some foreign entity owns the shares makes no difference. If US law enforcement makes a lawful request for information, they have to comply or face the consequences. And that works no differently anywhere else.

Re:Bullshit

[NatasRevol]

No, I'm saying Yahoo branch offices in Germany are not subject to US law.
Or that a DT branch in Flagstaff is not subject to German law.

Are you not even trying to pay attention to the larger discussion?

Why are my tax dollars beings ....

[3seas]

.... spent on MAD magazine SPY vs. SPY real life acting outs..... Don't they realize its a comic and all abstract?

Cloud storage is public, deal with it

[medoc]

If you store anything in "the cloud" without strong encryption then you're a moron anyway so who cares ?

Re:Cloud storage is public, deal with it

[3seas]

your snail mail box is accessible by the public and so is your P.O.Box is on public property...

Something to think about.... Having your head in the cloud is no excuse... it only shows you need radar to see past the cloud.

Re:Cloud storage is public, deal with it

[colinrichardday]

your snail mail box is accessible by the public and so is your P.O.Box is on public property..

Yrs, but it's inefficient for the government to get information by raiding PO boxes.

Re:Cloud storage is public, deal with it

[AHuxley]

If you are Australian and use an Australian cloud- you fall under Australian law and whatever the NSA can find.
If you are Australian and use a cloud with links to the USA - you fall under Australian law and whatever any US state or federal agency in the USA feels like looking for.
Your "strong encryption" lasts the links but in the cloud at some point its like plain text again.
Welcome to CALEA and many other laws, letters :)

The only real solution

[Aethedor]

Don't do business with an American company or a company that has an office in the US if you plan to use its service to store sensitive information. This may sound a bit blunt, but for me it's the only proper answer to the patriot act.

In Other News..

[SuperCharlie]

The US can do whatever they feel like doing because Fuck You. rabble rabble terrorism..rabblerabble child porn rabblerabble security.

Get used to it... its gonna be a long and twisted road before this crap is over.

Re:In Other News..

[jasper160]

In the past 11 years Bush 2 and Bush 3 have decimated civil rights. With the current track record of congress and the commie in chief we should soon expect no privacy.

Re:In Other News..

Really where have you been living? I've expect no privacy already.

Re:In Other News..

[retaj]

Somehow Congress passed a law which the president signed declaring that the US Secretary of Transportation can shield U.S. airlines from paying a carbon tax. I suppose we will provide a military escort when they refuse landing?

Re:In Other News..

[KozmoStevnNaut]

Commie in chief? Really?

Really?

Come back when you can tell the difference between actual communism and "I disagree with some of his viewpoints".

Re:In Other News..

I see how much your man, Obama, has done to retract the Patriot Act? If you could vote for him again, you would, wouldn't you? So we go broke, and allow the totalitarian society to commence in full.

Briiliiant.

Re:In Other News..

[Thaelon]

You are correct, but make no mistake, the reason the US will do whatever they feel like is because they have the world's most formidable military by a large margin. Which basically makes it the world's largest terrorist organization. What else do you call it when you have the biggest stick on the planet and the mere threat of it is enough to make other countries do as you please? It is textbook terrorism.

And you know that it is a totalitarian regime when millions of its citizens are out of work, homeless, starving, lacking medical care, etc, yet reducing the budget doublethink-named "Department of Defense" (complete with eight, going on 11 Nimitz class "floating fortresses") is never even considered. Hell, they would rather cut social reinvestment programs like fucking healthcare first!

The whole "but they cannot be a totalitarian regime because the government is controlled by two competing political parties" simply doesn't hold either. Both parties are largely funded by the same plutocracy. They cooperate on everything that benefits the plutocracy (tax cuts for the rich, bank bailout etc, taking on more national debt), and stall on everything that benefits the proletariat (healthcare reform, socialized medicine etc). Hell, the presidential debates have been jointly run by the two supposedly opposed parties for decades - which explains why you did not see the Green Party or Libertarian parties even represented at the 2012 Presidential debates, in fact, Jill Stein, the Green Party candidate was arrested and detained without due process by the Department of Homeland Security and the Secret Service for the political crime of trying to attend the debates for the political office she legally running for!

Do I even need to mention the NSA's Total Information program? The open mockery of the 4th Amendment that is the Transportation Security Administration? Or the Department of Homeland Security whose very existence ought to be redundant given that we already have an oversized military, a national guard, and a police force?

This country is so fucked, and the collapse is coming. It simply is not sustainable as is.

Re:In Other News..

[kenorland]

The US can do whatever they feel like doing because Fuck You

Well, Europe dropped the ball in the 20th century, so it got stuck taking care of all these problems. If Europe doesn't like the way the US handles it, all it has to do is get its shit together.

Get used to it... its gonna be a long and twisted road before this crap is over.

Well, it sure beats the "crap" that was going on before. And the way things are going, this will be "over" when the US decides its over, given that Europe and Asia are far more aggressive in restricting the liberty and privacy of their citizens.

Re:In Other News..

[grenadeh]

Don't participate in arguments you're unqualified for. Communist? No. All his viewpoints? Wrong. They aren't even his viewpoints, Romney and Obama and even Clinton and Bush were and are all pawns controlled by globalists. Yea, not actual communism, no one understand what the actual concept of communism is of course. That doesn't excuse that he has done more damage than 16 years of Bush/Clinton combined (not that Clinton did too much, he actually had a budget surplus).

Re:In Other News..

This country is so fucked, and the collapse is coming. It simply is not sustainable as is.

The Soviet Union took 70 years to crumble, and it was way way worse than modern day US.
So be prepared to wait a while, maybe your children or your grand children will witness the complete collapse of the US of A.

Re:In Other News..

Not if you continue to destroy yourselves like that.

I don't think the US has more than 10 years before it descends into a Nazi Germany equivalent (Including the embargoes. The concentration camps and the surveillance are already there). 15 years before it’s a god state like Pakistan/Iran.
20-25 before it's a nuked wasteland with only troglodytes living there... cut off from the civilized world.

Re:In Other News..

[Thaelon]

The Soviet Union lacked the Internet to circumvent authoritarian propaganda. This is going to happen much, much quicker.

Re:In Other News..

[jasper160]

Obama=Bush 3. Neither was "my man"

Re:In Other News..

[PPH]

Oh, they'll let you land all right. Taking off again is another matter.

Re:In Other News..

[grenadeh]

We have the best technology. Not really the best anything else. T99s are better than Abrahms - we'll see if the M3 gives us the edge again. Our infantry rifles, while decent, are still 50 years old. We've attempted to replace them several times and have turned down superior weapons like the M416. Our active military is still smaller than North Korea and China. Countries hardly do as we please. All we do is piss everyone off and shit down their throats and then the government, for the benefit of the sheep, spins it to say things like "They attacked us because they hate our freedom." No, they attacked us because we deserve it and we started it. My roommate who is an army veteran, former Signal, always insists military technology is decades ahead of civillians. Bullshit. While it's more advanced - in a lab somewhere, a DARPA facility - it's not really in use and it's not that advanced. Our military is technologically superior but it's also held together with duct tape made by the lowest bidder. I wouldn't expect it to fare any better in a real war than it did in WW2. As far as the country being fucked and impending collapse, that already happened. It's just a matter of time at this point before citizens are rounded up into internment camps and the military roams the streets.

Re:In Other News..

[Thaelon]

We also have the most of it. Though tanks and rifles are practically irrelevant. We live on a water planet. Therefore its the Navy this is of the most concern, and we have eight Nimitz class aircraft carriers complete with, I assume, long range fighters, not to mention drones, with presumably medium to long range missiles in addition to their support fleets.

One of those floating fortresses can easily subdue most countries entire military without the use of ground forces. Though there are really only a handful of countries that could mount significant resistance.

Re:In Other News..

[KozmoStevnNaut]

Oh please, spare me the retoric.

Obama's obviously not the messiah that some people made him up to be, but he's nowhere near Bush in damage dealt to both the US and foreign relations. If you think Obama is the most harmful US president of the last 20 year, you must have been in a coma or just horribly ignorant.

It's true that a lot of the badness enacted by Bush still hasn't been removed by Obama. This is down to political maneuvering of course, but also down to a republican-dominated house hell-bent on screwing over every single Obama initiative for idiotic party line reasons.

He's still politician and politicians are dirty by nature. But in both elections, he has been the least bad candidate with an actual chance of winning by far.

Dutch EMR initiative also susceptible

It was recently revealed that one of the companies that handles (some of?) the data for the controversial Dutch EMR (electronical medical record) initiative was US-based and probably also couldn't guarantee that it wouldn't be required to disclose data to the US gorvernment if requested under the PATRIOT act. So there was this big brouhaha about it and now they're finally seeing that US companies really can't be trusted due to this law. Also gives a pretty handy excuse to make sure no taxpayer money goes overseas, I guess :D

It is called a "Virtual Private Network"

It is called a "Virtual Private Network", or VPN for short... :)

Consult with your own Legal Counsel

Our Canadian based organization is quite paranoid about the Patriot Act.

After much research, we discovered that most countries have similar over reaching laws, and that geographical location of data centers is not the only determinant, but the legal jurisdiction of associated parent companies.

Our non-cloud physical data centre is managed by a third party, who was recently bought out by an...american company. There were concerns about the Patriot Act, but our Legal Counsel considered the risk relatively low and not an issue.

YMMV. Let the lawyers do the lawyering.

Over?

[DarthVain]

I like your optimism...

Foreign Soil

[wisnoskij]

Europe is foreign soil, US law does not really care what you do outside of its jurisdiction.

Re:Foreign Soil

So, this is what total and complete delusion looks like.

Re:Foreign Soil

Europe is foreign soil, US law does not really care what you do outside of its jurisdiction.

Tell that to Richard O'Dwyer.

Re:Foreign Soil

And the US jurisdiction is the whole world judging by its actions.

We finally need a complete embargo...

... on terror states like the US and Israel, just like on Iran, China, etc.

This is a clear declaration of war on European countries!

broken Patriot Act expiration promise

Wasn't the Partiot Act supposed to be a temporary measure and set to expire? Wasn't there a clear promise and haven't most of our honorable "representatives" also made those promises? I wonder how much more people can let themselves get screwed by the very same politicians that are supposed to represent our interests before speaking up.

Re:broken Patriot Act expiration promise

[jcr]

Wasn't the Partiot Act supposed to be a temporary measure and set to expire?

Yeah, just like income tax withholding.

-jcr

Re:broken Patriot Act expiration promise

[cheekyjohnson]

Even if they weren't lying when they said it was a temporary measure, I believe violating people's freedoms is unacceptable.

SWIFT says that's irrelevent

They broke the EU directive when SWIFT handed all Europes banking data to the USA and USA data mined it.

Then end result? The current EU Commissionner, simply pretended that he had the right to waive the privacy right and waived it. So we have the right of privacy, and there's strict laws, and if you break the laws? Well EU Commission will not enforce squat.

What about NSA Warrantless surveillance of USA citizens? Look what happened there. AT&T let them have direct taps onto everyone's data, Republicans gave them immunity when they got caught. Now they're free to hand over any data, regardless of privacy laws, knowing they can just get a political stoog into power, to give them immunity.

Take a look at extradition laws

Or indeed international law.

USA: Only if we want it to apply will it.

The USA will not allow a company to give China data.

The USA will not allow a company to withold data to them.

It's called hypocrisy.

Obvious

This seems really obvious.
The company should either make it so they can't look into your data (which they probably don't want), or they should host the data of each person in the country that person lives.
Or simply structure the company in such a way that a separate company that is not based in the US is responsible for the data of foreigners.
The same way they do this for tax purposes.
Of course, companies really don't give a shit about any of this and will just hand your data over, because what's in it for them?

so what?

[kenorland]

European authorities can get personal data on Americans under Europe's (rather bad) laws when that data is hosted on European servers.It's not America's fault that Europeans have, for the most part, failed to create online services that are attractive to people.

Re:so what?

European authorities can get personal data on Americans under Europe's (rather bad) laws when that data is hosted on European servers.

Utter bullshit

Re:so what?

You are missing the point. The equivalent would be for the EU to demand that a US company, holding data on US citizens or businesses, hosted in the US, should hand over that data to the EU, if that company has a subsidiary that does any business in the EU.

Re:so what?

Oops, comment applies to parent's post.

Re:so what?

[kenorland]

What makes you think the EU doesn't do this? Nations like France and Germany probably don't bother with such niceties as legal orders to reveal this data, they just put government operatives into German subsidiaries and have them take whatever they want.

Reddit

http://www.reddit.com/r/worldnews/duplicates/14bp4t/patriot_act_can_obtain_data_in_europe_researchers/

We discussed the matter in our company months ago

Since we are legally screwed if our customer data leaks out of our systems, every company that has to comply to the patriot act can't be considered to host our data.

duh.

duh. Captain obvious.

I hate what the USA is doing. I don't know how to get the current politicians out. My votes haven't helped the last 25 yrs.

OTOH, we aren't the only place in the world with less than desireable laws.

Re: with a Warrant Canary

[enselsharon]

My storage provider maintains a warrant canary:

http://www.rsync.net/resources/notices/canary.txt ... and since my account is in Zurich, I check the local copy there.

Two versions of the same theme

People in US: "The Chinese are infiltrating our networks and stealing our data"
People in Europe "The Americans are infiltrating our networks and stealing our data" ... so we have to conclude that the Chinese are doing it to find out about Europeans?

NO real solution

[Errol+backfiring]

I don't do any business with an American company. But my hospital does. It stores all my data in an Electronic Patient Record built by an American company and hosted St. Isidorus knows where. It was already in the news that all our electronic patient records are potentially unsafe because of American law.

Re: with a Warrant Canary

If they were hit with a national security letter, they could be required to keep posting those. IIRC, come library had "we have not been searched by the FBI this week" signs. It turned out that if they ever were hit with a NSL, it would be illegal for them to take down the sign. Perhaps it is different if putting up the sign is an active act, but I wouldn't think so.

Let's see what the fourth amendment has to say...

[jcr]

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Any act of congress which purports to empower the executive branch to search without probable cause is unconstitutional, and therefore not a law at all.

-jcr

Fsck the US Empire

No execution by drone without representation.

French sovereign Cloud

This is exactly why the French launched the Androméde project to have cloud ressources in France, controlled by French companies governed by French laws. See the reference

http://www.lesechos.fr/entreprises-secteurs/tech-medias/actu/0202251560356-le-cloud-computing-prend-un-nouveau-virage-en-france-359665.php

if you can read French.

D.

Will the NSA provide me with free storage, please?

[ehack]

The NSA is welcome to my emails, if I can have free email :)
But maybe they are subsidising gmail and hotmail anyway ...

America, Fuck Yeah!

America, Fuck Yeah!

Old, old news

Microsoft already warned about it in June, 2011 - 17 months ago.
http://www.zdnet.com/blog/igeneration/microsoft-admits-patriot-act-can-access-eu-based-cloud-data/11225

now amazon can close their datacentre in ireland

[allo]

because the main reason for servers there was, that most eu companys need to ensure, that their data is not accessed from countries without reasonable data privacy laws.
But it will freshen the cloud market, because eu companies will get a bigger share, which will lead to more competition.