Slashdot Mirror


Researchers: PATRIOT Act Can 'Obtain' Data In Europe

An anonymous reader writes "U.S. law enforcement and intelligence services can use the PATRIOT Act/FISA to 'obtain' EU-stored data for snooping, mining and analysis, despite strong EU data and privacy laws, according to a recent research paper. One of the paper's authors, Axel Arnbak, said, 'Most cloud providers, and certainly the market leaders, fall within the U.S. jurisdiction either because they are U.S. companies or conduct systematic business in the U.S. In particular, the Foreign Intelligence Surveillance Amendments (FISA) Act makes it easy for U.S. authorities to circumvent local government institutions and mandate direct and easy access to cloud data belonging to non-Americans living outside the U.S., with little or no transparency obligations for such practices -- not even the number of actual requests.' Arnbak added, 'These laws, including the Patriot Act, apply as soon as a cloud service conducts systematic business in the United States. It's a widely held misconception that data actually has to be stored on servers physically located in the U.S.'"

  1. Same applies elsewhere? by Intrepid+imaginaut · · Score: 4, Interesting

    I guess the same thing applies elsewhere too, like China or Saudi Arabia. If a company wants to conduct business in a country it has to comply with the laws of the country. The main difference is the US is such a huge market that most companies would rather hand over the data than be shut out of it. In a situation where the laws of two different large markets are in direct conflict, it probably becomes a question of "can we get away with it".

    1. Re:Same applies elsewhere? by Anonymous Coward · · Score: 2, Interesting

      So, uh, what about complying with EU laws by not handing over the data to America?

    2. Re:Same applies elsewhere? by RobertLTux · · Score: 3, Interesting

      and then be accused of having ties to Terrorists/ Child Slavery/Whatever and then everything held by the company remotely "US based" gets seized.

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    3. Re:Same applies elsewhere? by rapiddescent · · Score: 2

      A large UK based multi-national org that I've worked for has the exact problem of hosting all its data centres in the USA. The big problem is that there are USA laws that apply that there is no equivalent in the UK/EU and there are contradictory laws where a lawyer would just choose the best jurisdiction. Withholding keys would be an offence under UK law (RIPA) but not under USA law.

      e.g. in the UK, Freedom of Information only applies to government entities.

      So, if a UK consumer (who knew the data was hosted in the USA) wished to find out information that extends further than a DSIR they could get a US Attorney to do a FOI request at the US host and get information that normally they could not get at an EU host.

  2. So what we learn from this is.... by stiggle · · Score: 5, Insightful

    Host your own data. Do not trust the cloud.

    1. Re:So what we learn from this is.... by captainpanic · · Score: 5, Informative

      In the Netherlands, we want to host our own data. Some want to build a national database for medical data. However, an American company is developing the software - so that might be enough for the Americans to demand access to whatever is put on that database.

      So, essentially, when any US based company deals with another third party, all the data of this third party is now declared property of the US.

      This was front page news just a week ago. Not a really good advertisement for US based software developers. For the record, the project manager (who is Dutch) denies that the Americans would get access. And I guess that under the Patriot Act it is also illegal to claim that the US is snooping around. So, for the record, I deny writing this post, since this is hosted on an American server - or at least maintained by people who create American-centric polls.

      Source in Dutch: http://www.metronieuws.nl/nieuws/beheerder-patientendossier-vreest-patriot-act-niet/IWIlkD!AQnwumcZSKxKeH8VP9BZwQ/

    2. Re:So what we learn from this is.... by OzPeter · · Score: 4, Insightful

      The cloud does offer lots of advantages.

      I can't remember where I saw it, but someone suggested that wherever you see the phrase "the cloud", replace it with "someone else's computer" and see how that changes the context.

      --
      I am Slashdot. Are you Slashdot as well?
  3. Bullshit by Rakshasa-sensei · · Score: 4, Interesting

    The EU Data Protection Directive is very specific on this issue; the hosting/cloud company can only locate the data in the US, or even transmit it there, if there is an explicit guarantee that the data has the same level of protection.

    Basically yes, the US could use the Patriot Act to obtain protected EU data from US-based companies. And yes, the company would then have broken the EU directive and would face the courts.

    1. Re:Bullshit by Thiez · · Score: 3, Interesting

      > And yes, the company would then have broken the EU directive and would face the courts.

      How would the EU courts find out?

    2. Re:Bullshit by Rogerborg · · Score: 3, Insightful

      Indeed, don't these demands tend to come with "and if you tell anyone we've asked, you win a free one way trip to Guantanamo Bay" condition attached?

      --
      If you were blocking sigs, you wouldn't have to read this.
    3. Re:Bullshit by Meneth · · Score: 2

      > And yes, the company would then have broken the EU directive and would face the courts.

      > How would the EU courts find out?

      They wouldn't.

    4. Re:Bullshit by gstoddart · · Score: 5, Insightful

      > But yes, the Data Protection Directive makes it very hard for companies to comply with both PATRIOT and the DPD.

      No, it makes it impossible. The PATRIOT act says "no matter what local laws say, you are obligated to do this" ... the data protection in other countries says "you are absolutely required to not do that".

      Basically, the Americans are saying their laws trump everybody else, and the cost of doing "systematic business in the United States" is that their laws trump everybody else.

      Sadly, the US has decided that, the laws of other countries be damned, if you do enough business here you have to do what we say.

      Yet another example of how the US is declining into a xenophobic country, who has no intention of playing nicely with everybody else -- and American businesses might suddenly find themselves as unwelcome entities around the world as you pointed out. (Which of course they would probably go to the WTO or say "Waahh, you won't let us play in your sandbox" to try to force those countries to allow American companies to do business despite the fact that they essentially can't be trusted.)

      Essentially the only choice is to treat American owned companies as if they're agents of a hostile, totalitarian state -- because if any other country passed a law that said "if you do systematic business here, you must hand over your data to our government", the US would be up in arms talking about the freedoms they're not prepared to extend to other countries.

      I know here in Canada, US owned companies are precluded from some government contracts for this very reason, and pretty much all cloud providers which could host data there are not legally allowed because they open the risk of sensitive data being handed to the Americans without anybody knowing.

      I think this will pretty much be the point at which a lot of these US companies who could be in this position will suddenly start finding a lot of doors closed in their face with a "Oh, sorry, since we can't trust you or your government, you can't come in".

      --
      Lost at C:>. Found at C.
    5. Re:Bullshit by drinkypoo · · Score: 2

      > Yet another example of how the US is declining into a xenophobic country, who has no intention of playing nicely with everybody else

      Declining into? You haven't read about the history of United Fruit Company, have you? I recommend Bananas (the book, not the fruit, though the fruit is delicious.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Bullshit by Rakshasa-sensei · · Score: 2

      Cause the top guy in the EU subsidiary, and every single person in the chain down to the guy who gave access to the US, would not mind spending time in jail? Either the top guy knows, or someone else is getting screwed, so someone is going to cover their ass and tell.

      And they're all, more than likely, living in Europe so the prospect of being wanted in the US versus being in jail in the EU should be an easy choice.

    7. Re:Bullshit by Thaelon · · Score: 2

      > Essentially the only choice is to treat American owned companies as if they're agents of a hostile, totalitarian state

      As if?

      --

      Question everything

    8. Re:Bullshit by NatasRevol · · Score: 3, Insightful

      Wow, that's seriously missing the discussion.

      Do US laws apply to EU companies, IN the EU, just because they have a US branch?

      No, they don't. Even if the US thinks they do.

      Just in case you're unclear, try switching the US and the EU, see how that feels.

      --
      There are two types of people in the world: Those who crave closure
    9. Re:Bullshit by Alain+Williams · · Score: 2

      I wonder if you could claim political asylum in your own country to stop yourself being extradited to the USA?

    10. Re:Bullshit by AHuxley · · Score: 2

      Re use the information?
      Could be as simple as a commercial deal lost. Your EU firm is blacklisted for illegal gov support after some tax records are recovered/shared.
      A request is made to move more work/data to the USA under a 'free trade' deal - yes or no? If "no" you're even more suspect.
      Your trade with countries around the world is sorted into areas of interest to the US gov.
      Depends on your links to 2nd and third parties. Cuba? Middle East? Africa? Asia? South America? Stepping on an area the US sees as its 'zone' gets you deeper.
      The 'net' is cast wide and if anyone of interest shows up ...
      Your next work related trip to the US results in ever smaller interview rooms at the airport over many hours with your laptop being cloned.
      No embassy staff, no legal team - moving from uniformed staff who just want to clear things up so you can be on your way ... to suits without badges and very personal questions :)
      If you don't enter the USA, a unique, time limited deal could be introduced to get your boss very interested in sending "you". The locals are asked to interview you on some deep legal issue as a few law enforcement 'guests' sit in with a list of their own questions :)
      Failing that and the data found points to something darker, a free flight to the USA can be arranged for you when you go on holiday to a third country.

      --
      Domestic spying is now "Benign Information Gathering"
  4. Re:What was that about nefarious UN? by Anonymous Coward · · Score: 3, Funny

    It clearly says "All your data are belong to US".

  5. The only real solution by Aethedor · · Score: 5, Insightful

    Don't do business with an American company or a company that has an office in the US if you plan to use its service to store sensitive information. This may sound a bit blunt, but for me it's the only proper answer to the patriot act.

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  6. In Other News.. by SuperCharlie · · Score: 5, Insightful

    The US can do whatever they feel like doing because Fuck You. rabble rabble terrorism..rabblerabble child porn rabblerabble security.

    Get used to it... it's gonna be a long and twisted road before this crap is over.

    1. Re:In Other News.. by Thaelon · · Score: 2

      You are correct, but make no mistake, the reason the US will do whatever they feel like is because they have the world's most formidable military by a large margin. Which basically makes it the world's largest terrorist organization. What else do you call it when you have the biggest stick on the planet and the mere threat of it is enough to make other countries do as you please? It is textbook terrorism.

      And you know that it is a totalitarian regime when millions of its citizens are out of work, homeless, starving, lacking medical care, etc, yet reducing the budget of the doublethink-named "Department of Defense" (complete with eight, going on 11 Nimitz class "floating fortresses") is never even considered. Hell, they would rather cut social reinvestment programs like fucking healthcare first!

      The whole "but they cannot be a totalitarian regime because the government is controlled by two competing political parties" simply doesn't hold either. Both parties are largely funded by the same plutocracy. They cooperate on everything that benefits the plutocracy (tax cuts for the rich, bank bailout etc, taking on more national debt), and stall on everything that benefits the proletariat (healthcare reform, socialized medicine etc). Hell, the presidential debates have been jointly run by the two supposedly opposed parties for decades - which explains why you did not see the Green Party or Libertarian parties even represented at the 2012 Presidential debates, in fact, Jill Stein, the Green Party candidate was arrested and detained without due process by the Department of Homeland Security and the Secret Service for the political crime of trying to attend the debates for the political office she was legally running for!

      Do I even need to mention the NSA's Total Information program? The open mockery of the 4th Amendment that is the Transportation Security Administration? Or the Department of Homeland Security whose very existence ought to be redundant given that we already have an oversized military, a national guard, and a police force?

      This country is so fucked, and the collapse is coming. It simply is not sustainable as is.

      --

      Question everything

    2. Re:In Other News.. by kenorland · · Score: 2

      > The US can do whatever they feel like doing because Fuck You

      Well, Europe dropped the ball in the 20th century, so it got stuck taking care of all these problems. If Europe doesn't like the way the US handles it, all it has to do is get its shit together.

      > Get used to it... it's gonna be a long and twisted road before this crap is over.

      Well, it sure beats the "crap" that was going on before. And the way things are going, this will be "over" when the US decides it's over, given that Europe and Asia are far more aggressive in restricting the liberty and privacy of their citizens.

    3. Re:In Other News.. by grenadeh · · Score: 2

      Don't participate in arguments you're unqualified for. Communist? No. All his viewpoints? Wrong. They aren't even his viewpoints, Romney and Obama and even Clinton and Bush were and are all pawns controlled by globalists. Yea, not actual communism, no one understands what the actual concept of communism is of course. That doesn't excuse that he has done more damage than 16 years of Bush/Clinton combined (not that Clinton did too much, he actually had a budget surplus).

  7. Re:two edged blade by gstoddart · · Score: 2

    It matters if you do business with the country issuing the law...
    Of course, almost no US companies do business with China, so no worries there.

    So, when China or someone else passes a similar law, the US will accept that their companies have to hand over the data to the local government because that's how it works?

    Or will they basically say their laws and interests trump everybody else's, and too bad? Because I can't see other sovereign nations accepting that.

    --
    Lost at C:>. Found at C.
  8. Re:Not all of Europe by Teun · · Score: 2

    I'm sure when an article mentions European (privacy) law the implication is we're talking about European Union law.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."