Slashdot Mirror
EU Citizens Warned Not To Use US Cloud Services Over Spying Fears
Diamonddavej writes "Leading privacy expert Caspar Bowden warned European citizens not to use cloud services hosted in the U.S. over spying fears. Bowden, former privacy adviser to Microsoft Europe, explained at a panel discussion hosted at the recent Computers, Privacy and Data Protection conference in Brussels, that a section in the Foreign Intelligence Surveillance Act Amendments Act 2008 (FISAAA) permits U.S. intelligence agencies to access data owned by non-U.S. citizens on cloud storage hosed by U.S. companies, if their activity is deemed to affect U.S. foreign policy. Bowden claimed the Act allows for purely political spying of activists, protesters and political groups. Bowden also pointed out that amendments to the EU's data protection regulation proposal introduce specific loopholes that permit FISAAA surveillance. The president of Estonia, Toomas Hendrik Ilves (at a separate panel discussion) commented, 'If it is a U.S. company it's the FBI's jurisdiction and if you are not a U.S. citizen then they come and look at whatever you have if it is stored on a U.S. company server.' The European Data Protection Supervisor declined to comment but an insider indicated that the authority is looking into the matter."
ah, the good ol' patriot act.
Got news for him, even if you ARE a US citizen they look at whatever you have stored.
Run for your life, the Cloud is falling, the Cloud is falling!
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
Several EU member states have been cooperating with us to spy on their citizens since WWII. You're connected to a global network that provides instantanious monitoring of millions of communications in realtime; We peer our data with you. Our GPS satellites and cell phone technology can pinpoint where most of your citizens are at any given point in time and you thanked us for providing that technology under the guise of preventing terrorism, homeland security, tracking down neo nazis, or dozens of other groups.
And now, after decades of cooperation, you're being warned not to use... our cloud services. That's like this (holds up cell phone)... Not that impressive compared to that (points to a 100 story tall, 20 block wide, datacenter labelled 'EVERYTHING. EVER.') Seriously now, where are your brains? This is just a stunt to try and get your own domestic cloud services launched, I'm sure of it. So which one was it? Comeon, fess up.
#fuckbeta #iamslashdot #dicemustdie
Oh well back to easvsdropping on countries with actual economies.
Captcha: Sincere
Wanna see some?
-Hu Jintao
The Bill of Rights is peculiar in that it does not say "no citizen", but it says "no person."
Can someone explain how nearly 250 years of common law has managed to change the definition of a "person" to include US companies, but not foreign citizens utilizing services within the US?
"hosed by U.S. companies"
a friend of mine made a freedom of information request recently, and was surprised to find that his question was responded to using zendesk. so he looked up the IP address and, on discovering that the IP address was in the U.S., made some pointed enquiries as to why his confidential details, as well as UK Government matters, were being stored in a jurisdiction outside of the sovereignty of the UK.
the best one though was learning that UK MPs have been issued with ippads. which is great. confidential UK business can be snooped on by not just the U.S. govt but by a U.S. Corporation, and UK MPs can be "advertised at", and sold commercial music and entertainment services that they have absolutely no business letting in to Parliament.
all good fun, eh?
Taking Google's service as an example, how is the FBI to know whether john.doe@gmail.com is a U.S. citizen or not? When signing up for service, all Google asks for is the location, not the country of citizenship.
Even if John Doe accesses his email from a non-US ISP, he might well be a citizen traveling abroad.
Microsoft has been harping on about this before. They previously said they themselves couldn't promise to keep their users' data private to the degree required by EU law.
As I see it, what they're doing is trying to poison the whole idea of cloud services, because in poisoning their own market they also poison Google's. And while to Microsoft, 'cloud services' are an expensive and annoying distraction, to Google it's central to their entire business strategy.
I mean, everyone outside the US has known since the mid-2000's that the American Gov't has absolutely ZERO compunction about spying on ANYTHING within it's borders.
Even "secretly" wire-tapping it's own citizens.
In Canada we have distinct and fairly robust privacy legislation, and I'm constantly warning businesses to avoid storing anything in the cloud that could potentially contain affected info (customer data primarily, but also patient data in doctor's offices and other medical professionals). Simply uploading ANY of that data to the cloud COULD put you in violation of the law since you can no-longer provide ANY ASSURANCE WHATSOEVER that it hasn't been viewed or shared with unauthorized parties.
Furthermore, I personally just assume, straight-up, that ANYTHING that Facebook, Google, Amazon or Microsoft host is de rigueur scanned, indexed and cataloged.
This also applies to anything done in Chrome, or Android (vis a vis Google) or if you've installed any of Google's personal-search tools. It just doesn't make sense NOT to assume that the worst thing you can imagine happening in these cases either is-already, or will-eventually-be, happening.
I single-out Google and it's many tools at the moment because hoarding information about you (and then selling it) IS the basis of their business model. The more information they can harvest about you personally, the more valuable their product is. Therefore, the greater their incentive is/will-be to accrue and store as much information as they possibly can about every single thing you do, place you go, thing you think... If they're not doing it already, the past history of American Corporocratic greed compels me to believe that they will eventually...
Still, it's hard to believe that any of this would be considered "new" news in 2013.
-AC
The US is driving business away with a weighted stick.
People hold beliefs about other countries and people for a very long time; in many cases, long after the belief has had any meaning. For example, "the French surrendered", "Germans are Nazis", "Chinese products are crappy", "Japanese cars are like finely-tuned watches", and so on. Think of any nation and it comes with a satchel of beliefs held about its people.
The US is getting an odius reputation for business and tourism. The overall message we send is: "don't come to the US for anything". Businesses are leaving the US in droves, preferring to operate in more friendly areas.
When the US is known worldwide as "business unfriendly", it'll be nigh impossible to turn that around even if the situation changes.
This is what our government is doing for us. It's effect on productivity (and employment) is obvious.
(As a personal anecdote, I recently registered a .net domain, and the registrar (in France) had me click through a strongly worded message stating that the US could demand all sorts of privileges from the domain. Essentially, they stated that they could not guarantee my privacy or the safety of my data when registering a .net domain.)
Think about it a moment. The Hollywood ... er ... US Government seized all servers and data on a flimsy warrant and trumped-up charges, including the accusation that Megaupload had retained data on its servers even after takedown notice(s). It has since emerged that the government specifically requested that they leave those files up for "investigation." One guy trusted his business data and property to the service and he's *still* fighting to get it back, despite the fact that it was un-shared and 100% his own legal property.
Cloud services effectively died that day. Why trust any service when a third party can cut you off at any time from your own property without let or recourse?
Methinks you can count on Europe to eventually get this right.
Twitter getting sued and losing to France's Jew student union over obnoxious hashtags is just the high profile round two of the same joust they had with Yahoo over nazi artifacts getting auctioned over a decade ago. They won last time; they'll win this time. And US companies will comply to French law on this matter just like last time. I suspect that the pitiful €1k/day fine is going to quickly balloon to obscene amounts of money until the courts get a reaction from Twitter.
In Germany, users are suing Facebook over the right to get deleted, and while they were the first, in typical German grassroots achievements, they no longer are the only ones. This is simply going to win, and they're just getting started. Sure enough, the Irish subsidiary is dragging its feet to comply. Presumably to Zuck's despair -- here's a continent with over 600M people willing not only in fighting for the right to be deleted but also in actually enforcing it. In the end, sane views will prevail, and the US laws will get kicked back across the Atlantic where they belong -- for US citizens to debate further, hopefully with new, more enlightened insights.
The same could arguably be told of countries like China, Egypt or Iran: ironically, US firms are made to comply with local law over there, plain and simple, much faster then they are to EU laws. But the EU is hopefully similar enough to the US that the latters' citizens will not shrug that the former are merely uneducated barbarians when their laws are sent back for review.
If you've been reading Privacy Policies for awhile
you've noticed them becoming more intrusive.
To me posting to a cloud is the same as to a newsgroup,
public domain, no matter what's said.
Here is a report for the European Parliament (Pdf) about cyber crime and privacy of Cloud services, co-written by Caspar Bowden, it discusses the ramifications of FISAAA. The salient section is "3.4. The inter-state/states/companies relation" on page 34.
http://www.europarl.europa.eu/committees/en/studiesdownload.html?languageDocument=EN&file=79050
Furthermore, proposed changes to the EU's data protection regulations will facilitate FISAAA. Specifically, if a Security Companies' audit of a Cloud Service uncovers U.S. spying, they will be obligated not to inform an affected EU company. I wonder what pressure the U.S. is applying to get this passed...
US lobbying waters down EU data protection reform
"For example, IMCO voted to allow easier profiling of users by companies, and lessen the importance of reporting personal data breaches as soon as they occur. At the same time, most proposals to strengthen regulation were rejected.
No matter where that cloud is stationed, putting stuffs that are sensitive in nature is never a good idea.
Muchas Gracias, Señor Edward Snowden !
I just now searched my browser history & couldn't find the message. (I'd love a Memex plugin for Firefox.)
My registrar gets .net domains through Verisign, which is a US company, and I believe that's the issue. They had a nice diagram showing ICANN -> Verisign -> (My Registrar) which shows the problem.
I believe the text also read something like "these agreements bind you to Verisign and ICANN", then went on to explain how Verisign is a US company, how the government could step in and do nasty things, you have agreed to this situation, &c. The note mentioned ".net" and ".com" domains.
Are there alternatives? Dropbox is US, Google Drive is US, I would assume Skydrive is US... What else will they use?
If you look at, for example, the data protection laws here in Germany, the German government can get at my data even more easily than the FBI can get at data in the US. What I'm asking myself is: assuming that any government can look at data within its borders anyway, what's the best place to store my data? Good attributes for such a place are: I'm not living there, I don't want to travel there, and they aren't really on good terms with my government.
I think what the EU representatives are really saying in so many words is: "don't store your data in the US, where European governments have a harder time getting at it, store it in Europe where we can get at it easily (but you can trust us!)".
Any business leaving the U.S. is doing so strictly for the minimization of costs associated with labor & taxes. You don't see them relocating to wealthy European countries. Ireland gave huge subsidies to attract telecom CS centers and Intel chip fabs, and the boom last not even 10 years.
If you think they're moving operations to Phillipines, Malaysia, Mexico, China or India for friendship then you're smoking crack and mistaking the $'s for little green men.
Remember Skype the other day? when was the last time you heard FBI complain it couldn't get Skype intercepts because of its P2P nature? Now they're *using* Skype intercepts in prosecutions! So our private calls are also intercepted now. I think the routing comes from an MS server and they simply route it through an intercept.
In the latest financials, I see Facebook has substantial 'fees' income, separate from advertising. At first I thought it was for the charges they make for contacting your friends list, but that doesn't explain it, the fees go back before the introduced that charge.
I think they sell NSA access. I think a substantial portion of that fee is to give NSA access to all the private profile information, all the non public graph data.
I find it difficult to imagine a situation where Facebook has secret info, Facebook wants money, NSA has money, NSA wants info, there's no law stopping them getting it, even on US citizens, (cloud stuff greater than 6 months on USA citizens is not considered private, even if its private email, cloud stuff on non US citizens is fair game). Hence Facebook must be selling data to NSA by Occam's razor.
as a US Citizen I don't use them.
What's new here? I remember that most EU states agreed to handover data about its citizens to USA anyway, so we're fckuedup anyway.
How would the gov differentiate between US citizens' and non-US citizens' data? I'm a US citizen living in Germany. Am I and others like me safe? Why does the US gov have such contempt for the rights of non-US citizens anyway?
How oh how is this in 2013, news? The Patriot Act (Enacted into US law just slightly post 9/11/2001), allows the US government to access any data from any source held by a US company, whether that companies operations are within the United States, or located in a foreign country (any other country). The act also requires the company to provide all information requested by the US government, and requires the company *NOT* to disclose to any party their actions on behalf of the US Government. So it's not just data stored on US servers, the servers can belong to people in other countries, with the server physically located not in the United States. It basically makes all US companies with access to data spies for the US government under US law. There are fines, penalties (including prison) for companies disclosing that the US Government is snooping for information, and likewise for non-compliance. That members of the EU are just discovering this now is quite surprising.
to warn all people about US cloud services and not just EU people?
or did he make a balls of the write-up?
Yeah, but that's not a problem for European citizens...
No matter the intent, the issue is still valid.
The german governement can require your data in germany but with a warrant. they CANNOT snoop permanentely over all the data , index it, and use it for whatever purpose. Whereas it is true there is a data rentention, there is no *looking* at that data without warrant.
The US move mentionned above is *different*. They can legally snoop your data in real time, take everything they want, and even use it agaisnt you for their own political/economic advantage.
If you are really thinking both are identical, then you can't beb helped.