Slashdot Mirror

← Back to Stories (view on slashdot.org)

EU Citizens Warned Not To Use US Cloud Services Over Spying Fears

Posted by timothy on from the oh-don't-you-worry dept.

Diamonddavej writes "Leading privacy expert Caspar Bowden warned European citizens not to use cloud services hosted in the U.S. over spying fears. Bowden, former privacy adviser to Microsoft Europe, explained at a panel discussion hosted at the recent Computers, Privacy and Data Protection conference in Brussels, that a section in the Foreign Intelligence Surveillance Act Amendments Act 2008 (FISAAA) permits U.S. intelligence agencies to access data owned by non-U.S. citizens on cloud storage hosed by U.S. companies, if their activity is deemed to affect U.S. foreign policy. Bowden claimed the Act allows for purely political spying of activists, protesters and political groups. Bowden also pointed out that amendments to the EU's data protection regulation proposal introduce specific loopholes that permit FISAAA surveillance. The president of Estonia, Toomas Hendrik Ilves (at a separate panel discussion) commented, 'If it is a U.S. company it's the FBI's jurisdiction and if you are not a U.S. citizen then they come and look at whatever you have if it is stored on a U.S. company server.' The European Data Protection Supervisor declined to comment but an insider indicated that the authority is looking into the matter."

38 of 138 comments (clear)

  1. Really? by Anonymous Coward · · Score: 5, Insightful

    Got news for him, even if you ARE a US citizen they look at whatever you have stored.

    1. Re:Really? by Zontar+The+Mindless · · Score: 2

      Being a multinational means you get to say, "We're based in [place that's to our advantage in this instance]."

      And it can be a different place next time you say it.

      --
      Il n'y a pas de Planet B.
    2. Re:Really? by davester666 · · Score: 2

      That's what they are looking for.

      --
      Sleep your way to a whiter smile...date a dentist!
    3. Re:Really? by gstoddart · · Score: 3, Informative

      "Got news for him, even if you ARE a US citizen they look at whatever you have stored."

      Where is evidence?

      Under the PATRIOT act, they can't show that to you.

      The fact remains, they've been increasingly looking at people's things, bypassing judicial oversight, and generally running rough shod over parts of the Constitution with "Free Speech Zones", warrantless wiretaps and the ability to do "border stops" 100 miles from the border.

      Seriously, have you not even been paying attention? This shit's been all over the news.

      --
      Lost at C:>. Found at C.
  2. Oh Noze! by flyneye · · Score: 3, Funny

    Run for your life, the Cloud is falling, the Cloud is falling!

    --
    *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
  3. Anyone ever read the constitution? by Midnight_Falcon · · Score: 5, Insightful

    The Bill of Rights is peculiar in that it does not say "no citizen", but it says "no person."

    Can someone explain how nearly 250 years of common law has managed to change the definition of a "person" to include US companies, but not foreign citizens utilizing services within the US?

    1. Re:Anyone ever read the constitution? by SteveFoerster · · Score: 4, Insightful

      Hence the saying that the Constitution may not be perfect, but it's better than what we have now.

      --
      Space game using normal deck of cards: http://BattleCards.org
    2. Re:Anyone ever read the constitution? by s.petry · · Score: 5, Insightful

      Do you want the real answer or some spiffy rhetorical bullshit? Save that, I'll give you the real answer. My apologies in advance too, since I'm guessing you already know what follows and are simply asking the rhetorical question. This is really for those that are still sleeping.

      The real answer is that the people currently sitting in offices don't give a rats ass about their own Constitution. Don't look at what they say, look at what they do! The Patriot act has not been diminished, it's been extended. Hidden clauses in executive orders remove things from view, and public support. Lets not kid each other, that is a symptom of a much larger problem and not the problem.

      Socrates warned that citizens must guard against people in political offices that demand increasing amounts of power. He was the first, but definitely not the last. That quest for power can quickly turn any form of Government into a tyranny.

      Now many will say "doom and gloom nonsense", and those people are simply ignorant. They have no idea how much snooping the NSA currently does on them, nor how much that will expand this summer when the new super computer complex opens (which has been designed for exactly the purpose of snooping and reporting on citizens). They have no idea how much of that data is requested and granted currently (in secrecy) to other government agencies, like the CIA, FBI, TSA, DHS, DOJ, ATF, etc.. Nobody in the public does, because our government refuses to provide any information at all. Even to the point where they refuse to admit it happens. We know it happens based on events and court cases, not because it's admitted.

      This is by the same people in office that will tell you to your face that they want to be open and honest. Does the term "pathological liar" not bother you?

      So if the Government ignores the Constitution and Bill of Rights when dealing with it's own citizens do you really expect them to honor the words with non-citizens? The constitution is the foundation for every other aspect of our Government.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    3. Re:Anyone ever read the constitution? by BeerCat · · Score: 2

      And therein lies the problem with the Oath of Office:

      John Q Public: Go after than person. Their actions clearly show that they are an enemy of the US constitution!
      US Politico: Um, no. They're your enemy, not mine. In fact, I rather like them (because they keep me in power) Have a nice day y'all

      --
      "She's furniture with a pulse"
    4. Re:Anyone ever read the constitution? by Anonymous Coward · · Score: 2, Insightful

      The Bill of Rights is peculiar in that it does not say "no citizen", but it says "no person."

      Ah, but are foreign nationals actually people?

      The answer isn't obvious when you consider that slaves weren't full people as per the original document.

    5. Re:Anyone ever read the constitution? by stephanruby · · Score: 2

      Lucky for me as a US citizen, whether at home or abroad, I just tag all my content and my emails with my US social security number and my date of birth.

      For phone calls, it does get a little bit trickier, I just say my social security number, my full name, and my date of birth out loud as clearly as I can to every person that I talk to on the telephone. This signals to the NSA that they should just hit the stop recording button, so that they don't accidentally record/transcribe/index my conversation with that person on their Echelon clouds (or that at least if I'm speaking to a foreigner, that they make the effort to filter out my voice from the recording leaving only the voice of the foreigner on there).

    6. Re:Anyone ever read the constitution? by Genda · · Score: 3, Insightful

      The problem is the difference between the letter and the spirit of the law. A well educated third grader can interpret the spirit of the oath of office.

      But a President today can simply puts a Scalia onto the bench of the Supreme Court, who will gladly interpret the Constitution in a way that sounds more like Mein Kampf. We are drowning in lawyers, making noises like Bill Clinton's "...that depends what "IS" is..". Duplicitous self serving scumbags who will print the Bill of Rights on rolls that are squeezably soft, while kissing babies and glad handing corporate giants holding fat checks. We've been bought and sold by little men.

      Doom and Gloom would be letting this lie. Nonsense, would be ignoring the vital need to take back what is our God given liberty in the face of our culture being destroyed one word at a time. It is the government that must stand transparent, naked before the people, and not the other way.

    7. Re:Anyone ever read the constitution? by Genda · · Score: 3, Insightful

      That's okay, recent changes in the law now make it possible to do anything we do to foreign nationals to be done to our own citizens. What could be fairer?

    8. Re:Anyone ever read the constitution? by Genda · · Score: 2

      And when done traveling abroad you return home how? By ruby slipper?

      The NSA has a massive listening post in England. Guess what? They've been listening to U.S Domestic calls for most of 20 years. You can tag all your correspondences with "Don't shoot, I'm one of you!" too. Good luck with that.

  4. US hosed our servers by AaronLS · · Score: 3, Funny

    "hosed by U.S. companies"

  5. UK Govt using zendesk?? by lkcl · · Score: 5, Interesting

    a friend of mine made a freedom of information request recently, and was surprised to find that his question was responded to using zendesk. so he looked up the IP address and, on discovering that the IP address was in the U.S., made some pointed enquiries as to why his confidential details, as well as UK Government matters, were being stored in a jurisdiction outside of the sovereignty of the UK.

    the best one though was learning that UK MPs have been issued with ippads. which is great. confidential UK business can be snooped on by not just the U.S. govt but by a U.S. Corporation, and UK MPs can be "advertised at", and sold commercial music and entertainment services that they have absolutely no business letting in to Parliament.

    all good fun, eh?

  6. Poisoning the cloud by Anonymous Coward · · Score: 4, Interesting

    Microsoft has been harping on about this before. They previously said they themselves couldn't promise to keep their users' data private to the degree required by EU law.

    As I see it, what they're doing is trying to poison the whole idea of cloud services, because in poisoning their own market they also poison Google's. And while to Microsoft, 'cloud services' are an expensive and annoying distraction, to Google it's central to their entire business strategy.

  7. Is this really news to anyone? by Anonymous Coward · · Score: 5, Insightful

    I mean, everyone outside the US has known since the mid-2000's that the American Gov't has absolutely ZERO compunction about spying on ANYTHING within it's borders.

    Even "secretly" wire-tapping it's own citizens.

    In Canada we have distinct and fairly robust privacy legislation, and I'm constantly warning businesses to avoid storing anything in the cloud that could potentially contain affected info (customer data primarily, but also patient data in doctor's offices and other medical professionals). Simply uploading ANY of that data to the cloud COULD put you in violation of the law since you can no-longer provide ANY ASSURANCE WHATSOEVER that it hasn't been viewed or shared with unauthorized parties.

    Furthermore, I personally just assume, straight-up, that ANYTHING that Facebook, Google, Amazon or Microsoft host is de rigueur scanned, indexed and cataloged.

    This also applies to anything done in Chrome, or Android (vis a vis Google) or if you've installed any of Google's personal-search tools. It just doesn't make sense NOT to assume that the worst thing you can imagine happening in these cases either is-already, or will-eventually-be, happening.

    I single-out Google and it's many tools at the moment because hoarding information about you (and then selling it) IS the basis of their business model. The more information they can harvest about you personally, the more valuable their product is. Therefore, the greater their incentive is/will-be to accrue and store as much information as they possibly can about every single thing you do, place you go, thing you think... If they're not doing it already, the past history of American Corporocratic greed compels me to believe that they will eventually...

    Still, it's hard to believe that any of this would be considered "new" news in 2013.

    -AC

  8. Internet tradition by Okian+Warrior · · Score: 5, Insightful

    The US is driving business away with a weighted stick.

    People hold beliefs about other countries and people for a very long time; in many cases, long after the belief has had any meaning. For example, "the French surrendered", "Germans are Nazis", "Chinese products are crappy", "Japanese cars are like finely-tuned watches", and so on. Think of any nation and it comes with a satchel of beliefs held about its people.

    The US is getting an odius reputation for business and tourism. The overall message we send is: "don't come to the US for anything". Businesses are leaving the US in droves, preferring to operate in more friendly areas.

    When the US is known worldwide as "business unfriendly", it'll be nigh impossible to turn that around even if the situation changes.

    This is what our government is doing for us. It's effect on productivity (and employment) is obvious.

    (As a personal anecdote, I recently registered a .net domain, and the registrar (in France) had me click through a strongly worded message stating that the US could demand all sorts of privileges from the domain. Essentially, they stated that they could not guarantee my privacy or the safety of my data when registering a .net domain.)

    1. Re:Internet tradition by suutar · · Score: 2

      wild ass guess: It's .net, so it's handled by DNS servers the US can control, so they can get the domain to map to a monitoring proxy that forwards connections back to the real server but logs it all. And depending how the certificates are set up, perform man-in-the-middle decryption.

  9. Megaupload Case *Already* Poisoned the Cloud by sehlat · · Score: 5, Insightful

    Think about it a moment. The Hollywood ... er ... US Government seized all servers and data on a flimsy warrant and trumped-up charges, including the accusation that Megaupload had retained data on its servers even after takedown notice(s). It has since emerged that the government specifically requested that they leave those files up for "investigation." One guy trusted his business data and property to the service and he's *still* fighting to get it back, despite the fact that it was un-shared and 100% his own legal property.

    Cloud services effectively died that day. Why trust any service when a third party can cut you off at any time from your own property without let or recourse?

    1. Re:Megaupload Case *Already* Poisoned the Cloud by StormReaver · · Score: 3, Informative

      Cloud services effectively died that day.

      I wish you were right, but you're not. Sadly, Stupid breeds way faster than Smart, so "cloud" subscriptions keep growing.

    2. Re:Megaupload Case *Already* Poisoned the Cloud by Anonymous Coward · · Score: 2, Interesting

      You can still use cloud services as backup. Simply encrypt what you upload.

      Our company uses Google Docs and Drive extensively, and just use the Syncdocs plugin to secure the data.

  10. Count on Europe by Kergan · · Score: 3, Insightful

    Methinks you can count on Europe to eventually get this right.

    Twitter getting sued and losing to France's Jew student union over obnoxious hashtags is just the high profile round two of the same joust they had with Yahoo over nazi artifacts getting auctioned over a decade ago. They won last time; they'll win this time. And US companies will comply to French law on this matter just like last time. I suspect that the pitiful €1k/day fine is going to quickly balloon to obscene amounts of money until the courts get a reaction from Twitter.

    In Germany, users are suing Facebook over the right to get deleted, and while they were the first, in typical German grassroots achievements, they no longer are the only ones. This is simply going to win, and they're just getting started. Sure enough, the Irish subsidiary is dragging its feet to comply. Presumably to Zuck's despair -- here's a continent with over 600M people willing not only in fighting for the right to be deleted but also in actually enforcing it. In the end, sane views will prevail, and the US laws will get kicked back across the Atlantic where they belong -- for US citizens to debate further, hopefully with new, more enlightened insights.

    The same could arguably be told of countries like China, Egypt or Iran: ironically, US firms are made to comply with local law over there, plain and simple, much faster then they are to EU laws. But the EU is hopefully similar enough to the US that the latters' citizens will not shrug that the former are merely uneducated barbarians when their laws are sent back for review.

  11. Here is a European Parliment Report by Diamonddavej · · Score: 4, Informative

    Here is a report for the European Parliament (Pdf) about cyber crime and privacy of Cloud services, co-written by Caspar Bowden, it discusses the ramifications of FISAAA. The salient section is "3.4. The inter-state/states/companies relation" on page 34.

    http://www.europarl.europa.eu/committees/en/studiesdownload.html?languageDocument=EN&file=79050

    Furthermore, proposed changes to the EU's data protection regulations will facilitate FISAAA. Specifically, if a Security Companies' audit of a Cloud Service uncovers U.S. spying, they will be obligated not to inform an affected EU company. I wonder what pressure the U.S. is applying to get this passed...

    US lobbying waters down EU data protection reform

    "For example, IMCO voted to allow easier profiling of users by companies, and lessen the importance of reporting personal data breaches as soon as they occur. At the same time, most proposals to strengthen regulation were rejected.

  12. Security on the clouds by Taco+Cowboy · · Score: 4, Insightful

    No matter where that cloud is stationed, putting stuffs that are sensitive in nature is never a good idea.

    --
    Muchas Gracias, Señor Edward Snowden !
  13. Obvious question by theRunicBard · · Score: 2

    Are there alternatives? Dropbox is US, Google Drive is US, I would assume Skydrive is US... What else will they use?

    1. Re:Obvious question by jbeaupre · · Score: 2

      These?
      http://blog.websitepulse.com/free-cloud-storage-and-china/

      --
      The world is made by those who show up for the job.
    2. Re:Obvious question by GPierce · · Score: 2

      Until the drone blows hs server farm away, Kim Dotcom's Mega might actually be secure. At least that's the plan. And it will all be good until we find that Kim Dotcom is a CIA agent. (There is no such thing as being too paranoid.)

      --

      When you are dancing with wolves, never limp
    3. Re:Obvious question by Anonymous Coward · · Score: 2, Informative

      Jottacloud, qCloud, all the Scandinavian countries have super tight privacy laws, and except for sweden they don't really give into U.S. pressure..

    4. Re:Obvious question by fincan · · Score: 2

      Wuala, www.wuala.com. And as a US company, Spideroak, www.spideroak.com

  14. translation by terec · · Score: 4, Interesting

    If you look at, for example, the data protection laws here in Germany, the German government can get at my data even more easily than the FBI can get at data in the US. What I'm asking myself is: assuming that any government can look at data within its borders anyway, what's the best place to store my data? Good attributes for such a place are: I'm not living there, I don't want to travel there, and they aren't really on good terms with my government.

    I think what the EU representatives are really saying in so many words is: "don't store your data in the US, where European governments have a harder time getting at it, store it in Europe where we can get at it easily (but you can trust us!)".

    1. Re:translation by terec · · Score: 2

      You think that's a joke, but why not? What is the Chinese government going to do to you? Have you extradited for storing anti-Marxist propaganda? Fine you for copyright violations?

  15. Facebook fees by Anonymous Coward · · Score: 2, Insightful

    Remember Skype the other day? when was the last time you heard FBI complain it couldn't get Skype intercepts because of its P2P nature? Now they're *using* Skype intercepts in prosecutions! So our private calls are also intercepted now. I think the routing comes from an MS server and they simply route it through an intercept.

    In the latest financials, I see Facebook has substantial 'fees' income, separate from advertising. At first I thought it was for the charges they make for contacting your friends list, but that doesn't explain it, the fees go back before the introduced that charge.

    I think they sell NSA access. I think a substantial portion of that fee is to give NSA access to all the private profile information, all the non public graph data.

    I find it difficult to imagine a situation where Facebook has secret info, Facebook wants money, NSA has money, NSA wants info, there's no law stopping them getting it, even on US citizens, (cloud stuff greater than 6 months on USA citizens is not considered private, even if its private email, cloud stuff on non US citizens is fair game). Hence Facebook must be selling data to NSA by Occam's razor.

  16. duh .... by Dan667 · · Score: 2

    as a US Citizen I don't use them.

  17. Re:Practical impact? by __aaltlg1547 · · Score: 2

    For the most part, citizenship is not an issue. The FBI needs the same sorts of warrants to investigate a person in the USA whether or not that person is a citizen.

    Also, I find the notion that the FBI, NSA or CIA would take a deep and personal interest in the data of each and every person in the world wildly fanciful. As if they have millions analysts sifting through the mountains of data that the world produces every day...

    Of course they don't do that. They don't have the capacity to look at more than a tiny fraction of the world's data and they never will.

    But they want you to think that they have and maintain and are building capacity that will allow them to see and analyze every computer transaction in the world, break into any system any time they want and rummage through your data to their heart's content. (Like the government computer geeks do on TV shows.) Because if you think that, you will be discouraged from trying to commit a crime or try to conceal information from the United States. So the dupes on here who obsess about US government spying are really only furthering the government's agenda.

    But they also want you to think you have nothing to fear if you're not doing anything wrong. That's not quite true either. You can damn well get crossways with them without even trying and end up in a big mess.

  18. How is this news? by Anonymous Coward · · Score: 2, Insightful

    How oh how is this in 2013, news? The Patriot Act (Enacted into US law just slightly post 9/11/2001), allows the US government to access any data from any source held by a US company, whether that companies operations are within the United States, or located in a foreign country (any other country). The act also requires the company to provide all information requested by the US government, and requires the company *NOT* to disclose to any party their actions on behalf of the US Government. So it's not just data stored on US servers, the servers can belong to people in other countries, with the server physically located not in the United States. It basically makes all US companies with access to data spies for the US government under US law. There are fines, penalties (including prison) for companies disclosing that the US Government is snooping for information, and likewise for non-compliance. That members of the EU are just discovering this now is quite surprising.

  19. Re:Verisign is a US company by xaxa · · Score: 2

    http://m.theinquirer.net/inquirer/news/2083906/claims-com-net-websites-jurisdiction

    (Posting from phone, I might folllow up. Properly later.)