Europe Frightened By US 'Cloud Act', Fearing National Security Risks

"A foreign power with possible unbridled access to Europe's data is causing alarm in the region. No, it's not China. It's the U.S.," writes Bloomberg (in an article shared by hackingbear).

"As the U.S. pushes ahead with the 'Cloud Act' it enacted about a year ago, Europe is scrambling to curb its reach." Under the act, all U.S. cloud service providers, from Microsoft and IBM to Amazon -- when ordered -- have to provide American authorities with data stored on their servers, regardless of where it's housed. With those providers controlling much of the cloud market in Europe, the act could potentially give the US the right to access information on large swaths of the region's people and companies.

The U.S. says the act is aimed at aiding investigations. But some people are drawing parallels between the legislation and the National Intelligence Law that China put in place in 2017 requiring all its organisations and citizens to assist authorities with access to information. The Chinese law, which the US says is a tool for espionage, is cited by President Donald Trump's administration as a reason to avoid doing business with companies like Huawei Technologies. "I don't mean to compare US and Chinese laws, because obviously they aren't the same, but what we see is that on both sides, Chinese and American, there is clearly a push to have extraterritorial access to data," said Ms Laure de la Raudiere, a French lawmaker who co-heads a parliamentary cyber-security and sovereignty group. "This must be a wake up call for Europe to accelerate its own, sovereign offer in the data sector."

Yes, if you don't own it, someone else does.

[Frobnicator]

Hardly news, and this has been "news" in the computer world since the beginning.

This is not a new concern. People have been renting out hardware long before Amazon was invented, computer time has been rented out . Back in the 1960s and 1970s many mid-sized banks were hesitant to avoid computers not because they didn't trust or couldn't afford the machines, but because they didn't trust the companies who owned the machines or the governments where the computers were located. IBM with locations around the globe was the biggest and generally considered most trustworthy, but (looking up history online) you could rent computer access from Honeywell, Sperry Rand, Siemens, EMI, Olivetti, and others. Noting their location, that could mean you were subject to US laws, or UK laws, or Germany or France or Italy or wherever the computing center was located.

I recall discussions a decade ago asking how much we valued hosting our own data, if we were willing to sacrifice the security of controlling it versus the convenience of letting Google Docs control access to all our documents. There are companies who trust every bit of their digital data to Amazon or Google or other companies. They figure that the cost savings is a benefit, and they don't care about (or don't realize) the security implications.

There are companies that decide that maintaining control is important. For them, even if it would be cheaper or easier to lease out hardware remotely the value of maintaining control is greater than any cost savings.

American law is a double edged sword for them

[MikeRT]

The flip side of this is that if you're European and can evade being identified locally, you can use American hosts to protect your speech since federal law protects American hosts from being taken to court for speech that is legal under the first amendment.

Re:Well duh

[Kjella]

Well in this case we're talking about people who come with a court-approved warrant. As long as we're in a single jurisdiction it's only a question whether the police officers will knock on you company's door or the company next door running your servers, unless you work for the mafia or something you're just going to hand it over. And keeping it in-house doesn't actually solve the problem. It doesn't even have to involve client data.

There's two issues here:
1) Jurisdiction shopping, that despite operating in one jurisdiction you send your data to another country with more favorable laws and courts.
2) Jurisdiction leakage, that your data is unwittingly and unwillingly brought under the jurisdiction of other legal systems.

Now it's not exactly news that countries have different laws, that's one of many reasons you have legal subsidiaries. Say you're McDonald's, if you want to operate a restaurant here in Norway you have to comply with local taxes and regulations and permits and whatnot so you create McDonald's Norway, in the US you create McDonald's US and so on for each country with a simple holding company on top. So far, so good.

But now imagine if they fear some kind of price fixing investigation and say hey Norway got better privacy laws than us, let's just move the company email servers and all other non-essential data there to be operated by our Norwegian subsidiary. US courts come with a warrant, you shrug and like we have no data try the Norwegian courts. This is bad. But then you try to fix it by saying subsidiaries are puppets to a parent company, if you can instruct them then you must. That solves one problem but creates a new one.

Let's say that to reduce long term sick leave we have a program to help people get back to work, lots of gory detail on what condition you have, how it limits your working ability, what the company has done to try to accommodate you and we say this isn't just company data we're going to give it special protection and access restrictions. But then the marching orders come from the top, hand over all your data. Do you comply? If US companies can instruct their subsidiaries to comply with US law, well then Chinese companies can instruct their subsidiaries to comply with Chinese law.

The US, as usual, wants the rules to only apply in one direction. They want US courts to be able to go in and grab data from other jurisdictions, while they'll get very angry if China uses their companies as hired thugs in the same way. And they justify their hypocrisy by saying we're the good guys, it's okay when we do it. It's not okay, start respecting that these businesses operate in other countries and that here our laws take precedence and stop trying to act like world police.