Slashdot Mirror
Europe Frightened By US 'Cloud Act', Fearing National Security Risks (straitstimes.com)
"A foreign power with possible unbridled access to Europe's data is causing alarm in the region. No, it's not China. It's the U.S.," writes Bloomberg (in an article shared by hackingbear).
"As the U.S. pushes ahead with the 'Cloud Act' it enacted about a year ago, Europe is scrambling to curb its reach." Under the act, all U.S. cloud service providers, from Microsoft and IBM to Amazon -- when ordered -- have to provide American authorities with data stored on their servers, regardless of where it's housed. With those providers controlling much of the cloud market in Europe, the act could potentially give the US the right to access information on large swaths of the region's people and companies.
The U.S. says the act is aimed at aiding investigations. But some people are drawing parallels between the legislation and the National Intelligence Law that China put in place in 2017 requiring all its organisations and citizens to assist authorities with access to information. The Chinese law, which the US says is a tool for espionage, is cited by President Donald Trump's administration as a reason to avoid doing business with companies like Huawei Technologies. "I don't mean to compare US and Chinese laws, because obviously they aren't the same, but what we see is that on both sides, Chinese and American, there is clearly a push to have extraterritorial access to data," said Ms Laure de la Raudiere, a French lawmaker who co-heads a parliamentary cyber-security and sovereignty group. "This must be a wake up call for Europe to accelerate its own, sovereign offer in the data sector."
"As the U.S. pushes ahead with the 'Cloud Act' it enacted about a year ago, Europe is scrambling to curb its reach." Under the act, all U.S. cloud service providers, from Microsoft and IBM to Amazon -- when ordered -- have to provide American authorities with data stored on their servers, regardless of where it's housed. With those providers controlling much of the cloud market in Europe, the act could potentially give the US the right to access information on large swaths of the region's people and companies.
The U.S. says the act is aimed at aiding investigations. But some people are drawing parallels between the legislation and the National Intelligence Law that China put in place in 2017 requiring all its organisations and citizens to assist authorities with access to information. The Chinese law, which the US says is a tool for espionage, is cited by President Donald Trump's administration as a reason to avoid doing business with companies like Huawei Technologies. "I don't mean to compare US and Chinese laws, because obviously they aren't the same, but what we see is that on both sides, Chinese and American, there is clearly a push to have extraterritorial access to data," said Ms Laure de la Raudiere, a French lawmaker who co-heads a parliamentary cyber-security and sovereignty group. "This must be a wake up call for Europe to accelerate its own, sovereign offer in the data sector."
When you put your data elsewhere than on your own iron, expect it to be as good as public. Everybody has known this since the beginning of the internet. Security-conscious IT folks don't do cloud, even if it costs more.
In my opinion, the Cloud Act is just an official recognition of what's already going on.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Hardly news, and this has been "news" in the computer world since the beginning.
This is not a new concern. People have been renting out hardware long before Amazon was invented, computer time has been rented out . Back in the 1960s and 1970s many mid-sized banks were hesitant to avoid computers not because they didn't trust or couldn't afford the machines, but because they didn't trust the companies who owned the machines or the governments where the computers were located. IBM with locations around the globe was the biggest and generally considered most trustworthy, but (looking up history online) you could rent computer access from Honeywell, Sperry Rand, Siemens, EMI, Olivetti, and others. Noting their location, that could mean you were subject to US laws, or UK laws, or Germany or France or Italy or wherever the computing center was located.
I recall discussions a decade ago asking how much we valued hosting our own data, if we were willing to sacrifice the security of controlling it versus the convenience of letting Google Docs control access to all our documents. There are companies who trust every bit of their digital data to Amazon or Google or other companies. They figure that the cost savings is a benefit, and they don't care about (or don't realize) the security implications.
There are companies that decide that maintaining control is important. For them, even if it would be cheaper or easier to lease out hardware remotely the value of maintaining control is greater than any cost savings.
//TODO: Think of witty sig statement
Isn't this in combination with the GDPR just going to make it plain illegal for European data controllers to put their data on US owned servers?
So, just make it impossible for even the vendor to read the (unencrypted) data. The most the vendor could do is hand over encrypted data, leaving authorities to try to decrypt it without the key. Or try to force the owner to give up the key.
One such new offering is IBM Hyper Protect DBAAS:
Hyper Protect DBaaS: the evolution of cloud databases
Getting started with IBM Cloud Hyper Protect DBaaS
BTW, this doesn't run on Intel hardware. It runs on IBM Z hardware, on dedicated cores per instance, which should minimize the potential for Spectre-type attacks.
IBM is rolling this out aggressively. How aggressively?
For now, they are handing out well-provisioned Postgres (8G memory, 80G data) and MongoDB (8G memory, 40G data) experimental instances for free.
Only reason I am not taking them up on this is that I know we won't be able to afford the price, once it is not free. I'll stick with out 1G memory Databases for PostgreSql instance for our little educational app.
Hyper Protect DBaaS (pricing)
Not an IBM shill. Just happy to not be drinking the AWS kool aid.
In a word, no. There could be some concerns in some cases, but generally not an issue.
The Cloud Act relates to what a warrant or subpeona may reach, and doesn't change anything - it just affirms what existing law, stating explicitly what had been implicit.
It says that the pre-existing power of US courts to order US companies to turn over data material to a case cannot be thwarted by the US company stashing the bits on disks which are physically overseas. That was already a bit of a "duh, no shit" to anyone who has studied law, but Congress saw fit to state it explicitly.
GDPR doesn't say you can't comply with a subpoena or warrant. It explicitly says you can comply. So no problem, there, no conflict between Cloud Act and GDPR, generally.
The one wrinkle is that GDPR says when you send data to another country, one of two things needs to be in place
A mutual legal assistance agreement
Or
The other country has approved privacy law
The US has both. A new data privacy safe harbor agreement with the US was approved by the EU in 2016, after the previous one was found lacking. We also have a Mutual Legal Assistance Agreement (MLAA).
There could be cases, however, in which a subpoena is issued which doesn't comply with the MLAA. Then one could argue complying with that particular subpeona could violate GDPR. Except we ALSO have the 2016 safe harbor agreement, so the MLAA isn't actually necessary anyway.
So in rare cases you could argue that there might be a conflict, but you'd probably lose that argument.