Do you want to share?
Do you like this article?
American law enforcement authorities can spy on data stored by EU citizens who choose to use US cloud services – and it is legal for them
to do so.
Former chief privacy advisor to Microsoft Europe, Caspar Bowden, has
highlighted the privacy issue in a Fighting Cyber Crime and Protecting
Privacy in the Cloud report, which was recently presented to the European Parliament.
Bowden, who co-authored the findings, referred to how the Foreign
Intelligence Surveillance Act Amendment Act (FISAAA), allows US
authorities to spy on cloud data.
‘Heavy-calibre mass surveillance’
Despite it being lawful in the US to conduct purely political
surveillance on foreigners’ data accessible in US clouds, Bowden’s
latest report argues that this has very strong implications on EU data
sovereignty and the protection of its citizens’ rights.
“Most attention continues to be focused on the US Patriot Act of
2001, which certainly contains powers for direct access to EU data, but
nothing like FISAAA 1881a’s heavy-calibre mass surveillance fire-power
aimed at the cloud,” the report said.
Although cloud computing is not a new technology, the study addresses the challenges raised by the growing reliance on it and begins by exploring how the EU is addressing associated concerns.
Loss of control
The study argues that the main concern arising from the growing
reliance on cloud computing by private citizens, companies and public
administration, is not just cyber fraud, but is the loss of control over
individuals’ identity and data.
The report says the question of privacy and data protection is
furthermore challenged by the ‘exceptional measures’ taken in the name
of security and the fight against terrorism.
It also raises concerns over the fact that the largest providers of
cloud services are legally or physically located in the US, which makes
the data processed through their cloud liable to interception and
seizure by US authorities.
Big change slips through
Under the FISAAA, mass-surveillance of foreigners (outside US
territory), but whose data is within range of US jurisdiction, is
permitted.
The recent report says that the most significant change on the scope
of the surveillance, managed to escape any comment or public debate
altogether.
“The scope of surveillance was extended beyond interception of
communications, to include any data in public cloud computing as well.
This change occurred merely by incorporating ‘remote computing services’
into the definition of an ‘electronic communication service provider’,
the report said.
Fear of industrial espionage
The concerns over cloud privacy in the EU is proving a potential
liability for some as companies turn down cloud-based services from US
providers.
UK-based defence company BAE Systems’ reported decision to abstain from using Microsoft’s Office 365 cloud-based software suite, was due to fear of industrial espionage, according to the study.
Warnings for users
The report concludes by requesting the European Parliament to make
further enquiries in relation to the US Acts. It also states the EU
needs an industrial policy for autonomous capacity in cloud computing,
and argues that no EU citizen should be left unaware if sensitive data
about them is exposed to a third country’s surveillance apparatus.
A hearing on the European Parliament’s findings of the report is due next month.
