Researchers from the University of Amsterdam in the Netherlands have condemned the United States for allowing the controversial Patriot Act to bypass foreign laws and let Americans intercept data from persons internationally.
In a just published study, Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act, researchers from the school’s Institute for Information Law say that legislation enacted to allegedly protect the security of US citizens has in the process eroded privacy protections on a global scale.
As more and more companies and individuals across the world begin relying on cloud computing to store information digitally on remote servers, the Dutch researchers warn that the Patriot Act and the Foreign Intelligence Surveillance Act (FISA) allow for those files to be fed into the US intelligence community, disregarding privacy safeguards in place for others around the globe.
"Most cloud providers, and certainly the market leaders, fall within the US jurisdiction either because they are US companies or conduct systematic business in the US," Axel Arnbak, one of the authors of the research paper, tells CBS News. "In particular, the Foreign Intelligence Surveillance Amendments Act (FAA) makes it easy for US authorities to circumvent local government institutions and mandate direct and easy access to cloud data belonging to non-Americans living outside the US, with little or no transparency obligations for such practices – not even the number of actual requests."
Indeed, the number of requests for wiretaps on email and phone accounts under the FAA remains something that even members of the US Congress’ intelligence committee are privy to, and that’s just in regards to Americans surveilled. Arnbak and his colleagues say they are concerned by what this legislation and measures included in and after the Patriot Act can have on an international audience.
In the abstract for their study, the researchers write that the Patriot Act “has started to play a symbolic role in the public debate” because “It is one important element in a larger, complex and dynamic legal framework for access to data for law enforcement and national security purposes.” Coupled with the FAA, US laws don’t limit only Americans to invasion of privacy.
Taking into account the Patriot Act, FISA and the 2008 amendments to the act, the researchers say their report describes vast “legal powers for the US government to obtain data of non-US persons located outside of the US from cloud providers that fall under its jurisdiction.”
“Such jurisdiction applies widely, namely to cloud services that conduct systematic business in the United States and is not dependent on the location where the data are stored, as is often assumed. For non-US persons located outside of the US, constitutional protection is not applicable and the statutory safeguards are minimal,” they warn.
To CBS, Arnbak says his fellow residents of the European Union could easily be in trouble, despite local efforts to limit outside interference.
"In the US legal framework, there is a legal doctrine called 'extra-territorial jurisdiction'. This implies that cloud providers operating anywhere in the EU, or anywhere in the world for that matter, have to comply with data requests from US authorities as soon as they fall under US laws," he says.
Given that more and more members of the international community are relating on cloud computing, the researchers warn that things could only get worse for Europeans interested in avoiding Uncle Sam.
"If US government agencies have no jurisdiction over an entity operating in the Netherlands, they may submit a request for mutual assistance under such agreements," one part of their paper reads. "But in the borderless cloud, in which activities are in the U.S., there is ‘no clear obligation under US law for the US government to rely on such agreements when seeking access to data on non-US persons.’”
Last year, Microsoft UK's managing director Gordon Frazer was asked, "Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances – even under a request by the Patriot Act?"
"Microsoft cannot provide those guarantees,” he responded. “Neither can any other company."