
The Collapse of the US-EU Safe Harbor - twsted
http://blogs.microsoft.com/on-the-issues/2015/10/20/the-collapse-of-the-us-eu-safe-harbor-solving-the-new-privacy-rubiks-cube/
======
buro9
The proposals do not address the elephant in the room and the very reason Safe
Harbor collapsed: The NSA and the ability of the US government to override any
treaty to access any data using secret warrants.

It is that which killed Safe Harbor, and none of the proposals at the end of
the article would be immune to that weakness again.

It would remain the case that the proposals made would not be in line with the
clear ruling that the European court gave if the US government can continue to
override international treaties and their own courts.

~~~
Zach_the_Lizard
The European intelligence agencies were trading info with the NSA, so European
companies can be under the same sorts of threats. It's a red herring.

Personally I think this is really about protectionism and the NSA provides a
convenient excuse given European intelligence agency involvement.

~~~
Zigurd
Not all of Europe is part of the Five Eyes, or even its outer orbits. And if
they are, the relationship is not symmetric. They don't have first-party
access to US government communications, never mind, say, POTUS's cell phone.

"They all do it" is meaningless if one nation has an NSA and Greece has a
sketchy looking guy with black shoes and no socks and a tape recorder.

~~~
Zach_the_Lizard
>Not all of Europe is part of the Five Eyes, or even its outer orbits.

Five Eyes is only one such intelligence alliance. Germany, for instance,
cooperated with the NSA despite not being part of FVEY:
[http://www.spiegel.de/international/germany/german-intelligence-agencies-used-nsa-spying-program-a-912173.html](http://www.spiegel.de/international/germany/german-intelligence-agencies-used-nsa-spying-program-a-912173.html)

The Dutch, again not part of Five Eyes, tapped phone calls to pass to the US.
We don't know the full extent of which nations played a role. I'm willing to
bet it's more than have so far been revealed.

>They don't have first-party access to US government communications, never
>mind, say, POTUS's cell phone.

Germany wasn't exactly giving the US access to their government's
communications either, "just" private citizens. They did assist the US in
getting access to the French leadership, though.

>"They all do it" is meaningless if one nation has an NSA and Greece has a
>sketchy looking guy with black shoes and no socks and a tape recorder.

When the large European nations are aggressively spying on their own citizens
and then passing that info around to foreign governments in exchange for
special software or information, it sort of renders their complaints about the
NSA kind of moot. Yeah, the NSA spied on your citizens, but you helped them.

For those nations that didn't engage in this, I have a feeling not having your
data in America isn't going to prevent the NSA from getting it if they desire
it. Especially since much of that data will end up in the sorts of European
nations that are spying on their citizens and trading data with the NSA
anyways.

~~~
biafra
> Yeah, the NSA spied on your citizens, but you helped them.

I did not help them.

Either the German government did or the BND and VS did without orders from the
German government. This needs to be investigated and punished accordingly.
That is very unlikely, but at least we have a parliamentary commission (NSA
Untersuchungsausschuss, NSAUA) to investigate these wrongdoings. Some
interesting things were already uncovered by the NSAUA.

~~~
JoBrad
Well, I (a person) didn't directly help the NSA, either. I didn't vote for the
people who did it, either. But "I" (a citizen of the United States) did help
them in that I am part of the US, and I generally support the form of
government that we have.

I doubt that the BND acted without orders from the Chancellor's office, just
as the NSA didn't and hasn't acted without orders from the President.

------
hopeless
Microsoft are at the centre of another case which will really decide how badly
EU-US trade is affected:

> Microsoft stands in contempt of court right now for refusing to hand over to
> US authorities, emails held in its Irish data centre. This case will surely
> go to the Supreme Court and will be an extremely important determination for
> the cloud business, and any company or individual using data centre storage.
> If Microsoft loses, US multinationals will be left scrambling to somehow,
> legally firewall off their EU-based data centres from US government reach.

— from [http://www.irishtimes.com/business/ecj-ruling-on-irish-privacy-case-has-huge-significance-1.2382895](http://www.irishtimes.com/business/ecj-ruling-on-irish-privacy-case-has-huge-significance-1.2382895)

At the moment, data can be held within the EU by US companies and it's all ok.
If Microsoft is forced to hand over emails stored within the EU to the US
government, then all bets are off.

In that future, it may not even be enough to have an EU-based subsidiary of a
US company hold data within the EU, since it'll have been shown that the U.S.
government can coerce them.

And we like to talk about large companies like Microsoft, Apple, Facebook,
Google etc. But they can throw money, lawyers and engineers at this problem.
But the thousands of US-based SaaS apps do not have that luxury. Likewise,
there are thousands of EU-based small SaaS apps that will have everything from
their hosting stack, to their bug tracker, to their communications tools taken
off them.

~~~
_delirium
In this case, the U.S. isn't trying to get Microsoft to coerce their European
subsidiary into handing over the data; it's trying to get Microsoft U.S.
itself to hand over the data. The problem for Microsoft is that the parent
company in the U.S. has direct access to the data, without having to involve
any employees of the European subsidiary, even though the data is stored on
European servers. Therefore the U.S. government's position is that a search
warrant is valid and not extraterritorial: it's being served on a U.S.
company, asking U.S.-based employees to turn over data they have direct access
to.

Microsoft would be in a stronger position if the data on its EU servers were
only accessible by employees of its European subsidiary. Then Microsoft's U.S.
branch could respond to a search warrant by truthfully saying that they don't
have that data, and the request must be redirected to its European subsidiary.
But that would complicate its technical infrastructure, so it would rather not
do that. However, if the case turns out adversely, that's one possible
response. They could segregate access, so that credentials for access to EU-
based data are only given to EU-based Microsoft employees.

~~~
hopeless
Thanks for making that clearer.

I'm not yet convinced that a multinational could have strong enough controls
that 1 person on a team has the password but another person doesn't. In
reality, this stuff gets mixed around a lot, even if there are official
policies in place.

------
ChuckMcM
I think we'll look back at this and say "That is when the whole house of cards
collapsed." The notions of the Internet being "somewhere else" and the rules
being coded by the body legislating the person who is accessing it, are
untenable. I expect a lot of churn on the privacy, tax, and access
(censorship) policies which have grown up over the years.

Consider:

    
    
* France (and China) trying to impose content restrictions on Google results. [1]

* The EU invalidating the safe harbor privacy rules. [2]

* The recent invalidation of tax strategies in the Netherlands and Luxembourg. [3]
    

These are all _sovereign_ issues. And anyone who has ever looked at the
Internet as a "place" intuitively understands how impractical it is to have
the rules be based on that origin of the connection in meat space.

The depth and complexity of this particular confluence of concepts is really
staggering. I can not even imagine how you would establish an institution to
"rule" the Internet. I might even go so far as to assert it isn't possible.
What I fear is that what _is_ possible is the Chinese model where every
country has its own "Internet" and your ability to access it from outside, or
to leave it from inside, will be governed by some electronic equivalent of a
passport. And that idea brings the whole "identity" question really out to the
forefront of the discussion.

Very interesting challenges ahead.

[1] [http://www.teleread.com/chris-meadows/france-demands-google-censor-search-results-everywhere/](http://www.teleread.com/chris-meadows/france-demands-google-censor-search-results-everywhere/)

[2] [http://www.natlawreview.com/article/european-court-justice-invalidates-us-eu-safe-harbor-agreement](http://www.natlawreview.com/article/european-court-justice-invalidates-us-eu-safe-harbor-agreement)

[3] [http://www.thisismoney.co.uk/money/news/article-3062128/Apple-warned-face-1-5bn-bill-guilty-tax-avoidance.html](http://www.thisismoney.co.uk/money/news/article-3062128/Apple-warned-face-1-5bn-bill-guilty-tax-avoidance.html)

[http://www.wsj.com/articles/googles-tax-setup-faces-french-challenge-1412790355](http://www.wsj.com/articles/googles-tax-setup-faces-french-challenge-1412790355)

[http://www.reuters.com/article/2015/10/21/us-eu-taxavoidance-idUSKCN0SF0US20151021](http://www.reuters.com/article/2015/10/21/us-eu-taxavoidance-idUSKCN0SF0US20151021)

~~~
JoBrad
On the other hand, it could lead to a more fractured web, that is highly
segregated based on where the host is that is serving up the data. Like US
Corporate law, it could lead to a mass of companies deciding to place most or
all of their servers in what would otherwise be very silly locations.

~~~
ChuckMcM
I completely agree, it could actually make "Data Havens" practical simply
because the laws regarding them would be easier to parse. I've done a cursory
scan of the whitepapers of various think tanks but I haven't found any that
really dig into this question. If anyone sees one please link it here.

------
grabcocque
The ECJ was simply responding to a fairly obvious and fundamental problem:
your private data IS NOT SAFE in the US. The US government doesn't care and
has no intention of changing this, so expect the ECJ's ruling to stand for a
long time.

------
jacquesm
Color me impressed with the no-nonsense and respectful way in which Microsoft
tackles this. Looking forward to other tech giants following suit.

The 'privacy is dead' crowd should really take notice of this article.

~~~
jmnicolas
You know I really wanted to believe in the new Microsoft ... then I started to
notice the new telemetry patches in Windows update.

They can say whatever they want about privacy, as long as they sneakily
collect data about my computer usage I won't believe a word of what they say.

~~~
jacquesm
I try very hard to never use Microsoft products, that's for sure; let there be
no misunderstandings about that. So I can't comment on what the most recent
incarnation of Windows does but I'm well aware that Skype did not change for
the better after MS took over.

Even so, saying this as not exactly a Microsoft fan (to put it very mildly)
their _words_ (not necessarily their deeds) are spot on, this is really what
is needed and _privacy really is a fundamental human right_.

Now if they will actually act on these words it will count for something.

~~~
randomhunt
> I'm well aware that Skype did not change for the better after MS took over

While I'm acutely aware of the negative impact various changes had on privacy
(cf. the leaked documents referencing it), I'm not sure that statement is
blanketly true.

I can now have Skype running on my phone where previously it used to drain the
battery in a few hours flat. That is, personally, a huge improvement.

Another thing I've noticed is I get both better video quality (when I use
video, I prefer audio only) and I get fewer disconnects due to "network"
reasons.

~~~
jacquesm
I meant that - in case the context did not make it abundantly clear - from a
privacy perspective, not from a usability perspective.

------
BuildTheRobots
Site seems down. Copy/paste from google-cache here (too big to submit as a
comment): [http://pastebin.com/0jLCA65D](http://pastebin.com/0jLCA65D)

~~~
spython
"Legal rules that were written at the dawn of the personal computer are no
longer adequate for an era with ubiquitous mobile devices connected to my
butt." Are you sure it's from google cache?

~~~
BuildTheRobots
Ah, ok. Apparently I still have the cloud-to-butt extension installed o_0

~~~
ewzimm
This may be remembered as cloud-to-butt's finest hour. A potentially
historically significant statement made readable to the Buzzfeed crowd.

------
linkregister
Google cache:
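[http://webcache.googleusercontent.com/search?q=cache:0BKIRj96qT0J:blogs.microsoft.com/on-the-issues/2015/10/20/the-collapse-of-the-us-eu-safe-harbor-solving-the-new-privacy-rubiks-cube/+&cd=3&hl=en&ct=clnk&gl=us](http://webcache.googleusercontent.com/search?q=cache:0BKIRj96qT0J:blogs.microsoft.com/on-the-issues/2015/10/20/the-collapse-of-the-us-eu-safe-harbor-solving-the-new-privacy-rubiks-cube/+&cd=3&hl=en&ct=clnk&gl=us)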

I'm getting an Internal Server Error on the original page.

------
devy
To me the key idea from Brad Smith's post, which I don't necessarily agree
with, was this:

    
    
> Third, there should be an exception to this approach for citizens who move
> physically across the Atlantic. For example, the U.S. government should be
> permitted to turn solely to its own courts under U.S. law to obtain data
> about EU citizens that move to the United States...
    

What he's really arguing is that the EU should not invalidate the Safe Harbor
in that it breaks the Internet, and that Microsoft will provide its customers'
data access for U.S. and EU governments under "in the most limited
circumstances". In that sense, it's not something out of the ordinary compared
with what Microsoft's typical position is on this issue. They can certainly do
better than that, i.e. throwing away the server side encryption key like Apple
does for iOS devices so that they don't have the technical capability to give
out user data even if summoned to.

~~~
jvdh
To me the quote you use from the original post talks about people who move
(physically) from the EU to the US. These people remain EU citizens, but can
hardly be distinguished from US people, as they have a US address. As EU
citizens they have more rights to privacy than their US neighbors.

------
forgotAgain
He makes the issue more complex than necessary for the benefit of his
employer. There is no reason why private information needs to move across
borders without the express consent of the individual involved. At that point
the individual agrees to be bound by the rules of the country where the data
is going or no transaction is done.

Let each country have its own set of rules and have all countries respect
those rules for data located in the hosting country.

The idea that each country must be exactly the same and data is by default
available for transmission across borders is only to the benefit of
multinational companies.

~~~
aidenn0
In many jurisdictions, some rights cannot be legally signed away. Often the
requirements on a non-negotiated contract are even higher. Lastly the US
government is currently trying to coerce Microsoft into revealing data stored
overseas, so even storing data in the country of origin may be insufficient
protection.

~~~
forgotAgain
I'm not saying that no changes are needed. What I am saying is that the
proposals put forth by Smith are more complex than necessary and that the
purpose of the added complexity is to benefit his employer and not
individuals.

 _In many jurisdictions, some rights cannot be legally signed away_

In those jurisdictions there would have to be changes to allow individuals to
provide permission to move their information across borders.

 _Lastly the US government is currently trying to coerce Microsoft into
revealing data stored overseas, so even storing data in the country of origin
may be insufficient protection._

Which is why I said "Let each country have its own set of rules and have all
countries respect those rules for data located in the hosting country."

------
sbov
As a small company, stuff like this scares the shit out of me. It would be
expensive, but companies like Microsoft can survive things like this. But how
can a small company do anything but ignore it?

~~~
stoolpigeon
I work for a missions organization with ministries all over the world. We are
trying to centralize for cost and due to lack of resources but everything we
collect is pretty sensitive since it gets tied back to religious stuff. I
think we'll need to hire lawyers in every EU country to get an idea of what we
need to do - and then we'll probably need to duplicate a lot of effort to
comply and we may just not use certain tools because it will become
impossible.

------
mtgx
> Government officials in Washington and Brussels will need to act quickly,
> and we should all hope that Congress will enact promptly the Judicial
> Redress Act, so European citizens have appropriate access to American
> courts.

Well, Microsoft is wrong here to believe that the Judicial Redress Act [1]
will be sufficient. The CJEU has required "essentially equivalent" privacy
protections for EU citizens as they get in the EU.

The US Privacy Act does _not_ give them that, so this Judicial Redress Act is
a hit and a miss.

The US needs to pass a much stronger privacy law that is "at least" as good as
the one in the EU, if it wants its companies to continue to get EU citizen
data (and I assume it does). It can start by finally reforming the ECPA for
the 21st century.

[1] [http://judiciary.house.gov/index.cfm/press-releases?id=9455FA93-0026-4928-8D3A-DDB374D64472](http://judiciary.house.gov/index.cfm/press-releases?id=9455FA93-0026-4928-8D3A-DDB374D64472)

~~~
estel
From the rest of the article, I don't think he's suggesting that only the
Judicial Redress Act is sufficient as a replacement for Safe Harbour? Just
that it's a useful first step that Congress can take soon.

------
pfortuny
The excuse that the legal rules are obsolete is a red herring.

It depends on the rules.

For example: privacy of communications has no intrinsic dependence on
technology. Security of personal data requires the verification of said
security (or the commitment to it), etc...

I do not know about this specific law. But just because a law is old does not
mean that it is bad. And this is what Microsoft is saying.

After hundreds of years of slavery, it was abolished in the US in a single
day. So what? Is this bad?

