Yes, U.S. authorities can spy on EU cloud data. Here's how - nettizen
http://www.zdnet.com/yes-u-s-authorities-can-spy-on-eu-cloud-data-heres-how-7000010653/
EU citizens and businesses are warned against using the cloud over the risk that U.S. law enforcement and intelligence agencies can obtain your personal records. Here's how the U.S. can acquire your data, even if you're based in the EU.
======
timthorn
The assertion breaks down at this point: "So, Slicklizzard U.S. Corp.
instructs its subsidiary—which it wholly owns, and therefore can order its
London-based subsidiary to carry out actions, without reason or prior warning,
to send all of Doe's data from its Dublin data center to its U.S.-based data
center."

This involves ordering UK employees to move personal data out of the UK, and
assumes that they're willing to be complicit. Most of the teams I've worked
with would rather obey the law than a potentially illegal request from their
US colleagues.

~~~
zero_intp
Per the article, it is not against the law, under the safe harbor act.

A lawyer could argue that the FISA potential creates a situation where the USA
is /never/ a safe harbor, but would a third-tier IS/Abuse/CST goon question a
request for a legitimate type of report from above?

~~~
ithkuil
Ok, let's suppose it's not illegal to send the data to the US because of the
safe harbor act.

What is the legal ground that prevents me, let's say, a UK employee of a UK
subsidiary of a US company, from telling the press that my UK company has been
ordered by its US owner to hand over private data to the US?

I mean, I cannot possibly be forced to abide by the FISA warrant, right? But
can my company be in trouble (and hence fire/sue me? *) for this kind of
action by an employee? I mean, how can US law hold a US company responsible
for a non-illegal action performed by a non-US employee of a non-US branch of
that company?

------
DanBC
> _Former Microsoft privacy chief Caspar Bowden, speaking at a panel
> discussion in Brussels this week, warned that U.S. law allows the government
> to spy on non-U.S. citizens files and documents, and that new Europe-wide
> data protection law proposals specifically allow such surveillance._

The ancient ECHELON programme tells us that the US (and others) have no
problem spying on citizens, using loopholes to spy on their own citizens.

The horrible state of encryption means that most people can't justify
encrypted cloud storage because the cost : risk : reward and threat modelling
stuff is unfavourable.

It's pretty scary that all this stuff is ending up on random servers across
the world.

~~~
etherael
What do you mean by horrible state of encryption? Why is it high cost to make
a truecrypt container and use that as your interface? The only thing I can
think of is it's inconvenient to be unable to simultaneously mount content
from multiple places at once. That doesn't seem like an enormous cost; did you
mean something else?

~~~
DanBC
> why is it high cost to make a truecrypt container

Because normal people can barely use MS Word, how do you think they're going
to be able to use Truecrypt?

------
tonfa
The reverse is also true:
[http://www.hoganlovells.com/files/News/c6edc1e2-d57b-402e-9c...](http://www.hoganlovells.com/files/News/c6edc1e2-d57b-402e-9cab-a7be4e004c59/Presentation/NewsAttachment/a17af284-7d04-4008-b557-5888433b292d/Revised%20Government%20Access%20to%20Cloud%20Data%20Paper%20\(18%20July%2012\).pdf)

------
pathy
What if Slicklizzard US is the subsidiary, could the US still request the
information from Slicklizzard UK? Is any kind of presence in the US enough to
enforce the FISA warrant?

~~~
csense
I would assume that, if the US subsidiary decided to comply, but the UK parent
did not want them to, then the UK parent could say "no thanks" and there's
nothing the US subsidiary could do.

To punish the parent, the US government could presumably prosecute the US
subsidiary for noncompliance and, if successful, shut down all the company's
US parts (including US-based domain names like .com) and seize US bank
accounts etc.

And maybe even brand them as a terrorist organization since, clearly, if the
US government says it's a matter of terrorism, if you don't help them then
you're a terrorist (never mind that doing so would involve breaking the law of
the UK jurisdiction where you're based).

~~~
javert
_And maybe even brand them as a terrorist organization_

They are saving that for ideological enemies, such as people who hold
traditional American political values (e.g. freedom of speech, freedom from
excessive taxation).

------
confluence
All data that is not under your direct control must be assumed to be
immediately accessible by the authorities.

Thinking at the extremes is a really useful thought model because it makes
stuff like the above relatively unsurprising. It also modifies one's behavior
to protect oneself from the most likely worst case scenario.

~~~
nextparadigms
That doesn't mean citizens shouldn't fight for better privacy rights, or at
least enforce the ones they have, though. Comments like that always sound
defeatist to me.

~~~
etherael
It's not defeatist because it doesn't imply you just can't do anything about
it; it implies you should be responsible for your own key management and
encrypt sensitive data appropriately. Government agencies silently seizing an
appropriately set up truecrypt container are not a threat.

------
youngerdryas
Binding corporate rules for data processors was inserted into the European
Commission’s data protection regulation proposal with loopholes built-in which
allow for FISAAA surveillance.

