
Microsoft regularly shared data of India bank customers with US intelligence - koolhead17
https://scroll.in/latest/900224/microsoft-regularly-shared-data-of-india-bank-customers-with-us-intelligence-agencies-dna
======
ramshanker
That is why I totally support the proposed regulation by Central Bank of India
(RBI) to mandate STORAGE of all financial transaction of Indian customers
within India ONLY [1]. VISA & MASTERCARD are pushing for "At least one local
copy is enough to comply law enforcement requests." NO. If they find India to
be a nonviable business opportunity to them with latest Indian regulations,
there are plenty local players fully capable and compliant.

As long as market is OPEN to all, there is no harm introducing "Financial data
on local servers only" regulations.

[1] https://economictimes.indiatimes.com/small-biz/startups/newsbuzz/rbi-wants-local-data-to-be-stored-in-india-raises-fresh-concerns-about-safety/articleshow/63637739.cms

~~~
mooneater
Maybe a small improvement, but in 2018 changing the physical location of data
does not of course keep it safe.

~~~
blihp
It's not about ensuring safety, it's about ensuring jurisdiction.

------
pacohope
This is an idiotic article. Read carefully before you decide what you think.

1\. Scroll anonymously reposted a poorly-written article from DNA. (First link
in first sentence)

2\. Look at the facts quoted in the article. "Banks know that Microsoft MIGHT
be sharing". (emphasis mine) What does the title say? It doesn't say what the
banks say. Banks know that it COULD happen under some circumstances. The
article title omits any sense of uncertainty and says it definitely already
has happened. Those are different.

3\. The article quotes a number of 3,036 requests for "Indian customers in the
US" which means NOT PEOPLE IN INDIA. And certainly not customers of RBI in
India (which the article would have you believe). Indian nationals living in
the US have a different expectation with respect to US law enforcement.

4\. Microsoft has issued a strong and clear rebuttal.
https://news.microsoft.com/en-in/setting-the-record-straight-on-microsofts-commitment-to-protecting-our-customers-data/

This was wild conjecture, un-sourced anonymous writing, and it was poorly
fact-checked. It looks like the author saw a single document that they didn't
understand. Then they wrote a bunch of conspiracy theory bogey-man nonsense
that has nothing to do with the document they saw.

------
kevin_b_er
Governments will need to learn the cost of doing business with US corporations
or their subsidiaries. They will need to learn that their information kept
with any US is no longer secure due to US law. Merely having it accessible to
a US corporation is enough.

~~~
pjmlp
The problem is that the only solution is that every single government brings
their whole IT stacks in land, which naturally does not scale.

~~~
toweringgoat
India is big enough to do that easily.

Other countries with sane laws can also group together to scale.

Think banking secrecy, but for cloud data.

~~~
pjmlp
The full stack from the hardware layer, FABs, all the way up to business
applications?

Yes, it is possible, easily is not a word I would use though.

------
joewee
Many people don’t realize that much of the data privacy legislation coming out
of Europe is about national security, not privacy. The legislation focuses on
data retention and data transfer policies with a core objective of ensuring
that data for its citizens are held by local companies and to discourage
foreign companies from collecting too much data on its citizens.

~~~
themihai
The local companies have to abide by the same rules as the foreign companies.

~~~
joewee
Yes but there are restrictions on holding data of citizens within servers
hosted in another country. And there is a trend to segment users into systems
hosted within that country designed to adhere to their requirements. The end
goal is data on their citizens are more easily obtainable by local government.

~~~
themihai
Renting some servers in Europe is not that big a problem. What prevents
foreign companies from using AWS-EU region and then foreign governments (i.e.
US) from accessing it?

>> The end goal is data on their citizens are more easily obtainable by local
government.

I think this is a sensible requirement, don't you think? What makes the U.S.
gov more eligible than the local gov to access their citizens data? It's not
only a national security issue, it's a local police issue as well (i.e. finding
criminals based on their digital fingerprints).

The current situation is quite ridiculous if you think about it. You can't
have global services without a global "police". As we don't have a global
police (yet) local gov try to make these global companies to store data
locally.

~~~
joewee
It is a sensible requirement but it will require a major shift in how
companies think about what data they collect and what the storage retention
policies will be.

Significant data collected on individuals across the world via social media are
held with US companies that must follow the processes put in place to provide
Law Enforcement with data regardless of the citizenship of the person, when
someone commits a crime in one jurisdiction, that local law enforcement has
the right to collect from the business, data needed to support their case.

The problem is when Bob from country X commits a crime "social media business"
may have relevant information on, how cooperative will the US company be in
helping country X? Especially if country x is politically unpopular at the
moment.

Require local subsidiaries follow data protection and retention that adheres
to local law. Everything gets much easier.

Another issue, "social media business" has a ton of information on citizens
of country X, now the citizens of country X are vulnerable to manipulation
which could disrupt the stability of country X. What do they do?

------
grezql
This is deeply worrying, it's something I feared.

Right now when I do risk analysis, I consider any american service, whether
they have servers in Europe or not as high risk. We are currently moving our
Elasticsearch to cloud and one requirement we have focused on is nulling out
the personal data before it even enters the AWS network.

~~~
pacohope
Read more carefully before you worry. You're not reading facts and making
sober decisions. You're reading a headline that isn't supported by the article
it is attached to. You have to go read up on facts and understand the cloud
before you can make sweeping judgements like this. You know very little about
how the cloud works, so you worry a bit. That's prudent. But the way to cure
ignorance is not to avoid the subject. The way to cure ignorance is to read.

------
ai_ia
Sometimes I wonder why most people of my country are so apathetic towards
these privacy related news and often debate on stupid issues of who said what.

If this would have happened to a developed country, I am guessing it would have
been a huge uproar by now.

------
nickelcitymario
> “No government has direct access to any of our users’ data,” said an
> unidentified company spokesperson.

"...unidentified company spokesperson."

If this was a true statement, why wouldn't anyone at Microsoft be willing to
hang their name on it?

~~~
pacohope
The Scroll article itself has no named author. If this article was true, why
wouldn't the author put their name to it? The answer to that is because this
is just a rip-off of a different article written by a different author, who
did put their name to it. Microsoft has issued a formal clarification on this
particular article.
https://news.microsoft.com/en-in/setting-the-record-straight-on-microsofts-commitment-to-protecting-our-customers-data/

------
gfo
I'm curious if this has anything to do with the Tech Support scams that seem
to be commonly based in India. Microsoft would have an interest in helping law
enforcement fight those schemes as many purport to be from "Microsoft
Support".

Also of note, the Bank of India said they received no requests in 2016 or 2017
from Microsoft but the first paragraph notes the ~4000 requests were made from
2014-2016.

~~~
squaresmile
I think they are two different things:

> The RBI said Microsoft agreed to disclose information on 3,036 occasions
> between 2014 and 2016 in response to more than 4,000 government requests or
> legal demand requests for data of Indian customers _in the US_.

> according to Microsoft, it had received “zero demands from the _US law
> enforcement_ for commercial enterprise content located _outside the United
> States_ ” in 2016 and 2017.

In the first sentence, I think the requests were from the RBI and not US
intelligence.

~~~
antsar
Interesting that the second quote says "content located outside the United
States", not "content pertaining to customers located outside the United
States".

They can just keep a copy in both places, allowing them to simultaneously
"have zero requests for content outside the US" _and_ "share data of India
bank customers".

~~~
pacohope
If you believe that cloud providers just copy your data willy-nilly from place
to place, you've obviously never dealt with the cloud before. They go to great
pains to earn trust by making sure that your data only lives where you put it.
You haven't read any of their documentation, you haven't looked into the
independent, third-party audits that verify that their documentation is true.
You know what region you put your data in, and the cloud provider doesn't
surreptitiously copy places without your knowledge. If your approach to risk
management is that cloud providers will do the opposite of what they write in
documentation and that the third party auditors are lying or not actually
seeing what really happens, you'll never be able to use any equipment that you
don't personally manage. You'd never be able to use a managed data centre or a
so-called "private cloud" either, because all these providers could just tell
you one thing and do another.

Then there's the simple fact that it doesn't scale to copy everybody's data to
the US. When you're as big as one of these major cloud providers, that's just
simply not possible.

