European data stored in the "cloud" could be acquired and inspected by U.S. law enforcement and intelligence agencies, despite Europe's strong data protection laws, university researchers have suggested.
A research paper written by legal experts at the University of Amsterdam's Institute for Information Law and titled "Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act" supports previous reports that the antiterror Patriot Act could theoretically be used by U.S. law enforcement to bypass strict European privacy laws to acquire citizen data within the European Union.
The Patriot Act, signed into law in 2001, granted some new powers to U.S. authorities, but it was mainly a "framework law" that amended and strengthened a variety of older laws, such as the Foreign Intelligence Services Act and the Electronic Communications Privacy Act (ECPA).
"Most cloud providers, and certainly the market leaders, fall within the U.S. jurisdiction either because they are U.S. companies or conduct systematic business in the U.S.," Axel Arnbak, one of the authors of the research paper, told CBS News.
"In particular, the Foreign Intelligence Surveillance Amendments (FISA) Act makes it easy for U.S. authorities to circumvent local government institutions and mandate direct and easy access to cloud data belonging to non-Americans living outside the U.S., with little or no transparency obligations for such practices -- not even the number of actual requests."
This holds true for requests targeted at non-U.S. individuals and for entire business records, he added.
Sophie in 't Veld, Dutch vice chair of the European Parliament's civil liberties committee, welcomed the research, adding that it "provided further evidence" to support the theory.
She told CBS News, however, that the European Commission's proposals for new data protection rules will not solve the potential conflicts posed by third country law, and that the lengthy period of time it takes for EU laws to become ratified "would not be a reason to let the situation be for several years to come."
Information security, privacy, and data protection lawyer Bryan Cunningham, who worked under both Democratic and Republican administrations, most recently as deputy legal advisor to former U.S. National Security Advisor Condoleezza Rice under President George W. Bush, told CBS News that this "important report" should "help correct a widespread post-9/11 misconception" that the Patriot Act and related legislation "provided vast new powers for the U.S. government to gain access to sensitive communications and data of non-U.S. persons."
The research resurfaces questions about the security and sovereignty of citizen and government data in an ever-connected global and borderless online world. It also supports a ZDNet report that European data protection rules do not protect EU citizens' data against extra-territorial third country law, such as that of the United States.
Months after the research was published, Microsoft U.K. Managing Director Gordon Frazer was the first to publicly admit that the software giant could not guarantee that European citizen data stored in EU-based data centers would not leave the European Union under any circumstances, including under a Patriot Act request.
"Neither can any other company," Frazer noted.
Frazer's disclosure triggered outrage among politicians in the European Parliament. Subsequently, a number of European member state governments began to question their own cloud service provisions, and in some cases banned U.S. providers from offering IT and computing services in their countries.
U.K.-based defense giant BAE Systems in the past year reneged on plans to adopt Microsoft's cloud-based services, citing fears that critical national defense secrets could land in U.S. hands.
The Dutch government is also investigating a potential conflict with third country law in regard to personal citizen passport data. Dutch social-liberal party D66 raised questions in the country's parliament after suspicions arose that U.S. authorities could potentially access Dutch fingerprint and facial scans for passports because the North Holland-based company Morpho is owned by parent company Safran, which conducts systematic business in the U.S.
U.S. jurisdiction 'extends to companies'
Cloud computing is the storing of documents, photos, music, and files online. Governments, in possession of citizen data along with their own national security secrets, are increasingly utilizing cloud services for internal government communications, hosting documents, and enabling the sharing of vast amounts of data between government departments.
For companies, schools, and universities that wish to keep their data in their home jurisdiction -- governments, most of all -- the cloud poses a new set of risks.
Because most major cloud providers, such as Apple, Amazon, Google, and Microsoft, are based in the U.S., the study focused on the provisions under U.S. law, particularly in reference to the Patriot Act, signed in 2001, and the Foreign Intelligence Surveillance Act, originally signed into law in 1978 and last amended in 2008 by Congress.
The researchers explain that businesses, schools, and universities located outside the United States -- including foreign governments -- that use cloud services offered by a company that conducts business in the U.S. could be forced by U.S. law enforcement to transfer data to U.S. territory for inspection by law enforcement agencies.
"In the U.S. legal framework, there is a legal doctrine called 'extra-territorial jurisdiction.' This implies that cloud providers operating anywhere in the EU, or anywhere in the world for that matter, have to comply with data requests from U.S. authorities as soon as they fall under U.S. laws," said Arnbak.
"These laws, including the Patriot Act, apply as soon as a cloud service conducts systematic business in the United States. It's a widely held misconception that data actually has to be stored on servers physically located in the U.S."
If it is forced to hand over EU-stored data to the U.S., the company could be found in breach of EU law, even if it is covered by both EU and U.S. legal jurisdictions.
"The key criterion in this respect is whether the cloud provider conducts systematic business in the United States, for example because it is based there or is a subsidiary of a U.S.-based company that controls the data in question," the researchers write.
Because non-U.S. residents are not protected from unwarranted searches under the Fourth Amendment, the researchers warn that this "gives the U.S. government entities concerned the statutory power to gather data on a large scale about non-U.S. citizens located abroad. And legal protection under specific U.S. laws applies primarily to U.S. citizens and residents."
However, under FISA -- amended by the Patriot Act in October 2001, just a month after the September 11 terrorist attacks -- foreigners were not the only group exposed to unwarranted searches, the Fourth Amendment notwithstanding.
"The Bush administration had intercepted the communications of Americans without obtaining a judicial warrant. The New York Times had carried reports on this from late 2005," the researchers write.
The Patriot Act also added a power to FISA which "enables the FBI to request access to business records for an investigation into espionage and terrorism involving both U.S. and non-U.S. persons."
However, while the researchers warn that U.S. law extends beyond the reach of its borders, figures relating to requests do not exist in the public domain.
The common misconception, according to the researchers, is that FISA gives the U.S. "unrestricted" or "unprecedented" access to data outside the country. FISA warrants do go through a "special court known as the Foreign Intelligence Surveillance Court (FISC)." The role of the court is to "review the acquisition of intelligence information in this way if U.S. government entities require the assistance of electronic communication service providers for this purpose."