This keeps highly sensitive requests for foreign data, under the premise of keeping terrorism-scale investigations secret, out of the public eye. Because FISA courts hold national security secrets and details of ongoing terrorism investigations, the researchers say the data can't and shouldn't be published.
"Given the nature of intelligence work, it is not possible to gain insight into actual requests for information by the U.S. authorities, other than a description of the general legal framework," the researchers write.
EU citizens 'at risk' from FISA, Patriot Act
While most Americans are aware of the Patriot Act and its wide-ranging provisions for domestic security, its role outside the U.S. border remains widely unknown.
While the researchers focused their efforts on the data protection of cloud users in higher education in the Netherlands, Arnbak, speaking to CBS News, warned that the concern over the ability of third countries to access data stored in the European Union was not limited to the Netherlands but that it "certainly" extends to the 27-member-state bloc, and even outside the European Union.
"The risk of data access by U.S. authorities to cloud data is realistic, and should form an integral part in any decision-making process to move data into the cloud," he said.
Because the Netherlands is a member of the European Union, the country's data protection laws originally stemmed from a wider directive from the European Commission.
Ratified in 1995, the EU Data Protection Directive had to be implemented in the legal systems of all member states by 1998. Therefore, every EU member state has the same foundational framework for data protection and privacy, allowing data to flow freely across member states' borders, just as EU citizens have the right to do.
"This concerns anyone with an interest in autonomy and control over access to data -- governments, businesses, nonprofits, and consumers alike. That's why the current debate on electronic health records in the Netherlands is both fascinating and very serious. It appears that nobody has looked into this risk before investing millions in taxpayer money to build these systems," Arnbak said.
He noted that businesses and governments alike, despite the additional costs, should consider in-house solutions instead of moving to the cloud. "If data is processed in-house, institutions will at the very least know of such investigations at an early stage."
Cunningham says, "There remains no credible way -- short, perhaps, of end-to-end encryption with the data provider holding the only key -- to assure confidentiality and security for cloud-stored data, whether stored in the United States or elsewhere."
"Governments and institutions seeking such privacy and security protections should, at least for now, stick to storing their own data or, perhaps, implementing national cloud solutions with robust privacy and security protections."
Because the U.S. government has "ample possibilities to request data from foreign (in this case Dutch) users of the cloud," the researchers claim, "it grants [authorities the ability] to retrieve information on a large scale, including access to complete data sets."
"In other words, these agencies may obtain information not only about a student who could pose a threat to U.S. national security but also about a student who makes an appointment in good faith through e-mail with a person suspected by U.S. authorities of drug trafficking," the researchers assert.
But this also extends outside the Netherlands to countries both in and outside the European Union. "From the U.S. legal perspective, Dutch users of cloud-based computing services therefore enjoy the same degree of [U.S.] constitutional protection as North Koreans," the study says.
However, the U.S. is not alone with laws like FISA or the Patriot Act. The researchers note that such wide-ranging provisions, which can give countries access to cloud-stored data outside their respective jurisdictions, are not limited to the U.S. "Other nation states, including the Netherlands, have comparable provisions in place for access to data in the context of law enforcement and national security."
As an example, the report points to the Dutch Intelligence and Security Services Act, which gives the Dutch security and intelligence services "the power to process the personal data of a wide range of persons." One of the sections of the law specifically carries FISA-like provisions in the Netherlands, which authorize authorities "to carry out, using a technical aid, targeted tapping, reception, recording, and interception of any form of conversation, telecommunication, or data transfer by means of an automated activity, irrespective of where this takes place."
Similarly, the Canadian Anti-Terrorism Act "replicates" many of the provisions in the U.S. Patriot Act. Ontario's information and privacy commissioner, Ann Cavoukian, said in a recent report that the act's provisions are part of the normal data-sharing process between governments.
"You can outsource services, but you cannot outsource accountability," Cavoukian says.
"Legal provisions regulating data access for intelligence and law enforcement purposes will exist in all democracies," Arnbak says.
Cunningham warns that large, multinational, private cloud companies could pose a greater risk to private and sensitive citizen data than governments.
"Many intelligence services around the world, particularly in nondemocratic countries, have no effective legal restrictions whatsoever, and are aggressively collecting massive amounts of sensitive personal, government, and commercially valuable information around the world," Cunningham says, continuing:
"Particularly with the rise of large, lightly regulated cloud data storage providers, private, multinational companies actually may have more access to sensitive, personal data than national governments." Cunningham goes on to say that such firms "assert far more authority to combine and data-mine such data for their own purposes than would the government be permitted under U.S. law."
"And, whether or not such companies would intend to misuse such data, they are far from immune from ill-motivated insiders and external hacking activities by individuals, criminal groups, and foreign governments."
As a result, many countries can also theoretically acquire data stored by companies in another country without a mutual legal assistance request -- the mechanism governments use to request help from another jurisdiction in obtaining evidence for an investigation -- if the company is required by that country's domestic law to assist, in spite of any protection offered by a third country's legal system.
This could include cloud-stored medical data, financial information provided by banks, and business documents or corporate secrets, all the way down to an ordinary user's cloud-stored iTunes music collection or the cloud-stored photos taken on a recent vacation.
Because the U.S. is home to the global powerhouses that run major cloud services -- not limited to Apple, Amazon, Google, and Microsoft -- the research is relevant to a wide range of cloud users. The report notes, however, that a company may not have to be headquartered in the U.S. to be susceptible to a data access request.
"If a company has a subsidiary or branch in the United States, it may be assumed that such jurisdiction exists, but jurisdiction may also exist in other more complex cases," the researchers assert.
Authorities, however, are more likely to be interested in the electronic communications between two or more persons, rather than a citizen's recent holiday photos.
In the case of cloud-stored e-mail, which many businesses, schools, universities, and ordinary citizens use, this can be hosted by an EU-based subsidiary of a U.S.-based parent company. U.S. residents enjoy not only Fourth Amendment protection from unwarranted searches but also additional protection from the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA), which regulate the U.S. government's access to electronically stored data, such as e-mail, in criminal investigations.
One of the strongest legal protections under the SCA, the researchers note, is the provision that requires U.S. authorities to request a search warrant from a judge, based on grounds of reasonable suspicion, if e-mail is less than 180 days old. This law came to light after the recent resignation of Gen. David Petraeus, the former director of the Central Intelligence Agency. A warrant from only a federal prosecutor is required to acquire e-mails that are older than six months.