There are so many parts to the institutions running the European Union that it's easy to lose sight of them all and their varied activities. For example, one of the lesser-known European Parliament bodies is the Directorate-General for Internal Policies. You might expect the studies that it commissions to be deadly dull, but some turn out to be not just highly interesting but hugely important.
One such is the new report "Fighting cyber crime and protecting privacy in the cloud" [.pdf]. Here's the basic background:
While cloud computing is not a new technology per se and has been developed and marketed primarily for profit-driven purposes, the growing reliance on its infrastructures and services poses a series of challenges for EU strategies and policies. This study addresses these challenges, examining the current EU framework in the field and highlighting the legal aspects in relation to the right to data protection, the issue of jurisdiction, responsibility and the regulation of data transfers to third countries.
As you can see, rather than being yet another vacuous load of nonsense about the currently fashionable "cybercrime" area, whatever that is, this latest study concerns the undeniably important cloud computing approach, and how it impacts data protection. This emphasises something that I mentioned last week: that data protection promises to be one of the really key areas for 2013.
Here's why cloud computing is problematic for data protection:
The set of relations currently defining cloud computing technologies encompasses negotiations and tensions between public authorities, private entities and public and private authorities. In this set of relationships, data protection and privacy are often objects of negotiation to the detriment of individual rights. Where cloud computing is possibly most disruptive is where it breaks away from the forty-year-old legal model for international data transfers, jeopardising the rights of the EU citizens:
Consumers' rights are subsumed into a complex mesh of contracts among private entities. Therefore, from a legal perspective, the challenge of jurisdiction is central. The legal determination of both the responsibilities and legal liabilities of data controllers and processors and the rights of the individual as 'data subject' are paramount.
Lack of legal certainty surrounding the concept of cybercrime and legal frameworks of cloud-based investigations, as well as inadequate tools to safeguard privacy and data protection increase the potential for misuses and abuses by law enforcement actors and agencies. European citizens' data are not sufficiently protected in this regard. This aspect is enhanced by exceptional measures taken in the name of security and the fight against terrorism. The US context is here particularly illuminating, both in the case of the Patriot Act and in the case of the US Foreign Intelligence Surveillance Amendment Act (FISAA) of 2008. In this case, the question of the legal framework of data transfers/processing to third countries is critical.
As this notes, cloud computing adds extra dimensions to the data protection debate because more players are involved: not just the company using the cloud computing service, and the one supplying it, but also the jurisdiction that the latter resides in – usually the US. As I wrote last week, that's already problematic because the US places greater emphasis on protecting companies using personal data than on protecting the owners of that data. But as the new report rightly points out, things are actually much worse than that:
Where the infrastructure underpinning cloud computing (i.e. data centres) is located, and the legal framework that cloud service providers are subject to are key issues, especially in a law-enforcement context where challenges to the right to data protection and to privacy are particularly stringent. These concerns have been dealt with as a business opportunity for some EU-based companies, which have advertised their services as safe from any interception on the basis of the US PATRIOT Act, and as a potential liability which has seen other companies turning down cloud-based services from US providers – such as UK-based defence company BAE Systems' reported decision to abstain from using Microsoft's Office 365 cloud-based software suite in fear of industrial espionage.
But it may be that the US PATRIOT Act is not the greatest threat here:
So far, almost all the attention on such conflicts has been focussed on the US PATRIOT Act, but there has been virtually no discussion of the implications of the US Foreign Intelligence Surveillance Amendment Act of 2008. §1881a of FISAA for the first time created a power of mass-surveillance specifically targeted at the data of non-US persons located outside the US, which applies to Cloud computing. Although all of the constituent definitions had been defined in earlier statutes, the conjunction of all of these elements was new.
The law was passed in the aftermath of allegations of "warrantless wiretapping" affecting US citizens after the attacks of 9/11. Accounts emerged in the US media in 2005 that surveillance of Internet and telephone communications had been conducted in violation of strict constitutional and statutory protections afforded to US citizens (and legal residents). In response to mounting public concern, in 2007 Congress enacted the Protect America Act as a temporary measure, which aimed to legalize whatever surveillance activities were still being conducted, and to grant retroactive immunity to telecommunications companies implicated (who would otherwise have been liable for heavy damages for their complicity).
There followed a test case at the Foreign Intelligence Surveillance Court of Review, which held definitively that the Fourth Amendment requirement for a specific warrant only applied to surveillance directed at US persons. This opened the door for Congress to enact FISAA §1881a in 2008, which authorized mass-surveillance of foreigners (outside US territory), but whose data was within range of US jurisdiction. However, the most significant change escaped any comment or public debate altogether. The scope of surveillance was extended beyond interception of communications, to include any data in public cloud computing as well. This change occurred merely by incorporating "remote computing services" into the definition of an "electronic communication service provider".
This is the bombshell that this otherwise mild-mannered EU report contains: it reveals that the data held on any cloud computing service "within range of US jurisdiction" could be intercepted quite legally as far as US law is concerned, without the need for a "specific warrant", which only applies to American citizens.
As the report goes on to explain:
This represents a sea change from the concerns expressed in 2001 by the European Parliament over the "ECHELON" system of strategic communications surveillance. Following concerns about "cookie hijacking" attacks on web browsers using wireless connections, most popular US based web sites now encrypt communications in transit, and so would not be (directly) vulnerable to interception. But FISAAA 1881a means that any data-at-rest formerly processed "on premise" within the EU, which becomes migrated into Clouds, becomes liable to mass-surveillance – for purposes of furthering the foreign affairs of the US (as well as the expected purposes of terrorism, money-laundering etc.).
As a consequence, FISAA §1881a can be seen as a categorically much graver risk to EU data sovereignty than other laws hitherto considered by EU policy-makers:
new NSA data centres constructed for storage and analysis on an unprecedented scale
the extension of scope from communications-in-transit to include data inside US Clouds
whistleblower reports of the sophistication of data analysis contemplated
the express targeting of foreign data without safeguards applicable to US citizens
a doctrine of indiscriminate collection, which only seeks to control subsequent access
Remarkably, it does not appear that the EU Commission, national DPAs, or the European Parliament had any awareness of FISAAA 1881a until mid-2011. Most attention continues to be focussed on the US Patriot Act of 2001, which certainly contains powers for direct access to EU data, but nothing like 1881a's heavy-calibre mass-surveillance fire-power aimed at the Cloud. A few EP questions have now been asked and in February 2012 Commissioner Reding speculated that any such conflicts of law arising might have to be settled at the International Court of the Hague (although the US does not recognize its jurisdiction).
The root problem is that cloud computing breaks the forty year old legal model for international data transfers. The primary desideratum would be a comprehensive international treaty guaranteeing full reciprocity of rights, but otherwise exceptions ("derogations") can be recognized in particular circumstances providing there are safeguards appropriate to the specific situation. Cloud computing breaks the golden rule that "the exception must not become the rule". Once data is transferred into a Cloud, sovereignty is surrendered. In summary, it is hard to avoid the conclusion that the EU is not addressing properly an irrevocable loss of data sovereignty, and allowing errors made during the Safe Harbour negotiations of 2000 to be consolidated, not corrected.
"Once data is transferred into a Cloud, sovereignty is surrendered": this is the key point. Even if cloud computing services are offered in Europe, provided they are owned by US companies, FISAA will apply, and the US government will be able to intercept any or all of the data held on European companies. What we know about a huge new US government data processing centre seems to confirm an intention to do precisely that:
A project of immense secrecy, it is the final piece in a complex puzzle assembled over the past decade. Its purpose: to intercept, decipher, analyze, and store vast swaths of the world's communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks. The heavily fortified $2 billion center should be up and running in September 2013. Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital "pocket litter."
And if you think encrypting your data will protect you, you may want to think again:
According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: "Everybody's a target; everybody with communication is a target."
The question then becomes: what should companies do since cloud computing turns out to be potentially toxic for non-US users of US services? Clearly, no EU company should be using any kind of US-owned cloud computing services, since that practically guarantees the data will be piped straight to facilities like the one described above.
Once people suffer economic losses as a result of this loss of privacy, they will start suing the companies that were supposed to be holding their data securely. Indeed, continuing to store sensitive personal data in US-controlled clouds now that we know such data is wide open to interception by the US government may well be construed as negligence by EU courts, with fines fixed accordingly.
That leaves two main alternatives. First, European-controlled cloud computing systems. Fortunately, setting up cloud computing infrastructure isn't hard, not least because a wide range of open source software is available in this area to ease the task. This should lead to a burgeoning of European cloud computing services once companies start realising the dangers of using US-controlled systems.
However, there may still be risks associated with those, since European police forces may also seek powers to access data held on such services. Companies for whom data security and privacy are absolutely crucial need to think about bringing the clouds in house. Again, the availability of low-cost open source solutions that scale effortlessly is hugely helpful here, especially if an enterprise already has experience of implementing free software solutions. Somehow it seems appropriate that software whose origins lie in the preservation of basic freedoms should be deployed in this way to counter toxic cloud computing's threat to them.