It is easy to take certain fundamental civil liberties for granted: the right to free speech, the right to protest and the right to privacy being a few cherished examples. Unfortunately, there is a looming threat to these rights from the attitudes and approach of the Trump Administration. This might simply be a concern for US citizens if it were not for the fact that the US Department of Justice (DoJ) is seeking to extend its reach using new extra-territorial intrusion measures, which means that it could well impact us all.
President Trump’s attitude to free speech has been obvious for some time now. His relationship with the mainstream media has always been strained. Branding factual reporting as ‘fake news’ while relying on contradictory, misleading and often outright untrue claims to support views of his own is bad enough, but when he brands the press as ‘enemies of the people’, he is straying into tactics used by dictators and autocrats to delegitimise foreign governments, opposition parties, and dissenters.
More recently Trump’s response to the Charlottesville riots in which his criticism of right wing white supremacists was muted, is at odds with his reaction to protests against his own inauguration. Indeed, the US Department of Justice is not only seeking to pursue DisruptJ20, the group that organised protests against Trump’s inauguration in January 2017, but it is also seeking information on all those that ever visited its web site (information such as “logs showing connections related to the website, and any other transactional information, including records of session times and duration,” as well as IP addresses). This information could be used to identify those that even visited the DisruptJ20 site, which is to say the DoJ is effectively compiling information on all those who showed even a modicum of interest in protesting against the administration.
The President’s attitude to privacy is no less worrying. In his first week in office he extended his ‘America first’ mantra into the realms of privacy by issuing an executive order to weaken protections for data held in the US about foreign citizens. This states that: “Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
But we are safe from Trump, here in Europe, surely? Not necessarily.
All this would be worrying enough were it not for the increasing number of intrusive extraterritorial legal powers being sought by the Department of Justice as it seeks to extend its reach beyond America’s borders. These include:
But we are safe if we use a UK-based cloud service provider, surely? Yes.
Many US cloud firms have sought to allay their European customers’ fear of US surveillance, by offering a level of data residency where they agree to store data in their local European facilities rather than in the US. However typically their contracts do not guarantee full protection. Not only is it common for metadata or indeed large quantities of data to be moved abroad in the event of an incident (they reserve right to take data anywhere in the world in order to support the service), but the data can still be subject to an order for retrieval from the US authorities (US-based cloud providers will always be subject to US law and to the increasing number of intrusive extraterritorial provisions) – and then subject to subsequent seizure.
It is therefore no longer simply a matter of the country in which the data is stored, but also the nationality of the service provider that matters. UK-based cloud providers on the other hand are subject only European and UK law – and post Brexit will be subject to UK law alone.
Just as we are seeing an encroachment on protections and civil liberties in the US, we are seeing ever greater protection in the UK, with the proposed Data Protection Bill (DPB), which is designed to align with the stringent European General Data Protection Regulation (GDPR). If you want peace of mind then you can be safe in the knowledge that with a UK-sovereign cloud provider that complies with DPB and GDPR, your clients’ data is safe from US surveillance and legal intrusion, from the Trump administration and from all its agencies from the DoJ to the NSA.