Why data sovereignty matters

Written by Bill Mew, Cloud Strategist at UKCloud

It is easy to take certain fundamental civil liberties for granted: the right to free speech, the right to protest and the right to privacy being a few cherished examples. Unfortunately, there is a looming threat to these rights from the attitudes and approach of the Trump Administration. This might simply be a concern for US citizens if it were not for the fact that the US Department of Justice (DoJ) is seeking to extend its reach using new extra-territorial intrusion measures, which means that it could well impact us all.

President Trump’s attitude to free speech has been obvious for some time now. His relationship with the mainstream media has always been strained. Branding factual reporting as ‘fake news’ while relying on contradictory, misleading and often outright untrue claims to support views of his own is bad enough, but when he brands the press as ‘enemies of the people’, he is straying into tactics used by dictators and autocrats to delegitimise foreign governments, opposition parties, and dissenters.

More recently Trump’s response to the Charlottesville riots in which his criticism of right wing white supremacists was muted, is at odds with his reaction to protests against his own inauguration. Indeed, the US Department of Justice is not only seeking to pursue DisruptJ20, the group that organised protests against Trump’s inauguration in January 2017, but it is also seeking information on all those that ever visited its web site (information such as “logs showing connections related to the website, and any other transactional information, including records of session times and duration,” as well as IP addresses). This information could be used to identify those that even visited the DisruptJ20 site, which is to say the DoJ is effectively compiling information on all those who showed even a modicum of interest in protesting against the administration.

The President’s attitude to privacy is no less worrying. In his first week in office he extended his ‘America first’ mantra into the realms of privacy by issuing an executive order to weaken protections for data held in the US about foreign citizens. This states that: “Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

But we are safe from Trump, here in Europe, surely? Not necessarily.

All this would be worrying enough were it not for the increasing number of intrusive extraterritorial legal powers being sought by the Department of Justice as it seeks to extend its reach beyond America’s borders. These include:

  • Rule 41 – Rule 41 of the Federal Rules of Criminal Procedure was approved by the Supreme Court of the United States earlier in 2016. It came into force on 1st December 2016 when attempts by Congress to block or delay it failed. It authorised federal magistrate judges in the United States to issue warrants to remotely access data anywhere in the world.
  • Microsoft Dublin case – In 2013 a New York judge issued a warrant demanding that Microsoft turn over customer emails related to a drug case, but Microsoft argued that the warrant did not apply because the data was stored internationally. Microsoft argued that the DoJ should instead approach the Irish government through an existing mutual legal assistance treaty to access the data. Microsoft won its case in the Second Circuit in July 2016 and a subsequent split decision on appeal in January 2017 meant that the court would not reconsider its decision. However the US Justice Department (DoJ) is now seeking to appeal to the Supreme Court.
  • Google Philadelphia ruling – In February 2017, a U.S. magistrate ruled against Google and ordered it to cooperate with FBI search warrants demanding access to user emails that are stored on servers outside of the United States. Thomas Rueter ruled that transferring emails from a foreign server so FBI agents could review them locally did not qualify as a seizure because there was “no meaningful interference” with the account holder’s “possessory interest” in the data sought. “Though the retrieval of the electronic data by Google from its multiple data centres abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States.” The differentiation between retrieval and seizure in this ruling would mean that a US-based cloud computing firm could be ordered to retrieval information that it holds anywhere in the world and once retrieved to the US, it could be seized by US authorities.
  • There is also an impending deadline of December 31st by which the US Congress will need to decide whether to extend the Foreign Intelligence Surveillance Act (FISA) with the FISA Amendments Act (FAA) and its most controversial component, Section 702. This permits the government to seek out the content of Americans’ communications that have been swept up through Section 702 without any suspicion of wrongdoing, let alone a warrant, a problem known as “the backdoor search loophole.”

But we are safe if we use a UK-based cloud service provider, surely? Yes.

Many US cloud firms have sought to allay their European customers’ fear of US surveillance, by offering a level of data residency where they agree to store data in their local European facilities rather than in the US. However typically their contracts do not guarantee full protection. Not only is it common for metadata or indeed large quantities of data to be moved abroad in the event of an incident (they reserve right to take data anywhere in the world in order to support the service), but the data can still be subject to an order for retrieval from the US authorities (US-based cloud providers will always be subject to US law and to the increasing number of intrusive extraterritorial provisions) – and then subject to subsequent seizure.

It is therefore no longer simply a matter of the country in which the data is stored, but also the nationality of the service provider that matters. UK-based cloud providers on the other hand are subject only European and UK law – and post Brexit will be subject to UK law alone.

Just as we are seeing an encroachment on protections and civil liberties in the US, we are seeing ever greater protection in the UK, with the proposed Data Protection Bill (DPB), which is designed to align with the stringent European General Data Protection Regulation (GDPR). If you want peace of mind then you can be safe in the knowledge that with a UK-sovereign cloud provider that complies with DPB and GDPR, your clients’ data is safe from US surveillance and legal intrusion, from the Trump administration and from all its agencies from the DoJ to the NSA.

Comments are closed.