US cloud companies give up fight for privacy after CLOUD act is signed into law

Originally published at: US cloud companies give up fight for privacy after CLOUD act is signed into law - Nextcloud

The Verge reports how Microsoft and the US Department of Justice have withdrawn the Supreme Court Case about accessing data operated in different countries. The reason is that the new CLOUD Act, signed by President Trump, guarantees US access to data under jurisdiction of US companies. In other words, if Microsoft can access the data, an US court can order them to hand it over. That the data might be in a German, Dutch or Indonesian data center does not matter. For obvious reasons, this is a decision the Electronic Frontier Foundation strongly disagrees with. What does this mean for European and international companies handling data of European customers? We think that the full access guaranteed to US authorities and law enforcement means no US owned or operated cloud service can legally be used for any privacy-sensitive data of Europeans.

Giving up the fight

With Microsoft and other US cloud companies basically giving up the fight for privacy and security of their users, US legislation guarantees law enforcement and government agencies in general have full access to cloud data hosted by US companies. It does not matter if that data is located in the US, Europe, China or anywhere else. This means European companies who think they are safe and can ignore US law, using for example European-hosted services from US companies, are up for some potentially huge fines under the GDPR (or DSGVO in Germany).

What does this mean? Microsoft is pretty honest about it:

• We will not disclose data hosted in Microsoft business services to a government agency unless required by law.
• If we are compelled by law to disclose customer data, we will promptly notify the customer and provide a copy of the request, unless we are legally prohibited from doing so.

We know pretty much any request for data of companies or users comes with a so called ‘gag order’, forbidding any communication to the targeted organization or individual, so when the data is given, you won’t know. That’s one big advantage of a local data center: if you’re compelled to hand over data to a government agency, at least you’ll know and can take appropriate measures. And, of course, it can only be the government in the country you’re operating in – not the government of any country your hosting company operates in.

Serious business risk

It should be rather obvious that when the US government can compel Microsoft, Google, Dropbox or others to hand over data of users and businesses (in secret), you can count on other governments to be able to do the same. From Australia to Zimbabwe, if Microsoft wants to have a presence, they have to and promised to abide by local law. And if that law requires them to hand over data and not talk about it, they will.

Perhaps you trust government 100% with the data of your customers. Maybe you don’t. In either case, if data of your customers leaks due to incompetence or malice of any of those governments that can compel your hosting provider to hand over data; or if your customers simply find out you (or your hosting provider) handed over data to the government of Zimbabwe, China, Japan or Monte Negro, lawful or not, they can sue you under the GDPR in Europe.

Why clouds was created by powerfull corporations in first place???
Just to spy on companies and people more easilly than before that!
That’s why personal server with cloud or for company is much better solution.

Oh come on…you really think the creators of Dropbox (for example) really thought to themselves, “let’s create a system for sharing files so that the government can spy on everyone”

Let’s do a reality check here. Law enforcement can get a warrant to access your data in your house if they can show cause. Running a private cloud server doesn’t protect you from that.

It’s unfortunate that a consequence of data being stored at a central location is that it becomes easier to access data by accident (or by being hacked) and the benefit of a private cloud is that you’re less likely to be hacked but you’re not protected from legitimate legal requests.

I think the issue isn’t that Law Enforcement could get access to your cloud, I think the issue is that you would be aware that Law Enforcement has access to your cloud. Who knows who Microsoft, Dropbox, etc are farming your information out to for whatever reason. The truth of the matter is, as soon as you place any information in any of these corporate hosted clouds its no longer your information.

i agree - this is a silly idea.

i agree again: you’re not protected (you shouldn’t be anywhere if you’re acting against the law - but what if laws are compromised by a evil governement? - a completely different discussion so let’s just forget about it here) but as far as getting your house/flat/apt searched by the police is referring to germany they obstacles are set very high… only a judge can grant that… and only in very important cases and with a really good cause.
it’s much easier to receive data from big companies. even without you getting to know that the policed raided your externally stored data.

plus (the old discussion): are you sure that dropbox (or others) won’t run any algorithms on your data to search for keywords (and/or forbidden content) and thus collect at least some meta-data on you that they can sell to third-party companies?

I haven’t looked at dropbox in years but I would assume that these days you can encrypt your data so that analysis option is not possible.

Have you seen who’s on the board of directors of Dropbox? https://www.theguardian.com/technology/2014/apr/11/dropbox-condoleezza-rice-privacy-surveillance