In 2013, former National Security Agency analyst Edward Snowden stunned the world by revealing top-secret details of the agency’s data collection practices. Ever since, individuals and companies all over the world have been trying to figure out how to keep their data safe from Uncle Sam’s prying eyes.
The NSA isn’t content to simply vacuum data out of cyberspace, although it collects enormous amounts of data that way. It also actively undermines data security in a variety of ways. For instance, what the NSA calls “active implants” are installed on “network infrastructure devices” to conduct “targeted copying.” In plain English, this means the NSA is using sophisticated hacking tools to subvert the Internet’s security architecture at its most basic level.
One response to the Snowden revelations was for companies formerly using Internet services in the US to seek out non-US solutions. That’s cost US cloud computing companies at least $35 billion, according to a 2014 study. Of course, since the NSA knows no borders, this precaution didn’t necessarily prevent surveillance by the NSA or US law enforcement agencies. But, it created some legal barriers against it, since the data protection laws of the hosting country would presumably apply.
One of the first companies to consider this tactic was US computing giant Microsoft. In 2014, it announced that it would offer its non-US customers the option to store their data outside US borders. Obviously, it hoped to recover some of the business it had lost to non-US companies offering cloud services. The company knew this precaution wouldn’t stop all NSA surveillance. But, it was a start.
Naturally, this didn’t sit well with the Obama administration. It promptly filed a lawsuit against Microsoft demanding that it give the government access to an e-mail account hosted at a facility in Ireland. The resulting ruling declared that US companies must turn over private information stored anywhere in the world when they receive a valid demand from the US government.
Microsoft appealed the decision, and the appeal remains pending. In the meantime, Microsoft—and the Irish government—suggested there was an existing mechanism prosecutors could use to legally obtain it. That mechanism is the US-Irish MLAT, or Mutual Legal Assistance Treaty.
MLATs facilitate information exchange and asset recovery by governments in criminal investigations. But, they also respect a concept called “comity,” and that fact doesn’t sit well with the US. Comity is a rule of courtesy in which one country defers to the jurisdiction of another. Under the rules of comity, domestic courts generally respect the laws and judicial procedures of foreign jurisdictions.
In the context of the case against Microsoft, Irish law is more restrictive than US law when it comes to data disclosure. It’s easier for US prosecutors to collect data directly from Microsoft than to make an inquiry under the MLAT. So that’s what they do.
While waiting for the results of the appeal, a legal bombshell emerged. Last week, the European Court of Justice (ECJ), the highest judicial body of the European Union, invalidated an EU-US data exchange agreement. The ECJ concluded that US companies can’t be trusted to maintain EU data protection standards, due to the massive surveillance programs Snowden revealed.
Please follow SGT Report on Twitter & help share the message.