WingNews logo WingNews
top | item 45822902

Microsoft Can't Keep EU Data Safe from US Authorities

299 points| Mossy9 | 3 months ago |forbes.com

129 comments

order

csense|3 months ago

This applies to any company, doesn't it?

Your home country can tell you "Give us your data" and you have to comply.

"I will never give up customer data" is a very tough promise to keep, if the government threatens you with your business license being revoked, your servers and domains being forcibly seized by the police, and you personally going to jail.

(Under the current US administration, we can add "A close examination of the immigration status of all foreign nationals employed by your company, followed by probable deportation or jail" to the list of potential consequences for resisting the government.)

autoexec|3 months ago

The trick is to collect as little data as possible and to get rid of what you need to collect as quickly as you can. This is in direct opposition to the practices of companies like Microsoft which wants to spy on their users and profit from the data they collect though.

There's also an open question of how possible it is to run a system that doesn't collect/store data in a way that makes it possible to be collected by the government. The US government can force companies to compromise their systems or shut down their services if they refuse. In the past they've even threatened that shutting down a service instead of compromising it could still get operators in legal trouble.

At this point anyone who wants to keep the US government out of their data should avoid using any US company.

cesarb|3 months ago

> This applies to any company, doesn't it? Your home country can tell you "Give us your data" and you have to comply.

Not all countries have an equivalent to the USA CLOUD Act.

tremon|3 months ago

Your home country can tell you "Give us your data" and you have to comply

Not according to both Amazon's and Microsoft's historic marketing materials. They have always claimed that data stored in your local jurisdiction is not accessible to law enforcement abroad. And the US judiciary initially agreed with that: https://petri.com/microsoft-wins-appeal-data-stored-abroad-s...

...which then led to the US CLOUD act and here we are, once again, proving that the past is alterable; just like Oceania has always been at war with Eurasia.

satellite2|3 months ago

Of course. But what if the holding lives in a country that don't enforce this (or is too weak to). Then all the subsidiaries are really sovereign from the host country perspective.

It seems the solution is ages old. Don't have the holding incorporated in an empire...

throwawayffffas|3 months ago

Well yes but that is all the more reason for EU entities to use EU companies for data storage.

xorcist|3 months ago

That's not so. In a democratic state of law, the police can not unilaterally decide to seize you servers, and the politicians cannot tell the police to do so. Separation of powers is a thing.

LarsKrimi|3 months ago

> "I will never give up customer data" is a very tough promise to keep

If you don't have a spine, sure

That's what US companies are seen as from a European perspective: Spineless and untrustable

It's a great sales argument for locally grown software though, so I'm not complaining :)

idkfasayer|3 months ago

In theory, there is rule of law, the intention of which is to prevent government's access to your property and body without a court order and any emergency access such as use of force at crime scenes being subject to public scrutiny. I guess that was the idea when the USA was established as a country, but people forgot what their ancestors where fighting for.

throwawayffffas|3 months ago

> Carniaux did say that the situation had never arisen.

That's what he would say if the company was under a gag order in the US. So I would take anything they say with a mountain of salt.

alwayseasy|3 months ago

Specifically here, he is under oath in France so an American gag order wouldn't protect him from the French justice system.

This make it less likely he's lying. It could be possible Microsoft France has a "rogue" employee system where a key person only obeys to Microsoft US orders rather than his French boss and French law. Then the boss can swear to the Senate that they're complying.

This is exactly the system the US Congress accused TikTok of having set up.

jmyeet|3 months ago

An inevitable consequence of this administration destroying US foreign influence and power at an unprecedented rate is that (IMHO) it is inevitable that the EU builds their own cloud and mandates its use for EU data. It is becoming a matter of national security.

The interesting thing is that the US is acting in the exact way that they accuse China of acting. Companies like Huawei are forbidden from installing telecom infrastructure for "national security" reasons [1]. One of justifications for first banning then forcing a sale of Tiktok was because of possible Chinese government interference. It's only a matter of time before the EU and China start making the same determination against US tech giants (eg Meta executive brags about silencing dissent [2]).

This administration really is killing the golden goose.

[1]: https://www.reuters.com/business/media-telecom/us-fcc-bans-e...

[2]: https://www.youtube.com/watch?v=7eO8byuv6PE

TiredOfLife|3 months ago

Huawei is itself fully to blame. They knowingly supplied equipment to Iran.

spongebobstoes|3 months ago

I don't think that YouTube video is a good supporting piece for your point. The spokesperson says they don't want to propagate harmful stereotypes. "brag about silencing dissent" seems like a strawman interpretation

A better faith interpretation is that people are free to criticize Israel and Zionism on Meta, just not using racist tropes.

josephh|3 months ago

But then who can? No global cloud providers, including Hetzner and OVH, are free from CLOUD act because they have US presence[1].

1. https://us.ovhcloud.com/legal/faqs/cloud-act/

timeon|3 months ago

Who? You can use Hetzner and OVH proper instead of US subsidiaries. Using AWS/Azure/GC in Europe these days is pretty risky for more than one reason.

jeffrallen|3 months ago

Exoscale is a European cloud provider with no exposure to the CLOUD Act.

(I work there.)

immibis|3 months ago

Possibly only their US subsidiaries though?

dboreham|3 months ago

I'm guessing: Russia?

emodendroket|3 months ago

A bit of a "hoist by their own petard" situation since the US has been raising this specter about Chinese tech for quite some time.

jacquesm|3 months ago

Yes. For Europe there isn't a real alternative other than to painstakingly re-grow our independence. That will take a long time.

Havoc|3 months ago

The whole concept of big cloud somehow setting up sovereign clouds in Europe seems incredibly naive to me.

Every AWS employee knows where his bread is buttered - Seattle not Brussels

Yeul|3 months ago

Yep when the CIA calls every American salutes and follows orders.

rdtsc|3 months ago

Yup. I always thought it was a way just to get business in EU. Do some performative dance of "hey, look! a separate DC building with EU employees only" and then hope nobody would ask too many questions.

Then the next level is regulators in EU also have to care and can't just say "ok, you have a separate DC building with EU employees only. Good. My job is done, I checked" and move on.

penguin_booze|3 months ago

> U.S. companies can be forced to hand over data, regardless of where it is stored

s/U.S./Chinese/

Tomato <=> Tomato

varispeed|3 months ago

Governments are not exempt from Cloud Act and US providers can be under gag order, so from EU or UK government perspective, they will never know if data has been accessed by 3rd country and what happened to it.

This is actually amazing that all the tenders have not been rejected under national security grounds or simply security services (yet again) have not done the job tax payers pay them to do.

immibis|3 months ago

> they will never know if data has been accessed by 3rd country and what happened to it.

They should have arranged to get a 100 euro refund every time it happens, or 440 euros if the UK does it.

pkstn|3 months ago

Luckily we have great European cloud companies like UpCloud https://upcloud.com

jeffrallen|3 months ago

With 3 data centers in the USA, seems like they are probably subject to the CLOUD act.

eeasss|3 months ago

This is known. The problem is that the EU is hooked on us technology. I don’t see this untangling soon which is a big strategic weakness

BiteCode_dev|3 months ago

Pretty much yes. From Saas to authentication systems to OS to chips. The EU infra is entirely dependent on the US. All documents, emails, chat messages, and most forms of storage are directly or indirectly linked to an American service.

On top of that, the US can update it all remotely, including the hardware now thanks to things like intel ME.

Let's hope we never get into a conflict with them, because even without bombs, they can basically shut us down with a few keystrokes: https://www.bitecode.dev/p/the-eu-can-be-shut-down-with-a-fe...

Or at least have everything they need to develop such a capability. And it's not like the current people in power care much about alienating other countries.

jeppester|3 months ago

Anyone who's read the law has known this for years.

The GDPR is incompatible with the Cloud Act, and so the only legal (or so it should be) way to use US companies is to treat them like unsafe third countries - no matter the data center location.

But everyone wants to continue like before. Having to ensure that Amazon and Azure never touches unincrypted personal data is hard. So one "compromise" after another has been tried - never solving the actual problem.

As a EU citizen I think it's entirely embarrassing. Either the EU should have the power to force European subsidiaries to be exempted from the cloud act, or everyone should be forced to abide the law, which would greatly boost EU tech. Instead we are just rolling over.

schuyler2d|3 months ago

I can't imagine the Cloud Act being effective without Microsoft (and French gov) complicity.

If they can make successful tax shelters they can architect the entities and the architecture to remove this option.

There's some 9-eyes thing where this is a feature not a bug

1123581321|3 months ago

I wouldn't think "sovereign" EU data would be protected from US snooping either, unless the Five Eyes Plus alliance is going to be dissolved. Even then...

GTP|3 months ago

Well, not relying on US cloud would already be a giant step in the right direction, by making it significantly harder to snoop on the data.

IsTom|3 months ago

With UK out there's no Five Eyes members in EU.

blibble|3 months ago

I suspect the other 4 eyes are somewhat less willing to do the US regime's bidding these days

tempodox|3 months ago

Of course they can’t. U.S. companies are under U.S. jurisdiction, no matter where their data centers are located.

bluGill|3 months ago

This is a French company owned by a US company though which makes things complex.

thinkindie|3 months ago

I wonder why people are surprised, as this is an open secret nobody is willing to admit. And it's basically the reason we had Schrim I and Schrim II.

At the same time a massive migration from US cloud in EU to EU cloud would be a massive pain for a lot of companies in the EU.

nashashmi|3 months ago

US cloud act is definitely an overreach. Suddenly private infrastructure is now an extension of the government surveillance complex. This is the equivalent of the govt being able to put a camera on your building because they want to observe the public/private area around it.

Agingcoder|3 months ago

Maybe I’m misunderstanding something - if I store my data elsewhere , am I not supposed to encrypt it anyway, with my keys ? If the crypto is strong enough then surely cloud providers can’t do anything with it ?

cesarb|3 months ago

> Maybe I’m misunderstanding something - if I store my data elsewhere , am I not supposed to encrypt it anyway

"Cloud" is not only for storage; it's also for compute. Doing compute directly on encrypted data (homomorphic encryption) is very slow and very complicated, so when using a cloud, the data is usually either unencrypted, or encrypted but the key is elsewhere in the same cloud.

riskable|3 months ago

Another take: Microsoft admitted under oath in France that the US government doesn't care enough about French data to ever have requested any.

I'm sure if you asked the current administration what they think of France, they'd reply, "all they do is wine!"

thefz|3 months ago

The current administration will have difficulties pointing to France on a map.

shevy-java|3 months ago

Time to pull away all EU data from the Trump USA.

embedding-shape|3 months ago

I think many already started, the only reason it's starting to appear in the news is because people are making progress with the moves, and US companies are noticing it, but it's been planned and organized for a lot longer than just the last year.

spookie|3 months ago

Can assure you it has been happening for a while.

radiator|3 months ago

What difference, at this point, does it make? The EU has already surrendered any notion of sovereignty to the US in the fields of military and energy.