American law enforcement authorities can spy on data stored by EU citizens who choose to use US cloud services – and it is legal for them to do so.

Former chief privacy advisor to Microsoft Europe, Caspar Bowden, has highlighted the privacy issue in a report, Fighting Cyber Crime and Protecting Privacy in the Cloud, which was recently presented to the European Parliament.

Bowden, who co-authored the findings, referred to how the Foreign Intelligence Surveillance Act Amendment Act (FISAAA) allows US authorities to spy on cloud data.

‘Heavy-calibre mass surveillance’

Although it is lawful in the US to conduct purely political surveillance on foreigners’ data accessible in US clouds, Bowden’s latest report argues that this has very strong implications for EU data sovereignty and the protection of its citizens’ rights.

“Most attention continues to be focused on the US Patriot Act of 2001, which certainly contains powers for direct access to EU data, but nothing like FISAAA 1881a’s heavy-calibre mass surveillance fire-power aimed at the cloud,” the report said.

Although cloud computing is not a new technology, the study addresses the challenges raised by the growing reliance on it and begins by exploring how the EU is addressing associated concerns.

Loss of control

The study argues that the main concern arising from the growing reliance on cloud computing by private citizens, companies and public administration is not just cyber fraud but the loss of control over individuals’ identity and data.

The report says the question of privacy and data protection is furthermore challenged by the ‘exceptional measures’ taken in the name of security and the fight against terrorism.

It also raises concerns over the fact that the largest providers of cloud services are legally or physically located in the US, which makes the data processed through their cloud liable to interception and seizure by US authorities.

Big change slips through

Under the FISAAA, mass surveillance of foreigners who are outside US territory, but whose data is within range of US jurisdiction, is permitted.

The recent report says that the most significant change to the scope of the surveillance managed to escape any comment or public debate altogether.

“The scope of surveillance was extended beyond interception of communications, to include any data in public cloud computing as well. This change occurred merely by incorporating ‘remote computing services’ into the definition of an ‘electronic communication service provider’,” the report said.

Fear of industrial espionage

Concerns over cloud privacy in the EU are proving a potential liability for some, as companies turn down cloud-based services from US providers.

UK-based defence company BAE Systems’ reported decision to abstain from using Microsoft’s Office 365 cloud-based software suite was due to fear of industrial espionage, according to the study.

Warnings for users

The report concludes by asking the European Parliament to make further enquiries in relation to the US Acts. It also states that the EU needs an industrial policy for autonomous capacity in cloud computing, and argues that no EU citizen should be left unaware if sensitive data about them is exposed to a third country’s surveillance apparatus.

A hearing on the European Parliament’s findings of the report is due next month.
