I wonder how long before this gets spun pro/anti EU in the British press. Seems like once again the EU is protecting people from their governments.
Silicon Valley now 'illegal' in Europe: Why Schrems vs Facebook is such a biggie
Today's victory by Austrian privacy advocate Max Schrems in the European Court has massive repercussions for how the superpowers make law, and how Silicon Valley conducts business. And it may only get worse for America's data processing giants, very soon. Microsoft is challenging the notion that the world's data is by default …
COMMENTS
-
-
Tuesday 6th October 2015 15:25 GMT nematoad
Agreed
" Seems like once again the EU is protecting people from their gover[n]ments."
And yet there are a lot of people who want to take the UK out of the EU. I suppose that then the protections granted by the data regulations of the EU will be withdrawn leaving us to the mercy of anyone who has our personal data.
Unlikely? One of the countries who expressed satisfaction with "safe harbour" happens to be the UK, the other is the Republic of Ireland, which would, I suppose, show why their Data Protection Commissioner declined to take any action over Schrems's complaint.
I think we need someone on our side on this and the only one willing to come forward seems to be the ECJ.
-
-
Wednesday 7th October 2015 01:12 GMT Matt Bryant
Re: Lars Re: Agreed
"....and that the problem is the USA not the EU." LOL! Ignoring that the Europeans are not innocent of spying on all they can get, your presumption is that the US (in this case US government agencies such as the NSA and FBI) having access to European data is The Problem. The real problem is that view - that giving the US access is something that is wrong and needs to stop. That this is a view actually not shared by the governments of the individual EU countries is easily shown by the fact they all co-operated with the NSA in return for access to data from PRISM. Why else come up with the fudge of Safe Harbour in the first place? And, since the EU is nothing more than the sum of those individual governments with an extra layer of bureaucracy, it would seem obvious that the real view of the EU is that allowing the US access to European data is actually good but needs to be hidden from the paranoid lest they spook the voters.
So, having already shown that the EU itself doesn't actually think the US having access to European data is The Problem, let's look at why voters in Europe might think it is. Is it bad if the NSA intercepts terrorist communications? Surely not, especially if they provide information on threats to Europeans as well. Or the activities of international criminal gangs? Nope, sounds a good thing to me. So I suppose the only "bad thing" would be if the NSA actually were spying on everyone indiscriminately, not just the "bad guys". And here we can just ignore the fact that even the NSA doesn't have the resources to spy on everyone, that there would seem little other than paranoia to even suggest they would want to, and get back to the usual question the tinfoil-attired refuse to answer - if you are so sure it is a "bad thing", show me the harm done. Because despite Snowjoke's grandiose posturing he has actually provided SFA to build a case that the US agencies do anything but look for "bad guys".
Dear tinfoil-attired, your downvoting will not change the facts outlined above but will give me cause to laugh. But, for added humour value, please at least try and post a counter to the idea the members of the EU are just as eager to keep the NSA in business.
-
Wednesday 7th October 2015 09:56 GMT nematoad
Re: Lars Agreed
"... please at least try and post a counter to the idea the members of the EU are just as eager to keep the NSA in business."
Well it depends on which "members of the EU" you are talking about.
If you mean the member states then yes, they probably are all trying to spy on anyone they want.
However this decision has not been taken by the member states but by the ECJ. This is the independent judicial arm of the EU. Its decisions are binding on the member states and give EU citizens a way of holding said states to account, so that if Schrems was to make a similar complaint now he would have a much stronger footing.
Of course politicians in the member states will all say that they accept the court's decision, they have no choice, but will then go about subverting and sidestepping the new regulations as fast as they can. Being believers in the saying "One rule for us, another rule for them" they will try and carry on as usual but with the threat that if they are caught out they will get hammered.
So it's a step in the right direction. We the citizens now have a powerful stick with which to beat the spies when they get caught, but everyone must keep watching. The powers that be won't give up their lazy ways and stick to the new rules and it's up to us to try and make sure that they do.
-
Wednesday 7th October 2015 13:24 GMT terry doyle
Re: Lars Agreed
"So I suppose the only "bad thing" would be if the NSA actually were spying on everyone indiscriminately, not just the "bad guys". And here we can just ignore the fact that even the NSA doesn't have the resources to spy on everyone,"
Once data is stored .. the data crunching power will come along sooner or later to trawl through it. You are saying no one will want to?.. maybe.
-
Thursday 19th November 2015 18:35 GMT Anonymous Coward
Re: Lars Agreed
In case you have not been paying attention - starting years BEFORE 9/11, the NSA was already pouring money into huge data centres and putting intercepts into every fibre link they had access to (inside and outside of the USA). The forerunner of the massive data sifting engine that the NSA now has, existed BEFORE 9/11, and was simply expanded on.
After 9/11 all bets were off. The US spook agencies used court orders and federal "secrets act" gag orders to forcibly get all the data they wanted, while keeping the people at the telecoms and big web providers & phone manufacturers silent (or else). Either you cooperated with their breaking the law or you were "de facto" a terrorist.
And what data was being acquired?
Snowden made it very plain that a common pastime of contractors with the NSA is looking at the sex photos & sex videos taken from people's cell phones. These are images taken off of phones without any warrants at all. They are from RANDOM people's cell phones. I do not mean those photos grabbed as they passed through the cell network (with a FISA warrant) although they definitely have all of those too. If it is on your phone, or was on your phone, they have it stored somewhere. The size of the server farms they are running is ungodly huge.
So there is no secure data. The NSA put their own 'spook' contractors into every I.T. company (and government agency that dealt with "security"). They compromised the standards, and broke the code. We also know all of that from Snowden.
The truth is that SSL has been broken for years now. The spooks have no intention of cooperating with the courts, or the people. They want your data and they will have it. None of this is new anyway. The US was taking data from the sat network with PRISM ages ago (including aiding in corporate espionage). Germany is one of the world's biggest pipes of data to the NSA. They want "easy in" back doors for the few larger systems that do not already have them. However a "back door" for ANYONE rapidly becomes a back door to EVERYONE.
Here is a big part of the problem. Aside from the terrible infringements on privacy, businesses MUST have privacy to do business. Intellectual property is very valuable. Right now there is no security that is meaningful, on any system on any network. Not any more. We need unbreakable hard encryption just so that business can (again) have the ability to do business properly.
Meanwhile the spook agencies continue to grab all the data they can find, no matter what it is.
One of the points made over the recent Paris attacks and those in Turkey is that indiscriminate mass surveillance creates a MASSIVE body of information that is impossible to meaningfully search. Sure there is face recognition done on every photo taken at every stop light and bank camera, and security camera (guess what FACEBOOK, Instagram, et al. are used for). So they have a lot of data - a lot of it was illegally seized even by the "overly broad" quasi-legal powers of the NSA. However there is so damned much of it that NOBODY (not even the best A.I. in the world) can sift through it in a meaningful manner.
So we have lost all privacy. The NSA has a search system similar to GOOGLE for their own in house use (and they have been giving limited access to it to large police agencies) and we are all in that system.
In return all we have gotten out of the process is a bunch of unethical NSA contractors fapping over people's private images.
And then we have the Patriot Act (and others) which give the US draconian and near unlimited powers, in the USA and OUTSIDE of it. Businesses just *cannot* refuse an order to provide them unlimited data access. Saying no is officially "treason", at which point they can do anything they want to those who say no.
Google, Facebook, Apple, Viacom, Comcast...and every other large business out there has been FORCED to let the NSA wander through their data, and store anything they want for later. Apple has been on the "shit list" of the NSA ever since they started modifying their phone OS so it is less possible to SPY on at will.
The only game in town is a VPN paired with an ONION server connection, and every copy of ONION software that is downloaded results in a "watch order" on the person who grabbed the software.
-
Saturday 5th December 2015 23:18 GMT Gary Bickford
Re: Lars Agreed
It's worth adding that most of the objectionable provisions of the Patriot Act were already in place for use in the "War On Drugs", and had been in use for years. How do you think they nabbed that Panamanian dictator (and former CIA contractor), and all those Colombian drug lords?
-
-
Saturday 5th December 2015 23:18 GMT Gary Bickford
Re: Lars Agreed
In today's climate (no pun intended), the only real limitation is the cooling capacity of computing facilities. NSA's Signals Division spends more on computing than NASA's entire budget. Of course, that is matched by the National Reconnaissance Office and USAF satellite surveillance, which is also more than NASA's entire budget.
-
-
-
Wednesday 7th October 2015 01:13 GMT Uffish
Re: Agreed
I would like some form of legislation that says that being in possession of any piece of 'private and personal' information is illegal unless it has a clear, auditable link to specific, named permission from the subject. Won't happen of course. Big Brother is watching us all and taking copious notes.
-
Saturday 5th December 2015 23:18 GMT Gary Bickford
Re: Agreed
IIRC at one time Sweden had a very strong privacy law, and an enforcement arm that could go into any business to assure that they weren't storing personal information unnecessarily, nor passing it to anyone else without permission. But that was a long while ago, IDK what the present situation is.
-
-
-
-
Tuesday 6th October 2015 18:24 GMT ckm5
EU not interested in protecting the people from their gov'ts....
... this is all about making sure the data is easily available to EU gov'ts and that there are jobs for Europeans at large foreign firms.
AVG proved what a joke EU 'privacy' regulations are - all you need is to store your data in the EU, then you can do whatever you want with it, including handing it over to any gov't without due process.
Max Schrems is a fool if he thinks this makes any difference, your data is safer from EU gov'ts if it is in the US (although not safe from the US gov't) - and vice versa (nach).
I'm sure all the EU spy agencies are opening champagne today as Schrems has done something they have not yet managed to do, e.g. ensure they can always access citizen data. If Schrems thinks that this will stop access to data, well I've got a bridge for sale.
Up next, mandatory data retention..... You know it's right and good for you.
-
Wednesday 7th October 2015 01:13 GMT Yet Another Anonymous coward
Re: EU not interested in protecting the people from their gov'ts....
The concern isn't the spy agencies. The spy agencies will get all your data whether it is in the UK, EU or USA, whether it is legal or not.
The issue is the commercial use.
A US company wants access to all your medical records before giving you a mortgage?
Illegal in the EU, but without safe harbor all they have to do is copy your data to the US (or some island with no Data Protection), check your "lifestyle choices" for insurance risks and then their EU subsidiary can use the conclusion without you having any knowledge.
-
Wednesday 7th October 2015 01:15 GMT Anonymous Coward
Re: EU not interested in protecting the people from their gov'ts....
Max Schrems is a fool if he thinks this makes any difference, your data is safer from EU gov'ts if it is in the US (although not safe from the US gov't) - and vice versa (nach).
Nope, for a whole raft of reasons, the simplest one is that data in the US is simply not protected as well, even if that data is of a US citizen. At present we're very focused on EU vs US, but we're overlooking the fact that US people actually have the same problem and would indeed be better off hosting in the EU. That would not protect them from legal requests for data (nor should it, that is a law enforcement tool), but it would keep their data safe from the US mass surveillance.
We have to be careful with generic terms here - "US" also includes US citizens, who are people just like you and me (although possibly better armed) who are just as entitled to privacy, and who (as far as I can tell) don't exactly get it either. When we start looking for solutions we have to take a step back and keep a bigger picture in mind because I do not think this can be solved in isolation. We can START in isolation, sure, but the answer lies in working towards a solution that works on both sides.
-
Wednesday 7th October 2015 04:34 GMT veti
Re: EU not interested in protecting the people from their gov'ts....
@AC: Who the data is about, is not really relevant, except in that it establishes who has standing to sue. An American citizen who lives in France and provides his data to a company in Belgium? - their data is "protected", for whatever that's worth, by the European directive, and the person's citizenship is irrelevant. And anyone who lives in the US is subject to - and protected by - US law, regardless of citizenship. (The 14th amendment makes it unconstitutional to make special protections only apply to "citizens".)
The issue is that if you give consent for anyone in the US to access your data legally - then that person can be compelled under US law to access that data without your consent, e.g. to pass it on to the NSA, regardless of any local law elsewhere that says they can't. That's the case Microsoft is fighting right now.
As for who is "entitled to privacy" - that's easy, no-one. Or everyone. It depends on what you mean by "entitled". And "privacy", come to think of it. To me, "privacy" means that my personal shit is shared only with my knowledge and consent. When I do stuff online, I know spooks can track it, and by the act of doing it online I could be said to "consent" to that, and therefore my privacy is not really being violated. QED.
And what I'm "entitled" to is what the law, as interpreted by the courts, says it is, no more and no less. My entitlement, and yours and everyone else's in the world, changed with this ruling. That's why it's a big deal.
-
Wednesday 7th October 2015 13:24 GMT Anonymous Coward
Re: EU not interested in protecting the people from their gov'ts....
And what I'm "entitled" to is what the law, as interpreted by the courts, says it is, no more and no less. My entitlement, and yours and everyone else's in the world, changed with this ruling. That's why it's a big deal.
I think that your rights have not changed one iota by this ruling. They have been clarified and so freed from the nebulous clouds of BS that US vendors have been using to shield users from the truth (and thus protect their income), but the rights in play already existed for quite some time.
It is very important to keep this in mind because it will help you understand why the noise coming from the US is drama rather than substance - they have known this for ages, but have been milking your ignorance of the law for all it's worth. Don't be blinded by just more BS.
-
-
-
-
-
Wednesday 7th October 2015 00:55 GMT Matt Bryant
Re: James 51
"....Seems like once again the EU is protecting people from their goverments." Sorry, but that comes across as an incredibly naive take on the EU. Apart from the fact the various EU governments and their spook agencies have all been party to the NSA activities, most (if not all) of them already spend plenty of time on their own efforts intercepting both traffic from their own citizens and those abroad (look up Frenchelon for a start). The only difference is the NSA did it bigger and better, which is why the EU spooks wanted in on the deal. Those same governments then form the EU system and make the political decisions that guide the lumbering EU monstrosity. To put it quite simply in terms the tinfoil-attired might comprehend, the EU data crooks are driving the data bus and simply trying to make it look like they aren't co-operating in the data heist with the US data crooks.
This whole repeal of Safe Harbour is simply EU political window dressing - no-one is going to stop Faecesbook's or Google's Internet traffic going out of Europe today, tomorrow or next week. There may be some polite queries as to what safeguards those companies are going to put in place, to which I predict the companies will respond with some sweet nothings, and eventually they will thrash out a new compromise (all data going to the US is encrypted whilst in transit and at rest, ignoring that as the key-holders the US companies can still be ordered to decrypt and hand over the data in the US) and business will proceed as usual.
-
Wednesday 7th October 2015 13:24 GMT Barry Mahon
Re: James 51
Schrems argued with the Irish DC that he hadn't agreed that Faeces,... could send on his data. The ECJ said ok, maybe, it depends on the smaller print, BUT, the general shopping bag that the EC agreed with the USA has no right to be assumed as the carte blanche, that is the crux. It would not be so bad if we hadn't learned from Snowden and the post 9/11 stuff in the Patriot Act, etc., what the US could/would do with the data.
I would never agree that the EU/EC has any interest in protecting any of us, they are driven by pols. We on the other hand have an interest, or some do, and Schrems has provided a better mousetrap.
-
-
-
Tuesday 6th October 2015 14:55 GMT Anonymous Coward
On the other hand, could we in the EU grow some companies to rival the big US Tech firm's services?
That is the exact problem. Someone who has a bright idea in the US can easily find someone to sponsor them (as witnessed by the ease by which Peeple got both investment and publicity) and then has a large market to sell into. In the EU, the first problem is that investment is a lot harder to get, the second problem is marketing across all the different countries who still all have their own laws and language. The result is that anything large can only grow if it has political friends or Really Big Money behind it.
The short version is that we can't, and thus need at least US technology. Services less so.
-
-
Tuesday 6th October 2015 12:52 GMT Quentin North
Mainly a public sector issue
For the public sector this effectively rules out the use of most cloud services as we are required to protect personal data and not transfer it to other jurisdictions without protection. Goodbye Office 365, Google Apps etc., hello on-premises data centre, Exchange, etc.
-
-
Wednesday 7th October 2015 00:51 GMT TheVogon
Re: Mainly a public sector issue
"Goodbye office 365"
Office 365 is one of the few such services that you can set to retain your data only within the EU - which can be enforced by DRM (secured by Thales hardware HSM systems) that is specifically designed not to be accessible from the US if that's what you want...
-
Wednesday 7th October 2015 09:56 GMT Anonymous Coward
Re: Mainly a public sector issue
Please pardon my ignorance, but I thought that one of the design principles of the internet was fault tolerance, and so if your data can't get from A to B directly, it'll automatically try another route. Which could in theory mean someone in the UK trying to access data held in the UK but it travelling a circuitous route via one or more foreign countries. And if one of those countries happened to be the US, we're back to square one, surely? Or am I missing something? (I expect I probably am, I'm no expert in this...)
-
Saturday 5th December 2015 23:19 GMT Gary Bickford
Re: Mainly a public sector issue
I'm not sure, but if an encrypted copy were sent to another jurisdiction (e.g. USA), but the keys were never sent out, that might provide backup with reasonably secure privacy. It would have to be sent back to EU before decryption, slowing things down a bit, but small price. The USA copy could be safely 'disclosed' in its encrypted form without violating privacy. Of course it would be necessary to use multiple keys, at least one for each small unit of data like a file.
It would also be useful to store the encrypted data on drives with Full Disk Encryption, with the disk key(s) also stored in a special system outside the jurisdiction. The US Fifth Amendment actually protects against forcing a person to disclose a password to an FDE drive, _if_ the person has never written it down or disclosed it to anyone (verbally, email, whatever). The court case regarding a corporate person's privacy and what constitutes disclosure if the data is on a special server would be interesting.
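The split proposed in the comment above (per-file keys that never leave the home jurisdiction, only ciphertext sent to the remote backup site) as an added Go example; it is not code from the thread or from any product mentioned in it. `DataKeyStore`, `ExportedFile`, `Seal` and `Open` are names assumed here, the "home" and "abroad" stores are constructed stand-ins for a key server and a backup site, and AES-256-GCM from the Go standard library does the encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DataKeyStore stands in for the key-holding system that never leaves the home
// jurisdiction (hypothetical; a real deployment would use an HSM or KMS).
// Only key IDs travel with the ciphertext.
type DataKeyStore struct{ keys map[string][]byte }

func NewDataKeyStore() *DataKeyStore { return &DataKeyStore{keys: map[string][]byte{}} }

// newDataKey mints a fresh 256-bit key for exactly one file under a random ID,
// so disclosing one key can never expose another file.
func (s *DataKeyStore) newDataKey() (string, []byte, error) {
	buf := make([]byte, 40) // 32 bytes of key followed by an 8-byte ID
	if _, err := rand.Read(buf); err != nil {
		return "", nil, err
	}
	key, keyID := buf[:32], fmt.Sprintf("%x", buf[32:])
	s.keys[keyID] = key
	return keyID, key, nil
}

// Lookup returns the key for an ID, or an error if this site never held it.
func (s *DataKeyStore) Lookup(keyID string) ([]byte, error) {
	key, ok := s.keys[keyID]
	if !ok {
		return nil, errors.New("data key not held at this site")
	}
	return key, nil
}

// ExportedFile is the only thing that leaves the home jurisdiction: a key ID,
// a nonce and AES-GCM ciphertext, but no key material.
type ExportedFile struct {
	Name   string
	KeyID  string
	Nonce  []byte
	Cipher []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one file under its own fresh key with AES-256-GCM. The file
// name is bound as associated data, so a ciphertext cannot be re-labelled.
func Seal(store *DataKeyStore, name string, plaintext []byte) (ExportedFile, error) {
	keyID, key, err := store.newDataKey()
	if err != nil {
		return ExportedFile{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return ExportedFile{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ExportedFile{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	return ExportedFile{Name: name, KeyID: keyID, Nonce: nonce, Cipher: ct}, nil
}

// Open reverses Seal. It succeeds only where the matching key is held, and it
// fails on any change to the ciphertext, nonce or bound file name.
func Open(store *DataKeyStore, f ExportedFile) ([]byte, error) {
	key, err := store.Lookup(f.KeyID)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Cipher, []byte(f.Name))
}

func main() {
	home, abroad := NewDataKeyStore(), NewDataKeyStore() // keys stay at home; the backup site holds none
	f, _ := Seal(home, "patients.csv", []byte("constructed sample record"))
	_, err := Open(abroad, f)
	fmt.Println("decrypt at backup site:", err)
	pt, _ := Open(home, f)
	fmt.Println("decrypt at home site:", string(pt))
}
```

Handing the backup site only `ExportedFile` values means a disclosure there yields ciphertext plus key IDs, while any restore still has to go through the key store at home.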
-
-
Wednesday 7th October 2015 09:05 GMT Anonymous Coward
Re: Mainly a public sector issue
O365, was, and is a solution to a problem that only Redmond ever had.
Amen to that. The problem was "how to squeeze revenue out of something that everyone already has when we can't get away with changing the document format anymore". That's also why they're trying to move to a subscription model but they couldn't just be satisfied with a license ping every so often, no, in typical MS style they tried to go the whole hog and grab personal data. I can see that becoming a bit of a problem now :).
Not that this a problem I have, mind - I've been using LibreOffice for years on Windows, Linux and OSX as it's the only solution where the UI has been left usable and fidelity remains consistent regardless of platform. It doesn't just save us money, it saves time.
-
-
Tuesday 6th October 2015 15:35 GMT Simon Hobson
Re: Mainly a public sector issue
> Goodbye office 365
Actually, that is probably one thing you can use ! Read up on the Microsoft vs DoJ case. If MS have done things properly then the US company won't be able to hand over the data - one of two things will happen :
1) They win, and the DoJ is told to FOAD
2) They lose, the US officers instruct the Ireland officer to hand over the data. The officers in Ireland tell them to FOAD as it would be illegal. The US officers return to court, and point out that they cannot obtain the information.
I really hope option 1 happens. Option 2 would open so many more cans of worms than today's ruling - not least would be the farcical situation where US officers of the company would be unwise to set foot in Europe, and European officers of the company would be lunatics to set foot anywhere under US control !
If option 1 does happen, then it'll demonstrate that given the right structure it is possible for a US based company to comply with both US and EU law. The key is that Microsoft Ireland is a separate legal entity to Microsoft US, and Microsoft US have no access to data held by Microsoft Ireland. At least, that's what they are claiming.
-
Tuesday 6th October 2015 16:18 GMT Anonymous Coward
Re: Mainly a public sector issue
given the right structure it is possible for a US based company to comply with both US and EU law. The key is that Microsoft Ireland is a separate legal entity to Microsoft US, and Microsoft US have no access to data held by Microsoft Ireland. At least, that's what they are claiming.
I do this for a living, and sadly, that's not how it works. The problem is leverage. MS Ireland is a subsidiary of MS US, and is thus controlled by MS US in both organisational and monetary/investment terms. The DoJ will thus claim that MS US has the means to get that data and will fine them for non-compliance if they don't cough up. As the main article stated, this is for fairly sensible reasons but rather inconvenient for Microsoft.
There is another vector at work here too: how do you get to legally force data out of a US outfit? In the US, post 9/11 there are so many routes to demand legally supported access to information it is a miracle that this hasn't leaked earlier although part of that can be attributed to VERY, VERY persistent refusal to even discuss the problem in public, which is something that now no longer can be avoided. If you're an EU business outsourcing to the US I'd start looking at what part of that data can be considered private and find a way to separate that out before it becomes ugly. This story is long from over.
-
Wednesday 7th October 2015 01:13 GMT Yet Another Anonymous coward
Re: Mainly a public sector issue
And without EU wide safe-harbor rules, the USA can negotiate a special treaty with Ireland where the USA has access to all data held in Ireland. If Ireland doesn't sign then all those US companies can switch their EU-HQ to Luxembourg or some other European country that says yes.
-
Wednesday 7th October 2015 01:15 GMT Rol
Re: Mainly a public sector issue
Yes, agree.
I posited that US data wranglers would be forced into partnerships with EU companies only the other day. The US company would front up the infrastructure costs to get their EU partner to where they need to be and then garner royalties from licensing their brand name and IP.
The EU company wouldn't be subjected to the Patriot Act and its US partner would no longer need to support such a monstrously fat pipe to the NSA.
It could work, and it could also see many more European IT jobs in the offing.
-
Wednesday 7th October 2015 10:48 GMT Anonymous Coward
Re: Mainly a public sector issue
That will work as long as the US organisations and those offering the service make indeed sure that there is no possible leverage (typically, investment and finance are dangerous routes).
There are a few legal kinks you have to work out, mainly on the contractual front, but yes, it is possible and at the moment it's even essential for a US company if it wants to retain its EU customers.
-
-
-
-
Wednesday 7th October 2015 01:14 GMT Hairy Airey
Re: Mainly a public sector issue
Actually there is at least one cloud provider that ensures your data stays within the EU. The one I'm thinking of allows you to store it all in the UK. Very good news for them this announcement.
The competition of course need to get the ability to keep cloud data within the EU sorted. I wonder how many companies have been using cloud companies but not mentioning that some of their users personal data is being stored in the US?
-
Wednesday 7th October 2015 09:05 GMT Anonymous Coward
Re: Mainly a public sector issue
I am no MS fan, but MS has datacenters in the EU, the only issue is that they would need to store the data in the EU DataCenters... A simple choice by region when choosing provider? even now it makes sense to store it in the EU to save on transmission time between EU and US..
Although I disagree with the gmail argument in the text...
If I email someone with a gmail.com email address, you assume it is US based right?
-
Wednesday 7th October 2015 13:24 GMT Anonymous Coward
Re: Mainly a public sector issue
If I email someone with a gmail.com email address, you assume it is US based right?
Let's not do assumptions, I just dug up the 5 machines that handle email for gmail.com.
Here is the list:
74.125.200.27
74.125.25.27
173.194.72.27
74.125.136.27
74.125.204.27
Paste that list into http://www.ipligence.com/iplocation and see for yourself.
-
Wednesday 7th October 2015 16:14 GMT Vic
Re: Mainly a public sector issue
I am no MS fan, but MS has datacenters in the EU, the only issue is that they would need to store the data in the EU DataCenters
No.
They are already in court fighting exactly that case; if they win, then what you have said above is (almost) true.
But at present, they are legally obliged to hand over any data they "control" - i.e. any data in any data centre in the world over which they have any power.
Vic.
-
-
Wednesday 7th October 2015 13:24 GMT h4rm0ny
Re: Mainly a public sector issue
It's not necessarily goodbye to those tools. Google might have a bit more of a problem technically (educated guess, not fact), but MS could very easily spin up a distinct European Azure and I'm certain that Amazon wouldn't find it any harder. Indeed, both already have the infrastructure in place and putting the necessary data segregation in place would be fairly straightforward (at least for the architects of such epic projects as AWS and Azure it would be).
And if the question is a legal one, well MS could certainly license the Azure technologies to some European countries. They essentially already do this as MS Server and many of their own commercially available tools are the same as in Azure. In business terms, licensing "AWS" might be a little harder but again, hardly insurmountable. In both cases, find a large European company as a front, and away you go.
-
-
Tuesday 6th October 2015 12:52 GMT alain williams
A future Enron
The argument here is complete bollocks. If data were held in, say, Ireland the USA would need to request an Irish court to release the data. If the Irish court was satisfied that there is good reason then it would probably order a release of the necessary documents, much as it would agree an extradition of a person.
Requesting a court in the USA for access to data held in the USA is also what the FBI should do, but it is just much simpler for them to go & grab it.
What this will stop is fishing expeditions and the use of data for purposes other than nailing criminals. There has long been a suspicion about the USA helping themselves to trade secrets.
-
Tuesday 6th October 2015 15:25 GMT JetSetJim
Re: A future Enron
> If data were held in, say, Ireland the USA would need to request an Irish court to release the data
I guess the DoJ are arguing that as Microsoft (US) doesn't need to ask an Irish court for permission to get data from Microsoft (Ire), therefore they can compel the data transfer internally so that they can get it from MSUS.
Doesn't make it right, of course, but that's the Land of the Free(TM) for you.
-
Tuesday 6th October 2015 15:25 GMT Raumkraut
Re: A future Enron
The argument here is complete bollocks. If data were held in, say, Ireland the USA would need to request an Irish court to release the data. If the Irish court was satisfied that there is good reason then it would probably order a release of the necessary documents, much as it would agree an extradition of a person.
In the Microsoft case, the US government could indeed have asked the Irish courts for the data. The fact that they haven't, and are pushing this issue through the US courts, suggests to me that this is not about getting this particular data from Microsoft, but about setting a precedent.
If the US government can get a legal precedent set, that US corporations must hand over data wherever it lies, then they wouldn't have to get cooperation from, or even inform, other nations that information was being requested.
-
Wednesday 7th October 2015 09:56 GMT alain williams
Re: A future Enron
If the US government can get a legal precedent set, that US corporations must hand over data wherever it lies, then they wouldn't have to get cooperation from, or even inform, other nations that information was being requested
But getting a legal precedent will be in a court in the USA, not Europe.
Data held on a server in Dublin owned by an Irish subsidiary managed by Irish employees is still going to be subject to Irish/EU law. When the USA parent company is ordered to order an Irish employee of its Irish subsidiary to do something against Irish law we are going to see an interesting conflict. If the parent company tries to order a sacking, will the subsidiary be allowed to comply, or find itself having to pay compensation?
Time to order the popcorn by the mega bucket load.
-
Wednesday 7th October 2015 14:57 GMT Anonymous Coward
Re: A future Enron
Do you really believe someone in Seattle doesn't have RDP/SSH access to systems in Ireland? They really don't need to ask someone in Ireland to perform that; they can do it from the US. MS could have easily complied, but they knew that once the news had spread, nobody would trust their EU systems any longer.
The FBI wanted a US precedent because that is where it can find a judge allowing them access to data stored abroad, without the nuisance of asking the locals; the data are just a remote session away, aren't they?
-
-
-
Tuesday 6th October 2015 15:35 GMT Anonymous Coward
Re: A future Enron
The issue is not a future Enron, where probably a foreign court will send data to the FBI following the bilateral agreements. The issue is when the FBI & friends want to access data a foreign court will probably deny them access to. They are trying now with a drug dealer case because they hope to make people think "hey, it was a fucking drug dealer, the FBI is right!", but once it works for a drug dealer, it will work for any case where you can find a US judge issuing you a warrant to access a foreigner's email... and the FBI does a lot more than going after drug dealers...
-
Wednesday 7th October 2015 00:55 GMT Anonymous Coward
Re: A future Enron
"There has long been a suspicion about the USA helping themselves to trade secrets."
US companies like Autodesk are pushing Cloud only (no local data storage) applications. Which is very concerning, as their applications are used for product design in many leading edge fields (eg bio-medical, robotics, automation systems, etc).
Hopefully this new ruling makes that practice illegal.
-
-
Tuesday 6th October 2015 12:53 GMT DaveDaveDave
Let me count the ways...
He illustrates with a practical example of how US companies are now in breach of EU rights.
Imagine you’re a UK resident business, and you're using Google for email. What happens when I email you? You'll receive my message on US-owned infrastructure. Before you've gained my permission, you've exported my personal data - and maybe it’s even privileged information - to a third party entity.
That's because the recipient of the email - in this case you - export the data to a third party without the sender's permission.
That really is complete bollocks. How many different errors can we find? First up, of course emails are not private - that's laid down in the spec. What 'personal data' is there? What's more, it would be absurd to argue that the recipient is the one sending data to Google - that is, obviously, what the sender has done. Again, that's by definition.
I'll leave a few for someone else.
-
Tuesday 6th October 2015 14:55 GMT Dr. Mouse
Re: Let me count the ways...
First up, of course emails are not private - that's laid down in the spec.
This much is true. However, emails will likely have personal information in them: Email address, of course, but name, phone number, address, company name, job title etc.
It has been established that the email is to be read by the intended recipient only. If you forward that email on to someone else, especially if the person has put in the email that it is confidential (remember not many users realise that it's trivial to intercept), you could be breaking data protection laws.
What's more, it would be absurd to argue that the recipient is the one sending data to Google - that is, obviously, what the sender has done. Again, that's by definition.
On a completely technical level, yes. However, on a human level they sent that information to you. You then contracted Google (or whoever) to receive and store that data on your behalf. They probably won't even know it's Google: a business would be using their own domain etc. The email is addressed to you, not to Google, so the sender is sending it to you.
-
Tuesday 6th October 2015 15:50 GMT SImon Hobson
Re: Let me count the ways...
> They probably won't even know it's Google
More importantly, assuming Google "sort themselves out" like Microsoft have done (assuming they don't lose their case), then the sender will not know what provisions the recipient has made with Google. Have they contracted with Google in Ireland for services to be hosted in, and under the jurisdiction of, the EU, or with Google in the US without that protection, or some other permutation?
Thus the sender of the email cannot know if it will get exported without prior contact to find out. This comes back to whoever is exporting the data can only do so with the permission of the data subject - and that means prior contact to establish the terms of reference for receiving email.
It's going to get "quite interesting" for a while. I think the icon just about sums up the immediate effect of the ruling :-)
-
-
Tuesday 6th October 2015 14:55 GMT Anonymous Coward
Re: Let me count the ways...
That really is complete bollocks.
Ah, here is a fun exercise. Call up the ICO and ask them. No, really, do this, you're right to ask questions but you should also be prepared to accept that the answers may not be to your liking.
I have, and I'm afraid you won't like the answer.
-
-
Wednesday 7th October 2015 00:54 GMT DanielN
Re: Let me count the ways...
"No, the recipient is the one using GMail, and is causing the mail to be exported."
This reflects a near total ignorance of how email works. What happens is this:
1. You configure your email client to use a mail server that you have vetted and which is supervised to your satisfaction. You can choose any email server you want, that obeys any policies you want.
2. You click "send" and the message is sent from your email client to your chosen server.
3. Your server looks up an "MX" record (mail exchanger) record in the DNS (domain name system). The result is something like "gmail.com MX gmail-smtp-in.l.google.com.".
4. Your server looks up an "A" (IP address) record for "gmail-smtp.google.com". The result is something like "gmail-smtp-in.l.google.com A 64.233.168.26".
5. Your server then uses whatever policy it wants for that IP address. For example, private companies frequently detect IP addresses outside the company and make an archival record or apply a secrecy filter for addresses outside the company. In your case, you can check a geographic database to find what national jurisdiction the address is in. The result would be, in this case, "Mountain View, California, U.S.A.".
6. The server, which you control, freaks out at those evil, civil rights-hating Americans and returns the message to you as undeliverable.
7. The bounce message says something like "Avertissement de ne pas avoir suffisamment d'intimité!" because you most likely got your server software from some extremely sarcastic Americans.
-
Wednesday 7th October 2015 10:50 GMT Fred Flintstone
Re: Let me count the ways...
4. Your server looks up an "A" (IP address) record for "gmail-smtp.google.com". The result is something like "gmail-smtp-in.l.google.com A 64.233.168.26".
Almost: it also includes a preference value, because it's usually a list of servers, and the preference value helps prioritise which one to use. Having said that, I totally love your steps 6 and 7; that deserves an RFC of its own :).
There is also another problem that few people know about and which is (IMHO) rather misleadingly used to claim "privacy": your connection to your local mail server and the recipient's connection to their mail server may be encrypted (typically to prevent exposure of plaintext credential exchanges), but the transport between the two mail servers is not mandatorily encrypted and may thus be in plain text.
-
-
-
Tuesday 6th October 2015 15:25 GMT Raumkraut
Re: Let me count the ways...
First up, of course emails are not private - that's laid down in the spec.
I'd argue that private correspondence can still take place using postcards. Just because someone might overhear or see what you're saying, doesn't necessarily make a one-on-one conversation public.
What 'personal data' is there?
Even if the email is encrypted, there is still personally-identifiable metadata - sender email address, mail client headers, IPs, etc.
What's more, it would be absurd to argue that the recipient is the one sending data to Google - that is, obviously, what the sender has done. Again, that's by definition.
Sort of, but only indirectly. If I send a postcard to a PO Box in Bristol, and the person managing that PO box has instructions to forward everything to an address in Kentucky, did I send that postcard to the US? Or did the post office do that, at the behest of the PO Box owner?
Email is somewhat similar: When most people send an email to bob@smallshop.co.uk, they firstly hand it off to their ISP or email provider, whose email server checks the DNS of smallshop.co.uk for where to send the email (ie. smallshop.co.uk are instructing the email server where to forward the message). If that destination server is in the US, well then.
-
Wednesday 7th October 2015 08:35 GMT hugo tyson
Re: Let me count the ways...
I agree the email example is a very poor one: by sending an email to a person you give them the right to do whatever they like with it, stupid legalese boilerplate on the end notwithstanding. And email never has been private. Of course, the public's expectation might be different, but that doesn't make it so.
A better example, and easier to understand would be: you think you order a product from an EU business. Name, address, credit card, implicitly shopping habit. Turns out their servers are in the US. They just exported your personal data without your consent.
-
Wednesday 7th October 2015 13:24 GMT Anonymous Coward
Re: Let me count the ways...
I agree the email example is a very poor one: by sending an email to a person you give them the right to do whatever they like with it, stupid legalese boilerplate on the end notwithstanding
Correct: end legalese has no power (one-sided contract, so not valid)
Incorrect: the recipient does NOT have full rights. You own the copyright, which in theory gives you control over distribution, but in practice it is usually not worth the cost to enforce (also because it is unlikely to undo the damage).
-
-
Tuesday 6th October 2015 12:53 GMT fruitoftheloon
Let the games begin.....
Well, that was a pleasant surprise. I would love to find out how much EUrocrat time & our money was spent trying to keep Pandora's box closed...
I am looking forward to some jolly good sport 'watching' various media to spot the 'seeds of doubts', proclaiming how the entire interwebs are about to come crashing down.
Birds home to roost eh?
/chuckles
-
Tuesday 6th October 2015 12:54 GMT Ian Michael Gumby
Simple solution..
Be careful what you put online and don't use FB or other Social Media websites....
I don't have a FB account.
I do have a linkedIn acct, however, it only has public information that I want out there for business related tasks.
Of course, FB is still on shaky legal grounds in other areas of privacy too. Suppose I get tagged in a photo a friend took without my knowledge. Does FB have, as they claim, the right to use my image without my approval?
I don't have a FB account so how do they have my agreement to their ToS?
Yet FB doesn't make that distinction.
-
-
Wednesday 7th October 2015 16:14 GMT Afernie
Re: Simple solution..
"Does FB have, as they claim, the right to use my image without my approval?"
No of course not. Still if you joined Facebook and accepted the terms and conditions you'll find that you did give your approval for Facebook to do as they see fit with your media on a royalty-free basis when you signed up. Or did you think Facebook was free?
-
Wednesday 7th October 2015 16:14 GMT Saul Dobney
Re: Simple solution..
"it's not even your image, it's an image of you. You have almost no rights regarding a picture someone else has taken of you."
This isn't copyright, it's data protection. In the US, public data is fair game. This is not the case in Europe. Under European rules, a business does not have the right to have information about you unless you consent in some way (which could just be being notified). It doesn't even matter if the image was taken in public or it's publicly available.
Technically the photograph is data about you and so you do have a right of redress. This is why Google can be compelled to remove images or personal information from search listings in the EU. And in other European countries like France it doesn't just stop with data protection, there are further laws about privacy. France is currently looking at whether Facebook's automated face recognition meets data protection standards as it's not clear that it does because of the lack of consent.
-
-
Tuesday 6th October 2015 15:35 GMT Charlie Clark
Re: Simple solution..
Does FB have, as they claim, the right to use my image without my approval?
Depends on the law of the land: in some countries, such as Germany, there is a concept of "the right to one's own image". However, to know whether they're in breach or not you'll have to log on… Any initial defence will probably rest on an indemnification from your friend that no rights were being infringed.
-
-
Tuesday 6th October 2015 12:54 GMT Doctor Syntax
"US companies that export data are fundamentally illegal in Europe."
Actually it's any company that exports personal data to the US.
"That's because the recipient of the email - in this case you - export the data to a third party without the sender's permission."
Actually, this one doesn't fly. The sender of the email exported his own data.
"Brussels doesn't have the institutional machinery, or maybe even the brains, to fix this one."
Or the balls.
'the US doesn't recognise an "abroad"'
I'm not sure of that. The abroad where companies like Apple accumulate their income outside the US tax regime seems to be recognised OK. The Microsoft case seems to hinge on the fact that for whatever reason (and none that I can think of does the originator of the case any credit) someone decided to try to bypass the existing mechanism, which the treaty with abroad would have enabled, to try for a warrant in Ireland. And AFAIK the basis of their case is that records which Microsoft hold in trust for other people are somehow Microsoft's own records which they're entitled to demand because Microsoft is a US company. I don't see any problem with them going after records of a US company such as Enron wherever they're held.
And I assume that the Computer & Communications Industry Association largely represents US companies' interests. If the ruling means that work formerly done in the US has to be done in Europe, it's hard to see how it isn't going to help the European IT industry.
One of the interesting aspects of this is how it's going to extend. Will the court rule it impossible to process personal data in the UK? Or France? Or India?
-
Tuesday 6th October 2015 14:54 GMT DavCrav
""That's because the recipient of the email - in this case you - export the data to a third party without the sender's permission."
Actually, this one doesn't fly. The sender of the email exported his own data."
I'm pretty sure you can't be right on that one. If I e-mail a company in the EU, I have a reasonable expectation that that data stays inside the EU. If the receiving company sets up automatic redirecting that shunts that e-mail to the US, then the recipient has done that, not the sender. You cannot say that the sender broke the law when they have no knowledge that the recipient has set up automatic forwarding.
If the recipient wants to avoid breaking the law, they have to, for all new addresses e-mailing them, set up an automatic bounceback with words like "This address forwards data outside of the EU. If you consent to this, please resend your message." The alternative is not to automatically redirect their e-mail outside of the EU and, you know, obey the law.
And if anyone says that e-mail doesn't work like that, it kind of doesn't matter. The law says it must, and if you don't want to break the law, stop sending e-mails. You can then complain to the legislature, but you still cannot break the law in the meantime.
-
Tuesday 6th October 2015 16:14 GMT DaveDaveDave
"If I e-mail a company in the EU, I have a reasonable expectation that that data stays inside the EU. If the receiving company sets up automatic redirecting that shunts that e-mail to the US, then the recipient has done that, not the sender."
That's true, but that's not the same as having a mailserver in the US to which the sender sends his email.
You've highlighted the gaping loophole that will actually be used so business continues as normal: don't be an EU company, don't have your servers in the EU. An EU citizen has every right to transmit his or her own data out of the EU.
-
Wednesday 7th October 2015 13:24 GMT Doctor Syntax
"If I e-mail a company in the EU, I have a reasonable expectation that that data stays inside the EU."
I should have quoted more of the original article:
" Imagine you’re a UK resident business, and you're using Google for email. What happens when I email you? You'll receive my message on US-owned infrastructure. Before you've gained my permission, you've exported my personal data - and maybe it’s even privileged information - to a third party entity.
That's because the recipient of the email - in this case you - export the data to a third party without the sender's permission."
In this case it's explicit that the email service is run by Google so there's no reasonable expectation that it would remain in the EU. Sorry for the misunderstanding.
-
-
Tuesday 6th October 2015 14:55 GMT Anonymous Coward
"The sender of the email exported his own data."
OK, same scenario, but now the recipient uses their own domain name (eg "[bland name].co.uk") which redirects guy@[bland name] to guy.bland@gmail.com
Sender has no expectation that email system is abroad.
Add to the mix that [bland name] is selling personalised birthday spoons - "your name and DoB, on a spoon!" and the email sender is ordering - a spoon.
Recipient knocks up invoice in google docs - somewhen somehow someone's personal data got exported
-
Wednesday 7th October 2015 07:48 GMT P. Lee
Re: sending emails abroad
Technically the sender should be responsible, because the MX lookup is done before sending the data. However, geolocation is tricky and non-trivial for the casual user.
Perhaps we need dns-based geolocation attached to every ip address (like ptr). Then you can build your apps with compliance requirements to check destination jurisdictions. No geolocation record, assume it's abroad.
-
Thursday 8th October 2015 09:31 GMT P. Lee
Re: sending emails abroad
Technically the sender should be responsible, because the MX lookup is done before sending the data. However, geolocation is tricky and non-trivial for the casual user.
Perhaps we need dns-based jurisdiction records attached to every ip address (like ptr). Then you can build your apps with compliance requirements to check destination jurisdictions. Maybe we could add jurisdiction qualifiers to dns queries.
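The delivery procedure DanielN walks through above (MX lookup, A lookup, a policy decision on the resulting address), Fred Flintstone's correction that an MX answer is a preference-ordered list rather than a single host, and P. Lee's "no jurisdiction record, assume it's abroad" rule, put together as an added example that is not code from the original thread or from any of the commenters. It is a sender-side check an MTA could run before handing a message off. The DNS answers and the prefix-to-jurisdiction table are constructed for the example (only the 64.233.168.26 address quoted in the thread is taken from the page; the other addresses are RFC 5737 documentation ranges and the country assignments are hypothetical), so it runs offline. Two points the prose does not spell out: a domain with no MX record still receives mail on its own A record (the RFC 5321 implicit MX), and every exchanger in the list has to pass the check, because the sending server will fail over to the next one if the preferred host is down.

```python
"""Sender-side jurisdiction check for outbound SMTP delivery (illustrative)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed DNS answers standing in for real lookups. Hypothetical data.
# MX: domain -> [(preference, exchanger host)], deliberately left unsorted.
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "gmail.com": [
        (20, "alt2.gmail-smtp-in.l.google.com"),
        (5, "gmail-smtp-in.l.google.com"),
        (10, "alt1.gmail-smtp-in.l.google.com"),
    ],
    "smallshop.co.uk": [(10, "mx1.smallshop.co.uk"), (20, "mx2.smallshop.co.uk")],
    "euonly.example": [(10, "mx.euonly.example")],
    "nomx.example": [],  # no MX at all: RFC 5321 says deliver to the domain's own A record
}
# A: host -> address. Only 64.233.168.26 comes from the thread; the rest are
# RFC 5737 documentation addresses assigned here for the example.
A_RECORDS: Dict[str, str] = {
    "gmail-smtp-in.l.google.com": "64.233.168.26",
    "alt1.gmail-smtp-in.l.google.com": "64.233.168.27",
    "alt2.gmail-smtp-in.l.google.com": "64.233.168.28",
    "mx1.smallshop.co.uk": "203.0.113.5",     # primary, "in the UK" for this example
    "mx2.smallshop.co.uk": "198.51.100.27",   # backup, "in the US" for this example
    "mx.euonly.example": "203.0.113.10",
    "nomx.example": "192.0.2.9",
}
# Constructed prefix -> jurisdiction table, not a real geolocation database.
JURISDICTIONS: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("64.233.160.0/19"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "GB"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    # 192.0.2.0/24 is intentionally absent: unknown jurisdiction.
]


@dataclass
class Decision:
    recipient: str
    action: str   # "deliver" or "bounce"
    reason: str
    # (exchanger host, address, jurisdiction or "??") for every host examined
    hops: List[Tuple[str, str, str]] = field(default_factory=list)


def exchangers(domain: str) -> List[str]:
    """Step 3: MX lookup. Returns hosts lowest preference first; with no MX,
    the domain itself is the implicit exchanger."""
    records = sorted(MX_RECORDS.get(domain, []))
    return [host for _, host in records] if records else [domain]


def resolve_a(host: str) -> str:
    """Step 4: A lookup against the constructed table."""
    try:
        return A_RECORDS[host]
    except KeyError:
        raise LookupError(f"no A record for {host}") from None


def jurisdiction(ip: str) -> Optional[str]:
    """Step 5: longest-prefix match; None when the address is not in the table."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, code in JURISDICTIONS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, code)
    return best[1] if best else None


def check_delivery(recipient: str, allowed=frozenset({"GB", "IE"})) -> Decision:
    """Steps 5 and 6: bounce unless every exchanger the message could reach
    sits in an allowed jurisdiction. Unknown jurisdiction counts as abroad."""
    if "@" not in recipient:
        raise ValueError(f"not an address: {recipient!r}")
    domain = recipient.rsplit("@", 1)[1].lower()
    decision = Decision(recipient, "deliver", "all exchangers inside allowed jurisdictions")
    for host in exchangers(domain):
        ip = resolve_a(host)
        code = jurisdiction(ip)
        decision.hops.append((host, ip, code or "??"))
        if code is None:
            decision.action = "bounce"
            decision.reason = f"{host} ({ip}) has no jurisdiction record; assumed abroad"
            break
        if code not in allowed:
            decision.action = "bounce"
            decision.reason = f"{host} ({ip}) is in {code}, outside {sorted(allowed)}"
            break
    return decision


if __name__ == "__main__":
    for rcpt in ("bob@gmail.com", "bob@smallshop.co.uk", "bob@euonly.example", "bob@nomx.example"):
        d = check_delivery(rcpt)
        print(f"{rcpt}: {d.action} ({d.reason})")
```

The smallshop.co.uk case is the one worth noticing: its preferred exchanger passes, but the backup does not, and a check that only looked at the first MX would wave the message through and let an outage export it. Real deployment would replace the three tables with live DNS and a maintained geolocation source, and the jurisdiction of an address is at best a hint about where the data ends up, as the comments about Seattle-to-Dublin remote sessions make clear.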
-
-
Tuesday 6th October 2015 14:56 GMT Stoneshop
Abroad
One of the interesting aspects of this is how it's going to extend. Will the court rule it impossible to process personal data in the UK? Or France? Or India?
I know of at least one Australian business that had to roll back its offshoring plans because certain categories of data can not be held abroad, and not even handled by someone abroad. But in the EU ruling it clearly hinges on the relevant data protection laws in the US and relevant treaties between the US and the EU. So if India has the same level of data protection as the US then I suspect it will fall afoul of the EU rules too; if they're more EU-like, then proportionally less of a problem.
-
-
Tuesday 6th October 2015 12:54 GMT Big_Ted
I can see only one solution to this
No data sent to the USA and US companies needing to open European only businesses that comply with EU laws.
You don't do that then you get no business from the EU, that will hit them where it really hurts, in the balance sheet and you can bet all those shareholders will be screaming very quickly, then the US government will find itself under massive pressure as the US recovery turns into a possible US depression....
And let's be honest, the quote from Big Tech, that "We expect that a suspension of Safe Harbor will negatively impact Europe's economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most", is a load of bullshit. It will hit the biggest US tech companies in a massive way; this could easily lead to EU citizen data only being allowed in centres on EU soil and run by EU businesses with no USA input other than ownership, and any profits being allowed to head home, after tax that is.
It is simply the fault of US companies boardrooms for not doing their jobs and getting contingencies into place ready for this. If I were the CEO etc I would be asking several underlings what they have done to be ready and if nothing showing them the door.
-
Tuesday 6th October 2015 14:54 GMT DaveDaveDave
Re: I can see only one solution to this
"You don't do that then you get no business from the EU"
Which is enforceable how? You can't stop, e.g. Google selling over the internet to EU-based customers. You can only make it illegal for those customers to buy the service. That's going to go down well with the average punter, right?
-
Wednesday 7th October 2015 11:29 GMT SImon Hobson
Re: I can see only one solution to this
> Which is enforceable how? You can't stop, e.g. Google selling over the internet to EU-based customers.
Oh really ?
EU to Google - obey our laws or else.
Google - or what ?
EU - issues arrest warrants for Google execs in EU and they are charged with data protection offences (for which they don't really have any defence now).
EU - if that doesn't work, orders ISPs to block Google "properties"
So firstly, when the EU management resign en masse it hits Google: they do have considerable business presence in the EU which would grind to a halt without staff. Let's face it, would you work for a foreign manager telling you to break the law when the authorities are just watching for the next person to arrest? So it's not just a case of changing it so middle managers in Ireland report to a senior manager in the US.
Blocking Google altogether would hurt the EU, but not half as much as it would hurt Google. Bear in mind that Microsoft fought the "abuse of dominance" stuff so hard not because of the direct financial benefit, but because they were desperate to keep their "everything Microsoft or it doesn't work" lock-in. If Google lost its EU business, that would be a massive, massive dent in its dominance. Do you think their competitors wouldn't be ready with "helpful instructions" on how to switch to using a non-Google service?
-
-
Tuesday 6th October 2015 18:43 GMT ckm5
Only good news for US companies balance sheets....
... since it will justify yet more revenue hiding from US tax authorities.
"Sorry, we can't repatriate the $XX billions we made in the EU since we need it to pay for the local infrastructure we are mandated by law to maintain", all while taking advantage of single digit tax rates offered by Luxembourg & Ireland.....
-
Wednesday 7th October 2015 13:24 GMT Doctor Syntax
Re: I can see only one solution to this
"If I were the CEO etc I would be asking several underlings what they have done to be ready and if nothing showing them the door."
The underlings might remind you of their several requests to do this which you quashed. Not that that would help them of course.
-
-
Tuesday 6th October 2015 12:54 GMT DaveDaveDave
Perhaps anything, but probably not
"But this supposes Europeans are content with US standards of privacy and data protection. Perhaps they're not."
Anyone who thinks the average punter in the EU either knows or cares about this issue is insane. Anyone who thinks the average punter in the EU would not notice or care about Google being switched off is not just insane, but bouncing off the walls.
It's worth pointing out that it's not like the EU can actually do anything to the likes of Google, since they're not EU-based corporations. Sure, ban them - but since making it illegal for them to sell will have zero effect, you'll have to make it illegal to use their services, and anyone can imagine how well that will go down.
I stand by my prediction that France will become the first nation to have its government toppled by a mob of citizens enraged by Google/Facebook/whatever switching off services as a result of idiotic government actions.
-
Tuesday 6th October 2015 14:55 GMT DavCrav
Re: Perhaps anything, but probably not
"It's worth pointing out that it's not like the EU can actually do anything to the likes of Google, since they're not EU-based corporations. Sure, ban them - but since making it illegal for them to sell will have zero effect, you'll have to make it illegal to use their services, and anyone can imagine how well that will go down."
The EU can completely fuck over Google, not by banning them, but by saying that they cannot trade in the EU. The website can still function here, fine, but, and here's the kicker for them, they would not be able to make any money here. Why do you think Google is submitting arguments to the EU competition commissioner?
-
Tuesday 6th October 2015 16:18 GMT DaveDaveDave
Re: Perhaps anything, but probably not
"The EU can completely fuck over Google, not by banning them, but by saying that they cannot trade in the EU. The website can still function here, fine, but, and here's the kicker for them, they would not be able to make any money here."
And how do they enforce that? Google isn't European, and they can't make laws which affect it unless it consents. To stop Google selling here, you have to make buying from them illegal - which is what I said.
As for the ultimate power balance here, how long do you think any government will last after Google says 'sod it, it's not worth the effort, we're blocking access from Madland'? I wasn't joking about the enraged mob. If government stupidity results in Google withdrawing service from a country, it's going to make Tahrir Square look like a family picnic.
-
-
Tuesday 6th October 2015 14:55 GMT Dr. Mouse
Re: Perhaps anything, but probably not
Anyone who thinks the average punter in the EU either knows or cares about this issue is insane.
You are right. But it is not the average punter who will hurt big American corporations in general.
Take our company. We use a US-based hosted ERP/CRM system, and a US-based email service. We are now, overnight, technically breaching the DPA. Unless something happens quickly, we may have to change the services we use. We are a small/mid-sized business, and these two will lose our custom, several hundred grand a year. Multiply that up through the number of similar businesses in the UK alone and it will start to hit the bottom line. Add in the rest of Europe, and larger businesses, government departments, etc. and it will hurt.
-
Wednesday 7th October 2015 01:14 GMT aeromorph
Re: Perhaps anything, but probably not
It'll also hurt you because you have to switch service providers. Moving mail systems, ERP, CRMs, etc. is no small amount of work, from migrating data to training staff. Then there is the price difference between American offerings and local counterparts. This won't just hurt American corporations, it will hurt everyone.
-
Wednesday 7th October 2015 13:24 GMT Anonymous Coward
Re: Perhaps anything, but probably not
Take our company. We use a US-based hosted ERP/CRM system, and a US based Email service. We are now, overnight, technically breaching DPA.
I would say to move your hosting to somewhere in the EU but that's not the complete answer. There are a couple of other things you need to do, mainly of a legal nature, otherwise you will suffer what we can presently call the "Microsoft" problem in that you may be served with a warrant for customer data (to obtain data without the customer knowing) and have no credible defence, an exposure that all US companies suffer from. There is a way around that, but it's up to you to decide if the pain of doing that will be offset by your ability to offer both your US and EU customers EU level privacy protection (which, by the way, means that your business customers can offer it to their customers too!).
It is not all bad news. This could actually end up being an opportunity for some businesses rather than a pain, because in a way you're asked to step up, and it is in my experience easier for a small business to do that than it is for the likes of Google and Facebook.
I just find it regrettable that the EU had to step in to remind US politicians that people have rights too. I'm fully OK with law enforcement having the tools they need (I am occasionally involved in creating anonymised informant channels myself), but with power comes great responsibility. If you're found unable to handle that sort of responsibility you shouldn't complain if the consequences eventually hit home.
-
Wednesday 7th October 2015 13:24 GMT Doctor Syntax
Re: Perhaps anything, but probably not
"Unless something happens quickly, we may have to change the services we use."
As things stand the Schrems case now goes back to the Irish court with the ECJ ruling to guide it. Courts are involved, so your concept of quickly may need some adjustment. But that gives you time to explore alternatives.
-
-
-
Tuesday 6th October 2015 12:56 GMT DaveDaveDave
Now this is just hilarious
"The reason they haven't managed is Snowden. Before Snowden, the EU had no choice but to risk being blackmailed in trade talks. Now Europe has leverage, as well as local political pressure, and can hold up Snowden’s evidence of US non-compliance."
Bwahaha. So a man who is famous for stealing and selling confidential information, while making obviously fake claims to be whistle-blowing about something that was already public knowledge, is somehow a hero of openness?
-
-
Tuesday 6th October 2015 16:13 GMT DaveDaveDave
Re: @Dave x 3: Now this is just hilarious
" I didn't realise that everything that Mr Snowden 'shared' with us plebs was already public knowledge, clearly I missed that bit...."
Public knowledge and widely known by the public aren't quite the same thing. There was nothing that wasn't public knowledge before. It's something of a litmus test, really: anyone who didn't know the stuff already hadn't known even the most basic things about electronic surveillance; those who'd actually spent years on the subject just shrugged and said 'nothing new here'.
https://en.wikipedia.org/wiki/ECHELON
Snowden 'leaked' operation details that put operatives at risk and allowed black hats to hide better, but he didn't tell us anything new about what goes on.
I mean, really, one of his 'revelations' was that spies spy on other countries for their own government. Wow. Who knew that? Dictionaries are classified information, right?
-
-
-
Tuesday 6th October 2015 16:18 GMT DaveDaveDave
Re: Now this is just hilarious
""Selling" information? "Obviously fake"? "Already public knowledge"?"
Yes, obviously selling it. It beggars belief to suggest that Snowden, with his knowledge of electronic surveillance, didn't know that taking the data into China and Russia is functionally equivalent to handing them a copy. And yet that's where he went, even though - 'obviously fake' - if they were true he could legally claim political asylum in almost any country on the planet.
And I think I've dealt with the public knowledge issue. The only people who didn't know the things Snowden 'released' were those with no prior interest in the subject whatsoever - and even they in fact knew most of what he released, because who the hell doesn't know that spies spy and intelligence agencies gather data?
-
Wednesday 7th October 2015 13:24 GMT TheVogon
Re: Now this is just hilarious
"It beggars belief to suggest that Snowden, with his knowledge of electronic surveillance, didn't know that taking the data into China and Russia is functionally equivalent to handing them a copy"
Watch Citizenfour. Snowden was extremely careful of precisely that sort of situation - and left it up to the journalists to assess what could be released.
-
Wednesday 7th October 2015 00:51 GMT ckm5
Re: Now this is just hilarious
Don't fool yourself - almost all EU governments know exactly what the US is up to. They have been quietly cooperating with this for decades (see 5 Eyes, Echelon, etc).
Data sharing is deep, eager & very common, GCHQ, BND, BVD and others have vastly larger operations spying on their citizens than any US agency has spying on US citizens. The famously liberal Netherlands wiretaps a huge number of citizens and Italy has one of the highest wiretap rates in the world.
As far as 'public knowledge', I would say that anyone in tech for more than a little while has suspected that the intelligence services were far more active than the general public ever understood. Snowden just confirmed our suspicions with actual documentation in a dramatic way.
-
-
Tuesday 6th October 2015 14:55 GMT James Hughes 1
Re: Now this is just hilarious
Hmm. I suggest DaveDaveDave gets out more, or at least listens to the Panorama interview with Snowden from last night.
Did Snowden actually sell any information? Was all the knowledge already open? Why are the USA so keen to put him in jail if everything he announced was already public?
-
Tuesday 6th October 2015 16:18 GMT DaveDaveDave
Re: Now this is just hilarious
"Why are the USA so keen to put him in jail if everything he announced was already public?"
Because he sold other stuff to the Russians and Chinese, and because the stuff he released as his cover story was sensitive operational details about publicly acknowledged activities. Really, is it in any way surprising that a man who very obviously committed treason for money is wanted by the country he sold out?
-
Wednesday 7th October 2015 01:14 GMT Anonymous Coward
Re: Now this is just hilarious
I suppose you have proof he sold stuff to the Russians and Chinese?
The US does so much bad shit by the intelligence agencies under the cover of secrecy that it badly needs some light and air shed on it. If he's revealed sensitive stuff, he hasn't revealed nearly enough. If he went all out and dumped everything he grabbed our current and previous administrations would have a lot of their members on trial for treason instead of Snowden, which is how it should be.
-
-
-
Tuesday 6th October 2015 15:25 GMT Michael Habel
Will this have repercussions
With MicroSoft's take on the 10-a-facation of Windows 7? On that note, will this upset SadNads' applecart? In that he can't just take our Data willy-nilly at this moment in time? Or would they find a way to word-wrangle such data theft into their EULA? e.g., Don't like it? Then don't use it?
-
-
Tuesday 6th October 2015 15:49 GMT Charlie Clark
Re: Missing the point
Well, Facebook will be the first test case. The ECJ has referred the matter back to the IPC in Ireland to check that it is satisfied with the handling of data.
The Microsoft test case is probably more important at the moment: can the US DoJ enforce extra-territoriality? If the US thinks it can then this would put a complete stop to transatlantic data processing for American companies because this would definitely contravene the ECJ's decision. Might see a boom in weird subsidiary and shell company set ups to try and work around this.
The US spooks should be careful what they wish for. They already have unparalleled access to personal data all over the place and they can normally get the rest with a formal court order. But if they continue to force the issue then they will be driving the data underground.
-
Tuesday 6th October 2015 15:50 GMT Vernon
Re: Missing the point
Isn't the issue that the NSA/FBI/US government simply demands data access and large corporations have no choice but to comply, thus rendering data privacy null and void if data is stored in the US, or (if Microsoft lose their court case) with a US corporation elsewhere in the world?
-
Tuesday 6th October 2015 16:14 GMT SImon Hobson
Re: Missing the point
> Isn't the issue that the NSA/FBI/US government simply demands data access and large corporations have no choice but to comply
Yes, that is the fundamental problem.
The US can fix that, they could pass laws explicitly allowing for data to be held in something like the "Safe Harbour" provisions - but backed by the force of law that states that it carries the same protection as it would if still held in the EU. I can't see it happening, since that would mean the various agencies would have to (by law) stay out of it.
Even if such laws were passed, could we really trust the US to abide by them? After all, they (the various spook agencies) have shown remarkable willingness to completely ignore any law that's inconvenient. And the US government have shown remarkable willingness to pass laws making previous law breaking retrospectively legal (cf the AT&T case).
So even if they pass the laws, and we somehow decide to trust that they'll abide by it - there's nothing to say the agencies won't ignore that, and a future government simply pass a new law making it legal.
IMO Snowden is a hero. He saw something that's "wrong" and outed it - at great personal risk and expense. Everyone "knew" it was happening - but knowing and proving are different things altogether.
-
Wednesday 7th October 2015 00:57 GMT Anonymous Coward
Re: Missing the point
The US can fix that, they could pass laws explicitly allowing for data to be held in something like the "Safe Harbour" provisions - but backed by the force of law that states that it carries the same protection as it would if still held in the EU. I can't see it happening, since that would mean the various agencies would have to (by law) stay out of it.
The crucial problem in all of this is that such adjustment of law may be possible, but that will take time, a LOT of time. US vendors are not really keen to wait on this, but I must admit I do not feel very sorry for them because the issue is FAR from new - they have known this for close to a decade, yet chose not to do anything about it (possibly because they were benefitting from it).
Well, in the absence of a working plan B (as lobbying the EU to lower its own standards didn't work) I think they deserve to reap those rewards too. Unfortunately for them, they're negative.
Just to mix things up, I wonder where this leaves Uber - where do they process their data? Uh oh..
-
-
-
-
Tuesday 6th October 2015 15:25 GMT Anonymous Coward
Bwahaha. So a man who is famous for stealing and selling confidential information, while making obviously fake claims to be whistle-blowing about something that was already public knowledge, is somehow a hero of openness?
My opinion of hero-dom is somewhat more refined, it's not black and white.
On the minus side, here is someone who went to work for an organisation knowing that secrecy was required, and he broke the trust invested in him. As you can see, the consequences of what he made public go well beyond exposing US espionage.
On the plus side, he did reveal something that was flat out wrong. You can argue that he may not have had to reveal so much to make his point, but the fact is that the NSA and officials associated that have been more than just a bit creative with the truth, and that is a massive deal. Handing that sort of power and then seeing it abused is wrong (not that anyone will be held accountable, but it's good to know). To go public with that whilst knowing it may not end well and knowing that you're up against people who have no problem doing something illegal to shut you up, well, that takes courage especially if you are the actor itself.
To people who have to work with very secret information, I suspect Snowden will not easily get a hero tag. For people who have been trying to protect your privacy, even in the face of blatant user stupidity such as posting a whole life on FaceBook, yes, you could call it heroic.
-
Tuesday 6th October 2015 17:07 GMT DaveDaveDave
"he did reveal something that was flat out wrong. "
See, the problem is that that's just not true. He didn't reveal anything that wasn't already well-known to anyone with an interest and an ounce of common sense.
There's no real doubt that Snowden got the job solely to acquire data to sell to Russia and China. The bullshit 'whistleblowing' is a very thin cover story full of holes. He wasn't worried about things ending badly (once he got away with the stolen goods) because he already had a buyer (and powerful protector) lined up. The only courage he displayed was the courage to commit treason for money.
-
Tuesday 6th October 2015 18:07 GMT Anonymous Coward
See, the problem is that that's just not true. He didn't reveal anything that wasn't already well-known to anyone with an interest and an ounce of common sense.
You don't seem to know the difference between assumption and evidence. Here's a hint: you cannot act on an assumption, which is why the nudge-nudge-wink-wink ways of data sharing between governments and law enforcement are so hard to fight, but with evidence you can demand answers and make mincemeat of the predictable denials.
There's no real doubt that Snowden got the job solely to acquire data to sell to Russia and China.
More evidence (by your own admission, this time), that you don't know the difference between assumption and proof. QED, I'd say.
-
Wednesday 7th October 2015 01:15 GMT Crazy Operations Guy
Selling public information
" He didn't reveal anything that wasn't already well-known to anyone with an interest and an ounce of common sense.
There's no real doubt that Snowden got the job solely to acquire data to sell to Russia and China"
You do realize that you just contradicted yourself in a single breath? What kind of nation would buy information that 'anyone with an interest and an ounce of common sense' would be able to figure out?
So is the data worthless or valuable? And if he intended to sell the data, why would he hand it over to a journalist? The data he copied was on an offline SharePoint server that didn't have proper monitoring running on it; it would have been trivial to just copy the data to a server that the Russians also had access to, he would have gotten paid, and the NSA still wouldn't have a clue that anything happened.
-
-
-
Tuesday 6th October 2015 15:25 GMT Velv
To pose a question...
If you are a citizen of country "A" and you "electronically sign" a contract hosted on a web server in country "B" while physically located in country "C" using an SSL connection secured by a certificate authority in country "D", whose laws are applicable?
Based on current laws around the world it could easily be all of them, and the permutations are immense.
Fetch the popcorn...
-
Tuesday 6th October 2015 17:07 GMT J.G.Harston
"What happens when I email you? You'll receive my message on US-owned infrastructure."
No, I receive it on me-owned infrastructure, my computer. I ****FETCH**** it from US-owned infrastructure, the Google GMail server, but the sender has deliberately put it there by choosing to send the email to that US-owned infrastructure by sending that email to a Google GMail account. If you don't want your letters to go through the Soviet Postal System, don't send any letters to recipients within the Soviet Postal System.
-
Wednesday 7th October 2015 00:52 GMT Vic
If you don't want your letters to go through the Soviet Postal System, don't send any letters to recipients within the Soviet Postal System.
That presupposes that you know your letters are going through the Soviet Postal System.
Suppose, for example, you were simply emailing a UK organisation from inside the UK. Let's imagine an imaginary digital tabloid. Let's call it theregister.co.uk.
Safe to assume that email is staying in the EU? No, it isn't. Because if you actually check the MX records, you'll see that the many MX records for our fictitious organisation all point to the US...
Vic.
-
-
Wednesday 7th October 2015 00:54 GMT Henry Wertz 1
I'd see gains for EU
"We expect that a suspension of Safe Harbor will negatively impact Europe’s economy, hurt small and medium-sized enterprises, and the consumers who use their services, the most"
And I think it could positively impact Europe's economy, help small and medium-sized enterprises; and "consumer" is a macroeconomic term, businesses have customers.
I would expect multinational companies to place more data centers within the EU (helping Europe's economy.)
I would expect small and medium-sized (as well as large) IT businesses to see an increase in business as (if they provide hosting or "cloud service") people move their online services into the EU; and if they don't provide hosting or cloud, some short-term business as others consult with them about what they should do.
I could see a further gain in these businesses as others OUTSIDE the EU move their data to exclusively EU-based data centers (as opposed to one that has data centers in both US and EU, since the US may then pressure them to keep non-EU traffic in the US so it's slurpable.) Either for privacy, or just to flip the bird to 3 letter agencies.
I'd expect a minimal one-time impact as non-IT-related businesses may hire an IT provider to see if they must move any services. But in most cases I'd guess they won't have to do anything (if they are using a provider with multiple data centers.. i.e. GMail or AWS or whatever... they should at most be able to tell them "I'm in Europe, move my data if it's not already here.")
-
Wednesday 7th October 2015 00:54 GMT robbie rob
ms datacentres
Not sure if you know but MS have 2 EU DCs. One in Ireland, one in Belgium.
MS have recently gained approval for cloud storage for sensitive data. They have concluded a deal with the MoD. Think about that for a moment.
The NHS also can now store patient data in the cloud.
This will leverage Azure and related tech. Any MS account exec will be only too happy to confirm as it opens a rich vein of sales opportunities. Not directly, as they will spin the implementation off to a gold partner, but in hosting and licensing related annuity income streams.
Again. Think deeply about the strategic implications...
-
Wednesday 7th October 2015 11:29 GMT Vic
Re: ms datacentres
MS have recently gained approval for cloud storage for sensitive data. They have concluded a deal with the MoD. Think about that for a moment.
And if they lose their case against the DoJ, they can *still* be forced to hand over all that data to pretty much any US official that wants a gander. Think about that for a moment.
Vic.
-
Wednesday 7th October 2015 13:24 GMT TheVogon
Re: ms datacentres
"And if they lose their case against the DoJ, they can *still* be forced to hand over all that data to pretty much any US official that wants a gander. Think about that for a moment."
No they can't. Office 365 DRM encryption and key management is specifically designed to enable you to prevent such data being taken directly from the US, and anyone doing it in Ireland would be breaking European law and could be locked up if appropriate. I think you will find that local Microsoft employees care somewhat more about a potential stay in a prison cell than an annoyed email from Redmond...
-
-
-
-
-
Wednesday 7th October 2015 13:24 GMT Anonymous Coward
Well, they've been aiding and abetting a foreign state-sponsored cyber criminal gang, so that makes them treasonous in the UK. Except for them doubtless having a get out of jail card from some numpty politician or other.
I would caution against too generic thinking. GCHQ staff were tasked, and I'm sorry, I cannot fault someone for doing what they do for a job, even if they're not entirely happy with it. People have families and mortgages, and unemployment is not going to cover that. This is also my problem with the current EU decision which was IMHO entirely avoidable if US companies and their legal system were a bit more careful with people's rights. I do *not* enjoy the fact that this may put people out of a job, but all the US shouting seeks to distract from the reality that those responsible for this problem sit in Washington, NOT in Brussels.
What you need to look at is who does that tasking, because they (a) have the responsibility, (b) have the power and (c) have the higher level view to know which activity sits where and how it hangs together. Attacking some sap because he or she works at a place getting up to dodgy stuff is unfair because they may not know, or have a life that doesn't lend itself to the consequences of unauthorised disclosure, nor would they be in a position to change anything.
Accountability starts at the top, and the problem we have right now is that we have lost the trust in those who are supposed to keep these people in check and within the law. Retrospectively changing the law to make something legal that was illegal at the time of action is not exactly helping either...
-
-
Friday 9th October 2015 17:06 GMT Anonymous Coward
Re: Orders?
City in Germany.... Nurem something? Some lawyery type stuff in 1945 and 46?...... That defence didn't work then, and it doesn't work now.
Well, let us, for argument's sake, assume there is a less than trivial difference between doing something that may be legal under a National Security banner and may possibly indeed play a supporting role in the protection of the nation, and an operation that was rather clearly one of the most brutal cases of genocidal mass murder seen in recent history and that would have been obvious even to a blind man, if for no other reason than the gas bill and the smell.
Honestly? We're not talking about an "ich habe es nicht gewusst" scenario here, and I find the comparison frankly appalling. You really ought to rethink your black-and-white thinking here, because it's that exact binary attitude that leads to wars rather than solutions.
-
Monday 12th October 2015 02:28 GMT Matt Bryant
Re: Orders?
"....Nurem something? Some lawyery type stuff in 1945 and 46?...... That defence didn't work then, and it doesn't work now." Really? Of course, the big difference was there was real and actual evidence of harm from the Nazis' activities during and before WW2, whereas you lot of whiners have shown no evidence of harm at all relating to anything the NSA or the GCHQ have done, you just want to baaaaahlieve you must be being surveilled 24x7. Gosh, what a shock to your egos it would be to actually find out the spooks have zero interest in you.
-
-
-
-
-
Wednesday 7th October 2015 01:14 GMT Anonymous Coward
Protection against "an Enron"
This is easy. If the company itself is accused of criminal or financial wrongdoing, it must make its relevant records available to the US regardless of where they are stored. If they fail to do so, they will lose their corporate charter, be fined some huge amount or leave their management subject to criminal penalties - basically, something bad enough they will want to avoid it.
That's distinct from "the company itself is not accused of wrongdoing, but someone connected to the company (as a customer, etc.) is, so we want your overseas data." Too bad, can't force them to give it up.
It would need a lot of legal tightening and working through scenarios to make it workable, but that's the basic framework.
-
Wednesday 7th October 2015 01:14 GMT Anonymous Coward
No, I receive it on me-owned infrastructure, my computer. I ****FETCH**** it from US-owned infrastructure, the Google GMail server, but the sender has deliberately put it there by chosing to send the email to that US-owned infrastructure by sending that email to a Google GMail account.
I think you're missing the point a bit. The debate is about the fact that an email will be received (and held for pickup via IMAP or POP3 or read in situ with webmail) on infrastructure that is in the US, and which has as part of its conditions to use it, either free or paid, that you allow all email to be scanned for more than just virus and spam detection. This happens before it ever gets to you. What's more ..
If you don't want your letters to go through the Soviet Postal System, don't send any letters to recipients within the Soviet Postal System.
.. most senders don't even know it is happening, because companies typically use email addresses under their own domain name and few are capable (or are inclined) to do a quick MX lookup to see where exactly it all goes.*
* that alone is no guarantee either: MessageLabs Europe has a cute setup for EU customers where all servers appear to be EU based until you start digging and find that not all is well which would be of interest to a couple of their bigger clients, and at least one government that I could name...
-
Wednesday 7th October 2015 09:05 GMT Big_Boomer
Worms
OOooohhh, this is a great big can of wiggly squirmy worms that has once again popped open :-) . Somehow or other a great many governments are going to have to thrash out an agreement on how to "harmonise" their Data Protection such that access to data is done in a controllable way. Only the daft believe that their data is in any way "Private" but there are degrees of privacy that can be agreed. This is just a step in this "harmonisation". There will be a great many more but for a change the US are starting to realise that they can't always have their own way. Now if we can just get them to drop their STUPID date structure......
-
Wednesday 7th October 2015 09:05 GMT Anonymous Coward
And now for the REAL biggie..
Now we know that we ought to avoid hosting in the US ..
ryuu:~$ dig +short theregister.co.uk mx
10 aspmx4.googlemail.com.
10 aspmx3.googlemail.com.
10 aspmx2.googlemail.com.
5 alt2.aspmx.l.google.com.
5 alt1.aspmx.l.google.com.
1 aspmx.l.google.com.
10 aspmx5.googlemail.com.
Oops :)
-
Wednesday 7th October 2015 13:24 GMT Anonymous Coward
Re: And now for the REAL biggie..
For those not up on how email works, what you see is the command line tool "dig" looking up where email has to go for a certain domain by looking up the so-called "MX" record (Mail eXchange record).
What it shows is that the domain "theregister.co.uk" (El Reg) uses Google as email provider :).
That is not *that* exceptional, "virginmedia.com" for instance does exactly the same, but you can be sure that there will be plenty of discussions with lawyers right now trying to find a way out.
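As an added example (not from the thread, and not Google's or The Register's code), a small Python parser that turns `dig +short ... mx` output like the one quoted above into a preference-ordered list and reports which provider actually receives the domain's inbound mail; the provider suffix table is a constructed assumption for illustration, not a complete list.

```python
"""Parse `dig +short <domain> mx` output and work out which mail provider
receives inbound mail for a domain.

Added example, not part of the original thread. The sample dig output is
the one quoted in the thread; the provider suffix table is an assumption
(constructed for illustration), not a complete list.
"""
from collections import namedtuple

MxRecord = namedtuple("MxRecord", "preference host")

# Constructed mapping of mail-exchanger host suffixes to the provider
# operating them. Only Google is needed for the thread's example; the
# other entry is an illustrative assumption.
PROVIDER_SUFFIXES = {
    ".google.com": "Google",
    ".googlemail.com": "Google",
    ".outlook.com": "Microsoft",
}

# The `dig +short theregister.co.uk mx` output quoted in the thread.
SAMPLE_DIG_OUTPUT = """\
10 aspmx4.googlemail.com.
10 aspmx3.googlemail.com.
10 aspmx2.googlemail.com.
5 alt2.aspmx.l.google.com.
5 alt1.aspmx.l.google.com.
1 aspmx.l.google.com.
10 aspmx5.googlemail.com.
"""


def parse_mx(dig_output):
    """Turn `dig +short ... mx` text into MxRecords sorted by preference.

    Lower preference values are tried first by a sending MTA (RFC 5321),
    so the first record in the result is the primary inbound relay.
    Blank lines are ignored; a malformed line raises ValueError rather
    than silently dropping a mail exchanger.
    """
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError("unexpected dig output line: %r" % line)
        pref, host = int(parts[0]), parts[1].rstrip(".").lower()
        records.append(MxRecord(pref, host))
    # Stable sort keeps dig's order among equal preferences.
    return sorted(records, key=lambda r: r.preference)


def provider_for_host(host):
    """Map a mail-exchanger hostname to a provider name, or 'unknown'."""
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if host.endswith(suffix):
            return provider
    return "unknown"


def inbound_mail_providers(dig_output):
    """Return the set of providers that can receive mail for the domain.

    An empty dig result means the domain has no MX records; RFC 5321
    then falls back to the domain's own A/AAAA record, which this
    function reports with a sentinel string instead of a provider.
    """
    records = parse_mx(dig_output)
    if not records:
        return {"no MX (implicit A record)"}
    return {provider_for_host(r.host) for r in records}


if __name__ == "__main__":
    for rec in parse_mx(SAMPLE_DIG_OUTPUT):
        print(rec.preference, rec.host, provider_for_host(rec.host))
    print("inbound mail handled by:", inbound_mail_providers(SAMPLE_DIG_OUTPUT))
```

Every mail exchanger in the set matters, not just the lowest preference: a sending MTA will use a backup relay whenever the primary is unreachable, so the weakest-jurisdiction host in the list is the one that counts.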
-
-
Wednesday 7th October 2015 09:16 GMT waldo kitty
wait... what??
[from the article] Crudely put, the US doesn't recognise an "abroad" - and fears that if it starts to do so, it will open a Pandora's Box of criminal evasion. This is being fought in Europe, where Microsoft is challenging a US Court order to access emails stored in Ireland. The DoJ fears that a future Enron would store its data offshore, and claim data protection.
this is different than stashing your $$$ overseas to avoid taxation on it how?? apparently the US does recognize an "abroad"... they cannot stop anyone from opening a swiss bank account so what makes them think they can stop them from using infrastructure that is located offshore?
-
Wednesday 7th October 2015 13:24 GMT Anonymous Coward
this is different than stashing your $$$ overseas to avoid taxation on it how
There is a framework in place to trace funds (which, by the way, isn't very bothered about your privacy either because not paying tax is even worse than being a murdering terrorist), but there is little in place to trace information.