EU cloud data can be secretly accessed by US authorities

US-owned companies bound by Patriot Act, says Microsoft


Personal information belonging to EU users of US-owned cloud-based services could be shared with US law enforcers without the user being informed, Microsoft has said.

The software giant said it could not guarantee that it would not have to hand over EU customers' data on a new cloud service it has developed whilst keeping details of the data transfer secret.

Cloud services allow internet users to store data online instead of locally.

EU data protection laws state that organisations must tell people when they are asked to disclose their personal information.

These EU provisions might conflict with obligations US-based firms, such as Microsoft, face under US law.

The USA Patriot Act gives law enforcement authorities the right to access personal data held by US-based companies, regardless of where it is stored in the world. The Act also gives law enforcers the right to prevent firms informing the customer that they have had to hand over the information. The controversial law was established as an anti-terrorism tool.

Microsoft is set to launch a new cloud service next week. It said it will allocate its customers a region where their information will be physically stored, but said it could not guarantee that it would tell EU customers' details if US authorities sought access to their data.

"In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service)," Microsoft said in its online data storage services' privacy policy.

"As a general rule, customer data will not be transferred to data centers outside that region," Microsoft said in an explanation about geographic boundaries for its new service.

"There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (eg, for technical support, troubleshooting, or in response to a valid legal subpoena)," the explanation said.

The USA Patriot Act caused controversy in Canada in 2008 when a Canadian university told its staff and students not to send private data over an email system.

The system was outsourced to the US, prompting staff to lodge an official grievance against the university.

Staff complained that the fact that their emails are routed through the US meant their contents were vulnerable to interception by US authorities.

Microsoft can already transfer personal data from Europe to the US under a special agreement drawn up by the European Commission and US Department of Commerce.

The Safe Harbor scheme allows US companies that meet the requirements of the EU's Data Protection Directive to transfer EU data to the US.

EU companies are generally prohibited from transferring personal data to countries outside the European Economic Area unless there is adequate protection for that data.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.


Other stories you might like

  • Start using Modern Auth now for Exchange Online
    Before Microsoft shutters basic logins in a few months

    The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

    In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal executive civilian branch (FCEB) agencies – which includes such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.

    "Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote. "After completing the migration to Modern Auth, agencies should block Basic Auth."

    Continue reading
  • Microsoft gives its partners power to change AD privileges on customer systems – without permission
    Somewhat counterintuitively, this is being done to improve security

    Microsoft has created a window of time in which its partners can – without permission – create new roles for themselves in customers' Active Directory implementations.

    Which sounds bonkers, so let's explain why Microsoft has even entertained the prospect.

    To begin, remember that criminals have figured out that attacking IT service providers offers a great way to find many other targets. Evidence of that approach can be found in attacks on ConnectWise, SolarWinds, Kaseya and other vendors that provide software to IT service providers.

    Continue reading
  • FabricScape: Microsoft warns of vuln in Service Fabric
    Not trying to spin this as a Linux security hole, surely?

    Microsoft is flagging up a security hole in its Service Fabric technology when using containerized Linux workloads, and urged customers to upgrade their clusters to the most recent release.

    The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/write access to the cluster as well as the ability to execute code within a Linux container granted access to the Service Fabric runtime in order to wreak havoc.

    Through a compromised container, for instance, a miscreant could gain control of the resource's host Service Fabric node and potentially the entire cluster.

    Continue reading

Biting the hand that feeds IT © 1998–2022