In what appears to be an effort to ease the concerns of EU customers about the security of U.S.-based clouds, Microsoft has launched the Office 365 Trust Center and is offering its customers compliance with the European Commission’s Data Protection Directive. Microsoft claims to be the first cloud provider to sign a set of EU “model clauses,” which are standard contractual clauses that govern the international transfer of personal data. “When included in service agreements with data processors,” Microsoft writes, “the model clauses assure customers that appropriate steps have been taken to help safeguard personal data, even if data is stored in a cloud-based service center located outside the EEA.”
Though the USA Patriot Act is nowhere mentioned on Microsoft’s newly launched site or in its press materials, it’s hard not to see Wednesday’s announcements as a response to widely reported fears among EU customers that U.S. law gives federal authorities unprecedented leeway to snoop on foreigners’ data when that data is hosted in U.S. clouds.
Earlier this week, a VP at U.K. defense contractor BAE Systems told an audience that his company was set to adopt Office 365 when the firm’s lawyers nixed the idea for Patriot Act reasons. The BAE incident is one example of a much larger trend of companies avoiding U.S.-based public clouds because of concerns that the Patriot Act not only gives the U.S. government the power to snoop on private data held by cloud providers, but that the feds can also use gag orders to prohibit cloud providers from informing their clients that their data has been compromised. U.S. cloud companies and lobbyists have pushed back on these fears as unfounded, but it’s clear that they aren’t.
I contacted Microsoft to get clarity on whether the announcements were a direct response to Patriot Act concerns, and on whether an EU client who takes Microsoft up on its offer to sign contracts with the EU model clauses in them could still be subject to NSL-related snooping. A spokesperson sent along the following statement in response:
It’s not uncommon for new technologies to create legal questions, and the current dialogue about data sovereignty and the cloud is only the latest example. This is an important topic which affects all cloud providers, including non-U.S. companies with a presence in the U.S., as well as those companies headquartered in the U.S. It is also an active discussion in many regions with similar statutes. We are seeing strong momentum from customers for our cloud services and most take a thoughtful approach considering issues of data sovereignty alongside other evaluation criteria when making a decision to move to the cloud. In the rare instance we receive a government request for enterprise customer data, we will only respond when legally required, and will first try to redirect the request to the customer so they can determine how to respond. For any request, we make every effort to notify customers in advance, unless we are legally prohibited from doing so.
From the above, it’s not at all clear whether the new announcements address the NSL-related concerns that EU companies have; my guess is that they do not, because if they did Microsoft would make a point of stating this explicitly. So this looks like an attempt to reduce the fear level around this issue without actually addressing the root of the problem.
Of course, it’s important to be fair to Microsoft here and note that this problem is not of the company’s making—it’s the government’s fault—and it’s also not specific to Microsoft. Redmond is just trying to make the best of a bad situation. As Microsoft rightly points out in the above statement, every single cloud provider with any kind of presence in the US has to deal with these Patriot Act issues, so there’s really nothing that the company can do short of lobbying Congress to get these provisions repealed. Perhaps if US tech companies lose enough business over this, we’ll see them band together and fight the Patriot Act with the same vigor that they’re opposing SOPA.
And they are definitely losing business, as EU cloud providers seize the opportunity created by the Patriot Act to snap up customers. One such provider is the Switzerland-based SecureSafe, which advertises itself as a kind of Swiss bank account for keeping your digital files safe from the prying eyes of US feds. The company’s blog seized on my earlier article about the EU’s Patriot Act fears, and positioned its service as a direct response to those fears.
After some poking around the SecureSafe site, I find the ideas behind the service very compelling and will definitely be checking it out. Right now, my secure cloud storage solution is a hacked-together combination of an encrypted sparseimage on OS X, Dropbox, and 1Password. But even though my wife has my 1Password password, if I were hit by a bus she’d probably have to bring in a nerd and privacy geek to help her untangle the whole mess and get at all of our files. With SecureSafe, you can designate people to inherit your data in the event of death, which is actually a feature that services like Dropbox and Google Apps could and should offer.