By Ryan Gallagher
Europeans, take note: The U.S. government has granted itself authority to secretly snoop on you.
That’s according to a new report produced for the European Parliament, which has warned that a U.S. spy law renewed late last year authorizes “purely political surveillance on foreigners' data” if it is stored using U.S. cloud services like those provided by Google, Microsoft and Facebook.
Europeans were previously alarmed by the fact that the PATRIOT Act could be used to obtain data on citizens outside the United States. But this time the focus is a different law—the Foreign Intelligence and Surveillance Amendments Act—which poses a “much graver risk to EU data sovereignty than other laws hitherto considered by EU policy-makers,” according to the recently published report, Fighting Cyber Crime and Protecting Privacy in the Cloud, produced by the Centre for the Study of Conflicts, Liberty and Security.
The FISA Amendments Act was introduced in 2008, retroactively legalizing a controversial “warrantless wiretapping” program initiated following 9/11 by the Bush administration. Late last month, it was renewed through 2017. During that process, there was heated debate over how it may violate Americans’ privacy. But citizens in foreign jurisdictions have even greater cause for concern, says the report’s co-author, Caspar Bowden, who was formerly chief privacy adviser to Microsoft Europe.
According to Bowden, the 2008 FISA amendment created a power of “mass surveillance” specifically targeted at the data of non-U.S. persons located outside America, which applies to cloud computing. This means that U.S. companies with a presence in the EU can be compelled under a secret surveillance order, issued by a secret court, to hand over data on Europeans. Because non-American citizens outside the United States have been deemed by the court not to fall under the search and seizure protections of the Fourth Amendment, it opens the door to an unprecedented kind of snooping. “It's like putting a mind control drug in the water supply, which only affects non-Americans,” says Bowden. The lack of attention European data protection authorities have paid to this provision has been “shocking,” Bowden adds. But with FISA’s renewal and the release of the report, that could be about to change.
Most countries’ spy agencies routinely monitor real-time communications like emails and phone calls of groups under suspicion on national security grounds. However, what makes FISA different is that it explicitly authorizes the targeting of real-time communications and dormant cloud data linked to “foreign-based political organizations”—not just suspected terrorists or foreign government agents. Bowden says FISA is effectively “a carte blanche for anything that furthers U.S. foreign policy interests” and legalizes the monitoring of European journalists, activists, and politicians who are engaged in any issue in which the United States has a stake. FISA, according to Bowden, expressly makes it lawful for the United States to do “continuous mass-surveillance of ordinary lawful democratic political activities,” and could even go as far as to force U.S. cloud providers like Google to provide a live “wiretap” of European users’ data.
U.S. officials, perhaps unsurprisingly, have continually rejected claims of mass snooping on Europeans. In a speech last year, William Kennard, U.S. ambassador to the European Union, addressed what he called the “fear of unlimited U.S. government access to data,” saying that all law enforcement and national security investigations in the United States are subject to legal and judicial constraints designed to protect individual privacy. It’s certainly questionable whether a U.S. court, even in secret, would be audacious enough to actually authorize mass spying on European journalists, even if it is a theoretical possibility. But in Europe, serious skepticism remains. Not satisfied with assurances from U.S. officials, Bowden and co.’s report calls for EU citizens to receive “prominent warnings” that their data could be vulnerable to U.S. political surveillance. The report also proposes that Europeans be granted equal protection in American courts.
Concerns on the issue of U.S. access to foreigners’ data have been simmering for several years—and could soon reach boiling point. Dutch politician Sophia in 't Veld, vice-chair of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, is among a handful of European parliamentarians working to address the issue. The problem is a complex one, Veld tells me, because companies are required to comply with two conflicting jurisdictions, so new legislation won’t necessarily fix the situation. There’s also politics involved. “It’s very clear that the European Commission [the EU’s executive body] is turning a blind eye,” says Veld. “So are the national governments—partly because they don’t grasp the issue and partly because they are afraid to stand up to U.S. authority.”
Now, though, it seems inevitable that Europe’s policymakers will eventually have to face up to questions over U.S. snooping, no matter how controversial. The latest report uses words like “heavy-calibre mass surveillance fire-power aimed at the cloud”—the kind of language that can’t be brushed under the carpet for long.