Arnold Picot, director of the Institute for Information, Organization, and Management at the Munich School of Management, was mistaken when he described the cloud as secure. Talking to Zeit Wissen magazine, he branded fears of a data catastrophe in the cloud as irrational: "The big cloud providers' systems are highly professional, and data security is the basis of their business."
But Professor Picot is only human -- which, as we all know, gives him the right to err. In fact, US authorities have recently been granted access to European cloud data.
Err... just recently? How naïve are we supposed to be?
In early July, Microsoft hit the headlines for all the wrong reasons when its British managing director, Gordon Frazer, admitted that US criminal prosecutors were granted access to customer data, under the US Patriot Act. Accordingly, customers throughout Europe using virtual services provided by Redmond (such as Office Cloud and email) must expect to be probed by the US Secret Service. In actual fact, this issue doesn't just concern Microsoft; it also concerns firms like Amazon, Google, and Apple, to name a few.
Providers based in the United States must hand over data on demand as soon as American security is threatened -- which basically means all the time. In other words, the main purpose of the Patriot Act is to simplify investigations by the Federal authorities in the event of terrorist peril. Fundamental rights are irrelevant, and those being investigated don't even have to be notified. The Patriot Act has been in force since 2006. The right to access data anywhere in the world prompted little resistance here in Europe at the time. And now? Things have since gone very quiet about this official spying.
But thanks to Gordon Frazer, a storm is now brewing in the cloud. Some data protection campaigners have sounded the alarm. Thilo Weichert, who heads the Schleswig-Holstein Independent Data Protection Center, is one of the most vociferous protesters. He believes this contravenes European data protection legislation. In 2008, I interviewed Thilo Weichert on the subject of Google and data protection. Three years later, one of his answers has lost none of its relevance. He said:
US law applies -- hence there is, de facto, no data protection. Those who are foolish enough to use Google services because they're free must, or at least ought to, know that they're putting themselves at risk of a data disaster. There are also German providers with free services, which feel bound by German law.
And it's precisely these email data and other services provided by American companies that US authorities have been accessing for years. It's not a secret; it's just not publicized.
Perhaps it will be now? No. Even though the matter's now being talked and written about again, such talk won't necessarily change the law. But the fact remains that Microsoft is one of just a handful of companies to have spoken about this in public. The term "data security" has long been the hallmark of many American companies -- yet US government authorities have much more access to those companies' "secure" data than some Europeans know.
This is bound to annoy data protection campaigners like Weichert, because neither the US government nor the companies that hold data are being upfront about the government's right to spy on users' data. Authorities are filing applications to access data at will, enabling them to produce and combine user profiles and then skim off data. Although companies like Google and Microsoft know this, under US law they aren't allowed to talk about it.
Data protection campaigners, the European Union, and other influential bodies and individuals need to engage in dialogue with the US government and corporate world. After all, what's the use of companies that offer data security and encryption but then reveal everything to authorities on request?! Unfortunately, we can't believe the providers, since they've been gagged by the state and are unable to talk about any such cases in public.
The issue here isn't the spying itself; the issue is that everyone should be entitled to some transparency about these practices. Or maybe the issue, instead, is the naïvety of those using these services, who think that their data is safe in the cloud.