On June 28, 2011, at the launch of Office 365, the new cloud based version of its well-known office tools, Microsoft stated that data that you store on the cloud is subject to scrutiny by the US government even when it is stored overseas. ZDNet reporter Zack Whittaker reported that, when asked if Microsoft could guarantee that data stored in the European Union would not leave the European Economic Area, Gordon Frazer, managing director of Microsoft UK, explained that it could not. Because Microsoft is a US based company it has to comply with US laws and would be forced to disclose data to the US government if required to do so under the Patriot Act. When asked if customers would be notified of a government ordered disclosure, he said that neither Microsoft nor any other company can provide such a guaranty. Gagging orders, injunctions and U.S. National Security Letters can prohibit disclosure of information requests to the owners of the information.
These public admissions are consistent with similar admissions previously made by Microsoft in a white paper detailing Office 365 security which states:
In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service).
Accordingly, if a governmental entity approaches Microsoft Online Services directly for information hosted on behalf of our customers, [Microsoft] will try in the first instance to redirect the entity to the customer to afford it the opportunity to determine how to respond. …and will use commercially reasonable efforts to notify the enterprise customer in advance of any production unless legally prohibited.
In addition to the insecurity that this language creates for European users who, by using the service, may be exposed to US government scrutiny, it also brings into question the legality US run cloud services in the Europe. European data security directives prohibit removal of data from Europe without the data owner’s consent. Microsoft did not explain how it reconciles its obligations under US and European law.
Microsoft’s own white paper increases concern about the extra territorial transfer of data:
As a general rule, customer data will not be transferred to data-centers outside that region. There are, however, some limited circumstances where customer data might be accessed by Microsoft personnel or subcontractors from outside the specified region (e.g., for technical support, troubleshooting, or in response to a valid legal subpoena)
This language not only creates concerns for European customers of the Office 365 service but for US customers concerned with running afoul of export controls which might hold them strictly liable for foreign transfer of certain technical information.
While some readers may shrug off the disclosure requirement assuming that laws such as the Patriot Act are limited in use to terrorist investigations, it is important to understand that nothing restricts the scope of information obtained under the act or the transfer of information gained to other government agencies. In fact, the government has repeatedly refused to disclose how it feels that it can use the Patriot Act and where there has been disclosure, the interpretation has been expansive.
So what do these disclosures suggest for users of cloud services. For one thing, it is likely that European users will shy away from accessing cloud services provided by US companies. We are also likely to eventually see litigation reconciling European Union data rules against compelled disclosure under national security laws such as the Patriot Act. Finally, companies that are subject to export control compliance would be wise to shy away from cloud services and instead opt for restricted hosting services where they can assure no foreign access to their data.