Experts warn on wire-tapping of the cloud
Leading privacy expert Caspar Bowden has warned Europeans using US cloud services that their data could be snooped on.
In a report, he highlights how the Foreign Intelligence Surveillance Act Amendment Act (FISAAA) allows US authorities to spy on cloud data.
This includes services such as Amazon Cloud Drive, Apple iCloud and Google Drive.
He told the BBC this heralded a new era of “cloud surveillance”.
Mr Bowden, former chief privacy adviser to Microsoft Europe, made a name for himself as a privacy advocate when the controversial Regulation of Investigatory Powers Act (RIPA) came into force in the UK in 2000.
Parliament accepted some of the amendments proposed by Mr Bowden as the then director of the Foundation for Information Policy Research.
Now he has turned his attention to US legislation and has co-authored the Fighting Cyber Crime and Protecting Privacy in the Cloud report which was recently presented to the European Parliament.
In it he said that FISAAA “expressly permits purely political surveillance”, so that anyone with stored information relating to US foreign policy could find themselves of interest to the US authorities.
“Anyone who, for example, belongs to a campaign group which may oppose some aspect of US foreign policy, whether it be the Iraq war or climate change,” he said.
The FISAAA was originally drafted in 2008, and was recently renewed until 2017. It was added on to existing legislation to take account of cloud computing, which was just emerging as a means of data storage.
“What’s amazing is that nobody really spotted it for four years,” said Mr Bowden.
“When FISAAA was extended to cover cloud computing, encrypting data to and from the cloud becomes irrelevant so it is surprising that nobody noticed this,” he added.
Adam Mitton, a partner at law firm Harbottle & Lewis, agreed that the FISAAA could be a threat to privacy but questioned how much it was used.
“In theory there is a clear threat to the privacy of European citizens, but in reality the fact that it is obscure suggests that the threat isn’t as great as it might be perceived,” he said.
“If it was being used by an authority and having an impact on individual citizens, I think that the source of the information would come to light. The legislation is now five years old and I’m not aware of any case that has relied on it,” he added.
Storing data in the cloud is becoming hugely popular not just for consumers who use it to keep photographs and other personal data safe but for businesses which are increasingly using cloud services to offer back-end processing power.
Under the FISAAA, US cloud providers can be compelled to release data from any citizen living outside of the US.
“The fibre-optic cable that carries the data is split and a miniature supercomputer scans all the data in real-time with any material of possible interest being instantly copied to the NSA [National Security Agency],” said Mr Bowden.
The court order is made in secret and remains secret – meaning it would not show up in things such as Google’s transparency reports, which aim to document data requests from governments around the world.
“We have long known that the Americans can spy on foreign data but FISAAA extends this to reach inside the data centre. It allows the authorities to enact surveillance on a mass scale because it is wired into the infrastructure,” Mr Bowden said.
A hearing on the European Parliament’s findings of the report is due next month.