Setting aside the similarly little-known fact that the U.S. Patriot Act effectively allows U.S. authorities to access cloud data belonging to Europeans and stored in European Union datacenters, it's bad news that the newly renewed FISAA can also be used in a similar way.
Under the Act in question, all the data stored in U.S. cloud services - including, of course, those of giants such as Google, Amazon and Microsoft - by non-Americans could be accessed by U.S. agencies if the companies in question have a presence in the EU - and most, if not all, do.
To do this, the U.S. authorities need only get a secret court to issue a secret surveillance order, and hand it over to the companies. Bound by U.S. law, the companies are and will be forced to comply.
The problem has been noted in a recently published study requested by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs, titled "Fighting Cyber Crime and Protecting Privacy in the Cloud."
"Where cloud computing is possibly most disruptive is where it breaks away from the forty-year-old legal model for international data transfers, jeopardizing the rights of the EU citizens," pointed out the researchers.
Consumers’ rights are bundled into a complex web of contracts among private entities, and the "lack of legal certainty surrounding the concept of cybercrime and legal frameworks of cloud-based investigations, as well as inadequate tools to safeguard privacy and data protection increase the potential for misuses and abuses by law enforcement actors and agencies," leaving European citizens’ data insufficiently protected.
"This aspect is enhanced by exceptional measures taken in the name of security and the fight against terrorism. The US context is here particularly illuminating, both in the case of the Patriot Act and in the case of the US Foreign Intelligence Surveillance Amendment Act (FISAA) of 2008. In this case, the question of the legal framework of data transfers/processing to third countries is critical," the researchers concluded, adding that these elements "have been neglected in EU policies and strategies, despite their very strong implications for EU data sovereignty and the protection of citizens’ rights."
One of the main problems with FISAA is that it allows surveillance of real-time communications and cloud data of individuals and organizations that are not suspected of any crime - just political activity. According to Caspar Bowden, one of the study's co-authors, that might result in the monitoring of European politicians, activists, and even journalists involved in political issues important to the U.S.
While the U.S. was quick to assure that such things will never be able to happen, many European politicians are still skeptical.