The Foreign Intelligence Surveillance Act (FISA) allows the U.S. government open access to electronic information stored by non-US citizens on US-based servers, like a host of cloud services available today. iCloud, Google Drive, Dropbox, and other popular services are all subject to this law, passed in 2008 by the Bush administration and recently re-authorized by the Obama administration for another 5 years.
What this means is that any data stored by non-American citizens on cloud servers here in the US is able to be looked at in entirety by various agencies in the US federal government, including the NSA, FBI, and CIA.
Caspar Bowden, Chief Privacy Adviser to Microsoft Europe for nine years until 2011, told UK-based The Independent: “What this legislation means is that the US has been able to mine any foreign data in US Clouds since 2008, and nobody noticed.”
Several posts, like this one at the Huffington Post, written around the time of the re-authorization of the FISA mention email and overseas phone calls, but do not take notice of cloud-based data.
Sophie in ‘t Veld, a Dutch MEP who serves as vice chair of the European Parliament’s civil liberties committee, told The Independent, “Let’s turn this around and imagine this is not the United States having unlimited access to our data but the government of Mr Putin or the Chinese government – would we still wonder if it’s an urgent issue? Nobody would ask that question.”
While we may imagine that the US won’t use the data for anything nefarious, we just may be too naive. Even worse, however, is the precedent this sets for countries to gather data on non-citizens via commercial services that may in the future be housed in a location other than our country of origin.
We’ve contacted Apple, Google, and Dropbox for comment, and will update if we receive a response.
Update Google responded to our request for comment with Google’s general policy on these types of issues, saying that the company is unable to comment on FISA, specifically. They also pointed us to the official blog post and FAQ, as well.
Law enforcement agencies must be able to pursue illegal activity and keep the public safe. But it’s just as important that laws protect our users against overly broad requests for their personal information.
Respect for the privacy and security of data that users store with Google underpins our approach. Before complying with a government request, we make sure it follows the law and Google’s policies. We notify users about legal demands when appropriate, unless prohibited by law or court order. And if we believe a request is overly broad, we seek to narrow it — like when we persuaded a court to drastically limit a U.S. government request for two months’ of user search queries.
We’re still awaiting any word from Apple or Dropbox.
Source: The Independent