Most European nations have long had stronger privacy laws than those in the United States. As a result U.S. Internet companies doing business there–incluiding Google, Microsoft, Yahoo, Facebook, and AOL–have signed on to so-called “safe harbor” principles, promising a European level of privacy protection. Now, of course, it appears they’ve also been providing gobs of data about some overseas customers to the U.S. National Security Agency (see “NSA Surveillance Reflects a Broader Interpretation of the Patriot Act”).
Among other fallout, it’s reasonable now to expect E.U. regulators and customers to go nuclear–and U.S. companies to face tough sledding ahead.
I had a chance today to speak with Radu Sion, a computer scientist at Stony Brook University and a leading figure in cloud computing security. “Expect some interesting court battles in the E.U. based on this,” he said. “Any of these companies, if ever they were to admit this, that they allowed the government to have a tap inside their service, which according to the E.U. is not allowed, they probably could get shut down in Europe–specifically Facebook, which has a lot of users in Europe.”
Sion was of course speculating, as most commentators have been doing in the absence of solid information about what has been going on. I asked Sion how the NSA could get hold of data from Internet companies. Sion surmised that the mechanics of the task would either be a direct digital pipeline from the company to the NSA, or some Web-based way for the NSA to submit its request and recieve a response. Either way, he presumes, the surveillance is hardly some secret eavesdropping technology, just a company handover.
You can read the definitions of safe harbor principles here. Note that the first principle requres “notice” about how information is shared: “Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure.”
I’m no lawyer, but the wholesale transfer of inboxes to the U.S. government arguably qualifies as something that our privacy-minded friends in Europe–if not us surveillance-loving Americans–should be told about.