European Cloud Providers Cloud the Truth After PRISM—What Should U.S. Providers, and the U.S. Government, Do About It?
European cloud providers have tried for years to gain a competitive advantage in the European market over U.S.-based counterparts by claiming that content stored with European providers is more protected from government access than data stored with U.S. companies. These European providers have tried to instill fear in potential customers, claiming that the USA PATRIOT Act gives the U.S. government essentially unfettered access to content stored with U.S. companies.
As has been well documented here and elsewhere, the truth is that the U.S. imposes tighter restrictions on the ability of its law enforcement and security agencies to get data stored in the U.S. than many EU governments face in accessing data stored in their home countries. Moreover, unlike in the U.S., providers in the EU can voluntarily provide content and customer data to the government, and EU providers are required to retain data for up to two years, helping ensure the data is there when the government comes looking for it.
When I was at the Justice Department, it was not uncommon for law enforcement officials in European countries who were seeking their citizens’ content stored in the U.S. to complain that the evidentiary standards that had to be met to obtain that data under U.S. law were too high. No, you didn’t read that wrong: European governments complain to U.S. officials that they can more readily access their citizens’ data if that data is stored in Europe than if that data is stored in the U.S., because they often cannot satisfy our stricter standards for government access—standards that protect data in the U.S. regardless of whether that data is owned by an American or European customer.
Even before anyone ever heard of Edward Snowden, U.S.-based providers and U.S. government officials struggled to combat the misinformation being propagated by EU providers and media, with limited success. The hyperbole and hypocrisy from EU officials in the wake of the PRISM leaks have made that struggle even more difficult. The overheated rhetoric coming out of the EU shows no signs of abating, almost as if EU officials were determined to keep the public’s focus away from the even more permissive national security laws in their own backyard. But despite that rhetoric, the reality is that data belonging to EU citizens and companies is no less protected from government access—and arguably much better protected—if stored with a U.S. provider than with a European provider.
So as European providers seek to exploit the PRISM controversy to further cloud the truth, what should U.S. providers, and the U.S. government, do?
- ECPA Reform: U.S. providers should continue to play a leading role in forcefully advocating for a uniform warrant standard for all content stored in the U.S. One reason why European providers were initially able to gain traction with their attacks on U.S. laws is that our standards—while still higher than in many EU countries—are rather hard to explain, with different rules for opened and unopened e-mail, and different rules based on the age of certain e-mails. A warrant-for-all-content standard has the benefit of being easy to understand and explain in a foreign market. Google, Microsoft, Facebook, Twitter, Reddit and numerous other tech companies recently wrote to Congress to express support for a warrant requirement for stored content. Continued strong, and public, leadership by those companies is critical.
- Transparency: Google, Microsoft, Facebook, Apple and Yahoo deserve praise for their aggressive push for greater transparency about national security-related requests. Thus far they’ve pressed the issue in the courts and at the White House. They should not let up, and if necessary should take that fight to Capitol Hill as well. And they should use what data they are able to release to demonstrate that requests by governmental authorities in the U.S.—federal, state and local—in all types of cases combined affect only a fraction of a percent of users.
- Use economic and political leverage: There are signs that governments in Europe and elsewhere may try to take their frustrations over PRISM out on U.S. providers. Foreign officials are already using PRISM as an excuse to promote what my colleague Stewart Baker refers to as “information protectionism,” suggesting that European companies should not use U.S. providers and even going so far as to suggest laws requiring cloud providers to store data locally. The U.S. government cannot sit back and let European governments beat up on U.S. providers, who have done nothing other than comply with their obligations under U.S. law. The Obama administration and Congress should use all available leverage—economic, political and legal—to help protect U.S. providers from repercussions—including, where appropriate, suspending law enforcement and intelligence assistance to those countries that harass or threaten U.S. providers merely for obeying U.S. law.
- Fight fiction with facts: The U.S. needs to be much more willing to call out EU officials for their hypocrisy. U.S. providers—and the U.S. government—cannot afford to allow the narrative to harden further that U.S. laws are less protective of stored content than EU laws. The facts are very much on the side of the U.S. providers, and the U.S. government needs to work even harder now to make sure those facts are heard over the noise.
About the Author
Jason Weinstein is a partner at Steptoe & Johnson LLP specializing in data privacy and security, as well as criminal defense and internal investigations. He is a former federal prosecutor and most recently served as Deputy Assistant Attorney General in the Criminal Division, where he oversaw the Computer Crime and Intellectual Property Section.