Microsoft admits it 'cannot guarantee' data sovereignty
- Reference: 1753448408
- News link: https://www.theregister.co.uk/2025/07/25/microsoft_admits_it_cannot_guarantee/
The [1]Cloud Act is a US law that gives the US government authority to obtain digital data held by US-based tech corporations irrespective of whether that data is stored on servers at home or on foreign soil. It is said to compel these companies, via warrant or subpoena, to comply with the request.
Speaking on [2]June 18 before a French Senate inquiry into public procurement and the role it plays in European digital sovereignty, Microsoft France's Anton Carniaux, director of public and legal affairs, and Pierre Lagarde, technical director for the public sector, were quizzed by local politicians.
Asked whether any technical or legal mechanisms could prevent this access under the Cloud Act, Carniaux said Microsoft had "contractually committed to our clients, including those in the public sector, to resist these requests when they are unfounded."
"We have implemented a very rigorous system, initiated during the Obama era by legal actions against requests from the authorities, which allows us to obtain concessions from the American government. We begin by analyzing very precisely the validity of a request and reject it if it is unfounded."
He said that Microsoft asks the US administration to redirect it to the client.
"When this proves impossible, we respond in extremely specific and limited cases. I would like to point out that the government cannot make requests that are not precisely defined."
Carniaux added: "If we must communicate, we ask to be able to notify the client concerned." He said that under the former Obama administration, Microsoft took cases to the US Supreme Court and as such ensured requests are "more focused, precise, justified and legally sound."
The Cloud Act was signed into law in 2018 following challenges the FBI faced when obtaining data from service providers through Stored Communications Act (SCA) warrants, legislation that predates cloud computing becoming a viable thing. Microsoft challenged previous requests, including one concerning a drug trafficking probe decided in 2016, in which emails of a US citizen were held on Microsoft servers in Ireland, and [7]Microsoft argued the SCA did not cover data held outside the US.
The bill was supported at the time it became law by AWS, Microsoft, and Google – and was criticized by civil rights groups. European cloud providers with skin in the game have talked up the potential data sovereignty issue for customers in the EU, although, as Microsoft has said, it has not received data requests from the US government for data held on Microsoft servers in Europe.
Back at the hearing in France, Microsoft was asked whether, if a data request was well framed, the corporation would be "obliged to transmit the data?"
Carniaux admitted: "Absolutely, by respecting this process. But again, this has not affected any European company, or a public sector body, since we have been publishing these transparency reports."
Microsoft transparency reports are twice yearly publications in which the business reveals how it manages user data requests, content removal, and more.
Lagarde chimed in to say that for the past three years Microsoft has implemented a technical environment to minimize data transfers and keep customers' data within the EU, "whether at rest, in transit or being processed, or whether it is data generated by application logs, including the support part."
As proceedings continued, Carniaux was asked if in the event of an injunction that was legally justified, could he, as Microsoft director of public and legal affairs, "guarantee our committee, under oath" that data on French citizens could not be transmitted to the American government without the explicit agreement of the French government.
"No," said Carniaux, "I cannot guarantee that, but, again, it has never happened before."
The Register asked Microsoft to comment on this but it declined to do so.
Mark Boost, CEO at Civo, claimed: "One line of testimony just confirmed that the US hyperscaler providers cannot guarantee data sovereignty in Europe."
"Microsoft has openly admitted what many have long known: under laws like the CLOUD Act, US authorities can compel access to data held by American cloud providers, regardless of where that data physically resides. UK or EU servers make no difference when jurisdiction lies elsewhere and local subsidiaries or 'trusted' partnerships don't change that reality.
"This is more than a technicality. It is a real-world issue that can impact national security, personal privacy and business competitiveness. We've already seen examples like the Scottish police case, where sensitive data was transferred out of jurisdiction and beyond intended control. The recent Microsoft testimony demonstrates how this can now happen on demand by US authorities.
"The French Senate has set a precedent by demanding answers, and the UK and Europe have an opportunity to do the same. We're already seeing a shift towards building homegrown solutions that support true data sovereignty rather than data residency. The government now needs to help industry accelerate this trend by reducing its over-dependence on hyperscalers."
AWS was [9]this week at pains to point out "five facts" about how the Cloud Act works following an uptick in "inquiries about how we manage government requests for data." First off, it says the legislation does not give US government "unfettered or automatic access to data stored in the cloud."
"The CLOUD Act primarily enabled the US to enter into reciprocal executive agreements with trusted foreign partners to obtain access to electronic evidence for investigations of serious crimes, wherever the evidence happens to be located, by lifting blocking statutes under US law.
"Under US law, providers are actually prohibited from disclosing data to the US government absent a legal exception," it adds, "To compel a provider to disclose content data, law enforcement must convince an independent federal judge that probable cause exists related to a particular crime, and that evidence of the crime will be found in the place to be searched."
AWS says it has not yet disclosed enterprise or government customer data under the Act; the principles of the Act are "consistent with international law and the laws of other countries"; and the law does "not limit the technical measures and operational controls AWS offers to customers to prevent unauthorised access to customer data."
The final point AWS makes - and one no doubt aimed at European rivals trying to exploit the data sovereignty movement - is that the Cloud Act does not only apply to US-headquartered companies; it is applicable to all "electronic communication service or remote computing service providers" that do business stateside.
"For example, European-headquartered cloud providers with US operations are also subject to the Act's requirements. OVHcloud, a French headquartered cloud service provider that operates in the US, notes in its [10]CLOUD Act FAQ page that 'OVHcloud will comply with lawful requests from public authorities. Under the CLOUD Act, that could include data stored outside of the United States'."
"Similarly, other cloud providers headquartered in the EU and elsewhere, also have operations in the US."
Despite this, mistrust of the Trump administration by some in Europe, notably including [11]Dutch politicians, means worries linger about the state of relations between those in the EU trading bloc and the US.
Microsoft, like [12]AWS and [13]Google, has embarked on a campaign to assure any concerned customers in the EU that it can provide data sovereignty in the wake of Trump 2.0 and the US President's less than friendly stance towards nations once considered close allies, including the tariff policy that has derailed predictability in industries across the world.
Microsoft President Brad Smith noted the "[18]volatile" economic and geopolitical tensions between the US and Europe and vowed to build more datacenters in Europe, among other measures. AWS will have services in place by the end of this year to address worries, and Google is tackling these issues too.
Nevertheless, there is a [19]movement in Europe to become less reliant on American big tech, with technical advisors pressing the point for independence, and local techies and lobbyists [20]urging the head of the European Commission to create a sovereign infrastructure.
Given the billions of dollars US giants transact with customers in Europe, they are going to put up a big fight to retain the business. And they have time on their side, as building self-reliance cannot be achieved [21]overnight.
We asked Google to comment and it referred us to a previous [22]blog published in May. AWS, which also earlier sent over its aforementioned blog post from July 22, told us it had nothing further to add. ®
[1] https://www.congress.gov/bill/115th-congress/house-bill/4943
[2] https://www.senat.fr/compte-rendu-commissions/20250609/ce_commande_publique.html
[7] https://www.theregister.com/2016/07/14/microsoft_wins_landmark_irish_warrant_case_against_usa/
[9] https://aws.amazon.com/blogs/security/five-facts-about-how-the-cloud-act-actually-works/
[10] https://us.ovhcloud.com/legal/faqs/cloud-act/
[11] https://www.theregister.com/2025/03/19/dutch_parliament_us_tech/
[12] https://www.theregister.com/2025/06/03/aws_european_sovereign_cloud/
[13] https://www.theregister.com/2025/05/21/google_sovereign_cloud_updates/
[18] https://www.theregister.com/2025/04/30/microsoft_getting_nervous_about_europes/
[19] https://www.theregister.com/2025/04/30/microsoft_getting_nervous_about_europes/
[20] https://www.theregister.com/2025/03/17/european_tech_sovereign_fund/
[21] https://www.theregister.com/2025/05/22/ditching_us_clouds_for_local/
[22] https://cloud.google.com/blog/products/identity-security/google-advances-sovereignty-choice-and-security-in-the-cloud
Re: Where does this leave Microsoft telemetry?
I'm sure that if anyone actually read Microsoft's terms and conditions, they'd find that using Windows implicitly grants MS the right to slurp telemetry from them.
Re: Where does this leave Microsoft telemetry?
My thoughts have always been "Who the fuck do the Yanks think they are? A load of fucking crooks and conmen."
Re: A load of fucking crooks and conmen
with a convicted felon in charge.
He's already selling 'Trump 2028' merch to the faithful.
{yes, the constitution says that he can't run but with the SCOTUS in his pocket, who knows}
There have been so many things
that had never happened before Trump. I'd count on it happening if I were any country in the EU. I'd start building my own localized data farms if I were the EU, and possibly make US based ones in the EU illegal since they are nothing more than spying machines.
Re: There have been so many things
This has nothing to do with the mad orange king. Even before 2018 when the Cloud Act was made law, National Security Letters were a thing, as far back as 2001 when the PATRIOT act was made law.
Re: There have been so many things
And we all did predict all of this in this forum.
There is no guarantee for data sovereignty with US companies. And they are not allowed to talk about data requests in certain cases, and that was covered in ElReg over the years as well.
So: no, I don't believe Microsoft's report, and we all have warned about this issue.
Re: There have been so many things
That exactly, they aren't allowed to say if they've been made to hand over data in some circumstances so all the "we've never done it" claims are smoke and mirrors. The question should be "Are there any circumstances where you would have to hand over EU data to the US government and not be able to tell anyone?"
Re: There have been so many things
Makes me think of the Regulation of Investigatory Powers Act, aka RIPA, in the UK, passed 20 years ago, which prohibits those served with a demand under RIPA from notifying the subject of the request and requires them to deny any such request has been made. Worse, it's been increasingly built on since, as the UK public are so tech illiterate and lacking in memory retention that the govt and media just wait a few years and again start on about tackling the wild west of the internet.
Re: There have been so many things
There is no guarantee of sovereignty with any cloud company, Yankee or otherwise. Microsoft are just the case in point.
You either go on-prem - and even that's vulnerable to a sufficiently motivated state actor - or you risk assess it.
There are no absolutes in this game - ever. Let's stop pretending there are.
Re: There have been so many things
This is the truth, you can't really trust what a company based in the US, Brazil, UK, France, China, Russia, or anywhere else does with your data. They are all beholden to local laws.
Re: There have been so many things
Not just local law, but also international agreements and data sharing under such agreements as Five Eyes.
Re: There have been so many things
Snowden disclosed NSA had full access to Microsoft, Google, FaceBook etc servers prior to 2012.
Seems people have forgotten...
Re: There have been so many things
@Roland6
"Snowden disclosed NSA had full access to Microsoft, Google, FaceBook etc servers prior to 2012.
Seems people have forgotten..."
What he did was one of the most significant exposures to be made and yet fell out of public concern so quickly. I can understand him cast as both the hero and the villain but as I side with the people before the government I do wish he was treated better than exile.
Re: There have been so many things
"yet fell out of public concern so quickly". I wonder why.
Re: There have been so many things
A National Security Letter does not allow access to the content of communication, only the metadata.
And the Cloud Act, eventually, should not apply to most EU citizens:
An ECS or RCS provider may challenge a domestic warrant that compels disclosure of the contents of an electronic communication if:
- the customer or subscriber is not a U.S. citizen or national, lawful permanent resident, corporation, or other unincorporated entity;
- the customer or subscriber does not reside in the United States; and
- the required disclosure creates a material risk that the provider violates the laws of a foreign government with which the United States has in effect an executive agreement on data access.
However, according to the CLOUD Act site on the DoJ, the US is still in negotiation with the EU for one of these "executive agreements". So the third point above cannot ever be true for the EU until an agreement is made. This means, I think, that other motions to quash would have to be used if providing data would violate local laws (e.g. GDPR).
Re: There have been so many things
You are incorrect. An NSL does two things: it requests something, and requires that you not tell anyone about the contents of that request.
Technically correct, but with massive caveats
By law, NSLs can request only non-content information, like transactions, contact info, audit log records and that kind of thing. The law forbids using them to collect actual content. This means if a provider uses zero knowledge encryption of content, an NSL alone definitely cannot result in anything extra being provided. This does not preclude the use of an NSL to gather metadata and then the utilisation of other pieces of legislation to then gather info about, and eventually grab, the resulting data if it is plaintext. For instance: Are EXIF tags content? Are identified objects and category keywords logged in a SharePoint database considered to be content? Nope. Microsoft loves keeping your data plaintext (from their perspective) where possible by encouraging all but the most highly paying customers to use encryption keys Microsoft possesses and controls.
Additionally, Microsoft brags at every possible opportunity about how they go above and beyond to help law enforcement, even forming the Microsoft Digital Crimes Unit (DCU) and being instrumental in working with organisations like the IWF to proactively catch out users they deem as undesirable by scanning every piece of content they get their grubby mitts on, including any data you chose to encrypt using your own keys. For example, OneDrive will happily decrypt your encrypted ZIP files without your express consent, if they can work out the key, and they’ll happily use bruteforce techniques to achieve this. You can observe this for yourself by encrypting a ZIP containing known malware with “infected” as an encryption password. OneDrive will detect the malware because it has decrypted your ZIP and scanned its contents. Also don’t even think about using any complex password and then using any other related service to provide the decryption password, because if you do, they will attempt to use it to decrypt your files and scan them. Likewise for encrypted Excel or Word documents, where they will happily slurp data using connected services (such as whenever you edit an image) whenever you edit them to do things like add tags. Microsoft invented a whole bunch of categorisation tools for detecting all manner of content and will perform custom queries for law enforcement utilising any derived metadata they’ve created about the contents of your files.
Microsoft does everything in their power to demonstrate to Joe Public that they probably shouldn’t be trusted, irrespective of which servers your data is stored on, and irrespective of network flows being limited to specific countries. Just. Say. No.
Data sovereignty at the nation state level is just misdirection. The real problem is far simpler. They cannot be trusted with anything private at all.
Re: There have been so many things
When I see a brand new poster with a posting history of 2 posts, I immediately think MS' PR are trying and failing to manage this story.
Welcome, we've known here for years that the US can rummage through any data held on a server owned by a US company located outside the US.
Re: There have been so many things
In 2001 nobody expected that Russian asset would become US president.
Re: There have been so many things
Twice.
It's time for the Spanish Inquisition to make an appearance and take him away
Re: There have been so many things
Four times.
Re: There have been so many things
That seems...unexpected.
Re: There have been so many things
Decades back the US tax authorities marched into the US branch of a Swiss bank and demanded details of customer accounts held in Switzerland. To comply they would be breaking Swiss banking law. Not to comply would be non compliance with the warrant so a US offence. They complied because local law supersedes foreign law in as much as the local authorities were already there with cuffs ready.
The only solution is to make it impossible to access the data. This was done and the next time it happened the folks in the US protested they were not physically able to comply. It was accepted as a valid personal defense but the bank was still fined daily for non compliance.
Re: There have been so many things
Yeah, but RIPA says if you don't tell 'em any encryption key they can [1]lock you up, until you do.
[1] https://www.legislation.gov.uk/ukpga/2000/23/section/53
Tell us something new
As many commentards here, myself included, have been pointing out for a long time, any data placed on a server operated by a US company is available for slurpage by the US TLAs. If they really want it, the data is taken by means of a National Security Letter. Then, even the weak protections afforded by the Cloud Act don't apply. They'll just copy it. Nobody will even know it was copied as the US company cannot even tell you about it.
If you're an EU company and you put your data on a US cloud provider's servers, regardless of pretty words like "sovereign", you are breaching GDPR, client confidentiality agreements and who knows what else.
Just say no to US cloud services.
Re: Tell us something new
Just say no to US cloud services.
Just like I remember a [1]Just say No campaign from long ago.
[1] https://en.wikipedia.org/wiki/Just_Say_No
Re: Tell us something new
"Just like I remember a Just say No campaign from long ago."
I can not recall whether that was no to sex or to drugs... Must have been drugs.
The '60s are a blur too but wasn't that campaign a Nancy Reagan initiative ?
Might be ungentlemanly but drugs would still have been the better offer. ;)
Re: Tell us something new
You are breaching GDPR in a wholly irrelevant way though. This elephant has been in the room since GDPR was formed and its just one example. Look at Safe Harbour.
If the benefit from data interchange is big enough - even the EU turns a blind eye to it.
So whilst you are breaching GDPR or Client Confidentiality - no one will point it out because no-one else in the room is wearing kecks either.
Re: Tell us something new
If you're an EU company and you put your data on a US cloud provider's servers [...] you are breaching GDPR
Surely not if you encrypt it with a key YOU control. Microsoft can't hand over data they can't read.
Re: Tell us something new
Sure, but that only works if all you're doing with that cloud is storing data. In most real-world scenarios, the cloud will be actually running a workload on that data, and that means it can't be encrypted all the time.
Re: Tell us something new
> Surely not if you encrypt it with a key YOU control. Microsoft can't hand over data they can't read.
Only if that encryption happens on your premises, not theirs.
Which makes it rather difficult to have an app on a cloud-hosted server reading/writing cloud hosted storage in a secure way.
Re: Tell us something new
Are you speaking of the key that is available in your GitHub repository that is controlled by Microsoft?
Re: Tell us something new
Or even the key that you created locally and then sent to the appropriate colleagues via Outlook or Teams in Office 365.
If you ever made a secret key and sent it over any network outside (and sometimes even inside) your business, the US already has a copy.
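The thread above (and the earlier comment on zero-knowledge encryption) argues that a provider cannot hand over what it cannot read, but only if the key is generated and kept on the customer's own premises and the data is merely stored, not processed, in the cloud. The following Go program is an added example, not code from the article, from Microsoft or from any commenter: it generates a key locally, seals an object with AES-256-GCM before "upload" into a map that stands in for the provider's object store, and then shows what each side can do with the stored bytes. The object store, object name and sample payroll record are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// providerStore stands in for a cloud object store (assumption for the demo).
// In this model it only ever receives ciphertext; the key is generated and
// kept on the customer's side, which here is simply the running process.
type providerStore map[string][]byte

// newCustomerKey generates a random 256-bit AES key on the customer's premises.
func newCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealForUpload encrypts plaintext with AES-256-GCM under the customer key
// before anything leaves the customer. The stored blob is nonce || ciphertext
// || tag, and the object name is bound as associated data so a blob cannot be
// quietly moved between object names without failing authentication.
func sealForUpload(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// openAfterDownload reverses sealForUpload on the customer's side. A wrong
// key, a tampered byte or a mismatched object name fails authentication and
// returns an error instead of any plaintext.
func openAfterDownload(key []byte, objectName string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// providerCanFind models what the provider, or anyone compelling it, can learn
// from the stored bytes without the customer key: a plaintext search over the
// object. It is also the thread's caveat in code: a workload that must search
// or process the data on the provider's side needs the plaintext, and a blob
// sealed this way is useless to it.
func providerCanFind(store providerStore, objectName, word string) bool {
	return bytes.Contains(store[objectName], []byte(word))
}

func main() {
	// Constructed sample record for the demo; not real data.
	const name = "hr/payroll.csv"
	record := []byte("employee,salary\nalice,4200\n")

	key, err := newCustomerKey()
	if err != nil {
		panic(err)
	}
	store := providerStore{}
	blob, err := sealForUpload(key, name, record)
	if err != nil {
		panic(err)
	}
	store[name] = blob

	fmt.Println("provider can find 'alice' in the stored object:", providerCanFind(store, name, "alice"))
	pt, err := openAfterDownload(key, name, store[name])
	fmt.Printf("customer decrypt succeeded: %v, plaintext %q\n", err == nil, pt)
	wrongKey, _ := newCustomerKey()
	_, err = openAfterDownload(wrongKey, name, store[name])
	fmt.Println("decrypt with a different key fails:", err != nil)
}
```

The design point is where the key lives: `newCustomerKey` and `openAfterDownload` run only on the customer side, so the provider holds nothing that a compelled disclosure could turn into plaintext. The flip side, which the thread also raises, is visible in `providerCanFind`: any cloud-side feature that needs to read the data (search, indexing, an application working on it) cannot operate on a blob sealed this way, so this pattern protects storage, not compute.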
" the government cannot make requests that are not precisely defined."
US Government; Give us all the data.
Is that precise enough?
Fool
Anyone who ever believed otherwise is a fool.
I appreciate the importance of data sovereignty, but given the horrendous number of security holes Microsoft’s cloud services seem to suffer from, it’s all a bit of a moot point.
What this article is about is that data sovereignty is not available from Microsoft-hosted solutions, so them having holes is a moot point if you are after data sovereignty.
In short, the American government demands the same right to hoover up offshore data "owned" by American cloud and internet service providers, exactly as the Chinese government does of Chinese providers.
Typical case of the pot calling the kettle black.
There's not one Government that won't. They are all at it. Some just pretend more than others.
Typical case of the pot calling the kettle black.
Wok surely ?
I'm gonna play devil's advocate here. Mark Boost is being a little disingenuous. There is no way, if you are asked to guarantee something under oath, that you will answer yes unless you personally are aware it's watertight, and there are clearly ways that it may not be.
That doesn't mean that MS (or anyone else) couldn't engineer a situation where it's very very very difficult for it to happen in practice.
For instance MS US and MS France are 2 separate companies, with 2 legally separate sets of employees and infrastructure. So you engineer it so neither set of employees has **any** data access to the other set of infra. Let's also say France has a law saying export of French data for a Cloud Act request is a crime. The US CEO has to obey US law and says give me data on pain of jail time. The French CEO has to obey French law and says non - J'irai en prison.
Result : Legal Stalemate.
Of course whether MS has the will to implement this is another story. Just like it's theoretically possible for the data grab to happen - it's also theoretically possible to prevent it - leaving edge cases like the NSA hacking it out of France etc.
The reality is that bad lawyers and politicians play the absolutes game. Good lawyers and techies play the risk game. What is the likelihood Uncle Sam will do a slurp and what are the consequences if they do.
Let's face it - if you want to protect your data you hide it in a cupboard in the basement at the bottom of a long stair behind a door that says beware of the Leopard, and you patch your leopard against zero-days.
Difference though is that MS US *owns* MS France. In the US judiciary's books, that means MS US controls MS France. And even before the Trumpet, that was the view of other legal eagles, who demanded that MS US give access to stuff under MS Ireland's control, despite MS US protesting and saying "it's not under our control". Result: MS US paying a nominal daily fine for being in contempt of court for *not* giving the Justice Department access to said contentious files.
Again, if you merely *touch* something Leftpondian, whether that's a currency, or you use a service of theirs, or you do business with them, the view of the US judiciary is that you fall under US law and as such you can be prosecuted for something in the US that is not a crime elsewhere (see the recent traders who had their sentences undone because in the UK they never broke any laws, but the US believed they did until they undid those sentences in the US).
So, lesson here is: reduce/stop your exposure to anything Leftpondian.
Take Back Control?
Wait! What are you saying? That we have no sovereignty? You mean all that shit about Take Back Control was for nothing?
Well shoot me in both feet with a double-barrelled shot gun.
Seriously?
Now you're just being naive.
If the FBI delivers a National Security Letter to Microsoft saying "give us all data that company x stores on your cloud services, regardless of where in the world the servers are located", Microsoft will deliver that data. They cannot refuse to comply with a National Security Letter.
No ifs, no buts, no "but the French arm of our company says it would be illegal", no clever legal arguments. You deliver it or your US CEO goes to prison.
Do you honestly believe that a Microsoft subsidiary can lock their US masters out of their network? The US operation will simply log in and copy the data as instructed.
Re: Seriously?
Isn't no access to the data by the US owner sort of the whole point of this "sovereignty" scheme?
Re: Seriously?
The "sovereignty" scheme is smoke and mirrors cooked up by marketing, sales, and legal.
Re: Seriously?
A National Security Letter does not allow access to the content of communication, only the metadata.
Re: Seriously?
That will tell 'em!
Re: Seriously?
The FBI used them time and time again to get access to the content
Who is gonna arrest them?
Where does this leave Microsoft telemetry?
If they have to obey an order from the government of the USA to hand over data that they have access to on servers in other countries ... what about data that they have access to stored on Windows PCs in other countries ?