
When hyperscalers can’t safeguard one nation’s data from another, dark clouds are ahead

(2025/08/04)


Opinion The details of cloud data regionalization are rarely the stuff of great drama. When they’ve reached the level of an exec admitting to the Senate that a foreign power can help itself to that nation’s data, no matter where it lives, things get interesting.

It was the French Senate, Microsoft France’s director of public and legal affairs, and the foreign nation? The USA.

Microsoft admits it 'cannot guarantee' data sovereignty [1]

This is a great story, but it’s not really news. Microsoft’s strategy to pacify EU data sovereignty unease has been to offer a [2]special Cloud for Sovereignty service girded with special contractual promises. Topped off with an extra-special pledge of stiff legal resistance if Washington approaches with the can-opener. This is all doubtless true, but as a plausible guarantee of data safety, [3]skepticism is too weak a word. It compares poorly to sheltering from an atomic blast by hiding in a fridge.

The trouble with data sovereignty is that of sovereignty itself. The word is a powerful concept that’s easy to grasp, thus ideal as a tool to persuade and motivate. It was a primary war cry for those wanting to leave the EU during the UK Brexit referendum. Take back control, abolish alien interests in our affairs, create a state entirely in our own interests. Sounds great, until reality intrudes. Absent isolationism or invasion, if one sovereign state wants to deal with another, then both have to accept a pragmatic dilution of individual power in the greater interest. Think North Korea, think Putin’s Russia, think the EU.

So it is with data sovereignty. The most succinct definition of the cloud is the most useful here: it’s somebody else’s computer. If that someone else can be compelled by law to let someone you don’t like turn up with a big USB drive and a writ, you do not have data sovereignty. The same goes if you want to be the ones seeking to help yourself to data. The UK government, having used its [4]Brexit-boosted sovereignty last year to sharpen its claws, secretly demanded that Apple put a back door into its encryption services. This has not gone well; Apple did no such thing, and Washington put the boot in. Nothing like the smell of burning rubber in the morning as the [5]sharpest of U-turns gets underway. Stop taking orders, start making orders, indeed.

The power of pragmatism over ideology isn’t going away. It is perfectly possible that after due consideration, the EU will mandate that sensitive data cannot be stored or processed in places where non-EU entities can demand access. This would be a major blow to all US-based hyperscalers, especially where cloud services are inextricably linked to AI strategies, which is all of them. It would also look like a boost for EU-homed cloud providers, although who knows how far this would anger the febrile American administration and what it might do to show that anger.

In any case, if there’s one thing we’ve learned this past decade it’s that things can change rapidly, fundamentally and in unexpected ways. Assume that one or more native EU concerns get all the business, state, corporate and consumer, banned from US-controlled platforms. What are the rules for partnering, investment, changes of ownership, and establishing zones outside the EU? What if they, too, change?

There is in truth no immutable guarantee about someone else’s computer, whether you’re a country or a corner shop. How much this matters to you is part of the great three-factor equation of data safety. How much do you need, how much will it constrain your goals, how much cost can you bear?

The ultimate safeguard against legal, invisible, state-sponsored snooping is on-prem services. Will your own data security be as good as that of the hyperscalers, or will you be more vulnerable that way to other threats? What do you lose in scalability and reliability, and what happens if you want to operate in markets with data sovereignty restrictions not to your advantage? If you’re the NSA or GCHQ, the answers are going to be clear. For everyone else, the shifting sands of the international legal, regulatory and power-broking environment mean more uncertainty on the horizon.

In the bleakest view, data sovereignty is used to drive a balkanised world of services, one where national and bloc interests are used as excuses to shut down competition and choice. Through rosier glasses, a strong international framework is built to guarantee data sovereignty by origin irrespective of locality.

Like Microsoft’s claims to defend EU data, you’ll have to judge the credulity of that particular eyewear for yourself.


[1] https://www.theregister.com/2025/07/25/microsoft_admits_it_cannot_guarantee/

[2] https://www.theregister.com/2025/04/30/microsoft_getting_nervous_about_europes/

[3] https://www.techzine.eu/blogs/privacy-compliance/114459/microsoft-cloud-for-sovereignty-isnt-all-its-cracked-up-to-be/

[4] https://www.csis.org/analysis/new-investigatory-powers-act-united-kingdom-enhances-government-surveillance-powers

[5] https://www.theguardian.com/technology/2025/jul/21/uk-demand-backdoor-access-apple-users-encrypted-data



I think it was news for some people

VoiceOfTruth

>> This is a great story, but it’s not really news.

Actually quite a lot of people thought that American companies like MS would obey local laws. After all, that is what they say.

Any data on American computers is subject to access by the American regime. The Foreign Commonwealth and Development Office signed a new contract with MS earlier this year. I seem to recall Parliament doing the same a few years ago. All that supposedly confidential data, discussions with your MP about topics which are nothing to do with the USA, are slowly being added to an American database about you and me. Britain really is just a stub of an independent state. And the USA is not our friend.

Microsoft's claims to defend EU data

may_i

Have already been evaluated and found to be wanting.

Microsoft's hands are tied by the laws of the country in which they are headquartered. Anyone who purports otherwise is either lying or stupid.

The only reason why the EU has not banned US based cloud services from the region is that they are too scared of the consequences in terms of retribution from the US government. This cowardice is a perfect example of what happens when you don't stand up to a bully. Give 'em an inch and they'll take a mile. That the EU allowed themselves to be bullied into a shit tariff "deal" with the mad orange king, without even threatening to hurt the massive income that the USA gets from EU customers of US hyperscalers shows clearly how scared they are of the bully.

Not to mention that the consequences for EU businesses, who have ignored all the down sides of putting their data on computers owned by a US company, would be significant. Many companies would need years to divorce their IT infrastructure from the US hyperscalers. This fact is something that the hyperscalers are fully aware of and something that they do their utmost to maintain. The US government is also very happily aware of the fact that they have the EU by its digital testicles and only need to squeeze to get whatever they want.

We find ourselves at a turning point. Either we roll over and allow the USA to rule Europe and steal our resources, or we stand up and say "Enough!".

On-prem services is a good start ...

alain williams

but what software do you run on your in-house machines? If that is written by an entity beholden to an inquisitive government how can you be sure that your data will not be exfiltrated?

If you run Microsoft then its telemetry is designed to do just that - beam parts of your data back to the mother ship. If the USA government takes an interest in you how much telemetry will have nothing to do with debugging faulty Microsoft code? A good firewall cannot be used to stop MS telemetry.

Open source software is much better but not a 100% silver bullet. I suspect that Debian is more resilient to 'interesting/unseen' code additions than Red Hat but it is likely that you will have some proprietary business specific code running on the machines.

Where Are Internet Service Providers Based?

Anonymous Coward

Amazon -- USA

Meta -- USA

Microsoft -- USA

Palantir -- USA

Yahoo -- USA

Google -- USA

Apple -- USA

IBM -- USA (includes RedHat)

.......so how hard can it be for ANYONE OUTSIDE THE USA to figure out where private data will end up?

Let me spell it out -- USA!!

Yup....."cloud" is not the answer!!

The actual answer (partial) -- Air Gaps!!

Re: Where Are Internet Service Providers Based?

Thomas Steven 1

Alibaba?

Re: Where Are Internet Service Providers Based?

Anonymous Coward

ByteDance?

It’s back to basics: business models

Roland6

The real problem is we are obsessed with bigger is better. Thus we are obsessed about creating monoliths. Microsoft can’t guarantee data sovereignty because it wants to own and control those cloud data centres. If however, we move to the cooperative model, which underlies Open Systems and was the ideal of cloud before everyone flocked to AWS, Google and Microsoft. Microsoft doesn’t need to operate those data centres, it merely provides tools and standards.

I suggest the easiest way to gain sovereignty is to limit the market ownership. The EU could require Microsoft et al to sell all of its EU datacentres to local operators and demerge them from their highly centralised operations. So businesses could still run 365, just that it’s on a local cloud operator’s infrastructure.
