
As I understand things, US law lets US spy agencies get secret warrants, requiring Google and AWS to give them access to everything while keeping the existence of such access secret.

EU law, meanwhile, prohibits such access, under the GDPR.

There is an obvious conflict here, when a US cloud provider operates an EU data centre.

Luckily, cloud providers have never received a secret warrant they can't reveal the existence of wink and spy agencies would never operate outside the law wink so the apparent conflict has never arisen in reality wink



Yes, all data stored in data centers administered by US companies like Apple/Google/Amazon/Microsoft should be considered available to the US Government and US competitors. There are known examples of the US government doing industrial espionage for US businesses in the past.

This is an extremely uncomfortable truth that European businesses really don't want to acknowledge and just keep pretending it's not true, not a big deal, and even if it was there is nothing they can do about it.

Instead they focus on complying with endless security check lists with unlikely scenarios while ignoring the elephant in the room.


> This is an extremely uncomfortable truth that European businesses really don't want to acknowledge and just keep pretending it's not true, not a big deal, and even if it was there is nothing they can do about it.

Doesn't seem true. We have to use local hosting. Hetzner, OVH or a local DC are popular options. Using US services for sensitive data is just not legal.


Good for your company. Others are fully embracing Microsoft and Google hosted tools.


> There are known examples of the US government doing industrial espionage for US businesses in the past.

If you have a glaring example of this, I'd love to know.


It was taken as a given at one time:

    With the Cold War ended, officials of the CIA and other U.S. intelligence agencies have acknowledged that they are redirecting efforts away from traditional spying toward gathering information aimed at ensuring that the United States remains economically and technologically competitive.
~ https://web.archive.org/web/20151016000311/http://www.nytime...

China claimed evidence of eleven years of CIA economic espionage: https://thenextweb.com/news/cia-china-hack-agency-government

and Operation Eikonal hoovered up more than it should have:

    After the revelations made by whistleblower Edward Snowden the BND decided to investigate the issue; their October 2013 conclusion was that at least 2,000 of these selectors were aimed at Western European or even German interests 
https://en.wikipedia.org/wiki/Operation_Eikonal


That's less direct than "ECHELON was used for industrial espionage", which is the specific question being asked. Everyone should be aware of Five (and 18) Eyes, but the TLAs having personal information about individuals is different from them passing Boeing data from Siemens' private business documents.


Today companies like FedEx can sell their truck videos to authorities.

https://www.youtube.com/watch?v=bIUQApnhENU

I think that so much data is currently shared with third parties that warrants are obsolete. One can build a data-heavy case long before needing a court-issued warrant.



That doesn't sound like industrial espionage?

(I'd also love to know)


One forgets how many Gen Z children are on HN now.

https://en.m.wikipedia.org/wiki/ECHELON


Specific examples from that article are:

> gear-less wind turbine technology designed by the German firm Enercon and the speech technology developed by the Belgian firm Lernout & Hauspie.

https://en.wikipedia.org/wiki/ECHELON?wprov=sfti1#Concerns


This conflict has been the topic of AFAIK two cases, known as Schrems I and Schrems II [0].

The first questioned Safe Harbour and the second the Privacy Shield mechanism.

I think the current iteration is called "Data Privacy Framework". I assume that this will also be deemed invalid in the future.

[0] https://en.wikipedia.org/wiki/Max_Schrems


> There is an obvious conflict here, when a US cloud provider operates an EU data centre.

American agencies don't need a secret warrant. The CLOUD Act already resolved this particular predicament for the government just as Microsoft appealed its 2018 case to the Supreme Court.


Secret warrants only in the context of counterintelligence and counterespionage investigations that target foreigners.

Which in that particular context I don’t know what else would possibly be considered a reasonable alternative.

The vast majority of countries don’t have to go in front of a court at all to do this exact same thing; they just go ahead and do it. I know people here tend to get super pissed about the boogeyman that is FISA, but if you had a more transparent example to point to I would love to see it. I think people get really caught up on the fact that they personally don’t have access to that information and then make a large magical leap to all kinds of conclusions that aren’t based in reality at all.

If that system was being abused to go after illegitimate targets for example then sure, that’s something to be pissed about but I don’t think we have any compelling evidence of that at this stage.

I just find the entire public debate on this topic incredibly lacking in nuance but never lacking in conviction.


> Secret warrants only in the context of counterintelligence and counterespionage investigations that target foreigners

That sounds like a limited context - but the courts were happy to give spy agencies a warrant covering records of every phone call made in America [1]

So it turns out the warrants don't have to describe the place or person to be searched, and don't have to be limited to foreigners. And that wasn't a one-off error or individual mistaken judge - it was reauthorized 34 times under 14 different judges.

Granted some of the rules were changed after that specific surveillance was revealed - but the "fixes" ignored the fundamental problem that secret courts aren't effective at preventing spy agency overreach.

[1] https://www.csis.org/analysis/fact-sheet-section-215-usa-pat...


> Luckily, cloud providers have never received a secret warrant they can't reveal the existence of wink and spy agencies would never operate outside the law wink so the apparent conflict has never arisen in reality wink

European states are fully aware of that problem, hence why, e.g., companies storing medical data must do so with servers located in Europe and owned by European companies.

There's the question of whether it's safe to use servers provided by a European subsidiary of an American company and if the company would bypass their European employees or order them to break the law, but it's not a question that stakeholders are pretending doesn't exist.


Medical data is a small portion of data.



