All personal information stored by British internet users on major “cloud” computing services including Google Drive can be spied upon routinely without their knowledge by US authorities under newly-approved legislation, it can be disclosed.
Cloud computing has exploded in recent years as a flexible, cheap way for individuals, companies and government bodies to remotely store documents and data. According to some estimates, 35 per cent of UK firms use some sort of cloud system – with Google Drive, Apple iCloud and Amazon Cloud Drive the major players.
But it has now emerged that all documents uploaded on to cloud systems based in the US or falling under Washington’s jurisdiction can be accessed and analysed without a warrant by American security agencies.
The Foreign Intelligence Surveillance Act, known as FISA, allows US government agencies open access to any electronic information stored by non-American citizens by US-based companies. Quietly introduced during the dying days of President George W Bush’s administration in 2008, it was renewed over Christmas 2012.
But only now are privacy campaigners and legal experts waking up to the extent of the intrustion. Caspar Bowden, who was chief privacy adviser to Microsoft Europe for nine years until 2011, said: “What this legislation means is that the US has been able to mine any foreign data in US Clouds since 2008, and nobody noticed.”
Significantly, bodies such as the National Security Agency, the FBI and the CIA can gain access to any information that potentially concerns US foreign policy for purely political reasons – with no need for any suspicion that national security is at stake – meaning that religious groups, campaigning organisations and journalists could be targeted.
The information can be intercepted and stored in bulk as it enters the US via undersea cables crossing the Atlantic Ocean.
Mr Bowden, who now works as an independent advocate for privacy rights and co-authored a report for the European Parliament warning of the threat to clouds posed by FISA, criticised the UK Information Commissioner’s Office for giving free rein to the US authorities.
The body which polices data protection laws in the UK effectively ruled that companies were right to pass information over to foreign government requests as the disclosure was made “in accordance with a legal requirement”, such as FISA.
Mr Bowden said: “Every time we make a bridge of trust, or commit an indiscretion, using a social network or webmail, think how a foreign country could use that information for its own purposes to influence policy and politics. Drafts of documents prepared online, who is in contact with each other, all of this can be captured and analysed using data-mining algorithms much more advanced than those offered by public search engines.”
His report, being considered by the EU in a review of its electronic privacy directive, cautioned that the threat of “heavy-calibre mass-surveillance fire-power aimed at the cloud” was greater than that posed by cyber-crime.
Gordon Nardell QC, a British barrister who specialises in data protection, said he was “shocked” by the powers outlined in the highly-controversial amendments to FISA. He said: “What’s different about this is that it’s a power in the US authorities to insist on real-time collection of information by any data processer within US jurisdiction. The US authorities basically grab everything that is going in and out.”
Sophie in’t Veld, a Dutch MEP who serves as vice chair of the European Parliament’s civil liberties committee, warned that European authorities must act as soon as possible.
She said:”Let’s turn this around and imagine this is not the United States having unlimited access to our data but the government of Mr Putin or the Chinese government – would we still wonder if it’s an urgent issue? Nobody would ask that question.”
Eric King of pressure group Privacy International, said: “Allowing mass surveillance, unwarranted and unaccountable, is terrifying.”
Isabella Sankey, Director of Policy for Liberty, said: “US surveillance ambitions know no bounds. The chilling US Foreign Intelligence Service Act treats all non-US citizens as enemy suspects.”
Last night, Google said: “It is possible for the US government (and European governments) to access certain types of data via their law enforcement agencies. We think this kind of access to data merits serious discussion and more transparency.”
Amazon and Apple were yet to comment last night. – The Independent
THE CLOUD: HOW IT WORKS
1 Individuals create their own files, such as written documents, contact lists or spreadsheets on a computer or smartphone
2 These files are uploaded via the internet to a Cloud service, storing the file remotely on computer servers – often thousands of miles away
3 Users are then able to access or download their files anywhere in the world on any device connected to the internet
All non-American nationals are vulnerable to having their files legally tapped into or monitored by US authorities without a warrant under the FISA legislation