03 Apr 2025

Disk backup to the cloud is a gaping vulnerability in the EU’s security


Suppose vast quantities of Europeans’ digital data were being sent every few days to a foreign power that has threatened military action against an EU Member State. How should the EU react?

Oh, and that foreign power isn’t Russia or China – it’s the United States.

We’re not talking about the data that users hand over to online service providers such as Google and Facebook, but about the disk backups running on nearly everyone’s personal computer, typically every few days. This potentially enormous security exposure is sitting in plain sight, yet it hasn’t visibly bubbled up into the consciousness of European policymakers.

That needs to change – the EU needs to conduct a detailed threat assessment reflecting the new realities, identifying who needs to make changes… and how.

Why this is suddenly a policy issue

Two changes make this a much more serious issue today than it would have been in the past: first, technical and economic changes; second, changes in the geopolitical environment.

First, consumers and businesses used to back up to hard drives that they themselves controlled. Today it is increasingly common to back up to the cloud; backing up to offline storage is no longer in vogue. Indeed, this author’s own backup software provider (Symantec) just stopped offering offline backup.

Prominent providers of cloud backup services include Amazon Web Services (AWS), Dropbox, IBM, Microsoft, Google and Dell, all of them US‑based. As much as 70% of all cloud services in the EU are estimated to be provided by four US‑based firms: AWS, Microsoft Azure, Google Cloud and IBM Cloud.

The second reason is geopolitics. As recently as a few months ago, the US was a reliable and predictable ally. Today, US foreign policy has become unpredictable and the country has threatened military action against Denmark to annex or gain control over Greenland. The US might also very well support Russia in its aggression against Ukraine, thus becoming an EU adversary.

US intelligence services can get hold of our data

It would be naïve to think that US-based firms would refuse to hand data to US intelligence services, and doubly naïve to think that US law prevents inappropriate collection of Europeans’ data. The US has many legal (and extra-legal) ways to compel American firms to provide data for national intelligence purposes, whether they want to or not. Most major US online platforms (Microsoft, Yahoo, Google, Facebook, PalTalk, YouTube, Skype, AOL and even Apple) were already providing extensive data to the NSA’s PRISM programme by 2012, as the Snowden disclosures made clear.

Nor does US law prevent personal data collected by US firms from being turned over to US national security agencies. US law enforcement can for the most part be relied on to comply with US law: they may eventually need to use their surveillance results in court, where they would have to convince a judge that the data was collected lawfully. US national surveillance authorities are under no equivalent constraint.

It is fairly certain that, in the past, US national surveillance did not comply with the then-current US law (FISA). As in most developed countries, US law generally permits data collection from US citizens and others inside the country only where there is a credible basis for suspicion. Lawsuits (in which this author was involved) make clear that US intelligence services were already capturing data in 2002-03 from tens of millions of American internet users, presumably without adequate legal justification and thus in flagrant violation of then-current US law.

The US responded to the lawsuits not by producing evidence that the surveillance was legal (presumably because it wasn’t) but by enacting a law, the 2008 FISA Amendments Act, that granted retroactive immunity to the telecommunications firms that had assisted the government in gathering the data under colour of law.

Since 2018, US law (specifically the CLOUD Act) has also empowered the US government to compel US-based providers to hand over data irrespective of whether it is stored in the US or abroad, giving the firms only limited means to challenge such demands. Where the data physically sits therefore matters less than who controls the provider.

Finally, how far current US law protects Europeans against abuse by US surveillance authorities isn’t entirely clear. The Obama administration issued Presidential Policy Directive 28 (2014) and the Biden administration Executive Order 14086 (2022) to try to address European concerns over US intelligence access to Europeans’ personal data, the concerns that underpinned the Court of Justice’s Schrems I and Schrems II decisions. But the confidence one should place in such presidential instruments is neither less nor greater than one’s confidence in the current President.

An Executive Order issued by one president can be amended or rescinded by the next. And Executive Orders, especially those relating to national security, are not always made public – we wouldn’t necessarily know if US law changed in ways that were harmful to EU security interests. Under Trump, we simply cannot rely on the US adhering to previous Executive Orders.

Mitigating this exposure as individuals, firms and governments

Such exposure matters more for some than for others, but most of us cannot accurately assess how our data might be used by an adversary of the EU. We might not even pay attention to which data is backed up, and might not notice if more than we requested were being taken. Furthermore, modern AI tools are getting progressively better at correlating and combining data from multiple sources.

That’s why it would be ideal for all of us in the EU either to use cloud backup services that store backup data only within the EU and are free of foreign ownership or control that could imply risk, or to back up to offline storage that is fully under our control.

However, changing might not be easy… or cheap. Cloud backup is popular because it has real advantages: large volumes of storage are available, the services are professionally managed, they benefit from huge economies of scale and scope, and the storage is off-site. But it may still be necessary to forgo these advantages, at least for some of us.

Beyond individual choice, EU policymakers need to step in. First, security and cybersecurity experts need to undertake a new, hard-headed threat assessment reflecting the new practical and geopolitical realities. Second, for those who need to change how they do backups on the basis of that threat assessment, and for those who simply choose to change, a new EU-level certification scheme is needed that identifies safe and reliable providers and methods.