Experts slam online data surveillance law

All personal information stored by internet users on major "cloud" computing services can be spied upon. Photo / Thinkstock

US govt agencies able to spy on any cloud-based data without warrant.

All personal information stored by internet users on major "cloud" computing services including Google Drive can be spied upon routinely without their knowledge by US authorities under newly approved legislation.

Cloud computing has exploded in recent years as a flexible, cheap way for individuals, companies and Government bodies to store documents and data.

But it has now emerged that all documents uploaded on to cloud systems based in the US or falling under Washington's jurisdiction can be accessed and analysed without a warrant.

The Foreign Intelligence Surveillance Act, known as FISA, allows US Government agencies open access to any electronic information stored by non-American citizens by US-based companies. Quietly introduced during the dying days of President George W. Bush's Administration in 2008, it was renewed over Christmas 2012. But only now are privacy campaigners and legal experts waking up to the extent of the intrusion.

Caspar Bowden, who served as chief privacy adviser to Microsoft Europe for nine years until 2011, told the Independent: "What this [law] means is that the US has been able to mine any foreign data in US clouds since 2008, and nobody noticed."

Significantly, bodies such as the National Security Agency, the FBI and the CIA can gain access to any information that potentially concerns US foreign policy for purely political reasons with no need for any suspicion that national security is at stake, meaning that religious groups, campaigning organisations and journalists could be targeted.

Bowden, who now works as an independent advocate for privacy rights and co-authored a report for the European Parliament warning of the threat to clouds posed by FISA, criticised the UK Information Commissioner's Office for giving free rein to the US authorities.

The body, which polices data protection laws in the UK, effectively ruled that companies were right to pass information over to foreign Government requests as the disclosure was made "in accordance with a legal requirement", such as FISA.

Bowden said: "Every time we make a bridge of trust, or commit an indiscretion, using a social network or webmail, think how a foreign country could use that information for its own purposes to influence policy and politics ..."

His report, which is being considered by the EU in a review of its electronic privacy directive, cautioned that the threat of "heavy-calibre mass-surveillance fire-power aimed at the cloud" was greater than that posed by cyber-crime.

Gordon Nardell, QC, a British barrister who specialises in data protection, said he was shocked by the powers outlined in the amendments to FISA.

He said: "What's different about this is that it's a power in the US authorities to insist on real-time collection of information by any data processor within US jurisdiction. The US authorities basically grab everything that is going in and out."

Sophie in 't Veld, a Dutch MEP who serves as vice-chairwoman of the European Parliament's civil liberties committee, warned that European authorities must act as soon as possible.

She said: "Let's turn this around and imagine this is not the US having unlimited access to our data but the Government of Mr Putin or the Chinese Government - would we still wonder if it's an urgent issue? Nobody would ask that question."

Isabella Sankey, Director of Policy for Liberty, said: "US surveillance ambitions know no bounds.

"The chilling US Foreign Intelligence Service Act treats all non-US citizens as enemy suspects."

Last night a Google spokesperson said: "It is possible for the US Government (and European Governments) to access certain types of data via their law enforcement agencies. We think this kind of access to data merits serious discussion and more transparency."

Amazon and Apple were yet to comment.

- Independent