In the midst of a pending federal court decision to subpoena data stored abroad and a recent European court ruling invalidating cross-Atlantic data transfers, Microsoft is rolling out plans to build and expand server storage centers in Europe to circumvent both governments and protect users’ privacy.
The Windows maker announced Tuesday plans to build its first data storage centers in the United Kingdom, expand a similar facility in Dublin and on Wednesday its intention to build two new server farms in Germany under the oversight of German telecommunications company Deutsche Telekom.
Once the facilities are up and running by the second half of 2016, not even Microsoft will be able to access user data stored on the German servers without the permission of users themselves or Deutsche Telekom.
“Our new data center regions in Germany, operated in partnership with Deutsche Telekom, will not only spur local innovation and growth, but offer customers choice and trust in how their data is handled and where it is stored,” Microsoft CEO Satya Nadella said in a statement Wednesday.
The announcement comes amid a pending decision in the U.S. Second Circuit Court of Appeals on whether the Justice Department can compel Microsoft to turn over Outlook emails stored on a Dublin server as evidence in a federal narcotics investigation under the the 30-year-old Electronic Communications Privacy Act (ECPA).
It also follows the European Court of Justice’s decision last month to invalidate the U.S.-EU Safe Harbor agreement, which allowed U.S. tech companies to self-certify they were meeting EU privacy standards when transferring Europeans’ data across the Atlantic to servers in the U.S.
National Security Agency whistleblower Edward Snowden said the agreement was used to facilitate mass surveillance of EU citizens’ data in transit, and the European court cited bulk surveillance programs revealed by Snowden in 2013 as a primary factor in its decision.
Without a new agreement currently in the works between U.S. and EU lawmakers, thousands of U.S. companies like Microsoft and Facebook could face stiff penalties for providing service to the EU.
Microsoft’s announcement is the first example of a major U.S. tech company essentially admitting it can’t protect user data inside U.S. borders, though it’s unclear if the action will actually protect Europeans’ data from U.S. spying.
Though the programs cited by Snowden often intercept Web traffic in transit as it crosses the global Internet via infrastructure like undersea fiber cables, the NSA’s official mandate is to surveil targets abroad. Though the Obama administration claims it has backed away from German surveillance specifically since NSA was caught snooping on German Chancellor Angela Merkel’s cellphone, the signals intelligence agency is legally barred from conducting such surveillance within U.S. borders.
It’s also an indication U.S. spying is in fact hurting the market share of U.S. tech companies in Europe, especially in the burgeoning cloud storage and computing sector of the global economy, which many in the industry have warned since the disclosures by Snowden more than two years ago.
At the time, Microsoft was revealed to be one of NSA’s closest collaborators in executing mass surveillance programs like Prism, even helping the agency get around Microsoft’s own encryption.
Ceding user data access to Deutsche Telekom seemingly alleviates any concerns with EU privacy regulators in the absence of a Safe Harbor agreement, and Microsoft’s very public about-face in the Dublin server case has no doubt been a boon to the company’s public relations profile, damaged in the wake of the Snowden leaks.
As Microsoft will still be the owner of its new European data centers, it’s legally unclear if handing the keys to Deutsche Telekom will allow the company to rebuff future requests for user data under ECPA. The Reagan-era law allows DOJ to subpoena any “business records” from companies based in the U.S., including emails, after they’re 180-days old.
Google and Apple have elected to tackle the issue by adopting end-to-end encryption over all users’ communications, which in Apple’s case, not even the company can access without a user’s password (though the FBI and DOJ are also seeking a pending legal remedy for that tactic as well).
Even that may not be enough to safeguard private data in the UK, where Parliament member Theresa May recently proposed a bill that would force tech companies to turn over unencrypted communications to British law enforcement and intelligence agencies when prompted with a warrant.
“We believe very strongly in end to end encryption and no back doors,” Apple CEO Tim Cook told The Telegraph on the subject of May’s legislation earlier this week. “We don’t think people want us to read their messages. We don’t feel we have the right to read their emails.”
“Any backdoor is a backdoor for everyone. Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a backdoor can have very dire consequences.”