Microsoft’s new plan to keep the US government’s hands off its customers’ data: Germany will be a safe harbor in the digital privacy storm.
Microsoft on Wednesday announced that beginning in the second half of 2016, it will give foreign customers the option of keeping data in new European facilities that, at least in theory, should shield customers from US government surveillance.
It will cost more, according to the Financial Times, though pricing details weren’t forthcoming.
Microsoft Cloud – including Azure, Office 365 and Dynamics CRM Online – will be hosted from new datacenters in the German regions of Magdeburg and Frankfurt am Main.
Access to data will be controlled by what the company called a German data trustee: T-Systems, a subsidiary of the independent German company Deutsche Telekom.
Without the permission of Deutsche Telekom or customers, Microsoft won’t be able to get its hands on the data. If it does get permission, the trustee will still control and oversee Microsoft’s access.
Microsoft CEO Satya Nadella dropped the word “trust” into the company’s statement:
Microsoft’s mission is to empower every person and every individual on the planet to achieve more. Our new datacenter regions in Germany, operated in partnership with Deutsche Telekom, will not only spur local innovation and growth, but offer customers choice and trust in how their data is handled and where it is stored.
On Tuesday, at the Future Decoded conference in London, Nadella also announced that Microsoft would, for the first time, be opening two UK datacenters next year. The company’s also expanding its existing operations in Ireland and the Netherlands.
Officially, none of this has anything to do with the long-drawn-out squabbling over the transatlantic Safe Harbor agreement, which the EU’s highest court struck down last month, calling the agreement “invalid” because it didn’t protect data from US surveillance.
No, Nadella said, the new datacenters and expansions are all about giving local businesses and organizations “transformative technology they need to seize new global growth.”
But as Diginomica reports, Microsoft EVP of Cloud and Enterprise Scott Guthrie followed up his boss’s comments by saying that yes, the driver behind the new datacenters is to let customers keep data close:
We can guarantee customers that their data will always stay in the UK. Being able to very concretely tell that story is something that I think will accelerate cloud adoption further in the UK.
Microsoft and T-Systems’ lawyers may well think that storing customer data in a German trustee data center will protect it from the reach of US law, but for all we know, that could be wishful thinking.
Forrester cloud computing analyst Paul Miller:
To be sure, we must wait for the first legal challenge. And the appeal. And the counter-appeal.
As with all new legal approaches, we don’t know it is watertight until it is challenged in court. Microsoft and T-Systems’ lawyers are very good and say it's watertight. But we can be sure opposition lawyers will look for all the holes.
By keeping data offshore – particularly in Germany, which has strong data privacy laws – Microsoft could avoid the situation it’s now facing with the US demanding access to customer emails stored on a Microsoft server in Dublin.
The US has argued that Microsoft, as a US company, comes under US jurisdiction, regardless of where it keeps its data.
Running away to Germany isn’t a groundbreaking move; other US cloud services providers have already pledged expansion of their EU presences, including Amazon’s plan to open a UK datacenter in late 2016 that will offer what CTO Werner Vogels calls “strong data sovereignty to local users.”
Other big data operators that have followed suit: Salesforce, which has already opened datacenters in the UK and Germany and plans to open one in France next year, as well as new EU operations pledged for the new year by NetSuite and Box.
Can Germany keep the US out of its datacenters? Can Ireland?
Time, and court cases, will tell.
Image of US flag with man peeking through courtesy of Shutterstock.com
Rusty Smith
Who in their right mind would believe Microsoft? The ones that built spyware into Windows 10? The very ones that has given the NSA back doors into every operating system they built so far because they caved to government pressure? Those people are now going to be trusted to keep your data private and away from the eyes of the NSA spies? Yeah, sure they are…
Adam
Forgive my ignorance, but exactly what spyware is built into Windows 10, and why would Sophos (or Malwarebytes, or any of the other antivirus/anti-malware programs available) not detect it?
John Hawk
But it isn’t necessary for the NSA to spy on European data centres – their very good friends at GCHQ are quite happy to do it for them, probably with the help of German intelligence.
Mahhn
Ohh the Irony. US citizens running to Germany for Privacy and Security from the spy on all and secret prisons of the evil corporation run corrupt government of the once great freedom pillar of the world. Oh the shame of it all. At least something good has come, those we helped save (Germans) 50 some years ago still have some of the freedom we gave them.
Maybe they can help us rebel against our evil empire like we once helped them. Thank you Germany for setting a better example than my own corrupt politicians.
TonyG
In order to give people reliable systems, monitoring is built into most software these days – be it iOS, Android or Windows. It is what makes things better. I wouldn’t call this “spyware”. The mobile comms operators have tracked which tower your phone is connected to since the onset of mobile phones – the system simply can’t work without knowing how to route the connection.
The problem is that any technology can be misused, and it would appear that the security services worldwide are at the forefront of misusing technology as much as they can.
Part of the problem is how far we are prepared to cede control? I guess that in theory, and although most of us don’t like it, then it is ultimately our own government – at least in a democratic country, because if a majority of us don’t like it, we can change the government and hence the law and control.
Which does make I interesting that a UK government is happy to hand over all our data to the US but at the same time railing against the EU for trying to protect our privacy.
Whatever you believe about Microsoft, it is at least attempting to stand up for privacy, and the more datacentres it has in European countries, the greater the chance of any whistleblowing if they are not doing their utmost to protect that data.
In any case, since the data doesn’t magically fly through the air, surely we should be more worried about it being siphoned off in the network infrastructure? We already know that Cisco routers were intercepted and modified in transit by NSA.
John Hawk
Who needs the NSA when there’s GCHQ to do their bidding?
BobCov
The headline is in error. The point of this move is not to avoid US surveillance at all. It is entirely to be able to legally say they do not have custody of customer data so that they can be in a position to be unable to comply with warrants and what not issued for customer data by various US entities. The spying will no doubt continue and this facility will be just as vulnerable as all the others. Via black ops, blackmail or social engineering, they will get in the door, I have no doubt about that.
John
The only way to have “strong data sovereignty” is to encrypt your data and keeping the keys to yourself. And even the strongest encryption is powerless in the face of weak authentication.
Daren
“The US has argued that Microsoft, as a US company, comes under US jurisdiction, regardless of where it keeps its data.”
It’s not Microsoft’s data, it’s customer data, and therefore the US has no claim over non-US citizens data
Hank
In light of what is transpiring in France yesterday and continuing today, Microsoft, Apple and others, etc. etc. are beyond the pale. There is no balance in this, it’s the corporate way or the highway. Trust us we are Apple or we are Microsoft. Only we know what’s best for our “customers” (and our bottom line) and like lemmings running their end, there are people flocking to this false premise of privacy concerns when in reality all they really want is those of you to “buy in” to their corporate greed.
Yet there are those who find these company’s total and complete resistance to assisting “lawful” scrutiny virtuous by unilateral encryption that can NOT be reversed NO MATTER WHAT and further ploys like we store our information elsewhere offshore so that the mean old USA can’t get to it (legally or not) and spy on everyone. There are mistakes made everyday by people both within and without the NSA and other agencies and corporations in the states. So you put your trust in a corporation????
There must be fairness and balance on this issue. Someone please explain what do you do now as the French authorities try to find who is responsible for the horror of yesterday, and perhaps prevent further death, when companies actively pursue policies and create phones that cannot be “Lawfully” searched for evidence? and others further insultingly use these efforts as a means to “sell” their products. How do you defend the fact that there may very well be a phone found on the body of one the terrorist or in an apartment that cannot be searched? “better to let some people die so that my information on who “unfriended me” stays private?”
Paul Ducklin
Actually, you can argue this entirely the other way around. A terrorist who follows good operational security practices will just use “uncrackable” encryption anyway.
If you are the sort of person who is ready to murder random people in a theatre and then blow yourself up, you’re hardly going to have the sort of scruples that make you obey laws about encryption software. But a terrorist who doesn’t follow good opsec can be tracked, investigated, and perhaps even caught in advance, using a variety of other techniques anyway. (If you can acquire his password via other means, then even “uncrackable” encryption comes to nothing.)
On the other hand, “backdoor crypto” laws mean that the rest of us who do wish to obey the law, and have nothing to hide, will be forced to use operational security practices that put us at risk from a wide range of sources – *including* those very terrorists that you want to protect us from, for whom a mandated backdoor or key escrow system would simply be another weak point worth attacking. Well worth attacking.
Bob
From the MS release:
“Availability of services is anticipated to begin in the second half of the year 2016. Services will be available to customers in Germany, the EU and the EFTA.”
Well, they didn’t need to say Germany if they said EU.
But what about countries outside of the EU and the EFTA?