Microsoft can't protect French data from US government access

When vendor promises meet government warrants, the warrants win every time. Microsoft's Senate testimony shows why "trust us" isn't a data protection strategy.

[Luis Rijo at PPC Land]

Microsoft’s disclosure that it can’t protect French data from being silently accessed by US authorities through its US parent company is in apparent tension with the GDPR but in compliance with the US CLOUD Act:

“The CLOUD Act asserts that U.S. data and communication companies must provide stored data for a customer or subscriber on any server they own and operate when requested by warrant.”

There are provisions for a provider to reject or contest these warrants and subpoenas, but they’re limited in scope. The EU previously found that the Act was in conflict with privacy protections guaranteed by the GDPR. Microsoft has claimed that there have been no such accesses “in recent years”, but that statement necessarily excludes classified requests and national security letters, which the company would be barred from disclosing in any case.

Microsoft may well have had its hands tied by the CLOUD Act, but it nonetheless spent years assuring customers that European data could not be accessed from the US. From the linked post:

“The testimony contradicts years of Microsoft's security assurances regarding European data hosting. Despite implementing encryption and technical safeguards, the company acknowledged that US legislation ultimately supersedes protective measures when federal agencies issue valid data requests.”

For organizations storing sensitive data, this suggests some important principles to consider.

  1. It’s not enough for a vendor to assure you that data cannot be reached by warrant or subpoena, because US law overrides those assurances. For data to be truly protected, access must be technically impossible without your involvement, not merely contractually forbidden, and that impossibility must be auditable and under your control. In practice that means client-side encryption with keys you hold outside the provider’s reach, and, for the most sensitive data, self-hosting.
  2. Because the subjects of criminal subpoenas are rarely notified, subpoenas give government and law enforcement a quiet route into hosted data. If you handle sensitive or personally identifying data, this belongs in your threat model.
  3. Promises aren’t worth the paper they’re printed on.
  4. Governments and organizations outside the US should invest in building their own software and platforms that adhere to their values and responsibilities.
  5. Governments and organizations inside the US can’t take the safety of their data for granted either, and should consider doing the same. In particular, strong encryption with keys kept under the organization’s own control means the data cannot be read without the organization’s participation, so every access is one it can see and log, rather than one it learns about after the fact, if at all.
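
To make principles 1 and 5 concrete, here is a small Go program (written for this post as an added illustration; it is not code from Microsoft, the linked article, or any real provider) showing client-side envelope encryption. Each object is encrypted under a fresh data-encryption key (DEK) with AES-256-GCM, the DEK is wrapped under a key-encryption key (KEK) that never leaves the organization, and only the ciphertext plus the wrapped DEK is handed to the provider. The object name is bound into the authentication tag so a ciphertext cannot be swapped for another object’s. The function names (EncryptForUpload, Decrypt), the StoredObject type, the sample medical record and the object name are all invented for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the (hypothetical) cloud provider holds for one object.
// The DEK is present only in wrapped form, encrypted under a KEK that never leaves the
// organization, so a warrant served on the provider yields this struct and nothing
// that can decrypt it.
type StoredObject struct {
	Nonce      []byte // nonce for the data ciphertext
	Ciphertext []byte // AES-256-GCM output, authentication tag included
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and binds aad
// (here: the object name) into the authentication tag.
func seal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// EncryptForUpload runs inside the organization's trust boundary before anything is
// sent to the provider. objectName is bound as AAD so whoever holds the store cannot
// silently substitute one object's ciphertext for another's.
func EncryptForUpload(kek, plaintext []byte, objectName string) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return StoredObject{}, err
	}
	wn, wct, err := seal(kek, dek, []byte(objectName))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Nonce: nonce, Ciphertext: ct, WrappedDEK: append(wn, wct...)}, nil
}

// Decrypt is the only path back to plaintext and it requires the KEK, so every read
// has to pass through the organization's own key management, where it can be logged
// and approved. A wrong KEK, a wrong object name or a modified ciphertext all fail.
func Decrypt(kek []byte, obj StoredObject, objectName string) ([]byte, error) {
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(obj.WrappedDEK) < ns {
		return nil, errors.New("malformed wrapped DEK")
	}
	dek, err := open(kek, obj.WrappedDEK[:ns], obj.WrappedDEK[ns:], []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK: %w", err)
	}
	return open(dek, obj.Nonce, obj.Ciphertext, []byte(objectName))
}

func main() {
	kek := make([]byte, 32) // in practice: an HSM or KMS under the organization's control
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	// Constructed sample record; nothing here is real data.
	record := []byte("patient 4711: HIV-positive, 12 rue Example, Paris")
	obj, err := EncryptForUpload(kek, record, "records/4711.json")
	if err != nil {
		panic(err)
	}
	// What a compelled disclosure from the provider would contain:
	fmt.Printf("provider holds %d ciphertext bytes; plaintext visible: %v\n",
		len(obj.Ciphertext), bytes.Contains(obj.Ciphertext, []byte("HIV-positive")))
	_, err = Decrypt(make([]byte, 32), obj, "records/4711.json")
	fmt.Println("decrypt without the KEK:", err)
	pt, _ := Decrypt(kek, obj, "records/4711.json")
	fmt.Println("decrypt with the KEK:", string(pt))
}
```

Two caveats the code makes visible. First, the guarantee is only as good as where the KEK lives: if it sits in a key-management service operated by the same provider, or by any provider subject to the same law, the compelled disclosure simply includes the key. Second, what the provider can still see and hand over is metadata: object names, sizes, timestamps and who fetched what, which the AAD binding does nothing to hide.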

This issue is not limited to Microsoft. As the article points out:

“Amazon Web Services, Google Cloud, and other hyperscale providers operate under identical legal frameworks, potentially exposing European data to extraterritorial access. The testimony suggests widespread vulnerability in European digital infrastructure built on American technological foundations.”

Reliance on US services has become a point of vulnerability for everyone. This should be a concern regardless of American leadership; under the current administration, it’s become a frequent topic of conversation for security leaders both inside and outside of the country.

France has mandated that sensitive data be migrated to services certified under SecNumCloud, a French security qualification intended to ensure the robustness of cloud solutions, particularly for sensitive and critical data. But this concern goes far beyond France. Any organization that needs to keep its information private, particularly for the safety and privacy of vulnerable individuals, must make tough choices about how to protect the sanctity of its data. For many of them, the prevailing cloud strategy of the last decade may have outlived its usefulness.

[Link]