The New York Times recently ran a story arguing that, after the Snowden revelations, Europe would have to build its own cloud computing industry to protect European privacy. I was moved to send the Times a letter in response. The Times edits such letters pretty heavily, so I'm sharing it here:
You left some critical facts out of your lengthy October 7 article on European government efforts to encourage European “cloud” computing services. While the article dwells on a perceived U.S. intelligence threat to European users’ privacy, it fails to ask a question of greater importance to Times readers: What will happen to personal data, American and European, that is stored in a European cloud? Nothing good, it turns out. European law requires that Internet service providers and telephone carriers store personal metadata for up to two years so that it will be available to European law enforcement and security agencies – a privatized and more comprehensive version of the NSA’s domestic telephone metadata collection. (NSA gave up its domestic Internet metadata collection a few years ago; Europe did not.) Not only does the “data retention” requirement in European law cover more personal information, it comes with far fewer safeguards. In Europe, unlike the United States, the authorities need only ask for stored data; companies can and do “volunteer” their data without any court order or other legal process. See Statement of Stewart A. Baker before the Committee on the Judiciary, United States Senate, July 31, 2013. And it shows in the surveillance statistics. Residents of Italy and the Netherlands are more than 100 times more likely to be the subjects of government surveillance than Americans, according to a study by the Max Planck Institute. See Hans-Jörg Albrecht, et al., Legal Reality and Efficiency of the Surveillance of Telecommunications, Max Planck Institute 104 (2003). The same will be true for Americans whose data is stored in a European cloud I have testified before Congress on the one-sided nature of Europe’s focus on privacy threats to the cloud. I’m disappointed to see the same one-sided focus on the news pages of The New York Times. Is all snooping on Americans a bad thing, or have you decided that it’s OK when foreign governments do it?