A leaked document has revealed that the US’s National Security Agency has direct access to the servers of many of the world’s top cloud service providers. Microsoft, Apple, Google, Facebook, YouTube, Skype, and AOL are all implicated. The revelation came from a leaked NSA presentation verified as genuine by The Guardian newspaper.
In the presentation, the NSA claims that it is able to directly access data including e-mail, video and voice chat, videos, photos, stored data, VoIP, file transfers, notifications of logins, and social network details at will and without a court warrant. The monitoring began in 2007, when Microsoft became the first company involved in the project, but has since grown to include Google, Apple, and Facebook among others.
The revelation causes concern that companies which claim to be in compliance with the EU-US Safe Harbor agreement may either knowingly or unknowingly be in breach of the rules.
Safe Harbor is Broken
The EU-US Safe Harbor agreement is a set of standards to which US companies can conform so that they meet EU data protection requirements. Microsoft, Apple, Google, and Facebook all claim to conform to Safe Harbor. Without Safe Harbor it is illegal for the personal data of EU citizens to be processed on servers outside of the EU.
Why is Safe Harbor Relevant to Schools?
When developing our school’s data protection policy, concerns about the US PATRIOT Act, which enabled this breach of privacy, were raised, but we ultimately put our trust in Safe Harbor. The question is, should we and any other organisations using cloud services from Google, Microsoft, and Apple be reviewing our policies?
Google and Microsoft store data for EU customers in data centres within the EU, but the NSA claims that any data of foreign allies is a legitimate target for monitoring.
It’s currently not clear whether the companies involved were aware of the NSA’s data monitoring; most have released statements claiming that they had no knowledge of this activity. What is certain, however, is that this scandal will have repercussions for organisations using US-based cloud services.