
Friday, August 1, 2014

Europeans, They Don't Know How Lucky They Have It

Earlier this week I shared my thoughts on why Zenimax/Bethesda decided to physically move their European mega-server to Frankfurt, Germany. To summarize they did it to avoid the brewing data privacy war between the United States and the rest of the world. It was pointed out to me in the comments that the U.S. considers any data held anywhere by U.S. companies to be subject to U.S. law, but that is incorrect. I will tell you why in a moment.

First, I want to acknowledge there was a ruling in the U.S. Federal Appeals court this week that seems to support what those readers were telling me. You can read a great write-up about it, by British ZDNet journalist Zack Whittaker, titled "How one judge single-handedly killed trust in the US technology industry". Please go read that article. I guarantee it won't waste your time unless you don't really give a rat's ass about this whole privacy issue.

Now that you've read the article, it still does not confirm the supposition that foreign data is subject to U.S. laws. The reason is this isn't about the data. It's about U.S. law and how that law applies to U.S. companies. The data in question is not the point - though it is the objective. Laws apply to persons. You don't give a ticket to the car for speeding. You give it to the driver. That understood, understand Microsoft is a U.S. company. It has the rights of a person under U.S. law - yeah, I didn't like that ruling any more than you do. However, there is a bright side to that ruling. Since Microsoft has the privileges afforded to persons under U.S. law, it also has the obligations. That means it must comply with lawfully obtained U.S. subpoenas. This is true of any U.S. citizen. And just because we don't agree with how or why those subpoenas were granted, until Congress changes the law of the U.S., we have no recourse but to comply or pay the penalty. And believe me, the penalties will be severe in the current environment - like it or not.

But at no time does this law apply to the data in question (it is not a person,) the data center it is currently housed in (it is not a U.S. company and thus not a person under U.S. law,) or the country where that data center is located (that's a derp.) It does not apply to the originator of that data so long as that person is not a U.S. citizen. And please, please, please stop assuming laws apply to inanimate objects. That's just silly.

Now, in that previous paragraph notice I did not say owner, but originator. That's a fine point that needs elaboration. In the U.S., the originator is not necessarily (and probably isn't) legally the owner. As gamers you all know about that End User License Agreement (EULA) stuff we all agree to when we play a game. Did you think that only applied to games? Seriously? It applies to any service you have ever signed up to use. It's this legally binding contract that says you agree to certain things in return for certain considerations. That's a fancy legal term for services and/or payment. In this case it means services. Microsoft gives you a service called email, and in return you give up some (many?) of your legal rights over whatever you submit to that service - to wit, your email.

And to make matters more complicated, U.S. companies aren't the only ones to use an EULA. I know I agreed to one when I started playing Assassin's Creed IV: Black Flag, and Ubisoft is a French company. In fact, all companies world-wide use them as standard procedure. It's a devilishly sticky widget. How can you really hold yourself apart from all this, Europe, when you use the same legal agreements U.S. companies do? Isn't that a little like wanting your cake and eating it too? You can't have it both ways.

But seriously my European friends, this is not about you. This ruling has no jurisdiction outside the United States. It only applies to Microsoft, a U.S. company. It has no compulsory jurisdiction over non-U.S. citizens or companies doing business not in the United States. Do you grok what I'm saying?

Let me spell it out. If this worries you, stop using U.S. companies for your private stuff. Use a company that is headquartered in a country whose laws you approve, where that company is not considered a person. But for god's sake, stop bashing the U.S. because you don't like our laws. We are not forcing you to use our companies. And for the record, there are lots of U.S. citizens who don't like these laws either. You at least get a choice in all this. Feel lucky. I don't get a choice even if I use a European company that provides unbreakable encryption. If subpoenaed, my choices are divulge my encryption keys or go to jail. Be thankful you are not so unfortunate.

And as for those who are afraid Microsoft, or any other U.S. company, won't fall on their sword for the sake of your privacy, don't forget the data center in question is not within the U.S. The sovereign nation of Ireland could cut power to that data center at any time, and no one would get the data that resides on those servers. And there are less drastic measures Ireland and/or its citizens could take to keep your private stuff private. Start pestering them to do something about it rather than try to change a situation in the U.S. that even its voters haven't been able to change. Capish piezano? Squawking your heads off about how F@#$ up this is... well, frankly it's dumb. You have so many options for dealing with this I am honestly envious of you. What have you to complain about? Can't you see it from my perspective even a little? If you did, you'd know how lucky you have it.


  1. But isn't it also even one level more complicated?

    As a natural or judicial person operating in a foreign country, you are to a certain degree subject to the local laws. As a German, if I went to America, I would not be allowed to hand vodka to an 18-year-old, even though that would be perfectly legal according to German law.

    So couldn't Microsoft (or any other US-based company) find itself between Scylla and Charybdis? I.e., by US law it would be compelled to hand out the data; but by EU law it would be compelled not to?

  2. I am not a legal expert, but I was in the U.S. military during the Cold War and stationed overseas. I have some practical experience in cross country legal cooperation. The only reason a host country's laws are binding on a soldier stationed there is because of agreements, called STANAGS (short for Standard Agreements, treaties as it were,) between the two countries. That is clearly not the case in this instance. Murder is as old as mankind and it's easy to form agreements concerning that act. Electronic data is too new for there to be any such standard agreements.

    But there is also something you assume that I mention in the post. Laws apply to people. The alcohol you give the minor is not subject to the law - you are. Of course, in the U.S. Microsoft is considered a person, subject to law. It isn't a European citizen. Can European law apply to a non-citizen? Yeah, that's splitting a hair, but it's a legal hair and that makes it significant in a court of law.

    That all said, the easy solution is to turn off the power, or wipe the hard drives. Physical possession is nine-tenths, right. Of course, if the data is distributed... well, that still leaves Europeans with the choice to use only European companies. The rest of the discussion becomes moot at that point. So if Europe wants to put this to rest, Europeans just need to stop using U.S. companies. Right?

  3. I probably didn't express myself well - I don't disagree with your main point, and "giving alcohol" was just the nearest example of "me, the person, violating a local law". Does this local law apply to me? If not, what then? It's exactly the hair splitting which I'm curious about.

    Your conclusion reminds me of the crypto situation last century, where RSA was considered an ammunition and couldn't be exported from US servers - suddenly most crypto-implementations were hosted on EU servers.

  4. Oh snap! I'd forgotten about the RSA thing. Good point!

