[discuss] Misconceptions about what "US companies" means in respect of data rights of users - and how to protect them

Nick Ashton-Hart nashton at ccianet.org
Tue Jan 14 08:07:00 UTC 2014

Dear 1Net collaborators,

I've seen several emails recently with mistakes of fact about what is and is not a 'US company' with respect to the NSA's reach, as well as the idea that simply because data flows through the US or any other country that users' data is more, or less, susceptible to national security laws.

Simply put:

1) The way US law works, any company - regardless of where it is based or operates - is subject to the US' laws on national security once it has "legal nexus" with the US - which can be created by all kinds of events, but to be simple, even one person employed there in any subsidiary - even one that isn't wholly owned - is good enough. This means that a large number of international countries that are headquartered in pretty much every country are just as subject to US law as is a US-headquartered company.

2) With respect to access to data just because it flows through the US (or the UK, or France, or anywhere else): Just because data happens to transit a country does not make it more, or less, accessible to their security services. What does is really much more tied up in the above point: what service is the data a part of and what jurisdictions is that service subject to (at a legal level) and at a practical level, is the data encrypted or otherwise protected from being hoovered up from the wire and easily combined back into whatever it was before being packetized.

3) In the case of the NSA and GCHQ and many other countries, their security services have either a) listening posts in their embassies and consulates worldwide to allow them to intercept data they are interested without the host country knowing what they are up to or b) legal agreements to share data with other countries.

We have a real issue here - but it isn't fundamentally what US companies do or don't do or what the NSA does or doesn't get to do after Obama and the US Congress do whatever they are going to do about it' spectacular and abusive (in my opinion) overreach.

We have to look at the global picture which is fundamentally a question of what states agree to do with data between themselves, and what legal jurisdiction issues are presented by countries' existing practices of extending their laws to non-nationals and acts which don't relate to their territory.
To be more specific, can we imagine an MLAT system where countries agree to a set of principles ("Necessary and Proportionate" have been recommended on the ISOC Internet policy list) governing the exchange of information between each other for various purposes which would recognise human rights, be more transparent - and in the case of legitimate law enforcement access, provide more effective use of information? For example, the MLAT between Brazil and the USA is apparently basically unusable by either country due to the way it is architected. This is not the only one, but it is a good example.

We can all bang on about what the US and other countries are doing, and what companies are doing or not doing or should do - or we can get to the root of the problem and try to fix the underlying architecture.

You can riposte saying "But this isn't an Internet problem!" - and it fundamentally isn't, but the Internet is being abused and harmed as are users because of the problem so while we need to point out to policymakers that the above statement is true, we also should address the underlying problem to help deal with our issue.

Sent from my Android phone with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://1net-mail.1net.org/pipermail/discuss/attachments/20140114/f34b4c42/attachment-0001.html>

More information about the discuss mailing list