The Washington Post and the Guardian aroused outrage with reports that the National Security Agency (NSA) and FBI had accessed central servers of Google, Facebook and others and gathered millions of phone users’ data.
Europe, which lacks internet giants of its own, has long yearned to contain the power of the U.S. titans that dominate the Web, and privacy-focused Germany was quick to condemn their co-operation with the U.S. security services.
“The U.S. government must provide clarity regarding these monstrous allegations of total monitoring of various telecommunications and Internet services,” said Peter Schaar, German data protection and freedom of information commissioner.
“Statements from the U.S. government that the monitoring was not aimed at U.S. citizens but only against persons outside the United States do not reassure me at all.”
The Post said the secret program involving the internet companies, code-named PRISM and established under President George W. Bush, had seen “exponential growth” during the past several years under Barack Obama.
Some of the companies named in the article have denied the government had “direct access” to their central servers. Nevertheless, the justice minister for the German state of Hesse, Joerg-Uwe Hahn, called for a boycott of the companies involved.
“I am amazed at the flippant way in which companies such as Google and Microsoft seem to treat their users’ data,” he told the Handelsblatt newspaper. “Anyone who doesn’t want that to happen should switch providers.”
CONCERNS RIPPLE BEYOND EUROPE
The European Union has struggled to assert its citizens’ rights to privacy in the United States for almost a decade.
Transatlantic agreements on sharing the financial and travel data of European citizens have taken years to complete, and the European Union is now trying to modernize an almost 20-year-old privacy law to strengthen Europeans’ rights.
International concerns also echoed beyond Europe.
In Australia, the conservative opposition said it was “very troubled” and had voiced concern to U.S. diplomats in Canberra about what it called large-scale, covert surveillance of private data belonging to foreigners.
“There is a massive global trend to cloud services,” said opposition communications spokesman Malcolm Turnbull, noting that the vast majority of providers were U.S. firms.
Fears about the security of data held on U.S. servers have already been a major factor in slow European adoption of “cloud” computing services, in which computing-intensive applications are done by central providers in large server farms.
The U.S. Patriot Act, signed into law after the September 11, 2001 attacks on the country, gave U.S. intelligence agencies significant new powers of data surveillance and had been a focal point of resistance.
“You hear more concerns in Europe than in the U.S., about the Patriot Act in particular. PRISM just enhances those concerns,” said Mark Watts, a partner in London law firm Bristows specializing in privacy and data compliance.
“The main players that are mentioned are much more on the consumer cloud end… but it may be that emotionally it adds to the concerns about U.S. cloud providers,” said Watts, whose clients include several large U.S. internet firms.
Cloud services accounted for $16.1 billion in revenues in western Europe last year, according to IT research firm Gartner, less than half the $32.9 billion generated in north America by firms such as Amazon or Salesforce.
Europe has tried to protect its citizens by imposing restrictions on the export of data to third countries without strong data protection laws, which can include the United States – but Bristows’ Watts said these were easy to get around.
European Justice Commissioner and Vice President Viviane Reding said: “This case shows that a clear legal framework for the protection of personal data is not a luxury or constraint but a fundamental right.”
Reding, who has been trying to push through an update to Europe’s data protection laws for 18 months, noted that EU government leaders meeting in the European Council had been able to agree the Data Retention Directive relatively quickly.
Their action on the 2006 directive, which stipulates that phone and internet companies must store records to help in fighting serious crime, showed they could act fast when limiting civil liberties.
“It is time for the Council to prove it can act with the same speed and determination on a file which strengthens such rights,” she said in an emailed statement.
Some of Europe’s difficulties in combating perceived data abuses arise from the fact that many European governments look with envy at the U.S. security services’ powers.
Britain is trying to strengthen its already powerful monitoring capabilities by bringing in what critics say would be the West’s most far-reaching surveillance laws.
The Guardian reported on Friday that Britain’s eavesdropping and security agency, GCHQ, had been secretly gathering intelligence from PRISM and had had access to the system since at least June 2010.
GCHQ said in an emailed statement to Reuters: “Our work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorized, necessary and proportionate.”
Mikko Hypponen, chief research officer at Finnish software security firm F-Secure, said outrage was the appropriate response to the U.S. revelations.
“What we have in our hands now is the first concrete proof of U.S.-based high-tech companies participating with the NSA in wholesale surveillance on us, the rest of the world, the non-American, you and me,” he said.
But he added there was little that individuals could do, with precious few alternatives to the popular services offered by U.S. firms Facebook, Google or Apple.
“The long term solution is that Europe should have a dot.com industry just like the United States, which would give us economic benefits but more importantly would make us independent of the wholesale surveillance of the U.S. intelligence agencies.”