[bestbits] PRISM - is it about the territorial location of data or its legal ownership

Katitza Rodriguez katitza at eff.org
Mon Jun 24 10:48:44 EDT 2013 

Only answering one of the questions on jurisdictional issues: The answer 
is somewhat complex

if data is hosted in the US by US companies (or hosted in the US by 
companies based overseas), the government has taken the position that it 
is subject to U.S. legal processes, including National Security Letters, 
2703(d) Orders, Orders under section 215 of the Patriot Act and regular 
warrants and subpoenas, regardless of where the user is located.

The legal standard for production of information by a third party, 
including cloud computing services under US civil 
(http://www.law.cornell.edu/rules/frcp/rule_45) and 
criminal (http://www.law.cornell.edu/rules/frcrmp/rule_16) law is 
whether the information is under the "possession, custody or control" of 
a party that is subject to US jurisdiction. It doesn’t matter where the 
information is physically stored, where the company is headquartered or, 
importantly, where the person whose information is sought is located. 
The issue for users is whether the US has jurisdiction over the cloud 
computing service they use, and whether the cloud computing service has 
“possession, custody or control” of their data, wherever it rests 
physically. For example, one could imagine a situation in which a large 
US-based company was loosely related to a subsidiary overseas, but did 
not have “possession, custody, or control” of the data held by the 
subsidiary and thus the data wasn’t subject to US jurisdiction.

On 6/24/13 5:28 AM, parminder wrote:
> Hi All
>
> There was some demand on the bestbits list that we still need to ask a 
> lot of questions from the involved companies in terms of the recent 
> PRISM plus disclosures. We are being too soft on them. I refuse to 
> believe that everything they did was forced upon on them. Apart from 
> the fact that there are news reports 
> <http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms.html> 
> that US based tech companies regularly share data with US gov for 
> different kinds of favours in return, or even simply motivated by 
> nationalistic feeling, we should not forget that many of these 
> companies have strong political agenda which are closely associated 
> with that of the US gov.   You must all know about 'Google Ideas 
> <http://en.wikipedia.org/wiki/Google_Ideas>', its revolving doors with 
> US gov's security apparatus, and its own aggressive regime change 
> ideas <http://www.informationclearinghouse.info/article34535.htm>. 
> Facebook also is known to 'like' some things, say in MENA region, and 
> not other things in the same region.....
>
> Firstly, one would want to know whether the obligations to share data 
> with US government extended only to such data that is actually located 
> in, or flows, through, the US. Or, does it extend to all data within 
> the legal control/ ownership of these companies wherever it may 
> reside.  (I think, certainly hope, it must be the former, but still I 
> want to be absolutely sure, and hear directly from these companies.)
>
> Now, if the obligation was to share only such data that actually 
> resided in servers inside the US, why did these companies, in face of 
> what was obviously very broad and intrusive demands for sharing data 
> about non US citizens, not simply locate much of such data outside the 
> US. For instance, it could pick up the top 10 countries, the data of 
> whose citizens was repeatedly sought by US authorities, and shift all 
> their data to servers in other countries that made no such demand? 
> Now, we know that many of the involved companies have set up near 
> fictitious companies headquartered in strange places for the purpose 
> of tax avoidance/ evasion. Why could they not do for the sake of 
> protecting human rights, well, lets only say, the trust, of non US 
> citizens/ consumers, what they so very efficiently did for enhancing 
> their bottom-lines?
>
> Are there any such plan even now? While I can understand that there 
> can be some laws to force a company to hold the data of citizens of a 
> country within its border, there isnt any law which can force these 
> companies to hold foreign data within a country's borders... Or would 
> any such act perceived to be too unfriendly an act by the US gov?
>
>
> I am sure others may have other questions to ask these companies.....
>
> parminder


-- 
Katitza Rodriguez
International Rights Director
Electronic Frontier Foundation
katitza at eff.org
katitza at datos-personales.org (personal email)

Please support EFF - Working to protect your digital rights and freedom of speech since 1990

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.igcaucus.org/pipermail/bestbits/attachments/20130624/4ac177d9/attachment.htm>

More information about the Bestbits mailing list