The U.S. law enforcement and intelligence communities will not be able to access information stored in Microsoft’s new German data centers, according to Stewart Baker, former National Security Agency general counsel and partner at Steptoe and Johnson.
Microsoft is building data centers in Germany that are tailored toward customers who want the most stringent privacy protections. Access to information in these data centers will not be allowed to anyone, including Microsoft, without the permission of the customer or data trustee.
Microsoft did not respond to MeriTalk’s request for comment.
After Microsoft won its 2nd Court of Appeals decision against the U.S. government over denying law enforcement access to data held in its Ireland-based server, the company expanded to Germany, where more privacy regulations are in place.
The German data regulations ensure that customers would be able to see where and how their data is processed.
“I don’t think that Microsoft would admit that that was their intention,” said Michael Vatis, partner at Steptoe. “I think there have been a lot of pressures on cloud service providers to set up their data centers locally so that they fall under the data and protection regimes of whatever locales they’re in, which gives assurance to people–to their customers–that whether it’s German law, or U.K. law, or Swiss law, or whatever, that those apply.”
The two new data centers, located in Magdeburg and Frankfurt, will be controlled by T-Systems, a subsidiary of Deutsche Telekom, an independent German company.
“Legally, I think this is pretty effective,” Vatis said. “Microsoft would argue, if served with a search warrant or with a subpoena, that it doesn’t have possession, custody, or control over the customer data stored in Germany.”
According to Microsoft, the data centers will provide the same security protections that the company offers to other data centers around the world, including multifactor authentication with biometric scanning and smart cards, data encryption, physical security controls, and protection against natural disasters and power outages.
The move toward excluding the U.S. intelligence and law enforcement community occurs after a push from Federal officials including NSA Director Adm. Mike Rogers, FBI Director James Comey, and Attorney General Eric J. Holder, for companies to leave a “backdoor” in their encryption so that the intelligence community could gain access to data. However, technology and cybersecurity experts said there’s no way to do this without exposing the material to hackers.
The Microsoft data centers focus on attracting clients in the public, financial, or health sectors that specifically deal with sensitive data.
“Microsoft’s latest offering addresses companies who need to comply with the most stringent privacy regulations. It now enables us and our customers to scale and to successfully implement new business models even broader,” said Arthur Kaindl, general manager for Digital Health Services at Siemens Healthcare.
Baker said that prohibiting law enforcement access to data centers is possible when the facilities are built abroad. Baker also thinks the Federal government is less likely to go after a U.S. company for information than a foreign company.
“I think that Microsoft has a good chance of keeping it out of the hands of the U.S. government,” Baker said. “Whether that’s a good idea or whether it exposes the U.S. to more terrorism is a different question.”