A British citizen’s UK court action will test the legal right of Microsoft to disclose private data on UK citizens to the US electronic spying organisation, the National Security Agency (NSA).
The case will shine a light on the legality of top secret US court orders which require US technology companies to disclose details of foreign users’ private communications.
Kevin Cahill, a British journalist, has brought the case in the Lord Mayor’s and City of London County Court. The case centres on Cahill’s belief that Microsoft breached the security of his email account.
Cahill argues that, by obeying orders that are legally binding only in the United States, Microsoft has contravened British law – the Data Protection Act in particular.
The action follows revelations by former US intelligence contractor and whistleblower, Edward Snowden. Snowden revealed that the NSA had been collecting metadata about email and other communications from Microsoft since 2007, under its controversial Prism interception programme.
The case will raise questions over the jurisdiction of secret orders made by the US Foreign Intelligence Surveillance Court against US technology companies operating in the UK.
The other service providers named in the Snowden documents as contributors to the Prism programme are Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple.
Human rights lawyer Geoffrey Robertson QC said the action could have far-reaching consequences for Microsoft and other service providers, if it succeeds.
“Microsoft allegedly betrayed its customers by providing their personal information, without their consent, to the NSA,” said Robertson.
“This would constitute a serious breach of the British Data Protection Act, by an American company putting its allegiance to America above its legal duties to its British customers.”
Documents leaked by Snowden reveal that Microsoft assisted the NSA to circumvent the encryption on the Outlook.com email portal, including Microsoft’s popular Hotmail service.
The company also made it easier for the NSA to monitor its cloud storage service, Skydrive, which has over 250 million users worldwide, and its Skype telephone and video service.
A Microsoft spokesman told Computer Weekly: “We have been notified of an action being filed, and will be responding to it in due course. It would be inappropriate to comment further on the details of an active legal case.”
Facebook and Google named
Cahill is seeking damages of £1,000 under the Data Protection Act.
He has requested that the county court order Microsoft to reveal the contents of the orders made under the US Foreign Intelligence Surveillance Act (FISA).
He has brought additional actions against Facebook and Google in the UK and their named UK directors. Facebook and Google declined to comment on Cahill’s claims brought against them.
Invasion of privacy
Robertson said breaches of the Data Protection Act should be treated as seriously as the News of the Worldphone hacking case.
“The invasion of privacy, by deliberately declining to obtain a customer’s consent before exposing their personal details to another, deserves to be compensated on the same basis as obtaining personal data by hacking mobile telephones,” Robertson said.
John Hemming, MP for Birmingham Yardley and an IT specialist with expertise in cryptography, supports Robertson’s view.
“I have looked at this issue in some depth and, notwithstanding the fact that they have avoided the question, I do think it is quite clear that US companies may well have broken UK law, and UK law does take precedence in the UK courts, so that would cost them a lot of money,” he said.
Concerns over Parliamentary data
The case has also raised concerns over the security of British parliamentary data, due to plans to use cloud services from Microsoft.
“Parliament proposes to use the cloud for its records in the future. I’m not sure it is right for us to give our data to a company that is controlled by FISA courts in the USA,” said Hemming.
Monitoring foreign citizens
In principle, the NSA has greater freedom to monitor the communications of overseas citizens than US citizens.
The Foreign Intelligence Surveillance Act (FISA) court ruled that the NSA was required to separate American communications from foreign traffic – or breach the US Constitution’s fourth amendment – in October 2011.
The NSA’s Special Source Operations division refunds Microsoft and other data providers’ for complying with Prism surveillance orders. Prism costs the NSA $20 million per year.
EC seeks data controls
Following Snowden’s revelations, theEuropean Commission (EC) has threatened to freeze data-sharing arrangements with America, if it does not comply with European law.
The EC has demanded that redress in US courts be accessible to EU citizens whose rights have been infringed.
Robertson said Cahill was right to bring the case in light of the US government’s agreements with technology companies to harvest data from the internet.
“Customers whose data has been unlawfully transferred should sue them for breach of contract and breach of confidence,” Robertson said.
Microsoft had sought permission from the courts to reveal the contents of the orders it received under FISA, the Guardian reported in June 2013.
Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners.
If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Related content from ComputerWeekly.com