惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Cisco Blogs
Schneier on Security
Schneier on Security
T
Tor Project blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tenable Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Threat Research - Cisco Blogs
C
CERT Recently Published Vulnerability Notes
Security Latest
Security Latest
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
NISL@THU
NISL@THU
L
Lohrmann on Cybersecurity
Scott Helme
Scott Helme
Webroot Blog
Webroot Blog
Project Zero
Project Zero
Google Online Security Blog
Google Online Security Blog
The Last Watchdog
The Last Watchdog
Spread Privacy
Spread Privacy
Hacker News: Ask HN
Hacker News: Ask HN
PCI Perspectives
PCI Perspectives
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
W
WeLiveSecurity
Attack and Defense Labs
Attack and Defense Labs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
N
News | PayPal Newsroom
Help Net Security
Help Net Security
The Hacker News
The Hacker News
H
Heimdal Security Blog
O
OpenAI News
S
Security @ Cisco Blogs
N
News and Events Feed by Topic
Cyberwarzone
Cyberwarzone
Simon Willison's Weblog
Simon Willison's Weblog
G
GRAHAM CLULEY
www.infosecurity-magazine.com
www.infosecurity-magazine.com
博客园 - 叶小钗
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Hacker News - Newest:
Hacker News - Newest: "LLM"
T
Tailwind CSS Blog
大猫的无限游戏
大猫的无限游戏
A
Arctic Wolf
I
Intezer
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
S
Security Affairs
P
Proofpoint News Feed
S
Secure Thoughts
腾讯CDC
Google DeepMind News
Google DeepMind News
量子位
罗磊的独立博客

The Register - Off-Prem: Channel

'Death sentence': EU cloud lobby drags Broadcom to Brussels Iran war wreaking havoc on cargo, global delays likely OpenAI asks consultants to help it push Frontier OpenAI asks consultants to help it push Frontier ICO wins battle in fight to fine tech retailer £500k Rising memory costs see vendors change terms and conditions Capgemini to sell biz that has a deal to help ICE Ingram Micro admits ransomware raid exposed staff records Hiring at India’s Big Four outsourcers stalls as AI bites Hiring at India’s Big Four outsourcers stalls as AI bites Accenture to buy Palantir rival, UK-based Faculty The ‘Palantir-ization’ of IT services is upon us Amazon straps AI smart specs to delivery drivers Microsoft pivots to copyright claim in ValueLicensing case Client defended engineer boss lied about dodgy dealings Client defended engineer boss lied about dodgy dealings Node4 awarded £2.4M in damages after Tisski takeover Trump tariff turmoil toys with PC sales, economy not helping Everyone needs an AI phone. No, don't hang up, it's true Microsoft software reselling dispute heads back to UK court KPMG wrote 100-page prompt to build agentic TaxBot Google admits anticompetitive conduct in Australia Foxconn now making more from servers than iPhones Stock in the Channel pulls website amid cyberattack Ebuyer website bought by Fraser Group plc Ingram Micro attackers threaten 3.5 TB data leak this week India, not China, manufactures most US smartphones now India, not China, manufactures most US smartphones now Infosec firm Adarma confirms it will enter administration Small clouds out as VMware again changes partner program Trump tariffs turn techies topsy-turvy: US braced for PC tax Ingram Micro restarts orders – for some – following ransomware attack Ingram Micro confirms ransomware behind multi-day outage 14-hour+ global blackout at Ingram Micro halts customer orders Ingram Micro still silent 14 hours after global outage began Impact of Microsoft taking over Enterprise Account renewals starts to 'bite' Kaseya CEO: Why AI adoption is below industry expectations Taiwan blocks exports to SMIC, Huawei in defiance of Beijing Doomed UK smartphone maker Bullitt Group finally liquidated VMware drops the lowest tier of its partner program – except in Europe VMware price hikes? Between 800 and 1,500%, claim Euro customers Microsoft adds custom SaaS payment plans, variable payments India’s services giants brace for impact as US tariffs bite Tech suppliers await final grade as Trump prepares to flunk Department of Education Have I Been Pwned likely to ban resellers from buying subs, citing 'sh*tty behavior' and onerous support requests Have I Been Pwned likely to ban resellers Biz tax rises, inflation and high interest. Why fewer UK tech firms started in 2024 Fewer UK tech startups launched in 2024 Brit government contractor CloudKubed enters administration UK government tech procurement lacks understanding, says watchdog Microsoft, PC makers cut prices of Copilot+ gear in Europe, analyst stats confirm Microsoft invites Chinese software vendors to sell on its marketplace and through its partners Microsoft to sell Chinese software on its marketplace The channel stands corrected: Hardware is a refresh cycle business now Channel stands corrected: Hardware a refresh cycle biz now Ingram Micro to 'stop doing business' with Broadcom, downgrade to 'limited engagement' on VMware Microsoft preps big guns to shift Copilot software and PCs Pakistan IT org warns that bad internet could kill industry One of Europe's largest resellers mandates 3-day office week AI PCs need to be better at everything trad PCs can do Intel share price drop could see it delisted from Dow Jones IBM Canada can't duck systematic age discrimination claim Google goes shopping for Indian e-commerce assets at Walmart Fujitsu Japan adopts Oracle's Alloy service provider cloud Wipro appoints new CEO: US boss Srini Pallia takes over Microsoft reseller tells LSE of over 100 undisclosed deals Citrix reportedly doubles cost of some software licenses VMware by Broadcom teases more, cheaper, training, from May Boss at Microsoft reseller quits, admits secret share trades eBay tells 1,000 workers their days at company are numbered AWS Marketplace adds sales of third-party services Foxconn’s teams with HCL Group for India chip packaging play Nutanix set to benefit most from Broadcom's VMware upheaval India's big four services giants soar on demand for AI Broadcom to end VMware’s partner program Infosys loses ten-year, $1.5 billion contract China’s annual e-tail frenzy set records, but revenue hidden Infosys and Wipro slow graduate recruitment Gulf states and 'The Stans' could become new tech hotspot 'Unexpected system challenges’ delay Microsoft product Microsoft tells partners unbundling Teams is a ‘compromise’ Two top execs quit Infosys months after its president jumped JP Morgan: Bad times just starting for India's outsourcers Dell pulls storage, PCs, and compute into Apex ITaaS India’s major IT outsourcers slow hiring, fret about deals Microsoft pays $3.3M for alleged US sanctions busting Microsoft pauses delayed partner ecosystem security update Azure usage notifications for partners broken until March Revenues grows strongly at India’s big four IT outsourcers
Microsoft exec admits it 'cannot guarantee' data sovereignty
Paul Kunert Paul Kunert · 2025-07-25 · via The Register - Off-Prem: Channel

UPDATED Microsoft says it "cannot guarantee" data sovereignty to customers in France – and by implication the wider European Union – should the Trump administration demand access to customer information held on its servers.

The Cloud Act is a law that gives the US government authority to obtain digital data held by US-based tech corporations irrespective of whether that data is stored on servers at home or on foreign soil. It is said to compel these companies, via warrant or subpoena, to accept the request.

Talking on June 18 before a Senate inquiry into public procurement and the role it plays in European digital sovereignty, Microsoft France's Anton Carniaux, director of public and legal affairs, along with Pierre Lagarde, technical director of the public sector, were quizzed by local politicians.

Asked of any technical or legal mechanisms that could prevent this access under the Cloud Act, Carniaux said it had "contractually committed to our clients, including those in the public sector, to resist these requests when they are unfounded."

"We have implemented a very rigorous system, initiated during the Obama era by legal actions against requests from the authorities, which allows us to obtain concessions from the American government. We begin by analyzing very precisely the validity of a request and reject it if it is unfounded."

He said that Microsoft asks the US administration to redirect it to the client.

"When this proves impossible, we respond in extremely specific and limited cases. I would like to point out that the government cannot make requests that are not precisely defined."

Carniaux added: "If we must communicate, we ask to be able to notify the client concerned." He said that under the former Obama administration, Microsoft took cases to the US Supreme Court and as such ensured requests are "more focused, precise, justified and legally sound."

The Cloud Act was signed into law in 2018 following challenges the FBI faced when getting data via service providers through Store Communications Act warrants, which was itself legislated before cloud computing became a viable thing. Microsoft challenged previous requests, including one concerning a 2016 drug trafficking probe, when emails of a US citizen were held on Microsoft servers in Ireland, and Microsoft argued the SCA did not cover data held outside the US.

The bill was supported at the time it became law by AWS, Microsoft, and Google – and was criticized by civil rights groups. European cloud providers with skin in the game have talked up the potential data sovereignty issue for customers in the EU, although, as Microsoft has said, it has not received data requests from the US government for data held on Microsoft servers in Europe.

Back at the hearing in France, Microsoft was asked if a data request was well framed, would the corporation be "obliged to transmit the data?"

Carniaux admitted: "Absolutely, by respecting this process. But again, this has not affected any European company, or a public sector body, since we have been publishing these transparency reports."

Microsoft transparency reports are twice yearly publications in which the business reveals how it manages user data requests, content removal, and more.

Legrande chimed in to say that for the past three years Microsoft has implemented a technical environment to minimize data transfers and keep customers data within the EU, "whether at rest, in transit or being processed, or whether it is data generated by application logs, including the support part."

As proceedings continued, Carniaux was asked if in the event of an injunction that was legally justified, could he, as Microsoft director of public and legal affairs, "guarantee our committee, under oath" that data on French citizens could not be transmitted to the American government without the explicit agreement of the French government.

"No," said Carniaux, "I cannot guarantee that, but, again, it has never happened before."

The Register asked Microsoft to comment on this but it declined to do so.

Mark Boost, CEO at Civo, claimed: "One line of testimony just confirmed that the US hyperscaler providers cannot guarantee data sovereignty in Europe."

"Microsoft has openly admitted what many have long known: under laws like the CLOUD Act, US authorities can compel access to data held by American cloud providers, regardless of where that data physically resides. UK or EU servers make no difference when jurisdiction lies elsewhere and local subsidiaries or 'trusted' partnerships don't change that reality.

"This is more than a technicality. It is a real-world issue that can impact national security, personal privacy and business competitiveness. We've already seen examples like the Scottish police case, where sensitive data was transferred out of jurisdiction and beyond intended control. The recent Microsoft testimony demonstrates how this can now happen on demand by US authorities.

"The French Senate has set a precedent by demanding answers, and the UK and Europe have an opportunity to do the same. We're already seeing a shift towards building homegrown solutions that support true data sovereignty rather than data residency. The government now needs to help industry accelerate this trend by reducing its over-dependence on hyperscalers."

AWS was this week at pains to point out "five facts" about how the Cloud Act works following an uptick in "inquiries about how we manage government requests for data." First off, it says the legislation does not give US government "unfettered or automatic access to data stored in the cloud."

"The CLOUD Act primarily enabled the US to enter into reciprocal executive agreements with trusted foreign partners to obtain access to electronic evidence for investigations of serious crimes, wherever the evidence happens to be located, by lifting blocking statutes under US law.

"Under US law, providers are actually prohibited from disclosing data to the US government absent a legal exception," it adds, "To compel a provider to disclose content data, law enforcement must convince an independent federal judge that probable cause exists related to a particular crime, and that evidence of the crime will be found in the place to be searched."

AWS says it has not yet disclosed enterprise or government customer data under the Act; the principles of the Act are "consistent with international law and the laws of other countries"; and the law does "not limit the technical measures and operatonal controls AWS offers to customers to prevent unauthorised access to customer data."

The final point AWS makes - and one no doubt aimed at European rivals trying to exploit the data sovereignty movement - is that the Cloud Act does not only apply to US-headquarterd companies, it is applicable to all "electronic communication service or remote computing service providers" that do business stateside.

"For example, European-headquartered cloud providers with US operations are also subject to the Act's requirements. OVHcloud, a French headquartered cloud service provider that operates in the US, notes in its CLOUD Act FAQ page that 'OVHcloud will comply with lawful requests from public authorities. Under the CLOUD Act, that could include data stored outside of the United States'."

"Similarly, other cloud providers headquartered in the EU and elsewhere, also have operations in the US."

Despite this, mistrust of the Trump administration by some in Europe, notably including Dutch politicians, means worries linger about the state of relations between those in the EU trading bloc and the US.

Microsoft, like AWS and Google, has embarked on a campaign to assure any concerned customers in the EU that it can provide data sovereignty in the wake of Trump 2.0 and the US President's less than friendly stance towards nations once considered close allies, including the tariff policy that has derailed predictability in industries across the world.

Microsoft President Brad Smith noted the "volatile" economic and geopolitical tensions between the US and Europe and vowed to build more datacenters in Europe among other measures. AWS will have services in place by the end of this year to address worries and Google is tackling these issues too.

Nevertheless, there is a movement in Europe to become less reliant on American big tech, with technical advisors pressing the point for independence, and local techies and lobbyists urging the head of the European Commission to create a sovereign infrastructure.

Given the billions of dollars US giants transact with customers in Europe, they are going to put up a big fight to retain the business. And they have time on their side, as building self reliance cannot be achieved overnight.

We asked Google to comment and it referred us to a previous blog published in May. AWS, which also earlier sent over its aforementioned blog post from July 22, told us it nothing further to add. ®

Updated at 08.12 on August 14, 2025 to add:

After publication, a spokesperson at OVH Group made contact with The Register to send a statement but didn't respond to our request for an interview. The spokesperson said the blog post from AWS shows "digital sovereignty, and more specifically the question of how extraterritorial laws are applied to data stored in the cloud, is now an unavoidable topic.

"This is proof that cloud users need clarity on the Cloud Act, the Patriot Act or FISA 702 and the conditions of their extraterritorial reach."

The spokesperson said OVH's HQ, European activities and decision making are "based in France". And it has reviewed the "organizational architecture" of the Group as it is present in several countries, including the US.

"Our activities and organization have been organized on a legal, technical and operational level so that OVH US activities are fully independent of the other group entities, in order to protect them from the extraterritorial nature of the American laws and regulation.

"OVH Group abides by local laws in the countries it operates in. As such, OVH US may be subject to requests from American authorities within the framework of the Cloud Act as long as these demands are connected to customers of OVH US and are strictly compliant with applicable American law. The French OVH entity (or its European subsidiaries) is not subject to the Cloud Act, the Patriot Act or the FISA."