Microsoft Can't Keep EU Data Safe from US Authorities

Microsoft, CLOUD Act, and French Testimony

  • Commenters note the testimony is from July and focus on the claim that no US data requests have yet occurred.
  • Some accept that, under oath in France, lying would be risky, especially given potential espionage charges if French state data were involved.
  • Others are deeply skeptical, pointing out US gag orders, the possibility of “rogue” staff or US-controlled access paths, and Microsoft’s prior marketing assurances to EU lawyers that now appear misleading.

Sovereign Cloud and “Trusted Subsidiaries”

  • The idea of a “trusted” local subsidiary with only local citizens is seen as weak protection.
  • Core concern: control flows through US-written software, global admin/support teams, and mandatory updates. A “security update” could exfiltrate data without local knowledge.
  • Several argue “sovereign clouds” from US hyperscalers are mostly compliance theater that satisfies checkboxes but not real sovereignty.

CLOUD Act vs GDPR and Legal Structure

  • Many say the incompatibility of the CLOUD Act and GDPR has been obvious for years; US companies must be treated as unsafe third-country processors regardless of where data sits.
  • Debate over whether non‑US multinationals with US subsidiaries (e.g., OVH) are effectively within the CLOUD Act’s reach; some cite OVH’s own FAQ acknowledging possible extra‑territorial requests.
  • Others argue foreign parents are outside US jurisdiction in theory, but note the US often uses economic and political coercion in practice.

Technical Limits of Protection

  • Strong end‑to‑end encryption and minimal data collection are seen as the only robust defenses.
  • But cloud isn’t just storage: for compute, plaintext and keys must exist in RAM somewhere, giving cloud operators (and thus their governments) theoretical access.
  • Confidential computing (Intel TDX, AMD SEV, enclaves) is mentioned but distrusted due to past side‑channel breaks and opaque hardware.

EU Dependence and Strategic Response

  • Several highlight the EU’s deep dependence on US tech stacks (cloud, OS, chips, SaaS), calling it a severe strategic weakness.
  • Some foresee or advocate a slow but inevitable shift: EU‑only clouds, local chip/OS initiatives, more on‑prem/self‑hosted and open‑source alternatives.
  • Others stress the migration cost and political reluctance, noting that tenders still heavily favor US providers despite clear national‑security risks.