UK citizen sues Microsoft over Prism private data leak to NSA

A court action brought in the UK will test Microsoft's legal right to disclose private data on UK citizens to US intelligence services

This article can also be found in the Premium Editorial Download: Computer Weekly: Can BlackBerry restore its business appeal?

A British citizen's UK court action will test the legal right of Microsoft to disclose private data on UK citizens to the US electronic spying organisation, the National Security Agency (NSA).

The case will shine a light on the legality of top secret US court orders which require US technology companies to disclose details of foreign users’ private communications.

Kevin Cahill, a British journalist, has brought the case in the Lord Mayor’s and City of London County Court. The case centres on Cahill's belief that Microsoft breached the security of his email account.

Cahill argues that, by obeying orders that are legally binding only in the United States, Microsoft has contravened British law – the Data Protection Act in particular.

The action follows revelations by former US intelligence contractor and whistleblower, Edward Snowden. Snowden revealed that the NSA had been collecting metadata about email and other communications from Microsoft since 2007, under its controversial Prism interception programme.

The case will raise questions over the jurisdiction of secret orders made by the US Foreign Intelligence Surveillance Court against US technology companies operating in the UK.

The other service providers named in the Snowden documents as contributors to the Prism programme are Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple.

Technology companies shed light on government data requests

Earlier this year, Facebook published a Global Government Requests Report that lists the number of requests made by governments for data from the company. 

In the first six months of this year, the US government made between 11,000 and 12,000 requests to Facebook, covering the records of between 20,000 to 21,000 users. Some 79% of requests – which relate to either criminal or national security matters – were granted. 

A Facebook web page titled Information for Law Enforcement Authorities states that, for international requests: “We disclose account records solely in accordance with our terms of service and applicable law.”

In an official blog post dated 7 June 2013, Google denied having heard of the US Prism surveillance programme until the previous day and appealed for greater transparency. Companies are not permitted under US law to disclose details of requests made by the NSA under the Foreign Intelligence Services Act (FISA).

“First, we have not joined any program that would give the U.S. government – or any other government – direct access to our servers,” the website stated.  

“Second, we provide user data to governments only in accordance with the law.”

Far-reaching consequences

Human rights lawyer Geoffrey Robertson QC said the action could have far-reaching consequences for Microsoft and other service providers, if it succeeds.

"Microsoft allegedly betrayed its customers by providing their personal information, without their consent, to the NSA," said Robertson. 

"This would constitute a serious breach of the British Data Protection Act, by an American company putting its allegiance to America above its legal duties to its British customers."

Documents leaked by Snowden reveal that Microsoft assisted the NSA to circumvent the encryption on the email portal, including Microsoft’s popular Hotmail service.

The company also made it easier for the NSA to monitor its cloud storage service, Skydrive, which  has over 250 million users worldwide, and its Skype telephone and video service.

A Microsoft spokesman told Computer Weekly: “We have been notified of an action being filed, and will be responding to it in due course. It would be inappropriate to comment further on the details of an active legal case."

Facebook and Google named

Cahill is seeking damages of £1,000 under the Data Protection Act. He has requested that the county court order Microsoft to reveal the contents of the orders made under the US Foreign Intelligence Surveillance Act (FISA).

He has brought additional actions against Facebook and Google in the UK and their named UK directors. Facebook and Google declined to comment on Cahill's claims brought against them. 

Invasion of privacy

Robertson said breaches of the Data Protection Act should be treated as seriously as the News of the Worldphone hacking case.

"The invasion of privacy, by deliberately declining to obtain a customer’s consent before exposing their personal details to another, deserves to be compensated on the same basis as obtaining personal data by hacking mobile telephones,” Robertson said.

John Hemming, MP for Birmingham Yardley and an IT specialist with expertise in cryptography, supports Robertson’s view.

“I have looked at this issue in some depth and, notwithstanding the fact that they have avoided the question, I do think it is quite clear that US companies may well have broken UK law, and UK law does take precedence in the UK courts, so that would cost them a lot of money,” he said.

Concerns over Parliamentary data

The case has also raised concerns over the security of British parliamentary data, due to plans to use cloud services from Microsoft.

“Parliament proposes to use the cloud for its records in the future. I’m not sure it is right for us to give our data to a company that is controlled by FISA courts in the USA,” said Hemming.

Read more about the Edward Snowden revelations

Monitoring foreign citizens

In principle, the NSA has greater freedom to monitor the communications of overseas citizens than US citizens.

The Foreign Intelligence Surveillance Act (FISA) court ruled that the NSA was required to separate American communications from foreign traffic – or breach the US Constitution’s fourth amendment – in October 2011.

The NSA’s Special Source Operations division refunds Microsoft and other data providers’ for complying with Prism surveillance orders. Prism costs the NSA $20 million per year.

EC seeks data controls

Following Snowden’s revelations, theEuropean Commission (EC) has threatened to freeze data-sharing arrangements with America, if it does not comply with European law. 

The EC has demanded that redress in US courts be accessible to EU citizens whose rights have been infringed. 

Robertson said Cahill was right to bring the case in light of the US government’s agreements with technology companies to harvest data from the internet.

“Customers whose data has been unlawfully transferred should sue them for breach of contract and breach of confidence," Robertson said.

Microsoft had sought permission from the courts to reveal the contents of the orders it received under FISA, the Guardian reported in June 2013.

Read more on Network monitoring and analysis

Data Center
Data Management