VIENNA/BRUSSELS (Reuters) - Europeans reacted angrily on Friday to revelations that U.S. authorities had tapped the servers of Internet companies for personal data, saying such activity confirmed their worst fears about American Web giants’ reach and showed tighter regulations were needed.
The Washington Post and the Guardian newspapers aroused broad outrage with reports that the National Security Agency (NSA) and the FBI had accessed central servers of Google, Facebook and other big Internet companies and gathered millions of phone users’ data.
Europe has long yearned to contain the power of the U.S. titans that dominate the Internet, and privacy-focused Germany was quick to condemn the companies’ co-operation with the U.S. security services.
“The U.S. government must provide clarity regarding these monstrous allegations of total monitoring of various telecommunications and Internet services,” said Peter Schaar, German data protection and freedom of information commissioner.
“Statements from the U.S. government that the monitoring was not aimed at U.S. citizens but only against persons outside the United States do not reassure me at all,” he said.
The Washington Post said the secret program involving the Internet companies, code-named PRISM and established under President George W. Bush, had seen “exponential growth” during the past several years under Barack Obama.
Some of the companies named in the article have denied the government had “direct access” to their central servers.
On Friday, two of Silicon Valley’s elite chief executives spoke out against the potentially damaging allegations, defending their companies’ track records.
Google’s Larry Page and Facebook’s Mark Zuckerberg, in separate blog posts on their company blogs, strenuously objected to the reports and said they had never heard of a program called PRISM before Thursday.
“Press reports that suggest that Google is providing open-ended access to our users’ data are false, period,” Page wrote in a post co-authored with the company’s Chief Legal Officer David Drummond entitled “What the...?”
Zuckerberg said that Facebook is not part of any program giving the U.S. government direct access to its servers and that it had never received a “blanket request or court order” from any government agency asking for information or “metadata” in bulk.
Nevertheless, the justice minister for the German state of Hesse, Joerg-Uwe Hahn, called for a boycott of the companies involved.
“I am amazed at the flippant way in which companies such as Google and Microsoft seem to treat their users’ data,” he told the Handelsblatt newspaper. “Anyone who doesn’t want that to happen should switch providers.”
The European Union has struggled to assert its citizens’ rights to privacy in the United States for nearly a decade.
Transatlantic agreements on sharing the financial and travel data of European citizens have taken years to complete, and the European Union is now trying to modernize an almost 20-year-old privacy law to strengthen Europeans’ rights.
Fears about the security of data held on U.S. servers have already been a major factor in slow European adoption of “cloud” computing services, in which computing-intensive applications are done by independent service providers in large server farms accessed by the Internet.
The U.S. Patriot Act, signed into law after the September 11, 2001, attacks on the country, gave U.S. intelligence agencies significant new powers of data surveillance and had been a focal point of resistance.
“You hear more concerns in Europe than in the U.S., about the Patriot Act in particular. PRISM just enhances those concerns,” said Mark Watts, a partner in London law firm Bristows specializing in privacy and data compliance.
“The main players that are mentioned are much more on the consumer cloud end ... but it may be that emotionally it adds to the concerns about U.S. cloud providers,” said Watts, whose clients include several large U.S. Internet firms.
Cloud services accounted for $16.1 billion in revenues in Western Europe last year, according to IT research firm Gartner, less than half the $32.9 billion generated in North America.
Europe has tried to protect its citizens by imposing restrictions on the export of data to third countries without strong data protection laws, which can include the United States - but Bristows’ Watts said these were easy to get around.
European Justice Commissioner and Vice President Vivian Redding said: “This case shows that a clear legal framework for the protection of personal data is not a luxury or constraint but a fundamental right.”
Reding, who has been trying to push through an update to Europe’s data protection laws for 18 months, noted that EU government leaders meeting in the European Council had been able to agree the Data Retention Directive relatively quickly.
Their action on the 2006 directive, which stipulates that phone and Internet companies must store records to help in fighting serious crime, showed they could act fast when limiting civil liberties.
“It is time for the Council to prove it can act with the same speed and determination on a file which strengthens such rights,” she said in an emailed statement.
Some of Europe’s difficulties in combating perceived data abuses arise from the fact that many European governments look with envy at the U.S. security services’ powers.
Britain is trying to strengthen its already powerful monitoring capabilities by bringing in what critics say would be the West’s most far-reaching surveillance laws.
The Guardian reported on Friday that Britain’s eavesdropping and security agency, GCHQ, had been secretly gathering intelligence from PRISM and had access to the system since at least June 2010.
GCHQ said in an emailed statement to Reuters: “Our work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorized, necessary and proportionate.”
Mikko Hypponen, chief research officer at Finnish software security firm F-Secure, said outrage was the appropriate response to the U.S. revelations.
“What we have in our hands now is the first concrete proof of U.S.-based high-tech companies participating with the NSA in wholesale surveillance on us, the rest of the world, the non-American, you and me,” he said.
But he added there was little that individuals could do, with precious few alternatives to the popular services offered by U.S. firms Facebook, Google or Apple.
“The long term solution is that Europe should have a dot.com industry just like the United States, which would give us economic benefits but more importantly would make us independent of the wholesale surveillance of the U.S. intelligence agencies.”
Additional reporting by Harro Ten Wolde in Frankfurt, Paul Sandle and Michael Holden in London and Alexei Oreskovic in San Francisco; Editing by David Stamp and Philip Barbara