Has the U.S. Built the World's Largest Spy Network?

Functionally? Yes – and it is massive.

Most people think of surveillance as satellites and spies. But the real power move is legal access to data, and the U.S. has architected a system that makes American cloud and tech firms a global collection grid.

This isn’t just about intelligence agencies. It’s about how U.S. laws intersect with the global dominance of American tech. Let’s break it down.

Three companies — Amazon (AWS), Microsoft (Azure), and Google — own 68% of the global public cloud market. That means most of the world’s digital infrastructure runs on U.S. platforms. Many other U.S. companies build on these services to handle your financial transactions, document storage, bookkeeping, banking, contracts, legal advice, medical data and endless other services. A short list is here:

In Q2 2025:

Whether you're a European startup, an African NGO, or an Asian government agency, chances are some part of your digital operations flows through U.S.-controlled platforms.

A common assumption is: “If our data is stored in Europe, we’re safe from U.S. jurisdiction.” Not true.

The CLOUD Act lets U.S. authorities compel American tech companies to hand over data they “control,” even if that data sits on servers in Dublin, Frankfurt, or Singapore.

Example: A U.S. warrant served in California can require Microsoft to hand over emails stored in Ireland, as long as Microsoft has access and control. This exact issue triggered the Microsoft-Ireland case, but the CLOUD Act resolved it by giving U.S. law extraterritorial reach.

It’s not just the company — it’s the people too.

If you hire a U.S. systems admin working remotely from New York, and they have credentials to your European systems, a U.S. court can compel them to assist in accessing that data. That’s because U.S. law focuses on “possession, custody, or control”, not geography.

You Likely Will Never Know It Happened!

U.S. courts can issue nondisclosure orders (gag orders) that bar cloud providers from telling you your data was accessed. While recent rulings have narrowed their scope, targeted secrecy remains legal and routine.

Bottom line: Access can happen behind your back, and legally so.

Intelligence Collection Runs in Parallel

This isn't just about law enforcement. U.S. intelligence agencies operate under FISA Section 702, which lets them target non-U.S. persons abroad — with help from service providers. The definition of “provider” includes not just companies, but their staff, agents, and even custodians.

This law was reauthorized in April 2024 and stays in effect until April 2026. It’s a separate, classified channel of compelled access.

Can the U.S. Compel Its Citizens Abroad?

Yes. If you're a U.S. national living in another country, courts can subpoena you under 28 U.S.C. § 1783 to produce documents or testify — and enforce it via contempt. Physical presence abroad doesn't shield you.

What About “Sovereign” Cloud?

Microsoft’s EU Data Boundary is often cited as a privacy solution. It keeps storage and processing within the EU, reducing routine data movement. That’s helpful for compliance and optics.

But legally, it doesn’t block U.S. demands. At a French Senate hearing in June 2025, Microsoft France’s legal director couldn’t guarantee that EU-stored data wouldn’t be handed over to U.S. authorities if compelled.

As long as a U.S. entity holds control, storing data in-region doesn’t reduce how much of it can be compelled. The geography may change — the legal risk doesn’t.

Compliance ≠ Control

Many companies focus on “paper compliance”: model clauses, certifications, and documentation that say they’re protecting data.

But real-world outcomes depend on control:

If a U.S. provider or person ultimately controls access, then the data is within U.S. legal reach no matter where it lives. The only durable solution is removing U.S. control altogether.

The U.S. hasn’t built the world’s largest spy network by hiding in the shadows. It’s done it by being the backbone of global tech and writing laws that treat control as more important than location.

If you’re a global business, policymaker, or technologist, this isn’t someone else’s problem. It’s a strategic risk you need to understand.

References:

Synergy Research Group, “Q2 Cloud Market Nears $100 Billion Milestone,” 31 Jul 2025 https://www.srgresearch.com/articles/q2-cloud-market-nears-100-billion-milestone-and-its-still-growing-by-25-year-over-year

18 U.S.C. § 2713 (CLOUD Act extraterritorial production) https://www.law.cornell.edu/uscode/text/18/2713

United States v. Microsoft Corp., No. 17‑2 (Apr. 17, 2018) (moot after CLOUD Act) https://www.supremecourt.gov/opinions/17pdf/17-2_1824.pdf

FRCP Rule 34 (possession, custody, or control) https://www.law.cornell.edu/rules/frcp/rule_34

18 U.S.C. § 2703(h) (CLOUD Act comity analysis, Congress.gov) https://www.congress.gov/bill/115th-congress/senate-bill/2383/text

18 U.S.C. § 2705(b) (SCA nondisclosure orders) https://www.law.cornell.edu/uscode/text/18/2705

In re Sealed Case, No. 24‑5089 (D.C. Cir. July 18, 2025) (limits omnibus gags) https://media.cadc.uscourts.gov/opinions/docs/2025/07/24-5089-2126121.pdf

50 U.S.C. § 1881a (FISA § 702 procedures) https://www.law.cornell.edu/uscode/text/50/1881a

50 U.S.C. § 1881(b)(4) (ECSP definition includes officers, employees, custodians, agents) https://www.law.cornell.edu/uscode/text/50/1881

PCLOB, Section 702 Oversight Project page (RISAA reauth and April 19, 2026 sunset) https://www.pclob.gov/OversightProjects/Details/20

28 U.S.C. § 1783 (subpoena of US nationals abroad) and § 1784 (contempt) https://www.law.cornell.edu/uscode/text/28/1783 https://www.law.cornell.edu/uscode/text/28/1784

Microsoft, “What is the EU Data Boundary?” https://learn.microsoft.com/en-us/privacy/eudb/eu-data-boundary-learn

Microsoft, “Continuing data transfers that apply to all EU Data Boundary services” https://learn.microsoft.com/en-us/privacy/eudb/eu-data-boundary-transfers-for-all-services

French Senate hearing notice: “Commande publique : audition de Microsoft,” 10 Jun 2025 https://www.senat.fr/actualite/commande-publique-audition-de-microsoft-5344.html

Coverage of the hearing (example): The Register, “Microsoft exec admits it ‘cannot guarantee’ data sovereignty,” 25 Jul 2025 https://www.theregister.com/2025/07/25/microsoft_admits_it_cannot_guarantee/