Britain's three spy agencies have turned to American company Amazon to host top-secret material on its cloud platform.

UK’s signals intelligence group GCHQ will use Amazon Web Services the most, while national security agency MI5, foreign intelligence service MI6, and other departments including the Ministry of Defence will use AWS during joint operations.

The secret contract was first reported by The Financial Times, but no details have been publicly revealed. Estimates place the contract at between £500m and £1bn over the next decade.

GCHQ's headquarters. Image courtesy of the Creative Commons
– Ministry of Defence

Can the US access the data?

The agencies’ data will be held in Britain, in Amazon data centers. The new cloud contract will allow spies to share data internally more easily, and use AI to recognize and translate speech. It will also allow GCHQ, MI5, and MI6 to conduct faster searches on each other’s databases, the Financial Times reports.

“This is yet another worrying public-private partnership, agreed in secret,” Gus Hosein, executive director of Privacy International, told the publication.

“If this contract goes through, Amazon will be positioned as the go-to cloud provider for the world’s intelligence agencies. Amazon has to answer for itself which countries’ security services it would be prepared to work for.”

Amazon scored its first big surveillance contract back in 2013, with the CIA. The $600 million deal was followed by dozens of other US military and surveillance contracts, although the CIA is now preparing to hand out billions to a wider consortium comprising AWS, Microsoft, Google, Oracle, and IBM.

In 2020, General Keith Alexander, a former head of the US National Security Agency (NSA) joined Amazon's board of directors.

During his time at the NSA Alexander is best known for building the global mass surveillance network that tapped the networks of Google, Microsoft, Yahoo, and Facebook, among others, which was exposed by whistleblower Edward Snowden in 2013. Alexander also misled the House Intelligence Committee when asked whether his agency was involved in warrantless wiretapping.

A year after Alexander joined Amazon, the cloud company won a secret $10 billion contract from the NSA - a contract which Microsoft is trying to scupper.

The UK's intelligence agencies have reportedly claimed that Amazon will have no access to data, although the company may be able to glean some information from usage habits.

It is not clear if the data is covered under the Clarifying Lawful Overseas Use of Data Act or CLOUD Act, a US law which could theoretically allow federal law enforcement to demand the UK data. Under CLOUD, US agencies can compel US-based technology companies to provide requested data stored on their servers, regardless of whether the data are stored in the US or on foreign soil.

No local cloud?

Apparently the agencies chose to use the services of a foreign provider because the UK has no cloud provider of its own. They could have turned to smaller European cloud providers like OVHcloud - although the deal would have been worth nearly a quarter of OVH's market cap.

European governments, which were spied on by both the NSA and GCHQ, have historically been less trusting of US cloud providers - with Germany's data watchdog speaking out against federal use of AWS.

This year, France passed stringent sovereignty requirements for state and critical infrastructure, restricting where government agencies could put their data. To get around it whilst still offering the technology of better-funded US providers, Capgemini and Orange plan to set up 'Bleu.' This will offer Microsoft Azure and 365 cloud services, but with Capgemini and Orange in control of the data centers, which will be kept separate from the wider Azure infrastructure. The sites will be operated entirely by Bleu staff, in France.

This is a similar approach to an attempt by Microsoft in 2015 to allow German customers to evade US access to their data through a deal whereby Deutsche Telekom would manage those customers. The scheme failed and was quietly closed down.

The wider EU hopes to knit together a patchwork of local offerings, and European-law-abiding-foreign-businesses, under the Gaia-X cloud banner.

Get a weekly roundup of EMEA news, direct to your inbox.