This article is part of a series: The journey of a file - The risk of US access.
- Introduction
- Part 1: Internet Network & Hardware and OS
- Part 2: Company network & Identity
- Part 3: Cloud storage & Encryption certificates (Coming Soon)
- Part 4: Transfer service infrastructure & Browsers (Coming Soon)
- Part 5: AI, automation, metrics & Corporate ownership (Coming Soon)
Navigating the transit points of US data jurisdiction
At the end of a year people often look back at the past twelve months (sometimes with mixed feelings) while looking forward to the year ahead. We are no different, particularly when viewing our work through the lens of secure data sharing, digital privacy, and security.
Looking back at 2025, two items were most prominent: the rapid evolution of AI and the clear shift of the USA from a traditional European ally to a more transactional power. The influence of the US government on our privacy, combined with its leverage over the American tech companies we depend on, has forced us to confront our increasing vulnerabilities.
In relation to our Databeamer product, we began to wonder: at which point in the entire process of sending a file from one person to another, does the risk of privacy infringement by the US government (with or without the help of Big Tech) actually exist? We identified several distinct transit points a file encounters on its journey. This article describes each of those points, the risks involved for European citizens, and how to identify more secure alternatives.
For each transit point, we also provide precedent examples to show that these risks are not merely theoretical; they have already occurred. While some examples may seem self-evident, seeing these points as a unified whole reveals a broader, systemic vulnerability. We must recognize that while we cannot influence every risk, it is wise to act on the elements we can change.
That’s why we at Databeamer support the shift toward European tech solutions. We have made our core software free from US tech, created a zero-knowledge encryption flow for our files and messages, and are now progressing toward a full quantum-proof solution.
American influence
For decades, European businesses operated under a comforting assumption: the United States is our closest ally, and by extension, their technology is our technology. We built our digital economy on American foundations (from the chips in our laptops to the clouds hosting our data) believing our interests were perfectly aligned.
But the geopolitical winds have shifted. While Europe has long viewed China and Russia with justifiable caution, we must now confront the reality that the United States requires a similar level of scrutiny. Over the last few years, the narrative has moved from partnership to dominance. Whether through the “America First” doctrine or aggressive trade controls, the US government is increasingly using its technological supremacy as a geopolitical lever.
Things became explicit in February 2025, starting with the speech by Vice President J.D. Vance at the Munich Security Conference. Vance contended that genuine European security is rooted in a government’s responsiveness to its citizens (particularly regarding immigration) and the protection of free expression. He sharply critiqued EU institutions, characterizing their efforts to regulate dissent as a slide toward totalitarianism. Consequently, he positioned the Trump administration as a global defender of free speech, pledged to challenge the restrictive institutional trends emerging in Europe. Regarding free speech, however, the US position on the RSF World Press Freedom Index tells a different story: its overall score is in the ‘problematic’ category, significantly lower than West-European countries and in a state of recent decline.
While European institutions are arguably more restrictive and legislative, from a consumer and privacy point of view, this regulation is often a protection. To Big Tech, however, Europe is a massive market where EU sanctions are seen as a major obstacle. The year 2025 showed that tech industry leaders have built significantly closer ties to the US government (highlighted by the “DOGE” initiative) for mutual benefit. Tech giants seek political help to reduce regulation and taxes while increasing pressure on the EU and NATO; in return, the US administration benefits from the infrastructure and global reach of Big Tech. We saw these leaders standing in prominent positions during the inauguration in January.
In Europe, the political consequences are already visible. We have seen the US overrule Dutch export decisions regarding ASML, threaten sanctions against the International Criminal Court (ICC) in The Hague, and expand surveillance laws like FISA 702 to capture more data from foreign citizens. Furthermore, the benefits seem to flow to a small circle around the administration, making the US appear increasingly like an untrustworthy party and almost like a kleptocracy. A useful resource on this subject is the Kleptocracy Tracker timeline.
Additionally, the administration’s ties to institutions like the Heritage Foundation (which has called for the abolishment of the EU) are cause for alarm. They publicly argue that the transatlantic alliance would be better off without the EU, claiming the Union undermines US security by fining tech platforms like X. They openly cooperate with far-right parties in Europe with the goal of undermining the Union from within.
Relying on a future change in the White House is a gamble Europe cannot afford to take. Even if a future Democratic victory occurs, the structural “stickiness” of the American legal system means that regulations and judicial appointments cannot be easily undone. While diplomatic relations may eventually soften, the geopolitical shift toward technological nationalism is likely permanent.
Europe must therefore move beyond reacting to specific U.S. presidents and instead prioritize its own digital sovereignty. By building independent, European-led infrastructure, Europe ensures its security is dictated by its own laws rather than the unpredictable cycles of American domestic politics.
Europe awakes
For European companies and citizens, this poses an uncomfortable question: ‘If the US can exert pressure and decides to actually do so, do you actually own your data?’
Fortunately, the tide is turning. Europe is waking up from its digital slumber, as highlighted in the Draghi Report. The era of “technological naivety,” where we assumed the global market would always provide safe, neutral tools, is effectively over. Brussels and national governments have reached a turning point, recognizing that strategic autonomy is a fundamental survival mechanism. Spurred by warnings regarding the continent’s eroding competitiveness, a renewed political will is working to break the historical dependency on foreign infrastructure.
This shift represents a strategic pivot from passive regulation toward active investment. The European narrative is no longer centered solely on constraining US tech giants, but on building domestic alternatives. By placing digital sovereignty at the top of the agenda, the European Commission is driving a new era of local control over data infrastructure.
These ambitions are now being backed by capital. Through initiatives like the IPCEI-CIS and the Sovereign Tech Fund, far more euros are being channeled into open-source, decentralized, and strictly European cloud stacks. This is fueling an ecosystem of innovators that offer viable, compliant alternatives to global hyperscalers. The message is clear: Europe is no longer content to be a “digital colony”. However, businesses must be wary of “sovereignty washing”, where European providers claim to be sovereign but remain built on American elements.
While companies like AWS, Google, and Microsoft may not necessarily be acting with malice (they are businesses navigating a tightening legal context), their constraints become your risks as the US government increasingly uses them as vessels for political influence. The key is to understand these risks so you can minimize them or shift to trustworthy European alternatives. You cannot predict US foreign policy, but you can immunize your data against it.
Two core risks
Relying on US technology across these transit points exposes you to two distinct risks:
The Access Risk (Snooping)
Using laws like the US CLOUD Act or FISA orders to force data handovers. While ostensibly used to detect “criminal” activity, the definition of such activity is increasingly political.
The Shutdown Risk (Kill Switch)
The Office of Foreign Assets Control (OFAC) can prohibit US companies from providing services to specific entities. As seen with threats against the ICC or the forced sale of TikTok, this can disconnect an organization from the digital world overnight.
It’s about the owner, not the server
To be truly secure, a service must not be subject to non-European legislation like the US CLOUD Act or FISA. These laws compel American companies to hand over data regardless of where that data physically sits.
The “CLOUD Act” (Clarifying Lawful Overseas Use of Data) is specifically designed for extraterritorial data extraction. US jurisdiction follows the owner, not the server. As long as a provider is controlled by an American Ultimate Beneficial Owner (UBO), US law applies.
The reach of US law is so extensive that the Dutch National Cyber Security Centre (NCSC) has previously suggested that European companies should avoid hiring US nationals for sensitive roles to remain strictly outside the scope of the CLOUD Act. The human element is often the weak link; recent studies suggest that almost 90% of people will voluntarily consent to electronic searches if pressed by authorities. If an employee provides credentials under pressure, the legal firewall crumbles.
Tracking a File: the transit points involved
To clarify where U.S. jurisdictional influence can occur, we followed a file transfer through every transit point it touches. There is some overlap with the layers of the OSI model, but we treat these transit points as distinct touchpoints where legal interference with a file and/or its telemetry data could take place during the full journey of that file. Keep in mind that even when a file is claimed to be ‘securely encrypted’, access remains possible if the encryption isn’t strictly zero-knowledge. Without zero-knowledge encryption, the provider stays in control of the keys, leaving a back door open for jurisdictional overreach.
Throughout this article series, we examine each point in more detail, incorporating real-world examples and a brief assessment of the associated risks. Some of these risks may seem obvious or negligible depending on your technical knowledge, specific situation, and risk tolerance. Our goal is not to stir alarm, but rather to map out exactly where touchpoints with U.S. jurisdiction exist in a standard data journey.
Furthermore, it is important to remain mindful of the complexities within our own borders, including controversial European initiatives such as the UK Online Safety Act, the proposed CSAM regulation (often called “Chat Control”), and eIDAS 2.0.
Within this file transfer process, we have identified the following eleven points:
- Point 0: Internet network
- Point 1: Hardware and OS
- Point 2: Company network / remote workspace
- Point 3: Identity & Access Management (IAM)
- Point 4: File creation & (cloud) storage
- Point 5: Encryption certificates
- Point 6: Transfer service infrastructure
- Point 7: The browser
- Point 8: AI & automation
- Point 9: Metrics & analytics
- Point 10: Corporate ownership & influence
The file transfer scenario
We started our thought process with the following common situation: A Dutch freelancer sends a project update containing sensitive, copyrighted information (a large PDF file) from his Apple laptop to a project manager in Germany working for a German corporation, using a Microsoft enterprise solution.
Phase 1: Creation of the file (sender side)
Point 1 (Hardware/OS)
The freelancer opens their Apple MacBook (M3 Chip) running macOS 16 (Tahoe). The Risk: As the OS boots, Apple sends telemetry to the U.S. confirming device location and user identity. The M3 chip’s “Secure Enclave” is proprietary U.S. silicon.
Point 7 (Browser) & Point 8 (AI & automation)
The freelancer types the report in Google Docs using Google Chrome. The Risk: Every keystroke is processed by Google’s servers in real-time. Chrome’s built-in Gemini AI analyzes the draft to offer grammar suggestions, effectively “reading” trade secrets before the file is even finished.
Point 4 (File creation & storage) & Point 10 (Corporate ownership)
The freelancer downloads the file as a PDF to their “Documents” folder. The Risk: iCloud Drive is enabled by default, and the user forgot about this. The PDF is silently uploaded to Apple’s servers (often hosted on AWS or Google Cloud infrastructure). The file is now legally subject to the U.S. CLOUD Act.
Phase 2: The transfer
Point 7 (Browser) & Point 5 (Encryption certificates)
The freelancer opens WeTransfer.com in a Chrome browser and uses it to transfer the file. The Risk: Chrome validates the SSL certificate. If the U.S. government compelled a Certificate Authority to issue a fraudulent certificate, the encryption could be bypassed via a “Man-in-the-Middle” attack.
The file is uploaded to WeTransfer. The Risk: While WeTransfer is a European company, it relies on AWS (Amazon) for its storage infrastructure (S3). The moment the file is uploaded, it resides on Amazon’s hardware, placing it under U.S. jurisdictional reach. The service may also apply AI scanning to the file’s content when scanning is not disabled.
Point 0 (Internet Network)
The email notification travels from the freelancer to the Project Manager. The Risk: Data packets route through Tier-1 backbone providers like Lumen or Cogent. U.S. intelligence “Upstream” programs can scan this traffic metadata (who is emailing whom) as it flows through these fiber optic cables.
Phase 3: The reception
Point 2 (Company network) & Point 9 (Metrics & analytics)
The Project Manager logs in via a Citrix Workspace session. The Risk: Citrix (a U.S. company) logs session duration, IP addresses, and application usage. Under a FISA order, Citrix must hand over logs, revealing exactly when and from where the manager is working.
Point 3 (Identity & Access Management)
The Manager opens Outlook Online to retrieve the link. The Risk: They authenticate via Microsoft Entra ID. Microsoft generates a log entry: “User X accessed email Y at 14:03.” This metadata allows for the mapping of the entire corporate hierarchy and communication patterns.
Point 1 (Hardware & OS)
The Manager uses a Lenovo PC running Windows 11. The Risk: Windows 11 telemetry sends “Pattern of Life” reports to Microsoft. The Intel CPU runs the CSME (Management Engine), a subsystem that the U.S. government can potentially access.
Phase 4: The storage & AI scan
Point 7 (The browser) & Point 8 (AI & automation)
The Manager clicks the link in Microsoft Edge and downloads the PDF. The Risk: As the PDF opens, the Edge Copilot sidebar activates. It scans the decrypted content of the PDF to offer a summary. The browser sends the file’s text to Microsoft’s AI cloud for processing, breaking the confidentiality of the document.
Point 4 (File Storage)
The Manager saves the file to the company’s “Secure” folder. The Risk: The folder is synced to OneDrive for Business. The file is now at rest in Microsoft’s cloud, where it is scanned by automated bots for “policy violations.” If the content triggers a specific keyword or sanctioned hash, the account could be flagged or suspended without warning.
A verdict
The file moved from a computer in Amsterdam to a computer in Berlin. Yet at every single step, the data was processed, stored, or scanned by a US entity subject to US law. In what follows, we go a bit deeper into each layer and look at some precedent examples where access by the US government actually happened.
