This article is part of the series The journey of a file – The risk of US access.

Navigating the transit points of US data jurisdiction

At the end of a year people often look back at the past twelve months (sometimes
with mixed feelings) while looking forward to the year ahead. We are no
different, particularly when viewing our work through the lens of secure data
sharing, digital privacy, and security.

Looking back at 2025, two items were most prominent: the rapid evolution of AI
and the clear shift of the USA from a traditional European ally to a more
transactional power. The influence of the US government on our privacy, combined
with its leverage over the American tech companies we depend on, has forced us
to confront our increasing vulnerabilities.

In relation to our Databeamer product, we began to wonder: at which point in the
entire process of sending a file from one person to another, does the risk of
privacy infringement by the US government (with or without the help of Big Tech)
actually exist? We identified several distinct transit points a file encounters
on its journey. This article describes each of those points, the risks involved
for European citizens, and how to identify more secure alternatives.

For each transit point, we also provide precedent examples to show that these
risks are not merely theoretical; they have already occurred. While some
examples may seem self-evident, seeing these points as a unified whole reveals a
broader, systemic vulnerability. We must recognize that while we cannot
influence every risk, it is wise to act on the elements we can change.

That’s why we at Databeamer support the shift toward European tech solutions. We
have made our core software free from US tech, created a zero-knowledge
encryption flow for our files and messages, and are now progressing toward a
full quantum-proof solution.

American influence

For decades, European businesses operated under a comforting assumption: the
United States is our closest ally, and by extension, their technology is our
technology. We built our digital economy on American foundations (from the chips
in our laptops to the clouds hosting our data) believing our interests were
perfectly aligned.

But the geopolitical winds have shifted. While Europe has long viewed China and
Russia with justifiable caution, we must now confront the reality that the
United States requires a similar level of scrutiny. Over the last few years, the
narrative has moved from partnership to dominance. Whether through the "America
First" doctrine or aggressive trade controls, the US government is increasingly
using its technological supremacy as a geopolitical lever.

Things became explicit in February 2025, starting with the speech by Vice
President J.D. Vance at the Munich Security Conference.
Vance contended that genuine European security is rooted in a government’s
responsiveness to its citizens (particularly regarding immigration) and the
protection of free expression. He sharply critiqued EU institutions,
characterizing their efforts to regulate dissent as a slide toward
totalitarianism. Consequently, he positioned the Trump administration as a
global defender of free speech, pledged to challenge the restrictive
institutional trends emerging in Europe.Regarding free speech, however, the US
position on the RSF World Press Freedom Index tells
a different story: its overall score is in the ‘problematic’ category,
significantly lower than West-European countries and in a state of recent
decline.

While European institutions are arguably more restrictive and legislative, from
a consumer and privacy point of view, this regulation is often a protection. To
Big Tech, however, Europe is a massive market where EU sanctions are seen as a
major obstacle. The year 2025 showed that tech industry leaders have built
significantly closer ties to the US government (highlighted by the "DOGE"
initiative) for mutual benefit. Tech giants seek political help to reduce
regulation and taxes while increasing pressure on the EU and NATO; in return,
the US administration benefits from the infrastructure and global reach of Big
Tech. We saw these leaders standing in prominent positions during the
inauguration in January.

In Europe, the political consequences are already visible. We have seen the US
overrule Dutch export decisions regarding ASML, threaten sanctions against the
International Criminal Court (ICC) in The Hague, and expand surveillance laws
like FISA 702 to capture more data from foreign citizens.
Furthermore, the benefits seem to flow to a small circle around the
administration, making the US appear increasingly like an untrustworthy party
and almost like a kleptocracy. A nice key resource on this
subject is the Kleptocracy Tracker timeline

Additionally, the administration's ties to institutions like the Heritage
Foundation (which has called for the abolishment of the EU )
are cause for alarm. They publicly argue that the transatlantic alliance would
be better off without the EU, claiming the Union undermines US security by
fining tech platforms like X. They openly cooperate with
far-right parties in Europe with the goal of undermining the Union from
within.

Relying on a future change in the White House is a gamble Europe cannot afford
to take. Even if a future Democratic victory occurs, the structural "stickiness"
of the American legal system means that regulations and judicial appointments
cannot be easily undone. While diplomatic relations may eventually soften, the
geopolitical shift toward technological nationalism is likely permanent.

Europe must therefore move beyond reacting to specific U.S. presidents and
instead prioritize its own digital sovereignty. By building independent,
European-led infrastructure, Europe ensures its security is dictated by its own
laws rather than the unpredictable cycles of American domestic politics.

Europe awakes

For European companies and citizens, this poses an uncomfortable question: 'If
the US can exert pressure and decides to actually do so, do you actually own
your data?'

Fortunately, the tide is turning. Europe is waking up from its digital slumber,
as highlighted in the Draghi Report. The era of "technological
naivety," where we assumed the global market would always provide safe, neutral
tools, is effectively over. Brussels and national governments have reached a
turning point, recognizing that strategic autonomy is a fundamental survival
mechanism. Spurred by warnings regarding the continent’s eroding
competitiveness, a renewed political will is working to break the historical
dependency on foreign infrastructure.

This shift represents a strategic pivot from passive regulation toward active
investment. The European narrative is no longer centered solely on constraining
US tech giants, but on building domestic alternatives. By placing digital
sovereignty at the top of the agenda, the European Commission is
driving a new era of local control over data infrastructure.

These ambitions are now being backed by capital. Through initiatives like the
IPCEI-CIS and the Sovereign Tech Fund, way more euros are
being channeled into open-source, decentralized, and strictly European cloud
stacks. This is fueling an ecosystem of innovators that offer viable, compliant
alternatives to global hyperscalers. The message is clear: Europe is no longer
content to be a "digital colony". However, businesses must be wary of
"sovereignty washing" where European providers claim to
be sovereign but remain built on American elements.

While companies like AWS, Google, and Microsoft may not necessarily acting with
malice (they are businesses navigating a tightening legal context) their
constraints become your risks as the US government increasingly uses them as
vessels for political influence. The key is to understand these risks so you can
minimize them or shift to trustworthy European alternatives. You cannot predict
US foreign policy, but you can immunize your data against it.

Two core risks

Relying on US technology across these transit points exposes you to two distinct
risks:

The Access Risk (Snooping)

Using laws like the US CLOUD Act or FISA orders to force data handovers. While
ostensibly used to detect "criminal" activity, the definition of such activity
is increasingly political.

The Shutdown Risk (Kill Switch)

The Office of Foreign Assets Control (OFAC) can prohibit US companies from
providing services to specific entities. As seen with threats against the ICC or
the forced sale of TikTok, this can disconnect an
organization from the digital world overnight.

It’s about the owner, not the server

To be truly secure, a service must not be subject to non-European legislation
like the US CLOUD Act or FISA. These laws compel American companies to hand over
data regardless of where that data physically sits.

The "CLOUD Act" (Clarifying Lawful Overseas Use of Data) is specifically
designed for extraterritorial data extraction. US jurisdiction follows the
owner, not the server. As long as a provider is controlled by an American
Ultimate Beneficial Owner (UBO), US law applies.

The reach of US law is so extensive that the Dutch National Cyber Security
Centre (NCSC) has previously suggested that European companies should avoid
hiring US nationals for sensitive roles to remain strictly outside
the scope of the CLOUD Act. The human element is often the weak link; recent
studies suggest that almost 90% of people will voluntarily consent to
electronic searches if pressed by authorities. If an
employee provides credentials under pressure, the legal firewall crumbles.

Tracking a File: the transit points involved

To clarify where U.S. jurisdictional influence can occur, we followed a file
transfer through every transit point it touches. Yes, there is an overlap with
the layers of the OSI model, but we approached these transit points more as
distinct touch points where legal interference about a file and/or its telemetry
data could take place within the full journey of that file. And keep in mind
that even when a file is claimed as 'securely encrypted', access remains
possible if it isn't strictly zero-knowledge. Without this, the provider stays
in control of the keys, leaving a back door open for jurisdictional overreach.

Throughout this article series, we examine each point in more detail,
incorporating real-world examples and a brief assessment of the associated
risks. Some of these risks may seem obvious or negligible depending on your
technical knowledge, specific situation, and risk tolerance. Our goal is not to
stir alarm, but rather to map out exactly where touchpoints with U.S.
jurisdiction exist in a standard data journey.

Furthermore, it is important to remain mindful of the complexities within our
own borders, including controversial European initiatives such as the UK Online
Safety Act, the proposed CSAM regulation (often called "Chat Control"), and
eIDAS 2.0.

Within this file transfer process, we have identified the following eleven points:

Point 0: Internet network
Point 1: Hardware and OS
Point 2: Company network / remote workspace
Point 3: Identity & Access Management (IAM)
Point 4: File creation & (cloud) storage
Point 5: Encryption certificates
Point 6: Transfer service infrastructure
Point 7: The browser
Point 8: AI & automation
Point 9: Metrics & analytics
Point 10: Corporate ownership & influence

The file transfer scenario

We started our thought process with the following common situation: A Dutch
freelancer sends a project update containing sensitive, copyrighted information
(a large PDF-file) from his Apple laptop to a project manager in Germany working
for a German corporation, using a Microsoft enterprise solution.

Phase 1: Creation of the file (sender side)

Point 1 (Hardware/OS)

The freelancer opens their Apple MacBook (M3 Chip) running macOS 16 (Tahoe). The
Risk: As the OS boots, Apple sends telemetry to the U.S. confirming device
location and user identity. The M3 chip’s "Secure Enclave" is proprietary U.S.
silicon.

Point 7 (Browser) & Point 8 (AI & automation)

The freelancer types the report in Google Docs using Google Chrome. The Risk:
Every keystroke is processed by Google’s servers in real-time. Chrome’s built-in
Gemini AI analyzes the draft to offer grammar suggestions, effectively "reading"
trade secrets before the file is even finished.

Point 4 (File creation & storage) & Point 10 (Corporate ownership)

The freelancer downloads the file as a PDF to their "Documents" folder. The
Risk: Because iCloud Drive is enabled by default the user forgot about this. The
PDF is silently uploaded to Apple’s servers (often hosted on AWS or Google Cloud
infrastructure). The file is now legally subject to the U.S. CLOUD Act.

Phase 2: The transfer

Point 7 (Browser) & Point 5 (Encryption certificates)

The freelancer opens WeTransfer.com in a Chrome browser and uses it to transfer
the file The Risk: Chrome validates the SSL certificate. If the U.S. government
compelled a Certificate Authority to issue a fraudulent key, the encryption
could be bypassed via a "Man-in-the-Middle" attack.

The file is uploaded to WeTransfer. The Risk: While WeTransfer is a European
company, it relies on AWS (Amazon) for its storage infrastructure (S3). The
moment the file is uploaded, it resides on Amazon’s hardware, placing it under
U.S. jurisdictional reach. It may also use AI scanning of the files content when
scanning is not disabled.

Point 0 (Internet Network)

The email notification travels from the freelancer to the Project Manager. The
Risk: Data packets route through Tier-1 backbone providers like Lumen or Cogent.
U.S. intelligence "Upstream" programs can scan this traffic metadata (who is
emailing whom) as it flows through these fiber optic cables.

Phase 3: The reception

Point 2 (Company network) & Point 9 (metrics & analytics)

The Project Manager logs in via a Citrix Workspace session. The Risk: Citrix (a
U.S. company) logs session duration, IP addresses, and application usage. Under
a FISA order, Citrix must hand over logs, revealing exactly when and from where
the manager is working.

Point 3 (Identity & Access Management): The Manager opens Outlook Online to retrieve the link.

The Risk: They authenticate via Microsoft Entra ID. Microsoft generates a log
entry: "User X accessed email Y at 14:03." This metadata allows for the mapping
of the entire corporate hierarchy and communication patterns.

Point 1 (Hardware & OS)

The Manager uses a Lenovo PC running Windows 11. The Risk: Windows 11 telemetry
sends "Pattern of Life" reports to Microsoft. The Intel CPU runs the CSME
(Management Engine), a subsystem that the U.S. government can potentially
access.

Phase 4: The storage & AI scan

Point 7 (The browser) & Point 8 (AI & automation):

The Manager clicks the link in Microsoft Edge and downloads the PDF. The Risk:
As the PDF opens, the Edge Copilot sidebar activates. It scans the decrypted
content of the PDF to offer a summary. The browser sends the file's text to
Microsoft's AI cloud for processing, breaking the confidentiality of the
document.

Point 4 (File Storage)

The Manager saves the file to the company’s "Secure" folder. The Risk: The
folder is synced to OneDrive for Business. The file is now at rest in
Microsoft's cloud, where it is scanned by automated bots for "policy
violations." If the content triggers a specific keyword or sanctioned hash, the
account could be flagged or suspended without warning

A verdict

The file moved from a computer in Amsterdam to a computer in Berlin. Yet, at
every single step the data was processed, stored, or scanned by a US entity
subject to US law. In the following we go a bit deeper into each layer and have
a look at some precedent examples of where access by US government actually
happened.