

A public cloud taking a stand against government intrusion - mvip
http://www.cloudsigma.com/en/blog/2013/06/27/55-your-data-and-privacy-with-cloudsigma

======
B0Z
_Again, we are not the police and not a court of law. Authorities can and do
require access to customer data from time to time in a way justified by local
law; we comply with the law in those cases._

Really?! And what are you suggesting your principled stance is going to be
when they shove a law in your face that violates and contradicts another law
or an edict or the US Constitution you grew up believing was sacrosanct?

The problem is that they make any law they want to make, then keep it secret.
Then they enforce the law they just made, forcing you into a position where
you either have to give them the middle finger or subject your business to the
possibility of being shut down - legally. Should you decide you want to
challenge the enforcement of a law you believe is illegal, on behalf of one of
your customers, you can't tell the press, you can't have an open proceeding in
view of public scrutiny, and you can't inform your customer of the challenge.
When the ruling eventually comes down (from a court who's sworn to as much
secrecy as the agency you were fighting), you aren't even allowed to share
_that_ with anyone either.

I applaud what you probably believe is a line in the sand. But we can't even
get to the real debate of privacy until we are allowed to challenge the very
instruments that lay claim to authority over us... in public. It's that
simple.

~~~
h0w412d
That's exactly why the users can no longer trust the service or the government
to do right by them. Client-side encryption is the only way to be sure your
rights aren't being trampled.

------
jdp23
Excellent points. One other thing I'd like to see is a commitment to notify
customers to the extent permitted by any court orders and to fight for
additional notification rights (as Twitter has done).

 _We have set-up our corporate structure so that each cloud location is
managed by a local company and therefore subject only to that jurisdiction
(our holding company is Swiss and unlike US holding companies it has no
concept of extra-territorial jurisdiction, if that were to change, we 'd
change holding company, it is that simple)._

IANAL, but this seems a very significant point. However, I wonder if the US
claims jurisdiction on the parent company if there's a US-based subsidiary?

~~~
cloudsigma
The Patriot act has provisions that can potentially be applied to subsidiaries
of US companies abroad but not vice versa. If you think about it it would mean
shareholders of companies could be pursued globally under US law just for
owning shares in a US company. It's all around a bad situation right now with
conflicting sets of rules and that's without a doubt.

~~~
jdp23
Thanks for te clarification!

------
jholman
Of course, the majority of these feature are shared by most or all of the very
"biggest competitor" cloud providers they are comparing themselves with, and
in many cases more effectively than this tiny company possibly can. So that's
a bit misleading, to claim these as competitive advantages.

The corporate structure point is interesting, but I'm skeptical about its
legal efficacy.

The part that's most interesting to me is the part of #1 where they say "sole
root/administrative access" and "we have no file system level access". Is this
actually technically possible, given that it's not just storage (obligatory
props to Tarsnap!), but actual computing? I mean, I know that there are
encryption schemes that allow you to do certain particular kinds of
transformation on the encrypted data without unencrypting it... but isn't it
impossible to do what they say, run a generalized IaaS/PaaS, without being
able to see your data?

In summary, is there a single competitive advantage here this is all of

    
    
        * actually a competitive difference, and
        * is actually possible, and
        * actually has any effect
    
    ?

~~~
zimbatm
If the "biggest competitor"'s head quarter is in the US then yes, they have a
competitive advantage. If you're using Amazon or Microsoft then they can be
compelled to have over your EU data.
[http://www.zdnet.com/blog/igeneration/microsoft-admits-
patri...](http://www.zdnet.com/blog/igeneration/microsoft-admits-patriot-act-
can-access-eu-based-cloud-data/11225)

------
IceyEC
The blog post claims that they only accept https on a page that is not served
over https:
[https://www.evernote.com/shard/s120/sh/e57bad7c-811d-4632-ad...](https://www.evernote.com/shard/s120/sh/e57bad7c-811d-4632-adaf-1bc2eb492cd5/2d5ac67eef5c1c3f8380ad9bd40de74c)

------
known
[http://prism-break.org/](http://prism-break.org/)

------
dvmmh
...and the NSA has tapped into every strand of fiber in the world making this
sales pitch meaningless. They already have access. They only request access to
allow what they already know to be admissible in the courts.

~~~
zhemao
If CloudSigma is using SSL with forward secrecy, tapping the fiber would be
pretty useless.

Unless you're suggesting the NSA has compromised CloudSigma's internal
network, which is possible.

~~~
cloudsigma
we do use forward secrecy for all our client facing services and of course
accept https only. we are also looking at upgrading from 128bit to either
256bit or even 512bit to offer a further 'extended runway' against future
direct decryption :)

------
pakostnika
Great!

