
We moved our servers to Iceland - classified
https://blog.simpleanalytics.com/why-we-moved-our-servers-to-iceland
======
avar
I'm Icelandic. This person seems to have done more research than most, but
there's a common misconception that Iceland's some sort of Internet freedom
haven. It isn't, and I think most of that came from foreign coverage of the
IMMI back in 2010-ish[1]. That _would_ have made Internet freedom in Iceland
exceptional, but it never passed into law.

Also, you should be careful in paying attention to international reports of
"xyz never happens in Iceland". Yeah maybe it doesn't, but 1/3 million people
live there, it could just be due to the small sample size, not that it's less
likely to happen.

Using Iceland to get away from the Five Eyes? Really? What does this person
think Iceland's undersea network cables are connected to? Unless the traffic
is local to the country it doesn't make a difference in that regard.

[1]
[https://en.wikipedia.org/wiki/Icelandic_Modern_Media_Initiative](https://en.wikipedia.org/wiki/Icelandic_Modern_Media_Initiative)

~~~
AdriaanvRossum
Author here. Thanks for explaining your thoughts as you are Icelandic. Really
appreciate that. It's not too easy to do research in a non-English-speaking
country. I'm not a native English speaker, so forgive the typos.

I wrote this article a few months back and since then some things changed.
Somebody also enlightened me about the cooperation of Iceland with the US
government [1], although no source has been linked. I think governments spying
on data is something you can prevent with strong encryption and keeping the
data out of those countries that are known for it a.k.a. Five Eyes. That's
what we do with our customers' data.

I agree with your statement that "xyz never happens in Iceland" shouldn't be a
reason for choosing a country. I'm still very confident it's better not to put
our servers in any Five Eyes country.

For the speed I do think Iceland is not optimal. See the pings from this
comment [2]. I realized this after moving to Iceland that the speeds were
indeed slower than from Digital Ocean in Amsterdam.

I don't think your argument about the connection with cables is relevant. If
you send your data encrypted it will not be possible to read the packets,
right? Or maybe I don't get your point.

I'm thinking of moving our servers to Germany or The Netherlands. There are a
few downsides with that, for example the environmental impact. We are looking
into other solutions to have no carbon footprint with Simple Analytics [3].

[1]
[https://news.ycombinator.com/item?id=19530972](https://news.ycombinator.com/item?id=19530972)

[2]
[https://news.ycombinator.com/item?id=19528028](https://news.ycombinator.com/item?id=19528028)

[3] [https://simpleanalytics.com](https://simpleanalytics.com)

~~~
Havoc
Did the move get you off the easylist?

~~~
unixhero
Is that a burn? Pretty veiled, lol :)

------
walrus01
It's pretty hilarious he thinks he is outside the reach of the five eyes
agencies. Try this thought experiment. Find the top eight largest Icelandic
ISPs' AS numbers and IP space. Now look at who their BGP peers and transits
are on both sides of the transatlantic submarine cables. And where those
cables land.

~~~
Spearchucker
This is exactly why I moved my personal web site from the US to Germany and
not to Iceland (which was my original plan). The thing of it was that GDPR
provided better protection than no GDPR, and the cables negate any other
benefit anyway. But this of course pre-dated the CLOUD Act which could land
you in jail for complying with either it or GDPR, as one requires you to share
when asked, while the other prohibits it. Data protection needs a lot more
work, and some precedents must be set for enforcing US law in Europe, and of
course vice versa. Happily my server holds only my own data.

~~~
briandear
You moved your website because of Five Eyes? What kind of website is it?

------
jefftk
_> If you draw a straight line from San Francisco to Amsterdam you will cross
Iceland. Simple Analytics has most customers from the US and Europe, so it
makes sense to pick this geographical location._

This doesn't make sense. The normal way to do this is to terminate connections
close to the users, in this case running a server in (or near) the US and a
server in (or near) Europe. You don't have to pick a single point that's
optimal for all users.

But if you are going to pick a single point, Iceland is not the point to pick.
Connections don't follow great circle distance, they follow cables, and
Iceland primarily connects via Europe. Have a look at
[https://www.submarinecablemap.com/](https://www.submarinecablemap.com/) and
you'll see that the only connection West from Iceland takes an indirect route
via Greenland. If you run pings from SF to Amsterdam you'll see lower
latencies than SF to Iceland.

------
ozborn
A lot of the comments are fairly critical, but I think your move was
praiseworthy from the perspective of CO2 emissions alone. You should feel good about
that.

While Iceland may not be a privacy paradise, I still think Icelandic hosted
servers provide a higher barrier than US based servers for government data
collection. The US government has a history of high volume warrant-free
collection of user data - your setup in Iceland appears more resilient to
this approach. However, as others have pointed out, Icelandic hosted systems
are still vulnerable to traffic analysis as well as physical and legal attacks
on servers and key holders. The solutions to these types of problems though
are more political than technical.

~~~
walrus01
> A lot of the comments are fairly critical, but I think your move was
> praiseworthy from the perspective of CO2 emissions alone.

If the goal is low or zero CO2 emissions, there's a number of datacenters in
North America powered from 100% hydroelectric. In British Columbia, Oregon,
central/eastern WA state and in Quebec.

------
moviuro
Missing in title: (March 2019); see:
[https://news.ycombinator.com/item?id=19526521](https://news.ycombinator.com/item?id=19526521)

------
jonnismash
I see a lot of scrutiny in the comments, but the simple fact is that they are
actively trying to secure their users' data to whatever extent they can. This
shows a _great_ form of care from a company and pushes me as a consumer to use
them. Yes Iceland has had reports of letting the US pull drives before. No I
wouldn't think to plant my servers in Iceland. But the fact that they are
considering all of this is a big big + in my opinion.

Most countries who have INTL fiber cables running in/out of them will have a
direct link to a "surveillance" country, but as long as encryption is
sufficient then the data is still relatively secure. And pulling RAM to
inspect the memory is a pretty hard thing to get away from.

I think this is as thoughtful as it gets when considering user and company
privacy.

------
exabrial
This is just a feel-good PR piece unfortunately.

> so we kind of need to trust the hosting provider

If you're worried about someone physically attacking a server to compromise
encryption keys, whether the data center operator is complicit is sorta
redundant. Moving to Iceland isn't going to solve any of the attacks
mentioned.

That being said, hosting in colder climates makes a lot of sense from an
energy usage perspective. I think they should have focused on that first.

------
nodesocket
This all seems moot and a waste of time and energy. They just managed to
significantly increase latency to all their users (in the US and Canada).
Maybe if they bought co-location in Iceland and racked up their servers in a
dedicated cage, ok that makes a little more sense in terms of hardening and
control. However, using what amounts to a shared hosting provider, doesn’t
help mitigate their concerns.

------
notyourday
> so we kind of need to trust the hosting provider

Let me get it straight. The author is waxing about Five Eyes, country-level
attacks, fiber optic taps, etc but brushes off the most direct attack as "we
kind of need to trust the hosting provider?" Now that's the one weird set of
priorities.

------
dangus
> he indeed was correct about the fact the US government is able to access the
> data of our users. At that time, our servers were indeed running on Digital
> Ocean and they could pull out our drive and read our data.

You aren’t encrypting anything?

------
lez
Moving servers out of US is obviously a step in the right direction. However,
it's also understandable if a user wouldn't want to be tracked by 3rd parties,
at all.

Even if there's no 3rd party involved, we've seen NSA tapping onto private
companies' (Google) internal network as well. If any analytics company grows
big enough, it's definitely becoming a target for the NSA.

~~~
MattConfluence
> it's also understandable if a user wouldn't want to be tracked by 3rd
> parties, at all.

For what it's worth, the author claims that Simple Analytics respects the Do
Not Track (DNT) browser setting, so that user would be able to have it his way
without needing to install EasyList. But of course that is something that
requires a degree of trust, and DNT seems to be a failure for the most part,
because of all the other parties that do not respect it.

------
ksec
I remember for some reason Google Analytics had maybe some bad press and then
we have a new era of analytics, Simple was one of them, but they refused to
add aggregate data such as Browsers, Countries of Origin and Devices Info.

So I am surprised to see that they have finally done it.

The other one is Fathom [1], doesn't seem to be in development anymore.

[1] [https://usefathom.com](https://usefathom.com)

------
RocketSyntax
1 internet line into the country, and 1 internet line out. I've asked
Icelandic computer scientists about this at length.

------
asdfman123
This is a random question, but has anyone considered building data centers
just at high elevations to save on cooling?

Maybe that's why there are data centers in Salt Lake City. High elevation,
nearby talent pool, relatively central to the US.

~~~
djhaskin987
I live in Utah County, approximately 40 minutes south of Salt Lake City. I
live less than 20 minutes away from Eagle Mountain, where they are going to
build a new Facebook data center, and less than 20 minutes away from a rather
large NSA data center installation in Bluffdale. We also have C7 and Rackspace
10s of minutes north of me and Adobe HQ 10 minutes away as well.

I don't know why people use Salt Lake City as a location for data centers in
the sense of it's cheaper to cool. We are high elevation, but we are a
high-elevation desert. It's usually pretty hot here. We have winters, true, and
it's way dry here, but the winters are rather mild, especially compared to
places like Wisconsin or Chicago, where I am originally from. It must be
because of cheap electricity and/or tax laws. We have a lot of wind power
here, and some coal power as well. One thing's for sure: cooling isn't why
they build datacenters here. I have no idea why but I'm not complaining either
:)

~~~
jdsully
The lower the humidity the more efficient evaporative cooling is. These data
centers don’t use traditional AC.

~~~
yellowapple
This is, as it so happens, why we sweat "more" in higher humidity (given a
constant temperature relative to a non-humid atmosphere), and why humidity
adds to perceived temperature. We're actually still sweating either way, but
when the air's already humid there's nowhere for that sweat to go, so it stays
on your body (and with it, the heat it was supposed to wick away).

------
yellowapple
I use 1984 for my mail server and I've been pretty happy with them. Decent
pricing, and they support OpenBSD on their VPS offerings (which is perfect
since OpenSMTPD + Dovecot is my preferred mail stack).

------
Trias11
Someone suggested the approach on how to choose the best location, best
services, best apps, best encryption for privacy and anonymity:

Research what pedophiles, drug dealers and terrorists are using and use that

------
underdog789
> "Another advantage from moving to Iceland is the climate and location of the
> country. Servers produce a lot of heat and Reykjavík (Iceland’s capital,
> where most data centers are located) is on average 40.41°F (4.67°C), meaning
> it’s a great location to cool down the servers. For each watt used to run
> servers, storage and network equipment, proportionally very little is used
> for cooling, lighting and other overhead. "

Am I the one not understanding heat transfer? Because if companies follow
suit and this is done at scale, good luck with the rising temperatures,
Iceland.

~~~
superhuzza
Are you suggesting that a bunch of data centres will noticeably increase the
temperature of Iceland?

That seems pretty unrealistic - think about the scale of energy that would
require.

------
vkaku
I should consider moving my stuff over too

------
avodonosov
Was he removed from EasyList?

This may be difficult, from the cases I know.

~~~
aeyes
[https://github.com/easylist/easylist/pull/1855](https://github.com/easylist/easylist/pull/1855)

The PR to add the site to EasyList never went through, it currently isn't in
EasyList and never was.

~~~
dwild
If you follow the pull request, you'll see a commit has been done to add it to
the easyprivacy list for tracking servers though.

It is still there:

[https://github.com/easylist/easylist/blob/master/easyprivacy/easyprivacy_trackingservers.txt#L2002](https://github.com/easylist/easylist/blob/master/easyprivacy/easyprivacy_trackingservers.txt#L2002)

------
dotdi
I applaud your efforts and I have to say that this moves simpleanalytics quite
high up my "in case I need analytics" list.

------
JimWestergren
How does my Redistats hold up in the public scrutiny of the HN crowd?
[https://redistats.com/privacy-policy](https://redistats.com/privacy-policy)

