
U.S. Cloud Act is raising concern about extraterritoriality - DyslexicAtheist
https://www.bloomberg.com/news/articles/2019-02-24/huawei-frightens-europe-s-data-protectors-america-does-too
======
mcv
I think this CLOUD Act will basically force internationally operating US
companies to split up into a US part and an EU part. This law makes it
impossible for any company with access to personal data of EU citizens, to
obey both US and EU law. The only solution seems to be to ensure that they are
two different companies. The other option is to abandon the EU market.

What still surprises me is that nearly all of the major cloud companies are
based in the US. Microsoft, Amazon, Netflix, Google, Apple, all of them US
companies. If ever a law is going to create some EU competitors, it's the
Cloud Act.

The other option is that either the US or the EU is going to water down their
law. I'd be really sad if it's the EU, because that would legitimise and
strengthen other countries' extraterritorial grasp over non-citizens' data.
Like China with Huawei.

~~~
cabalamat
> The only solution seems to be to ensure that they are two different
> companies.

If the EU company is a subsidiary of the US company, then it will have to
follow its orders and won't really be separate.

Furthermore if people based in the USA have physical access to the servers
located in the EU, then if the US government wants that data, it will probably
be exfiltrated to the USA, regardless of what EU governments want.

The solution is for EU governments to have control over their own computing
infrastructure. This obviously includes cloud computing and datacenters. But
it also needs to include operating systems and chips, because otherwise the
risk of a foreign power putting a backdoor in them is too great.

Ditto for all countries, of course.

~~~
hellisothers
Here lies humanity, they tried to do the same things 15 different ways and
squandered their resources doing so.

(Not saying you’re advocating for this, just that it is the current plan it
seems)

~~~
cabalamat
> Here lies humanity, they tried to do the same things 15 different ways and
> squandered their resources doing so.

Polities that don't retain control over their computing infrastructure will in
the future have effectively ceded independence to others.

Because controlling the full stack from silicon to cloud services is expensive
(fabs can cost c. $20 billion), this has geo-political implications: namely
that in the future there will only be a small number of loci of independent
power. The USA will be one, China another. Does Europe want to make itself a
third, or will it be content to be subservient to others?

~~~
Mirioron
The EU won't be content with it, but they still won't do anything about it.

~~~
ionised
Why not?

Safe Harbour was shot down after the Schrems case.

Google and Facebook are being taken to task currently.

The huge fines for GDPR violations will come if the companies cited as in
breach of the regulations fail to do what the EU asks.

The EU is doing a lot. Just because it can't act with immediacy it doesn't
mean nothing is happening.

------
tyfon
As of today we have cloud offerings of for instance azure completely separate
from the US companies due to this.

Here in Norway we can get the complete azure offering from a company called
Evry using azure stack [1] and there is a data centre like this in Germany too
at least that I know of, probably many more.

And sectors like government and banking are required to use them and not the
parent companies' offerings, especially if it contains PII.

If this goes on I suspect a lot of the revenue US tech companies see today
will disappear even if (for now) most run the licensed version of azure stack
and the like.

[1] [https://www.evry.com/en/what-we-do/key-services/evry-cloud-s...](https://www.evry.com/en/what-we-do/key-services/evry-cloud-services/the-cloud-is-now-local---evry-azure-stack/)

~~~
vegardx
Outside of the government sector it seems like these laws are to make sure
that the data is within legal jurisdiction, and has nothing to do with
privacy.

~~~
tyfon
Banking data is at least considered to be "important" enough to keep within
the borders too, but privacy is important too in regards to GDPR. How do you
prevent unauthorized access to the data (i.e. the US government) with the
cloud act. Do you report those requests as a breach? There is really no
difference between that and having the servers hacked in other ways.

~~~
vegardx
Banking data is important because the police and tax authority want to make
sure they have access, privacy doesn't really come into play here. It's a nice
side effect, though. It's the same with accounting data.

When it comes to GDPR it only talks about where and by who data is processed,
it doesn't really put any restriction on storage, except for some pretty vague
(on purpose) requirements about data protection (read: encryption).

~~~
tyfon
But if the US government access PII without authorization via the cloud act
wouldn't it count as a data breach when it comes to GDPR?

~~~
vegardx
Then they should be getting encrypted or pseudoanonymised data, if you are
following the regulations.

For services like AWS you can argue that they should be able to get ahold of
these encryption keys, but most data protection authorities seem to think
this is good enough.

~~~
thefounder
Encryption is useless when you store the keys on the same infrastructure. U.S.
may ask for keys as well.

Even if you would store the keys on a local service at some point your data
will lie/transition decrypted on the remote hardware.

It's not a good idea at all to use hardware controlled by a hostile government
regardless of what kind of encryption you plan to use.

~~~
Foxboron
> Encryption is useless when you store the keys on the same infrastructure. U.S.
> may ask for keys as well.

Are you claiming HSM are unsafe?

> Even if you would store the keys on a local service at some point your data
> will lie/transition decrypted on the remote hardware.

Well no. You have TPM and HSM which should solve this problem sufficiently.
Even hardware tokens for crypto e.g. Nitrokey and/or yubikey should be
sufficiently safe for most use cases.

> It's not a good idea at all to use hardware controlled by a hostile
> government regardless of what kind of encryption you plan to use.

It depends. You shouldn't host anything at any "hostile government", but who
is the hostile government? Is this a hostile nation based on a threat model
for your company? Or is this your personal opinion?

~~~
james_in_the_uk
The cloud providers provide the access controls for the HSM. Why break the
encryption when you can just come through the front door?

~~~
close04
That's not how HSMs work or they would be totally useless.

Short of a hidden vulnerability or a manufacturing defect there's no
"official" way to physically access data from the device without destroying
it. And accessing the data the normal way still requires access the cloud
provider doesn't have (a certificate password for example).

If we're talking hackers that could successfully hack an HSM, they don't
really care about laws. And if we're talking about acting under some law, that
law has to compel the owner of the password to give it up. Not the cloud
provider.

------
Isinlor
If complying with CLOUD act would infringe on EU citizens rights, is there any
legal reason why EU regulator should not fine a company that is infringing EU
laws?

We, Europeans, should follow our laws to their full extent and fine infringing
companies with full power. No matter on whose request they break our laws. Be
it Russians, Chinese, Australian or Americans.

~~~
Neil44
I agree. Companies need to find a way to operate within the law, or not
operate. Throwing your hands up and saying it’s too hard is not an acceptable
answer.

~~~
mcv
I'm not sure how I feel about this argument in light of article 13 of the EU's
new copyright directive. Legislators also have a responsibility to make laws
that are reasonable and possible to obey.

It is possible for companies to obey the Cloud Act, but as far as I can see,
only by choosing between operating in the US and operating in the EU. If
that's considered unreasonable, then it's a bad law.

~~~
delinka
A company _choosing_ to operate in multiple jurisdictions with
competing/contradicting laws does not put a requirement on lawmakers to make
the laws more amenable to the company trying to satisfy both jurisdictions. If
you take that path, consumers end up with little protection under the law.

Maybe the company should split up operations, or operate under licensing
agreements with foreign companies rather than thwart the will of the people
who they seek to fleece.

~~~
mcv
You're right, it's not the government's job to protect business models,
particularly if they are considered harmful. A sensible government would
probably want a healthy environment and market for companies to operate in,
but exactly what that means is clearly something on which governments can
radically disagree.

So I admit that the US is entirely within its rights to create a law that
makes it impossible for cloud providers to simultaneously operate in the US
and the EU.

It's still sad though that the two major democratic power blocs in the
world can't agree on something like this.

~~~
Silhouette
_You're right, it's not the government's job to protect business models,
particularly if they are considered harmful._

That's a convenient way to pass the buck, but the reality is that this is why
we can't (any longer, lawfully) have nice things.

It's particularly hypocritical in this case that the EU itself is a
facilitator of its member states' security services getting access to personal
data in ways that would otherwise clearly violate its own privacy laws, yet it
objects strenuously when other countries do exactly the same thing. There is
no principled ethical argument at stake here. It's all about who has the power
and everyone trying to grab more of it than they're really entitled to,
instead of acting like grown-ups, recognising the limits of their own
authority, and collaborating with others in areas of genuine mutual interest
when there is wider international agreement on certain principles.

Perhaps we need another exercise in shutting everything down, to show how much
the general public and the businesses in each place stand to lose if this
chest-thumping carries on. Just choose a random week and then firewall off
every US-based social network in Europe, fine any US-based financial services
businesses that do any sort of data processing of EU individuals, and so on.
And then a few years later, once the inept politicians have been replaced and
when the catastrophic economic damage caused in just that one week has started
to heal, maybe we can get back to a more sensible approach to the whole issue
of international relations in the age of global communications.

------
mtgx
I hope this bites US cloud service providers _hard_. They need a strong
blowback against their cowardly support for the Cloud Act in the US.

Microsoft, for instance, was suing the US government over its abusive
NSL-enabled _secret data requests_, which made up almost _half_ of the data
requests the gov was making to Microsoft.

But then Microsoft decided to drop the lawsuit and support the Cloud Act,
which may have taken the actions of the US government from the shadows and
into the light (somewhat), but it didn't really change the outcome of those
actions. I imagine Microsoft and other cloud providers supported it because it
gave them more legal cover. Well hopefully they'll live to regret that mistake
with the EU blowback now.

I also think it's just a matter of time (a year?) until the Privacy Shield
will be invalidated by the top EU court, and then a new much stricter
agreement will have to be made that will make all but impossible data
transfers to the US.

The EC is also to blame in this whole thing, because _for some reason_ they
decided to once again compromise with the US government on the type of EU-US
data exchange deals they were making (which somehow always seem to go one way,
from the EU to the US), because they gave the US gov the benefit of the doubt
and thought the US gov would act in "good faith." Hopefully by now they've
realized their error in thinking that.

------
hevi_jos
Just look at the new HoloLens: It uses the cloud in order to analyze the
objects in front of you at your office, your house or whatever in real time.

Combine that with companies like Apple tracking your pulse in your
clock (that gives them knowledge about your deep emotions and activities in real
time).

Add companies like Google that track your phone, your car (with the maps
abilities) in real time.

Add to this companies that track what your friends are doing in real time:
[https://www.apertus.org/facebook](https://www.apertus.org/facebook)

This gives the US secret services more control over people than Stasi had.
With the difference that they control all the people in the world. Too much
power with so small oversight.

~~~
judge2020
> Apple tracking your pulse in your phone (that gives them knowledge about your
> deep emotions and activities in real time).

Health data is encrypted to a point where Apple can't read it:

[https://www.apple.com/business/site/docs/iOS_Security_Guide....](https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf)

> Health data can be stored in iCloud. When configured for iCloud storage,
> Health data is synced between devices and secured by encryption that
> protects the data both in transit and at rest. H

~~~
sangnoir
> Health data is encrypted to a point where Apple can't read it

Apple controls the encryption keys and the underlying OS. If the user is not
in control of the encryption, then it's nothing more than a pinky-promise that
they won't peek at your data, for example, if a new management team takes over
tomorrow.

~~~
TheAceOfHearts
For many people this is a reasonable risk. If they pulled something like that
it would start a huge legal battle, and it would seriously harm their
reputation. I suspect that pushing out a change of this sort would also
require a system update, which you could always delay until it's been
carefully vetted by others.

At least with Apple you can maintain a fairly small chain of trust, since they
have greater control over their hardware. Being in control of the encryption
keys is unlikely to protect you from hardware backdoors or state-sponsored
attacks.

------
Kankuro
Ok, so there should be reciprocal European law: any company operating in the
EU must provide access to the EU authorities (all countries) any data managed
by it and stored in any country in the world (so including US data stored in
the US), otherwise it would get big fines or interdiction to operate in the
EU. (PS: I don't want that, it should work like extradition but with real
reciprocity)

------
stunt
Is there a good European cloud provider?

~~~
tormeh
Scaleway and Hetzner come to mind, although I have no idea how good they are.

~~~
lightbyte
I use Scaleway to host a personal Nextcloud [1] instance. I haven't had any
issues with them thus far and their instances are pretty darn cheap.

[1] [https://nextcloud.com/about/](https://nextcloud.com/about/)

------
segmondy
This reminds me of the crypto wars, except this time around it's the privacy
wars. We didn't win the crypto wars for nothing, all we have to do is make use
of it and we can win this again.

------
tzs
Suppose I, operating in the US, rent some physical storage space in Europe
from a European storage company, and then ship a box of documents to them and
tell them to put them in my rented storage space.

I don't think there is any serious doubt that a US court or US law enforcement
with a warrant would be able to order me to contact the storage company and
tell them to ship the box back to me.

The European country the storage unit is in would not see this as some attempt
at exercising extraterritorial jurisdiction. To them, it is just a routine
interaction between me and a service provider I am using in Europe. That my
motive for asking for my box back was to satisfy a court order rather than
because I actually wanted to use my documents is irrelevant.

(This works both ways. A French court ordering a French company that had
stored physical documents to retrieve those documents would not raise issues
in the US if the French company was using a US document archiving service to
hold them).

I don't see why there should be any difference between my physical documents
that I keep in a box in a Paris storage unit, and my electronic documents that
I keep on an Amazon server in the Paris AWS region.

~~~
cesarb
In your example, the US court is ordering _you_ to request the documents.
There's no question that the US court has jurisdiction over you.

What about this variation over your example: instead of contacting you, the US
court bypasses you and asks directly the European storage company. This is
much more questionable, since a US court shouldn't have jurisdiction over a
European company.

~~~
DuskStar
Funnily enough, in the GDPR equivalent (you, an EU resident, hire a company in
the US to store a box for you) the EU bypasses you and requires the storage
company to have an effective security guard and fire suppression system...

~~~
ionised
The difference is that in this case the US considers itself the owner of all
data on US and EU citizens alike.

The EU merely says that you cannot store EU citizens' data without the
necessary safeguards in place and permissions asked.

This is a very different issue in my view. The US has an inflated sense of
entitlement, whereas the EU is being protective and inhibiting of data
collection on its citizens by foreign organisations.

------
hopler
Nationalism/Sovereignty vs Globalism/OneWorldOrder.

In the past we occasionally had rounds of "harmonization" where countries
agree on one set of laws, as with copyright. We'll see what the future holds.

------
KorematsuFred
What happens if say EU were to pass a law that no data stored in EU data
centers be shared with non-EU countries? In such case no company can obey
both laws. How will this be handled?

~~~
jeroenhd
Actually, the EU privacy laws already forbid loads of data being stored in
countries where the privacy of that data might not be maintained.

When the US was ruled as not trustworthy enough, the Privacy Shield agreement
was quickly thrown together. That's currently why some sensitive information
about European citizens is allowed to be stored on US soil.

However, acts like these (Cloud act, PATRIOT act, etc.) make me, as a
European, very uncomfortable. I hope the EU will take action against the US.
Russia and China already have regulations that certain information can only be
stored inside their own country's borders and MS Outlook still works fine;
there's no need for the EU to just take crap like this without putting up a
fight.

