
Getting out of the cloud… - snw
http://blog.koehntopp.info/index.php/228-getting-out-of-the-cloud/
======
hedonistbot
Dear HN, please scale down the panic.

>President Trump’s Executive Order calls for federal agencies in the U.S. to
ensure that their privacy notices make clear that Privacy Act protections
extend only to citizens and permanent residents of the U.S. Importantly,
Article 14 of the Order explicitly states that the federal agencies must do so
in a manner that is “consistent with applicable law.” In the context of
EU-U.S. data transfers for law enforcement purposes, the Judicial Redress Act
constitutes applicable law, and thus President Trump’s Executive Order, as
written, should not impact the Judicial Redress Act’s extension of the Privacy
Act’s protections to citizens of the EU. As a result, absent further action
from the U.S. government, we do not expect this Executive Order to impact the
legal viability of the Privacy Shield Framework.

[https://www.huntonprivacyblog.com/2017/01/28/privacy-
shield-...](https://www.huntonprivacyblog.com/2017/01/28/privacy-shield-
impact-of-trumps-executive-order/)

~~~
hedonistbot
Here is a good summary from Techcrunch. TLDR: the EO shouldn't invalidate
Privacy Shield protections, but the whole framework is flawed and does not
guarantee privacy of EU citizens. The relevant parts:

> The spokeswoman has now sent us a statement in which the EC asserts that
> Privacy Shield “does not rely on the protections under the U.S. Privacy
> Act”.

> Critics of Privacy Shield –– including the lawyer who brought the original
> challenge against Safe Harbor — have consistently argued the arrangement
> contains the same fundamental flaws as its invalidated predecessor, given
> ongoing U.S. government agency surveillance programs accessing European
> citizens’ data.

[https://techcrunch.com/2017/01/26/trump-order-strips-
privacy...](https://techcrunch.com/2017/01/26/trump-order-strips-privacy-
rights-from-non-u-s-citizens-could-nix-eu-us-data-flows/)

------
emptyfile
Starting to think the Trump presidency will be great for Europe, by making it
politically unfeasible for European politicians to continue pretending the US
is a good ally, leader of the free world, champion of liberal values, etc...

The US fifth column voluntarily leaving the EU will surely expedite the
process.

~~~
shaki-dora
By any objective standard, the last 70 years were the best ever for Europe,
and the world as a whole. There are certainly differences of opinion and
interests between Europe and the US, but they are far from negating the
overlaps. The ideas that the US has propagated are fundamentally sound, and
any US hypocrisy may undermine the effort to spread them, but not the value
they offer.

If you are an average citizen anywhere in Europe, throwing the dice in either
the time or spatial dimensions is a losing proposition: there is almost no
time nor place of higher prosperity, lower physical danger, better chances
regardless of class/gender/race/etc, higher life expectancy, more vibrant
cultural life, more freedom to explore your interest/kinks/obsessions etc. And
the shift of the US under Trump is a throw of the dice in the best case. In
reality, it is unlikely that a new world order build by an orange buffoon
could in any way rival the current one, which was build by people who had the
foresight and moral compass to invest trillions into a continent, and even the
very country that had just plunged the world into the darkest crevice of
history.

I'm not saying that all is well, just that we are, historically, closer to the
best than the worst, or even to average. But any assertion that the system was
fundamentally broken is obviously not supported by the outcomes it produced,
and the way to optimise a system running at it's historical best involves
carefully planned tuning, not destroying it with a sledgehammer and asking a
reality TV character to build a new one.

~~~
corv
Not at all. There is many a lost generation in European countries.

~~~
TeMPOraL
Best for the entire group on average != best for some subset of that group.
But it seems to me that some people believe they'll be happier if they pull
the world back to year 1940.

------
surferbayarea
[https://www.google.com/transparencyreport/userdatarequests/c...](https://www.google.com/transparencyreport/userdatarequests/countries/)
[https://govtrequests.facebook.com/country/United%20States/20...](https://govtrequests.facebook.com/country/United%20States/2016-H1/)

~60,000 google user accounts(not just email, but all your web browsing data)
were handed over to the government in 2016. And this was under the Obama
administration.

~~~
lern_too_spel
Those aren't requests to hand over all a user's data to the government. Half
of those are subpoenas, and half of the remaining are search warrants. You're
probably thinking of NSLs, which you can find ranges for
[https://www.google.com/transparencyreport/userdatarequests/U...](https://www.google.com/transparencyreport/userdatarequests/US/),
but those don't contain content. Also, it's unclear why you're talking about
the number of Americans when the executive order is a change in the handling
of foreigners' data.

~~~
surferbayarea
FISA Content requests: July to December 2015 21000–21499. Note - FISA requests
includes all personal information, NSL does not. And sure - this particular
order is about foreigners' data, but they might require citizens' data in
future. Also is data privacy only a US citizen's right? Googlers claimed to
have strong views when non-citizen googlers were being treated unfairly on
immigration. But no statement when non-citizens' privacy is being snatched
away.

~~~
lern_too_spel
FISA is for non-Americans' data, and you were talking about Americans
previously.

You can't write an executive order that says you can get access to something
you previously needed a warrant for without a warrant.

~~~
surferbayarea
Seems it does include US citizens.

Per
"[https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveilla...](https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act")
: "and "agents of foreign powers" (which may include American citizens and
permanent residents suspected of espionage or terrorism)."

~~~
lern_too_spel
You can look at the definition here:
[https://www.law.cornell.edu/uscode/text/50/1801](https://www.law.cornell.edu/uscode/text/50/1801).
Suspicion of espionage or terrorism isn't enough to be considered an agent of
a foreign power. A US citizen must be known to have aided a foreign power in
espionage or sabotage and done so knowingly.

------
toyg
In fairness, this has been a long time coming - legal-aware geeks have been
warning us since 2001 about the infamous PATRIOT Act. SafeHaven and
PrivacyShield were both disingenuous attempts at persuading people that
"actually we don't really mean that for you, friends". In a way, I'm glad the
hypocrisy is over.

This might actually help the European market.

------
Taek
It's things like these that push me so hard in the direction of decentralized
cloud applications. Centralized institutions should not be able to see your
data, and foreign powers should not be able to command them to drop your data
(or otherwise hold it hostage).

~~~
floatboth
But what if I specifically _want_ to store my own personal data in a different
country? I want privacy from _my_ government, not from foreign ones!

~~~
Taek
I'm the case of Sia at least you will have the ability to whitelist and/or
blacklist hosts on the network. Which makes it really easy to control which
countries do or don't end up with your data.

------
ktta
Can any one please explain in layman terms what this means a bit more clearly?

I think I understood the part where the US no longer a good place to store
data, and that there are no proper privacy laws protecting foreign citizens'
data that is stored on US soil. So basically, if you still want to have a
proper privacy policy, GTFO your data to non-US servers ASAP.

Anything else? Something I've gotten wrong?

~~~
Beltiras
There's also the chance that USDoJ vs. Microsoft will land in USDoJ's favour.
If so, then if your cloud provider is US-based (e.g. Amazon), then your data
can be procured by the US government with a NSL or similar secret court
mechanisms without you even being notified. I don't think that people
frequenting HN need to have it explained to them why this is bad for US-based
cloud providers. Amazon needs to segregate Frankfurt, fast.

~~~
darkr
Ireland's in the EU too (eu-west-1)

------
openmosix
For the tech industry, this is gonna be harder to navigate than the upcoming
regulations on visas and h1bs. I don't even want to think about all the
refactoring and rearchitecting to provide data segregation on multi-region.
What a mess.

------
mi100hael
It's hilarious that Obama expanded the powers, scope, and capabilities of
domestic spying more than any previous administration, but people thought he
was a good dude and gave him a pass. Now Trump is in office less than a week
and all of a sudden people are hair-on-fire worried about keeping their data
on the same servers that have been essentially pwnd by the feds for years.
Spoiler alert: nothing's changed except your level of interest in the issue.

------
sghiassy
Can anyone recommend a European alternative for Amazon AWS?

~~~
beejiu
Aren't the data centers technically owned by Amazon Ireland for compliance
(cough tax) reasons? Amazon clearly state that data never moves out of the
region.

~~~
Freak_NL
As long as Amazon has a US presence, it, and the data is hosts, is within
legal reach of US judges and government.

~~~
Veratyr
This isn't yet decided. Microsoft and the DoJ are still arguing about this in
the court system, which so far has ruled that the US government _cannot_
compel Microsoft to release data it holds in Ireland. It's currently waiting
for the DoJ to decide whether to take it to the Supreme Court:
[http://www.politico.com/blogs/under-the-
radar/2017/01/micros...](http://www.politico.com/blogs/under-the-
radar/2017/01/microsoft-data-broad-appeals-court-234098)

~~~
beejiu
Even if the DoJ did make it law, it would surely conflict with law that the
Irish domiciled entity is subject to.

~~~
ci5er
Penalties for the US-based domestic entity to compel compliance of the off-
shore entity would fall onto the domestic entity. The off-shore entity ALSO
has to comply with whatever local regulatory regime they fall under.

Unlinking the two companies completely might satisfy what you appear to be
angling for, but it would be, in essence, a potential competitor to Amazon at
that point.

------
boomboxy
Don't want to sound like I sound, but this might be the end of the Internet as
we know it.

~~~
surferbayarea
more like the internet will finally be fixed. There is no reason gmail cannot
encrypt my email and remove pii data, except that it will eat into advertising
revenues. Its easy for companies like Google to take a stand on an easy thing
like the government making it a bit harder to get visas, but when it comes to
saying no to government requests for your email - they happily comply.

~~~
lern_too_spel
The number one benefit that Gmail touted when it launched was searchable
email. That will break.

You're perfectly free to use E2E encryption on Gmail, and they are even trying
to make it easy for you, though that project is evidently not as well staffed
as the advertising org.

~~~
surferbayarea
search-ability is not a constraint for encryption. Eq see
[https://people.eecs.berkeley.edu/~dawnsong/papers/se.pdf](https://people.eecs.berkeley.edu/~dawnsong/papers/se.pdf)

~~~
lern_too_spel
Performant search is. Gmail wouldn't work with O(n) search times.

~~~
surferbayarea
The inverted index could simply be built/live on client side. The cloud is
then just a backup data storage. Encrypted email is downloaded, unencrypted
and indexed on your laptop/phone etc.

~~~
lern_too_spel
To be clear, you're proposing that users download their entire email storage
to their phones and browsers before they can search or spam filter their
email? And you think that this would be a compelling product for the average
email user? I'm having a hard time figuring out if you're trolling.

~~~
burgerdev
Isn't this how pretty much any mail client does it? Thunderbird does a decent
job at spam filtering my mail. You know, I can even search folders in Outlook!
Saying that scanning your 1M mails with 1kb each _requires_ the use of a cloud
service seems a bit over the top.

~~~
lern_too_spel
And how long does that search take? How long does it take to download that
mail to a new device? How long would that have been on 2006 Internet? I've
never said that it's impossible. I've only said that it takes away the main
advantage claimed at launch — fast, working search.

------
simplehuman
It's easier to move our own company's apps, I feel. What's harder is all the
SaaS products that we use most of which are in the US :/ I have to look more
closely into selfhosting solutions.

------
_pdp_
“A pessimist sees the difficulty in every opportunity; an optimist sees the
opportunity in every difficulty.” ― Winston S. Churchill

