
US free to grab EU data on American clouds - 925dk
http://euobserver.com/justice/118857
======
alan_cx
Again, again, again......

When are people going to realise clouds are dangerous? You lose control of
your data regardless of smart programmers or civil rights. You can never ever
be sure it won't be taken, spied on or just lost.

Yes, there is a huge convenience to clouds, no doubt whatsoever, but I will
never ever trust them.

Use? Yes.

Rely on? Assume to be secure? Assume to be private? Assume to be always
available? No, never, ever.

Trust in a US justice system where my data might be? Well, we've seen that
play out. The US justice system scares the hell out of me. So much so that I
personally avoid everything I can that might bring me within the orbit of the
US justice system.

And I really don't like the way our data is being herded into one place, or
several holding camps. It really feels like the data equivalent of an
internment camp. Put it all in one place so the authorities can control it and
us, or just open fire.

You know, if government interference was really just for stuff like
anti-terror, then I could accept all this. But it's not. They seem more
concerned with the profits of media companies and copyright than anything that
really affects us plebs.

Oh, got to go, I think I just saw a black helicopter... I'll have a rant at
that.

~~~
jakeonthemove
Well, with the way it's been going, you'll soon have no choice but to rely on
cloud services.

Everything is a goddamn service now - even my fingerprint reader wants an
Internet connection - yeah, screw you Authentec!

Even managing multiple WP sites now has to be done via a third party service:
<https://managewp.com/> (I've got nothing against them, they're very good - in
fact, there is no better local alternative, which is what makes me sad/angry).

~~~
mattrad
There is an alternative to managewp.com: <https://wpremote.com/> (not
affiliated, etc.)

It's free, and UK-based - so benefits from EU data protection. By
@humanmadeltd.

EDIT: Running on EC2 AFAIK, so subject to Safe Harbor, FWIW.

~~~
jakeonthemove
And again, out of the user's _real_ control... Sure, the security seems sound,
but you still put all your eggs in someone else's basket, so to say, with any
such cloud service.

------
Nursie
This just exposes 'safe harbour' for the mockery it is.

I've been attempting to have a dispute with the UK government over this and
failed. In a nutshell - revamped UK government website gov.uk launched
recently, using Google Analytics. When I questioned why a US company was
being informed about my interactions with my government a ticket was opened at
a helpdesk service and I was told that it was ok because Google were not
allowed to use the data. The helpdesk service are based in San Francisco.

~~~
motters
I think at present that citizens interacting with government services online
is still relatively new, and they obviously haven't fully thought through the
potential national security implications of using things such as Google
Analytics and outsourced helpdesks.

~~~
Nursie
I've been using UK government services online for several years now. I'm not
sure if it's always been the way it is now, I never bothered to look at the
loaded artifacts and page source for the older sites, but I get the impression
that it wasn't like this before.

There was a big fanfare a few months back about how gov.uk was modern, useful,
using industry best practices, open source tech and was just generally awesome
and cool. I think what's happened is that they've either outsourced to or
hired in a bunch of hip, trendy web developers who had no real comprehension
of data protection.

As someone with an interest in computer security, and who has in the past
lived with data protection consultants, this disturbs me.

Anyone know which minister or ministry in the UK government is ultimately
responsible for the UK government electronic data presence? Or who I might
approach about these Data Protection concerns?

~~~
grabeh
I would contact the ICO in the first instance. It would be the Department for
Culture, Media and Sport that would deal with internet-related issues
generally, then there is of course your local MP.

I must admit to being a little surprised that they are using Google Analytics
plus the site doesn't have a privacy policy either. It seems a little bizarre
to have a cookie policy but not one detailing usage of user information
generally.

~~~
Nursie
Ah yes, the ICO. I'll get in touch with them first, if only because they're
the most likely to actually respond to communication!

~~~
summerdown2
I wouldn't hold your breath. They've never replied to me on any of the times
I've filled in a complaint form.

------
nextparadigms
And they wonder why the anti-American sentiment is growing. I don't like these
trends of US dictating EU policy one bit. Sure, US has always had "great
relationships" with some European countries after WW2, and many European
countries liked US for its culture etc, and have been friendly towards them.
But this is getting pretty absurd, with US getting access to EU citizens data
and having them dictate the whole EU's privacy policies, too.

This is why we need to move towards having everything encrypted locally,
before being sent to the cloud, and make it brain-dead easy for most people to
do that. Or maybe we'll all start using BitTorrent Sync for our own devices.

~~~
gst
Did you even read the article? This has nothing to do with the EU. The US can
obtain data from persons that are not US citizens without a warrant, if this
data is stored on servers of US companies.

If the EU doesn't agree with this, it would be better to create an economic
environment that facilitates EU-based tech companies, instead of having its
citizens depend on US companies.

~~~
spdy
So the solution for the problem "seizing data from cloud service providers
without a warrant" is to blame the EU why they don't build some tech companies
that can hop in here? Following your argument we should have EU and US
services only?

We could even turn this around to "The EU can now seize data from US citizen
from companies that operate in the EU."

Seizing data without a warrant is always wrong and can never be right
regardless of citizenship to any country. Simple example the EU seizes data
from US citizen and the US from EU citizen and then they just create a
"foreign information exchange database" nobody knows about. Because we have to
fight terrorism.

This is the right way to go.

------
flexie
Related:

European companies considering hosting personal data on American servers need
to consult the so called Safe Harbour List, which is a list maintained by the
American Department of Commerce: <http://safeharbor.export.gov/list.aspx>

Now, what it means when a company is on the safe harbour list, is that the
company has declared that it adheres to a privacy policy that complies with
the U.S.- EU Safe Harbor agreements:
<http://export.gov/safeharbor/eu/eg_main_018493.asp>

As the OP shows, this is by no means adequate protection against American
government surveillance. But then again, many European governments also have
surveillance laws in place that allow certain government agencies access to
hosted data, emails etc. with or without warrants. Often, the scrutiny of your
local government is just as relevant a concern as that of being watched by the
US government.

~~~
Nursie
As much as they love to spy on us here in the UK, I'd still rather it was my
own democratic government doing it than someone else's.

~~~
flexie
Yes, your influence on the UK democracy is at least 2.17391304 × 10**(-6)
percent (1 out of the 46 million voters) whereas your influence on the
American government is 0 percent.

~~~
pestaa
Just a nitpick, but his influence is certainly not that high. Possibly
10**(-6) is what you meant. :)

~~~
flexie
Yep :-)

------
cmircea
This is why I don't want to have anything to do with hosting providers who
only have US hosting available. My clients wouldn't be terribly happy; nor
would I about this.

Heck, it probably is illegal for us to store customer data in the US in this
case.

------
calgoo
"But a US judiciary subcommittee on FISAAA in 2008 stated that the Fourth
Amendment has no relevance to non-US persons.

FISAAA also forces US Internet giants and other tech companies operating
clouds in the EU to hand over the data or face sanctions, says Bowden."

According to this, they can request data stored on EU servers if the company is
American. This means that it does not matter where the servers are, they will
still get the data.

So, time to start to migrate to EU companies for hosting any sensitive
information. Anyways, the cloud will never be secure, so the best we can try
to do is Encrypt as much as possible, and not use the cloud for any sensitive
information.

The one useful thing I see from the cloud is: Private Cloud in your house.
With fiber getting more and more distributed, we can soon have our home cloud
with Music / Movies / series / news / email / phone all routed to our home
cloud then to the devices. Now that would be a nice usage of the cloud!

~~~
digitalengineer
"Private Cloud in your house" Agreed! TB hard disks with encryption, fast
internet, mobile templates to access data. Add a little distrust into it and
boom! PrivateCloud for Average Joe.

------
netcan
Maybe there is an opportunity for countries with liberal internet/freedoms and
privacy laws to start making themselves more attractive as datacenter locations.

Especially countries with natural advantages in this area that are already
trying to move in this direction. Iceland comes to mind.

------
venomsnake
Now see the future that the cloud brings? The huge benefits. 1984 was a
warning, not a road map.

People will become more and more careful and uncomfortable with the cloud in
the coming years.

~~~
meaty
Some of us will.

Most of the human race are ignorant peons who can't spot a warning a mile
away. A fine example of this is the amount of people I saw in hospital gowns
outside my local hospital the other day with oxygen masks, yet they were
outside smoking.

Get the hint people!

------
obsession
I don't host anything sensitive on the cloud but this makes me think twice
before using Linode or Amazon. It's a shame really. I don't know any cloud
services that don't have any American presence.

~~~
gmac
You could try bigv.io, OVH or Hetzner as European Linode alternatives. AWS I'm
less sure on.

~~~
chrisboesing
Here are the AWS alternatives I could find when I was searching for them 2
months ago. They are both hosted in Germany and operated by German companies.

I haven't played with them yet, so I can't say if they are any good.

EC2 alternative: <http://jiffybox.de> Not as feature rich as EC2, but they do
have an api to launch, stop, and resize instances.

S3 alternative: <http://www.hosteurope.de/Cloud/Cloud-Storage/> They say it
works with S3 compatible desktop software, so I guess it uses a similar/same
api.

(I'm on my phone right now and can't find the English versions of the sites, I
have linked the German sites instead)

~~~
robotmay
Brightbox are a UK company with a pretty decent cloud offering:
<http://brightbox.com>

------
jakobe
Slightly off-topic, does anybody know of a good European email service
provider, that actually has servers in Europe?

I am currently using Fastmail, which is operated by an Australian company
owned by a Norwegian company, and apparently their servers are in the US.

Every time I read stuff like this, I keep saying to myself that I should move
to a European company...

~~~
robotmay
Rackspace offer an email service, though it is paid. Also, despite it being
hosted in the UK, it is a US company.

------
forgottenpaswrd
This is backfiring on the US.

Any Asian-European company that I had worked with forbids the management of
any critical information by any American company, not just cloud, for this
simple reason.

~~~
mpyne
> Any Asian-European company that I had worked with forbids the management of
> any critical information by any American company, not just cloud, for this
> simple reason.

This is just as they should though, it's not as if the U.S. would feel it's a
good idea to host their cloud services in China on Huawei kit. For better or
worse the days when "gentlemen do not read each other's mails!" fell by the
wayside decades ago.

Nations need to either agree specifically _not_ to read each other's data in
transit (perhaps this is the EU-US "Safe Harbor" that's being talked about?),
or assume that their data would be read and plan accordingly.

Note that we already have to do this planning as tech developers anyways. If
we had sensitive PII we wouldn't store it unencrypted on a shared host with
world-readable files, would we?

------
acd
I think these new Stasi 2.0 mass surveillance government programs are a bad
idea for liberty.

------
rapht
I saw this and wrote to my MEP asking that the EU makes it mandatory for
American companies providing services to European consumers to clearly and
distinctively inform said consumers that their data may be handed to American
authorities without notice or specific consent.

Also, I wonder what's going to happen when American companies hand data to the
US Gov't in compliance with US law but in breach of privacy laws in the non-US
territories they are operating in: large-scale breaches like this will not
only earn them hefty sanctions, but could also lead to some courts shutting
down their services altogether...

------
Nux
Just don't host with American clouds, problem solved. There are several cloud
providers in EU that are not American and their number is growing.

------
jostmey
Does all this electronic surveillance result in more unethical activity from
the authorities than it helps the authorities prevent?

------
DanBC
There are already EU laws about exporting data outside the EU.

US saying they can grab data just means US companies who want EU business need
to set up EU companies with servers in the EU. That means more work for EU
citizens, and more tax[1] paid in the EU.

For me (as a European) it all seems pretty good.

[1] Albeit minimal tax with their borderline illegal weird methods to avoid
tax.

------
linuxhansl
It boggles my mind how easy it is to throw principles overboard when
convenient. Either you believe in freedom and democracy or you don't. If you
do you would extend your principles to non-citizens as well (with exceptions
in form of warrants of course)

Once security trumps liberties you are on a downward spiral.

------
meaty
Another step in the self-destruction of America.

This is resulting in the instant removal of Google Analytics for us.

~~~
eksith
That's a bit extreme. If anything it will force a lot of introspection among
the string pullers and any illusions people still have about privacy in the
cloud (without encryption) will hopefully be shaken. When you affect those
with capacity, you make things better for the less capable or incapable... All
this is noise, and noise is good.

After all that's what cleaned up business practices significantly at the start
of the industrial revolution.

In fact, this is just another growing pain in a new industry.

      Industrial Revolution => Child Labour
      Automobiles => Safety
      Data => Privacy

Are they perfect now? Of course not, but they became better.

~~~
meaty
There will be no introspection amongst the string-pullers. Have you seen the
state of things since the cold war?

------
mbesto
One way around this is to obfuscate the data that goes on the server.
Ciphercloud does this:

<http://www.ciphercloud.com/solutions/data-residency.aspx>

------
Revisor
Do you know a good non-USA based web analytics?

We're using Google Analytics and GetClicky.com right now, both from the USA.

~~~
Buzaga
These are open source:

<http://piwik.org/>

<http://www.openwebanalytics.com/>

~~~
schrijver
Yes, Piwik I can highly recommend! The fact that you are doing the analytics
by yourself also means they don’t become part of a larger graph–in theory,
this is better for the privacy of your users because you can’t track them
outside your domain.

------
pinaceae
well, to inject a little bit of pragmatism here:

most big enterprise companies (banking, finance, pharma, manufacturing, etc)
have, regardless of their HQ, an office in the US. so, to be "protected", they
would need to cut those offices off completely.

just sucks that the US market is one of the most important ones.

so where else would you like to host? China? India?

and what exactly guarantees your German super private cloud not to be attacked
by:

1., The classic internal employee with a USB stick

2., The NSA which won't stop at some magic fluffy national border which
doesn't even exist on the net.

3., The manufacturers of the hardware you're working on, from Chinese chips in
your notebook to the components in your networking equipment.

and don't get me started on ISPs.

You want to be secure? Do not connect to the Internet, ever. Good luck in the
economy though.

------
youngerdryas
> "binding corporate rules for data processors" was inserted into the European
> Commission’s data protection regulation proposal with loopholes built-in
> which allow for FISAAA surveillance.

The only conceivable reason for such a loophole is a reciprocal agreement. We
can't spy on our people but you can and vice versa. Looks pretty bad.

