
Norwegian backup provider promises NSA-free data storage using Norwegian laws  - jensen2k
http://www.jottacloud.com/its-your-stuff-guaranteed/
======
vidarh
As a Norwegian, let me just say:

Yeah, right.

1\. The Norwegian security services have a long history of violating Norwegian
law (and when, for example, extensive illegal politically motivated
surveillance of mostly left wing politicians was uncovered in the 90's they
then had the gall to place an MP and member of the committee investigating
them under surveillance while he was working on the report about their illegal
surveillance), and have always been extremely cosy with the US.

2\. Most bandwidth to Norway goes via Sweden. Sweden is not a safe country to
pass data through if you want to avoid surveillance. See the FRA law:
[http://en.wikipedia.org/wiki/FRA_law](http://en.wikipedia.org/wiki/FRA_law) ;
unless they guarantee that they get their bandwidth via alternative means,
this is a risk. Sure, you can encrypt the data, but if you trust that this is
sufficient, then hosting your backups in the US should not a problem either.
If you think Sweden's neutrality means a shit in this case, consider that
Sweden has admitted to having been complicit with renditions of political
asylum seekers to the CIA in direct violation of Swedish laws, so clearly they
do not worry about cooperating with US intelligence agencies. To hand your
data over to the NSA would not even require them to break any laws, and
they've already demonstrated they don't have the moral backbone to stand up to
far worse requests.

3\. Norway is subject to the EU data retention regulations, and otherwise
likes to bend over backwards to comply with EU directives despite not being an
EU member (we're a member of the EEA, which means we get all the directives,
but don't have a say - how anyone thought that was a better alternative is
beyond me). In fact, Norway is "best in class" when it comes to implement EU
directives - ahead of most EU countries... This doesn't impact this to a great
extent, except it means all your communications with this company will be
subject to retention laws, and if you consider it important enough to avoid
the reach of the NSA for your hopefully encrypted backup data, this is worth
keeping in mind too.

In other words: If you encrypt your communications and backup files well
enough that you believe it is safe from the NSA in Norway, they'll likely be
just as safe from the NSA in the US.

~~~
ra
Is there a jurisdiction on the planet where data is safe from domestic
wiretapping _[1]_ (i.e. international espionage not withstanding)?

Serious question.

 _1\. Clarification: I mean warrantless wiretapping._

~~~
snowwrestler
No. Job #1 for a national government is national security, and governments
inherently have the power to intrude upon privately operated companies.

I think that in the long run, the U.S. is still a good place to keep data.

U.S. citizens have an instinctual distrust of government that Europeans often
mock, but in this case I think is an advantage.

In addition the U.S. has some of the strongest protections for freedom of
expression in the world, which means that everyone can learn and argue openly
about intel programs and other sub-topic of freedom vs. security.

~~~
derefr
> Job #1 for a national government is national security, and governments
> inherently have the power to intrude upon privately operated companies.

I would say that job #1 of a government is establishing and enforcing domestic
property rights (to allow an economy to function); and job #2 is building
public-good infrastructure like roads.

"National security" is job #1 of an _organism interested in its own survival_
\--but there's no reason a government needs to be such a thing; the only
reason I can see for it is the precedent set by monarchies, where each current
king wants the government to persist in its current form so that they
themselves will stay in control of it. A government _could_ run a country
perfectly capably while leaving itself undefended from being "eaten" by a
foreign government (or populist coup) at any time.

~~~
DannoHung
National Security is intrinsically about enforcing domestic property rights.
It covers issues like terrorism but also foreign hostilities. Don't be a doof
and pretend that National Security doesn't at least _start_ with the interests
of the citizens in mind. Seems like it gets awfully lost in the woods, but you
can't pretend that if people just had the right ideals things would be fine.

------
jgrahamc
If you want to have data storage that's secure from the NSA then you are going
to need to do client side encryption. Moving your data to a company/country
that promises not to access it isn't going to cut it.

~~~
noarchy
I have to agree. The user needs control over their encryption.

Taking advantage of Norway's laws is fine, until the day that those laws go
sour on you.

~~~
switch007
Don't you need a combination of encryption AND no law forcing you to reveal
the key?

~~~
vog
The law that might force you to reveal the key depends on where _you_ are, not
where your hoster is.

~~~
Sami_Lehtinen
Good luck, I have terabytes of random data. I can always provide you OTP key,
and create what ever content I want you to see. (Malleable encryption)

~~~
vidarh
Stay away from the UK - here a judge can throw you in jail for failure to
provide keys, even if there's no evidence you still have the keys, and said
judge would pretty much be guaranteed to believe that you did not hand over
the correct keys if the result is garbage.

~~~
aianus
If you claim the encryption was done using a One Time Pad, you can pick any
result you want, generate the corresponding key, and hand that over.

[https://en.wikipedia.org/wiki/One-
time_pad](https://en.wikipedia.org/wiki/One-time_pad)

~~~
vog
Unfortunately, the OTP is always as large as the encrypted data. So strictly
speaking, this is not really "encrypted data + password" but more of a "split
data into two random-looking parts". In particular, this is nothing you can
keep in your head or print on paper.

You'd have to keep it on a separate storage medium. And if you have to hand
out the done medium, what's preventing them to get your second medium? And if
you are able to keep that second medium secret and safe, why don't you store
the whole unencrypted data on it in the first place?

Either way: OTPs are really cool, but I don't think they have any relevance
here.

------
brasetvik
"In Norway, privacy stands firm like the mighty mountains of Jotunheimen.".

Let's not flatter ourselves _too_ much:
[http://no.wikipedia.org/wiki/Datalagringsdirektivet](http://no.wikipedia.org/wiki/Datalagringsdirektivet)
(in Norwegian,
[http://translate.google.com/translate?sl=auto&tl=en&js=n&pre...](http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=no&ie=UTF-8&u=http%3A%2F%2Fno.wikipedia.org%2Fwiki%2FDatalagringsdirektivet&act=url)),
or the less detailed
[http://en.wikipedia.org/wiki/Data_Retention_Directive](http://en.wikipedia.org/wiki/Data_Retention_Directive)

~~~
zokier
I don't think DLD/DRD is conflicting with the statements given in the post, as
DLD only concerns itself with metadata (and yes, that can be harmful), and the
article talks about the actual data. Both are important, but different,
topics.

~~~
e12e
Well, after reading Snowden's comments about what is available (everything) -
it would seem that DLD goes hand in hand with storing all traffic for a
limited time -- you would need help searching that to actually recover
something.

~~~
zokier
> DLD goes hand in hand with storing all traffic for a limited time

Nope? From the linked translated wikipedia page:

> Data that reveals the content of the communication must not be stored

~~~
e12e
I meant - if you already, illegally store everything - that everything is
problematic to search, and to store permanently. If you also, legally, through
DLD store metadata, then that makes your illegally collected data more useful.

------
honzzz
This is nice. But I think that the long term solution needs to be based on
something that does not depend on the ability of your host to protect your
data. The US is strong enough to pressure (almost?) any country to jump
through hoops for them (we have seen leaks about their pressure on Sweden [1]
or Spain) so just being out of their jurisdiction is not enough.

1\. [http://falkvinge.net/2013/01/06/banana-republic-justice-
behi...](http://falkvinge.net/2013/01/06/banana-republic-justice-behind-the-
scenes-of-the-pirate-bay-trial/)

~~~
pydanny
I agree 100%. Your country or company isn't going to make a difference when
the people maintaining it are threatened or bribed by a force that can and
does leverage power outside their jurisdiction. Honestly, the problem has to
be addressed at the source, not with bandaids applied by the hopeful or naive.

------
atirip
From the article "U.S. law enforcement could use the USA PATRIOT Act on a
U.S.-based organisation, like Microsoft, Google, Dropbox or Amazon, for
example, to force its local subsidiary companies across the world into handing
over user data to U.S. authorities."

Exactly how? By my understanding a company in EU operates under EU law and US
parent company is only stock owner. Stock owner can not by my understanding
force the company to do anything if the company does not want. Lets assume
that US company does not want to force daughter company, how can NSA to make
them?

EDIT: I'm fully aware that by harassment or blackmail anything can be done, no
question here. What I meant to inquiry, out of curiosity, is, is there a legal
way to _force_. I know that parent company can control and fire board etc, but
can they be forced to do so. Or more broadly, can some US agency take full
control of US company and run it like they please. Can f.e. NSA if they
really-really wan't to rise McDonalds burgerflippers salary by twofold? Does
Patriot Act or something allow that?

~~~
DannyBee
Your understanding is false. A sole stockholder (for example, the parent of an
independent subsidiary), always has control, even if not by specific
direction.

They can, after all, fire the entire board, and elect a new one that will
direct the company to do what they want.

Not to mention in most cases, parent companies do in fact, maintain control
over subsidiaries (IE they are not independent subsidiaries), and thus can
directly control activities.

~~~
Kimmono
The way company law is set up in Norway, you cant as a board member do
anything else than what is best for the company you are board member in. Doing
something different would mean you could be held responsible. They could fire
the board, but the next board have the same rules to go by.

~~~
DannyBee
"What is best" is of course, a matter of opinion. I'm not sure this is as
concrete as you seem to think this is, though i'll admit i'm not familiar with
the details of norwegian law, what you say is true of most countries in terms
of duties.

------
arkitaip
This might become a major trend in the EU if hosting/storage providers play
their cards right. Sure the low prices, performance and flexibility of US
providers are very tempting but surrendering your data to US intelligence
agencies and god knows who else might no longer be a viable option, especially
for government agencies and major corporations that might be targets of
industrial espionage.

~~~
toyg
It is already a trend, but until last week it was the realm of huge companies,
bureaucrats, weapon manufacturers and other security-industry types. Now
there's potential for going mainstream.

This said, I wouldn't trust a French provider or an Italian provider with
anything too sensitive: their police forces have a history of being incredibly
heavy-handed when dealing with data. I remember one occasion in mid-00's when
the Italian police investigating G8 riots (or something like that) raided a
data centre, took home all disks they could find, cloned them all, then went
through them with a fine comb, all because _one mailing list_ hosted on _one_
of those servers _might_ have been tangentially related to whatever they were
investigating. I'd be surprised if things were much better in other European
countries, to be honest, but I guess Norway is one of the best bets (with
UK/Ireland being among the worst, of course).

------
toyg
The whole computer security business couldn't have paid billions for the sort
of free advertising they got this week...

------
qw
The link should be updated to point to their own English version

[http://www.jottacloud.com/its-your-stuff-
guaranteed/](http://www.jottacloud.com/its-your-stuff-guaranteed/)

------
zokier
I thought that the NSA surveillance was at least partially illegal. Laws
(Norwegian or US) don't stop TLAs doing what they want.

Also in a related note I find the following fairly unconvincing:

"We will not hand over user data to authorities unless a warrant issued by the
Norwegian court of law is presented"

Warrants are in my view more about providing a paper trail than actually
preventing abuse.

Ultimately I think the only protection against surveillance is well-employed
cryptography. Especially if the law offers some protection for encryption keys
and/or passwords.

------
dotsid
I'm moving away from Dropbox today. Thanks for this jensen2k.

~~~
e3pi
If you crypt, Dropbox is fine. People need to use encryption. Every popular
computer language has encryption routines, scroll through the source code
until you find something accessible, twiddle something to personalize it while
keeping it functional, perhaps convince yourself it will remain secure, etc,
of course be cautious about that. Or simply, there's double encryption, fold
it again. Know big 100 meg, gigabyte file size encryption, becomes vulnerable.
Wikipedia is the best general crypto introduction I've see.

~~~
toyg
The main selling point of Dropbox is cross-platform support for umpteen
platforms, so you'd need to find an encryption tool that will work on all
platforms; say bye to iOS...

~~~
Spooky23
Check out boxcryptor, works in the OS's that you probably care about.

------
CRidge
"Vi vil ikke overlevere brukerdata til myndighetene om vi ikke mottar en
kjennelse fra norsk rettsvesen"

meaning

"We will not hand over user data to the government if we do not receive a
ruling from the Norwegian judicial system"

which is pretty much the same thing as the Patriot Act in the US...

But as far as PRISM goes - that's a whole other matter!

~~~
zokier
Well for better or worse you can not really escape that. Best to my knowledge
most (western) countries have the concept court orders/warrants or
equivalents.

------
gbrindisi
If you are in EU, Norway is pretty much transparent from a legislative pov.
For example:
[http://www.autistici.org/ai/crackdown-2010/](http://www.autistici.org/ai/crackdown-2010/)

------
ryguytilidie
United States Government:

-We are serious about creating jobs and supporting great American companies. -Makes the most lucrative young companies in the US unusable in the name of spying on their own citizens.

What in the actual fuck?

------
alan_cx
Encrypt all you like. It boils down to this: Will a government make you prove
a negative, and if you don't, will it lock you up?

If you have encrypted files, there must have been or still be a key to decrypt
it. You will be asked for the key. You will either given them the key, say no,
or say you don't have it. The first two are no good, so all you have is the
denial that you have the key. If government cant find the key, you will be
asked to hand it over.

And that's the crux.

What then does the government do? All it can then do is make it an offence to
withhold a key. How do they prove you have the key, if they themselves can't
find it? You then have to prove the impossible, that you do not have the key,
a negative. Which, even if you are telling the complete god's truth, you can
never, ever, prove.

So, having an encrypted file, that you cannot or will not decrypt on demand is
or will become a criminal offence. All encryption does, in the eyes of
government, act as evidence of guilt. The suspect has an encrypted file, we
can verify its contents, she wont give us the key, there for she has
"something to hide", and there for must be guilty.

I can well imagine encrypted files being stored like athletes blood samples,
waiting to be tested or decrypted by future methods.

We can not win unless we accept so risk and stop expecting our governments to
do _everything_ to stop the bad people. If a bomb goes off in Whatevercity, we
must not be angry if it happened because the NSA were NOT collecting mass
data, or something similar. We must make it clear to government that we are
prepared to trade the risk of being blown up for our privacy and freedom, and
that if that freedom contributed to the attack, we _MUST_ accept that, and not
suddenly switch and blame government. And the NSA, and the likes, must be
allowed to say, "look we could have acted, here is the evidence, but we had to
respect freedom and privacy", and not be lambasted for it. We have to reply,
"OK, fair enough, we understand and accept that." Equally, of course, we need
to know they did everything else legally and morally possible.

Question is, are we as a people able to do that? Or do we expect zero risk
lives?

And all that is assuming there is zero risk from the powers government wants.
Such laws and thinking creates a whole new avenue of risk.

Which is why I for one am quite prepared to say to government, cool it down,
back off, set some limits, respect those limits, and if you fail because of
that, I both accept it and forgive you, because I want to be free.

BTW, one of the few countries I have been to is Norway. Beautiful, stunning,
country and fantastic people. If I wanted to or had to leave the UK, it would
be one of the first places I would consider. I'd love Norway to be the savior
of privacy and freedom, but I sadly cant see it.

~~~
sigil
> You will either given them the key, say no, or say you don't have it.

There's a 4th option: give them a key that decrypts innocuous material.

[http://www.truecrypt.org/hiddenvolume](http://www.truecrypt.org/hiddenvolume)

------
znowi
The US has a great deal of influence in the west, especially NATO members.
They will readily comply to avoid complications. No country wants to find
itself on the US "terrorist" list.

------
Havoc
The memory stick under my pillow is pretty NSA proof too. Well unless someone
in combat gear rocks up at my house...then all bets are off.

------
simplexion
Spideroak...

------
read
What is the best country that you know of to store data safely in?

~~~
pilsetnieks
In the developed world? Your own. Hopefully then the data doesn't come in
contact with any other jurisdiction with different laws and there are much
fewer hops between you and the place data is stored, thus limiting the chances
that it is intercepted along the way. However, there is the issue that if you
store data with a local company, they may be forced to comply to the local law
enforcement while a foreign company may or may not comply.

------
pinaceae
erm, isn't this assbackwards?

intelligence agencies, aka spies, _exist_ to spy. that's their entire purpose.
now there are some laws to protect their own citizens, at least in the US.

once it's a foreign entity, it's fair game. zero fucks about legality given -
see any info ever about clandestine services. so if you store your data in a
non-US entity, you're _more_ likely to be monitored.

do you think STUXNET was LEGAL?

the NSA, CIA, MI6, BND, KGB, Mossad all ignore the laws of the countries they
are acting in. or what do you think a spy is?

------
contingencies
NSA.no!

