
The End of Safe Harbor and a Scary Path Forward - di
http://lucumr.pocoo.org/2015/10/6/end-of-safe-harbor/
======
gozo
We are dealing with the consequences of not taking this very seriously for the
last decade. It's not good enough to just hope that the Internet will remain
free in the face of legitimate concerns.

Yes, it's a concern that the Internet won't be global anymore, but it never
really was. Up until things like Firesheep and Snowden, and still to some
extent, a lot of Internet traffic was only safe based on not passing any bad
actors.

~~~
the_mitsuhiko
> Yes, it's a concern that the Internet won't be global anymore, but it never
> really was.

So we're willing to throw all this interconnection away, the one thing that
made the internet the place it is? The interconnected nature of the internet
is what made me the person I am today. I have more friends from other
countries than I have friends from my own and from my friendship circles I
know I'm not the only one.

~~~
gozo
Not taking legitimate concerns seriously and securing the Internet we want is
what is going to throw away the positive things about the Internet. Something
that isn't technically secure or robust in the face of arguments is bound to
change.

------
coldcode
The end result may become a Balkanized internet - you can't share anything
outside your country's borders or access them from outside. Each country winds
up as a China, a government's dream situation. In the end though we all lose.

~~~
kawera
Not necessarily Balkanized if we concentrate our efforts in developing better
protocols and not larger centralized platforms. Decentralization is key to
internet freedom.

~~~
the_mitsuhiko
Not sure what you are proposing. This is not really something we can improve
as nature works against us. Unless someone finds a wormhole for data, we will
be bound by latency and thus the only solution is user segregation.

~~~
kuschku
Or one can use distributed protocols like XMPP.

I can send messages just fine from @jabber.de to someone on a US server.

~~~
the_mitsuhiko
Message delivery is not a problem that needs solving. You don't even need XMPP
for that, good old sockets do the trick. The problem is that you need to fetch
data over high latency network links and you are not even allowed to cache it
due to legal reasons.

~~~
kuschku
Eh, what? The EU data privacy laws have a specific paragraph directly and
specifically declaring that caching is exempt.

You can even use worldwide cloudflare caching for your site, and store
userdata in the EU, and still comply.

~~~
the_mitsuhiko
> Eh, what? The EU data privacy laws have a specific paragraph directly and
> specifically declaring that caching is exempt.

That works for actual short lived caching, but not for database replication
which is what you would actually need for services like facebook.

//EDIT: also the directive does not actually mention caching directly, it just
mentions various exceptions of the rule. Can I have a reference to what you
mean exactly?

~~~
Retric
Global latency is not that bad for a website. Sending light from one side of
the globe to the other is 133 milliseconds and it's not like you're sitting in
the same room as Facebook's servers anyway.

~~~
bobfunk
133ms latency (in the best case) is insanely bad for a database connection!

Even just adding 100ms latency to Google's page load time had a clear
measurable effect on # of searches, and having 100+ms latency for each
database request during a pageview would absolutely kill performance of most
sites...

~~~
tlarkworthy
No it isn't, average page load is much higher. It's a _huge_ struggle to get
below 300ms. Adding 100ms on its own is not insanely bad, but the head of line
blocking would probably be terrible and that's what would annoy you most.

EDIT: to those downvoting, try cold loading google.com, I get > 200ms within
San Francisco. 100ms is not "insanely" bad, and maybe a good price to pay for
regulated data privacy.

~~~
bobfunk
But it's 100ms each way for every database request while rendering the page!
There's not a lot of apps out there that can do with 1 request to their
database during an average page load.

~~~
Retric
If you actually had that limitation you could redesign the overwhelming
majority of apps to only need 1 DB request/response. EX: stored procedure or
map reduce.

------
csense
If you're a US company and some of your users happen to be European, and you
just ignore this and store all users' data in the US, what kinds of sanctions
can be imposed by the European Court of Justice or national authorities in
individual European countries? Do they have some way to block your site at the
national / continental level or go after your users? Can they fine you, send
you a bill and ask US authorities to seize your company's assets if you fail
to comply, even though you're breaking no US laws?

If they can't take any enforcement action against non-compliant companies
outside European borders, how does this decision even matter for non-European
startups?

~~~
umanwizard
I'm no expert, but -- am I missing something? Why can't they just (after all
other due process is exhausted) send the police to seize your servers
from your data center in their territory?

~~~
kijin
What if you have no servers in their territory?

~~~
Thimothy
Then you probably are so small that you aren't on anybody's radar, not for an
EU court and, hopefully, not for the NSA.

------
_pferreir_
Call me a hipster, but I really miss back when no-one cared about the
Internet.

~~~
TeMPOraL
Me too. In many ways, money basically ruined it. It happens everywhere where
builders get replaced by businessmen.

Don't get me wrong - I appreciate what money did here. But I also hate that
most of the Internet is now flooded with ads, SEO, "entrepreneurs" seeking
ways to make a quick buck and startups monetizing the most basic aspects of
human interaction.

~~~
kuschku
It’s funny that you say this on a website aimed at people who do exactly that.
Make a quick buck by monetizing the most simple things.

You know, I’ve been thinking about it for a long time. In a lot of ways, the
internet was an anarchist society for some time. Then some people took
advantage of it, used anarcho-capitalism to get insane profits and violate any
normal laws, and nowadays, it’s a bit regulated, but still anarcho-capitalist.

The anti-spam measure reCAPTCHA is effectively everyone giving Google
training data for their neural networks.

Maybe it would have been better if everything on the web was GPL. Maybe it
wouldn’t. Who knows.

But obviously, this should be a sign for entrepreneurs that maybe, just maybe,
your users might be more important than profits.

------
kawera
Snowden's tweet, to the point:
[https://twitter.com/Snowden/status/651383168650604544](https://twitter.com/Snowden/status/651383168650604544)

~~~
debacle
I don't necessarily agree with him. People who live in countries with strict
data protection laws are safer, but those who live in more lax surveillance
might actually wind up less safe.

------
k__
I must admit, after the NSA stuff, I feel safer without "Safe Harbor".

But I guess a bunch of US companies are pretty scared about the financial
implications right now. Kicking out EU citizens or moving their data to the
EU.

~~~
mercurial
I think Armin makes a good point that European intelligence services have as
little, or even less, regard for EU citizens' privacy as the NSA. Getting
spied upon by GCHQ, the EU branch of the NSA, or by the mothership itself,
makes little difference in practice.

~~~
neokya
The point is that intelligence based in Europe is still under legal control; the NSA is
not.

If there is a big issue in the future, you can summon European intelligence to
court.

~~~
the_mitsuhiko
GCHQ's operation legality has been put under question more than once.

~~~
neokya
That it hasn't happened in the past does not mean it won't happen in the future.

------
ar0
Good article, but he almost lost me when he started with the passport thing:
European privacy laws apply to European _residents_ (regardless of
citizenship) and _not_ to European citizens living outside of the European
Union.

The latter would be unenforceable anyways. In fact, the United States is the
only major country exporting laws on their citizens living abroad (e.g.
taxes).

EDIT: And, in fact, detecting the location of an Internet user (while not
perfect) unfortunately works very well for "regular" users not well versed in
VPNs and proxying - think YouTube country restrictions or also Google Maps'
approach to display different maps depending on the user's location.

------
senjindarashiva
As a European I can't help but feel like this is a step to move the internet
away from only "adhering" to US "law" which would be a nice change.

------
fixxer
My takeaway: What a massive pain in the ass it is to build/run a business,
especially in the EU.

~~~
baudehlo
The flip side is it's a better place to be a free citizen for the most part.
You can ask companies for all the data they have on you and they are legally
compelled to comply.

~~~
fixxer
Respectfully, do you think that is perhaps a false sense of security?
Government surveillance is ubiquitous and American companies are going to
track you regardless.

~~~
baudehlo
In some sense I absolutely agree. There's a difference to be seen in requests
for existing data and the realtime feeds we now know exist.

But I guess something could be considered better than nothing. Europeans
definitely do have better legal access to correcting incorrect data for
example.

------
Keats
So does that rule out a good chunk of US providers for European companies
(stripe/braintree/slack etc)? I could only find mention of Safe Harbor in
their privacy policy and not where the data is hosted.

~~~
the_mitsuhiko
Pretty much. From what I have heard so far the general assumption is that you
can still set up a contract to achieve what Safe Harbor did; your users need to
explicitly agree with the provisions.

~~~
Silhouette
This is our concern, as a small business using a very small but non-zero set
of US services, all of which were previously covered by Safe Harbor
provisions.

This ruling is something we have always been concerned about from a business
point of view, because ever since it became untenable to claim US companies
could actually protect any personal data at all the basic legal premise on
which Safe Harbor was built has been shaky. We don't know now whether it will
still be sufficient to merely disclose our commercial partners in our privacy
policy (which we do, by name and with an indication of what we use them for)
or whether we need some sort of more active consent.

I haven't had a chance to speak to our lawyer yet, but I'm expecting him to tell
us something along the lines of: the law now requires us to add yet another
prominent notice at the conclusion of a sale. On top of all the consumer
protection rubbish from the recent EU changes there -- which again were
well-intentioned but actually impose silly things that help neither us nor our
customers -- the number of such notices we need by law is making our sales
pages almost comical now. I can't believe all these notices really help to
protect anyone from much of anything in practice, and anyone reading this on
HN probably knows what effect compliance has on conversions.

The second to worst possible outcome is probably that we are now required to
seek active consent from our _existing_ customers before continuing to use
things like US-based payment services. The worst is that it actually becomes
illegal to use those services at all, though I don't think that is going to
happen.

It's sad, because from a personal point of view this mess is long overdue for
being cleaned up. But the authorities are so clumsy about handling these
issues that a lot of the time they just hurt small businesses and legitimate
international trade.

~~~
senjindarashiva
Is the "required to seek active consent" actually a bad outcome? From a
customer point of view it seems better than "I assumed you wanted me to do x"
regardless of what x is.

~~~
Silhouette
Think about this from a non-IT point of view. If you went to a store and paid
for your groceries with a card, would you expect to go to the checkout, hand
over the card, and then have the cashier stop you for thirty seconds while
reading a form disclaimer that by paying by card you were consenting to
information about the location and amount of your purchase together with your
own identity and the details of your card being sent to the operators of the
card scheme, who may be based outside Europe, for the purposes of completing
the transaction, and only then (assuming you haven't given up in frustration)
ask you to put in your PIN to confirm the purchase?

~~~
senjindarashiva
I kind of get your point however I believe that the inconvenience of having to
make decisions based on actual information is preferable to implicitly
trusting any country or company that the store chooses to use, especially in
the IT case where most of the time (if you live in the EU) you also have to agree
that your information should be handled and protected by a foreign power
(which has shown itself to be hostile on several occasions, it's basically
the same as US citizens trusting their personal data to Russia) with no legal
obligations towards you.

The big issue is the fact that we have become accustomed to being relieved of
both the choice and the information about which choices have been made for
us. Which of course makes us a bit lazy since it's hard to make informed
choices, which probably is going to make a system like the one you described a
hassle to implement, but I'd say it's worth it to bring back at least a small
resemblance of choice and control of your own information.

------
gasull
As bad as it can be, it is still damage minimization compared to allowing the
NSA dragnet.

------
Animats
This is great! It gives users lots more privacy rights, rights that come with
teeth. See page 105 of [1]. It's going to force many US companies to register
with a European data privacy controller.

Here are the basic rights of a "data subject":

Everyone shall have the right under national law to request from any
controller information as to whether the controller is processing his or her
data.

• Data subjects shall have the right under national law to:

• access their own data from any controller who processes such data;

• have their data rectified (or blocked, as appropriate) by the controller
processing their data, if the data are inaccurate;

• have their data deleted or blocked, as appropriate, by the controller if the
controller is processing their data illegally.

• Additionally, data subjects shall have the right to object to controllers
about:

• automated decisions (made using personal data processed solely by automatic
means);

• the processing of their data if it leads to disproportionate results;

• the use of their data for direct marketing purposes.

What this means is that data collected by a company about an individual
belongs to the individual, not the company. The individual can look at it,
correct it, and take it back.

This isn't a problem if you're not a scumbag. If you're selling your customer
list for marketing purposes, or using data you collect about users for
marketing purposes, you have a problem.

The EU requires explicit consent for such things. A contract of adhesion EULA
is _not_ enough. Exceptions to data privacy must be opt-in, not opt-out.

Passing data about persons on to another party can cause serious liability.
You have to know where the data went, exactly who has it, and be able to
delete it even if it's now in the hands of another party.

This is EU-wide, and registration with one national data controller (a
Government agency which checks for privacy violations) in the EU is usually
sufficient. Here's a set of guidelines from the European trade association for
online marketing.[2]

The biggest practical implication here is that any data you collect and share
about individuals must remain within your reach, because you're responsible
for correcting it, blocking it, or deleting it. Mailing lists must now contain
info as to where the info was originally collected.

It's not really that bad. Europe has operated under these rules for decades.
Deal with it.

[1] [http://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf](http://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf)

[2] [http://www.fedma.org/fileadmin/documents/SelfReg_Codex/FEDMACodeEN.pdf](http://www.fedma.org/fileadmin/documents/SelfReg_Codex/FEDMACodeEN.pdf)

~~~
Silhouette
_It's not really that bad. Europe has operated under these rules for decades._

It's really not that simple either. Many businesses, particularly very small
ones, depend on external services to be viable in the first place. It's right
that those businesses should pay attention to data protection and privacy
issues -- I'm a strong believer in such things personally -- but there also
has to be some reasonable framework for what can and can't be done by default,
without requiring explicit consent for every last detail.

The trouble with opt-ins for everything is that it instantly scales beyond the
point of being practical. Just as hardly anyone actually reads the 9,753 page
terms and conditions document before checking the box or pays any attention to
the "we use cookies" notices, so hardly anyone will pay attention to formulaic
"we might export your data outside the EU and foreign governments might spy on
you" warnings. Creating a system that no basically reasonable and ethical
business can actually comply with in practice will just result in no-one
taking the rules seriously and consequently no-one actually enforcing them,
again much like the cookie notices and so on.

Ironically, a good solution in this case is easy to see: the US government
could make it absolutely clear that interception of or interference with
personal data held by US companies can only be done following proper, legal
processes, and then the EU governments would need to update the rules about
Safe Harbor provisions to allow a reasonable exception for government access
to personal data following due process. Throw in mandatory encryption at a
level where the shortest path to getting data needed for legitimate government
purposes is to just get the appropriate warrant or equivalent and formally
request that the business in question hand over the relevant data, and
probably most people are happy.

No-one serious about the privacy debate seems to be suggesting that businesses
should never have to turn over personal data they have access to in order to
comply with something like a proper court order to provide evidence for a case
being heard by that court. It's the dubious access to the data _outside_ of
proper legal processes and oversight that causes the conflict here, and at
least parts of the EU government system take that sort of thing a lot more
seriously than most of the US government right now.

~~~
Animats
_"The trouble with opt-ins for everything is that it instantly scales beyond
the point of being practical."_

That's a feature, not a bug. It means you don't get to use personal
information for marketing purposes unless the customer really wants to and
says so. It's the customer's information, not the retailer's.

US businesses might think of it as the customer having a property right, like
copyright, in their own personal info.

~~~
Silhouette
_That's a feature, not a bug._

I consider not being able to run an otherwise reasonable business at all a
bug.

_It means you don't get to use personal information for marketing purposes
unless the customer really wants to and says so._

It also means, for example, that you can't charge them using a US-based
payment service, provide whatever product or service they are requesting if it
involves interacting with a US supplier and providing their personal details
for delivery or authorising access, or use US-based administrative services to
help run your business more efficiently, without your customers' explicit
consent, _even if this is only to provide exactly what they've just asked you
to provide_.

~~~
pessimizer
> not being able to run an otherwise reasonable business at all a bug.

This is question begging. If your business model depends on openly breaking
the law, it's not a reasonable business model.

If the end of slavery causes your cotton business to become unprofitable, it's
not an attack on the cotton industry, it's still an attack on slavery.

~~~
Silhouette
_If your business model depends on openly breaking the law, it's not a
reasonable business model._

Alternative possibility: The law is broken.

What if your business model is otherwise perfectly reasonable and acceptable
to all of your customers, and it doesn't rely on breaking the law at all,
until the very governments who are entrusted with producing reasonable,
consistent laws to support their populations are the ones who screw it up?
Should we just close down all European companies doing business with US online
services right now, today?

As far as I can see, that is technically what this ruling will lead to.
Somehow, I don't think most people in either Europe or the US would consider
the resulting collapse of both regions' economies to be desirable, and I doubt
that was the desired outcome when the European lawmakers established the basic
data protection principles at the heart of this. Those same lawmakers, after
all, are the ones who saw fit to provide a Safe Harbor mechanism to facilitate
reasonable international trade in the first place.

_If the end of slavery causes your cotton business to become unprofitable,
it's not an attack on the cotton industry, it's still an attack on slavery._

And what about providing exactly the service your customers were asking for,
but using say a US-based payment service that is openly disclosed in your
privacy policy? Maybe that is now illegal on a technicality, because you
didn't get _active_ consent for using that US service to charge their card.
What if your Europe-based bank didn't have explicit permission from your
customer to communicate with a US-based card scheme to authorise your
customer's card, for that matter?

Will it really help to confront customers with yet more mandatory legalese at
the online checkout that just describes what everyone expects to be happening
anyway? Who is really going to benefit from that? I'm all for reasonable
protection of personal data and proper safeguards for privacy, but when you go
so far that you stop people transferring personal data in ways that are
necessary to provide the exact product or service that a customer is
deliberately requesting and would be reasonably expected by that customer,
you've lost the plot and your system needs fixing.

------
Kiro
So I can't use AWS to store stuff if I'm in the EU? What happens if I just ignore
this?

~~~
junto
Can't you just choose the Irish or Frankfurt region for your deployments?

------
spaceSub
I hear your words and all I can conclude is: What a _great_ ruling. Seriously.

Decentralization is a major thing we need right now. Also: the EU gov.
agencies are very unlike the US ones in that we have political power over
them.

------
TACIXAT
What are the business implications for this? Does this only matter for
businesses registered in Europe operating off US servers? Or does it prevent
any US business from storing European customers' data?

------
pastycrinkles
So what happens if an EU country sees a BGP routing error that sends traffic
to the US?

