
Microsoft unveils German data plan to tackle US internet spying - tefo-mohapi
http://www.ft.com/cms/s/0%2F540a296e-87ff-11e5-9f8c-a8d619fa707c.html
======
nickpsecurity
This is utterly ridiculous, possibly even subversive, given two things:

(a) The number of intentional leaks in Microsoft products (esp new Window's)
that might be inspired by NSA surveillance

(b) The leaks showing German BND and Five Eyes cooperate very closely on
SIGINT with BND letting them use selectors that no patriot of German
government or industry should've tolerated.

Many articles, esp Der Spiegel, also indicate that German intelligence is lap-
dogging so hard in an attempt to join Five Eyes club. Additionally, remember
that the TAREX teams in ECI leaks were focusing on Germany, South Korea, and
China. Yeah, not all the terrorism they talk about on TV: one opponent and two
seeming partners. What do all three have in common? They're among the biggest
economies competing with American (and Five Eyes') business interests. Makes
sense among scheming intelligence agencies to use assets against them to get
privileged few tight with Washington a competitive advantage and do counter-
intelligence against their agencies doing the same.

So, Microsoft are either a bunch of idiots that have no awareness of Snowden
leaks or reporting on the situation with NSA and Germany. Or they knew that
while subverting their European offering to give NSA every chance to hit the
customers' data as a favor to them to avoid pressure and keep lucrative
contracts. I'm betting on the latter to be safe and continuing a boycott of
Microsoft tech where possible.

~~~
danieldk
Exactly. The only _real_ solution is client-side encryption. If the encryption
is implemented correctly, it does not matter where it is hosted.

~~~
nickpsecurity
The real solution is high assurance systems: those designed in a rigorous way
with an argument that they'll remain secure against any known classes of
attack. That's every layer of the stack and sideways as my proprietary
framework [1] used to show. Here's an example [2] of what that's like applied
to Tor. Ottela's Tinfoil Chat is only one I know that applies high assurance
at the design level to eliminate risk of High Strength Attackers. He took a
lot of feedback from us on Schneier's blog and applied it well.

Client-side encryption using C libraries on Linux or whatever is just asking
to be hacked. Best will be secure hardware, drivers, kernel, and trusted
components. See CHERI processor [4], EROS documentation [5] (esp "Principle-
driven...") and Mikro-SINA VPN [6] for examples of The Right Thing in
security-critical development. Need more like that.

[1] [http://pastebin.com/y3PufJ0V](http://pastebin.com/y3PufJ0V)

[2]
[https://www.schneier.com/blog/archives/2014/09/identifying_d...](https://www.schneier.com/blog/archives/2014/09/identifying_dre.html#c6678915)

[3] [https://github.com/maqp/tfc-otp](https://github.com/maqp/tfc-otp)

[4]
[https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/](https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/)

[5] [http://eros-os.org/eros.html](http://eros-os.org/eros.html)

[6] [http://genode-labs.com/publications/mikro-sina-2005.pdf](http://genode-
labs.com/publications/mikro-sina-2005.pdf)

------
dewiz
I'm really surprised by the number of negative comments. Data hosted in
Germany won't be accessible to Microsoft US nor the US government. So that's
one problem solved. If the German government can access that data so what? Do
you really expect to escape from that? Keep your data in house if you care
about privacy that much. Most of German companies offering services to German
customers now can say "your data is stored in your country" thanks to
Microsoft. Then if the European government can snoop in, what do you expect MS
to do? That's a problem that the German gov needs to address, a government
elected by people. And again, no one is forcing you to be "in the cloud". Say
what you want, "country clouds" are a step forward and a value some people are
willing to pay for.

~~~
danieldk
_Do you really expect to escape from that?_

Yes. Client-side encryption for cloud storage, end-to-end encryption for
instant messaging? Now it does not matter where the servers are.

This is just a show to regain customer trust, but the added privacy is
marginal.

~~~
zurn
Encryption does not address the security problems of "cloud" services if your
threat model includes eg BND. Traffic/metadata analysis is plenty to find out
what you're doing and who you're doing with. Secondly if you distrust the
"cloud" service provider, end-to-end encryption for IM/storage is moot if you
are still using service provider's client software for X.

(This for one microsoft-applicable meaning of "cloud". It baffles me why tech
people have so eagerly adopted such an ill-defined marketing term)

------
exelius
This is actually not a bad model at all for this. It leaves all parties
(except the US government, which ostensibly has no authority to block it) with
everything they wanted.

The US government is still undoubtedly going to get the data no matter who
stores it, but they're going to have to risk pissing off the German government
to get it.

~~~
mschuster91
> The US government is still undoubtedly going to get the data no matter who
> stores it, but they're going to have to risk pissing off the German
> government to get it.

Ahahaha. Our government is knee-deep in the dungheap. The GCHQ spies on
Americans to avoid US protections, the GCHQ spies on every European country
and the BND is also in the mix.

All that our "government" did was a couple harsh words towards the US, faking
a "no spy deal", and behind the records a "continue with spying" to the BND
and MAD.

------
merb
Telekom. Telekom also has backplanes to the BND. So either we have NSA -> BND
or BND -> NSA and even if they don't share anything we will still deal with
one of them.

~~~
nickpsecurity
You're getting it. ;)

------
slg
Are we going to pretend that the US is the only country that ever forces
companies to hand over data or tries to acquire that data through more
nefarious means? If you are worried about this sort of thing, it seems strange
to put your full trust in another provider regardless of whether they are
based in the US, Germany, or any other country. Aren't you better off just
keeping the data away from the provider in the first place (either through
encryption or simply using your own software/hardware).

~~~
bad_user
If the guvernament doing this is local, we've got options to fight it. But the
US government has made it clear that us foreigners don't count, that the US
constitution doesn't apply to us, that the whole point of the NSA is to spy on
us, and we can't vote in the US and we have no representatives to call there,
etc. The US is also in the awkward position of being the steward of the
Internet. So you know, you can thank the US government instead of pretending
that the rest of the world is just as bad, as if that would make it OK. And if
you are an US citizen be glad that your taxes are well spent.

~~~
lmz
On the other hand, if I was doing something my own government doesn't like but
the US doesn't mind too much, I would rather the US government have access to
it than my own (assuming the US do not then hand over data to my government).

~~~
bad_user
How would you know if your own government minds about something that the "US
doesn't mind too much"? Except for obviously illegal activities, how in the
world could you tell? And why do you think that the US won't simply tell on
you? After all, they are under no legal obligation to protect your interests
and sharing the things they find can be used for bargaining.

There's also another reason for why I prefer a local government to the US. My
country does not have spy agencies with a 50 billion USD yearly budget. The
NSA can get in places where my government cannot simply because of resources
available. Oh, and most of us are software developers and the NSA is probably
engaged in industrial espionage, so you know, if you're an European company,
that would be something to think about.

~~~
lmz
If your data falls under something that government agencies will actively
bargain over, you're probably screwed already.

Maybe from the point of view of a European software developer the greatest
concern is industrial espionage, I don't know. But let's say you are someone
exposing the corruption in the local police force. Would you rather host your
anonymous website in your country -- knowing that the local police can
threaten the company hosting it, then knock on your door and "get you to stop"
\--, or would you rather put it on some server in the USA, where they have no
power?

------
_Codemonkeyism
All because EUGH stopped Safe Harbor.

This is the first mover. Next wave will be SaaS companies (Email e.g.)
guaranteeing data stays in the EU. At the end of January no EU company can
transfer email addresses, IP addresses or HR data into the US. Only if there
is a Safe Harbor II coming where the US guarantees to not spy on data without
warrant/open procedure and legal recourse by EU citizens.

PS: I know this EUGH ruling does not make sense with UK and France having the
same intransparent all-people are spyed on. But this are the rules now.

~~~
iamsohungry
> Only if there is a Safe Harbor II coming where the US guarantees to not spy
> on data without warrant/open procedure and legal recourse by EU citizens.

That guarantee would be completely unbelievable at this point.

> I know this EUGH ruling does not make sense with UK and France having the
> same intransparent all-people are spyed on.

The EUGH ruling makes perfect sense, it's just a partial solution instead of a
complete one.

Given the US is believed to be the most powerful of the bad actors (i.e., they
NSA have the most backdoors and other capabilities) removing them from the
system is not an insignificant step. Shutting out UK and France as bad actors
will be more complicated.

~~~
_Codemonkeyism
From my point of view it's exactly not a partial solution, with the UK (and
perhaps Germany) sharing data with the US if I e.g. use an UK SaaS email
provider. It doesn't make any difference to EU citizens.

~~~
iamsohungry
It's a partial solution, not in the sense that it improves anything by itself,
but in the sense that combined with getting other countries to stop sharing
data with the US, it would prevent Europeans from being spied on by the US.

------
rmoriz
Besides the faux-security of this offer this is the first "real" public cloud
offer Deutsche Telekom does. Well, they don't - they have to partner up. A
couple of months ago they already announced to partner with Huawei to build a
public cloud (in late 2016, no further details), now they are renting out
space for Microsoft (in early 2016), like Equinix does in Frankfurt for Amazon
AWS.

Deutsche Telekom is still owned by the Federal Republic (31% iirc) so one
could argue that most substancial decisions, like preventing FTTH, undermining
net neutrality and the lack of innovation, is either accepted or even enforced
by the biggest single shareholder.

Or it's just another sign, that politics should get out of the business as
they are not qualified and not independent enough to control their stakes in
corporations which also includes a technological perspective for the
foreseeable future to secure the business.

Deutsche Telekom has no such perspective in its home country business, only
the US mobile business keeps growing. At home, Deutsche Telekom is just
fighting an rearguard battle. Whatsapp killed SMS, Skype killed Voice, AWS
kills the mid/large enterprise datacenter outsourcing business, margins fall,
jobs got cut. Venture Capital business "T-Venture" failed, was shut down, only
some SV investments will be made in the future, no focus on local/German
startups anymore.

Even their marketing department has no clue about "that cloud thingy",
releasing official media materials like:

"Cyber Security in German: Hackers need to stay out"
[https://www.telekom.com/static/-/106374/2/Foto-04_850x550-bi](https://www.telekom.com/static/-/106374/2/Foto-04_850x550-bi)

and more: [https://www.telekom.com/medien/bild-ton-und-
infografiken/fot...](https://www.telekom.com/medien/bild-ton-und-
infografiken/fotos/104770)

It's a shame that Germany has no investor person like Carl Icahn who is able
to force the management to deal with the consequences: Shutting down/selling
dying T-Systems, selling T-Mobile USA, revamping local access business to make
money and stay competitive.

~~~
doener
They tried to sell T-Mobile USA. They tried very hard.

~~~
rmoriz
Yes, but then it was a failed biz. Since the IPO business is going quite well,
at least they could further reduce their stake in T-Mobile USA.

Usually the next wave of technology also implies new investments into the
network and less profits, so IMHO right now it would be a great time to sell
as much of the T-Mobile USA stocks as possible.

------
esseti
This is interesting approach that works for what EU requires (that data stays
in EU). Basically, it solves the safe harbor to some extent. Still, they may
have leakage of data or something under the hood that can make this useless,
but on paper it has some value.

[ads]Btw, if you need to store sensitive data in EU then you should use
chino.io[/ads]

------
tiedmann
It's really amazing how all MS-related posts still seem to attract the people
wearing tinfooil hats. Not saying there's no truth in there but, you know,
just sayin'.

------
privacy101
At this point, Microsoft might as well be a branch of Government...

------
nickleefly
privacy is important for every one

------
happyscrappy
From the comments:

"Will be interesting to see whether customers will agree to pay a premium for
a risk that they do not understand much less can quantify.

The elephant in the room is that all European companies engaged in
international commerce are breaching European data protection laws in some way
on any given day. The vagueness and subjectivity of many obligations under the
legislation leave businesses in an almost impossible position. And most
citizens have no idea what benefits the legislation bestows on them because it
is so complicated and philosophical. The regime has been in place since 1995
and since that time the average Jo, Jean, Juan and Johannes have all had their
'privacy' massively eroded, however you define that term. The one benefit it
was meant to have was harmonisation to make the single market work, but that
hasn't really worked either. Frankly, it is a complete sham and failure.

Whilst the single market is powerful force for good, it is continually under
attack from this sort of well-intentioned but barmy 'social' protection
initiative. All it seems to benefit is the army of regulators at a national
and European level who engage in endless navel gazing, looking out for the
next hapless target to keep them gainfully employed."

~~~
TazeTSchnitzel
Oh not this nonsense.

Yes, Government surveillance is a problem. That doesn't make data protection
law worthless.

It's thanks to the Data Protection Directive that you can force Facebook to
hand over the data it's secretly collecting on you despite not using it, for
example.

