

NY Judge rules US cloud firms must provide overseas data - blawson
http://www.v3.co.uk/v3-uk/news/2341817/us-judge-rules-cloud-firms-including-microsoft-and-google-must-hand-over-data-stored-overseas
Link to the ruling: http://www.nysd.uscourts.gov/cases/show.php?db=special&id=398
======
Fuxy
So... Anybody have a list of cool companies that don't have any business in
the US?

Lack of ties with the US is becoming more and more valuable every day.

Edit: I love how the reason the judge ruled like that is because it's too much
of a hassle for law enforcement. Guess security is not the only thing that
gets sacrificed just because we're too lazy.

~~~
cforster
I can recommend www.wuala.com. It uses client-side encryption and the servers
are in Switzerland, Germany, and France. It's a Swiss company that was bought
by LaCie.

------
mikestew
On the bright side, it opens opportunities for off-shore (in relation to the
U.S.) Dropbox clone startups.

I fully expect MSFT to drag this all of the way to the Supreme Court. I'm
curious to see how it shakes out from there.

~~~
Shish2k
Alternatively for file syncing, peer to peer? If a company doesn't have your
data in the first place, they can't give it up. It does require the user to
supply their own always-on internet-connected device, but that's increasingly
becoming a thing that people have (for modestly sized files, even a smartphone
would do)

~~~
mikestew
> Alternatively for file syncing, peer to peer?

I really just don't...want...to...maintain another server, or even P2P setup.
However, things like this ruling are piling up to the point that I may have to
take another look at what it would take to get my Synology box to use their
"Dropbox" functionality (Synology's dynamic IP->static IP mapping service has
proven to be flakey at best, though there are other options). Either that, or
that bittorrent P2P thingy.

Another problem is that Dropbox and the like have really gained traction, so
that other apps use them as a synchronization store. So there's the problem of
keeping, for instance, all of my 1Password stores in sync. I'm sure there's a
solution, but I need to overcome inertia and go look for it.

------
steven2012
This could absolutely destroy the US cloud-based services industry if this
gets reaffirmed. It actually doesn't make any sense though, but it continues
to chip away at global confidence in US-based companies.

~~~
mhandley
The UK university where I work uses Microsoft's cloud service for email. I've
always had concerns, but apparently we have a contract that states the data
will only be held in certain jurisdictions (can't remember if it's just the
UK, but I think so) so that we can conform with UK data protection laws. If
Microsoft lose at appeal, I guess we'll be legally compelled to change email
provider. Can't imagine we're the only ones either.

~~~
waps
Note that UK data protection laws do NOT exclude the NSA from reading your
email. They just restrict the data being sold to commercial third parties.

I mean I'm not saying that's necessarily a bad thing, just that you don't have
the protections you think you have. The UK intelligence services will actually
help the NSA collect data from UK firms in the UK, as has been extensively
reported.

So keep in mind that if it's the US government, or any EU government that
wants your data, it doesn't matter if it's stored in the US, UK, or anywhere
in the EU or Australia or New Zealand.

Add to that that UK citizens have fewer rights than US citizens when it comes
to government data collection. A US citizen gets a deal: if they hand over
data to the NSA/government themselves, that data cannot form the basis of a
criminal conviction against them (this of course means the US government will
try to hack you before asking you). So if you have encrypted kiddie prn on
your machine and you decrypt it when the government asks you to do so, they
may get to delete it, but that's it. Of course they can investigate you
further, but if you are the one giving them the key, they can't do anything in
court with the decrypted data.

In the UK or anywhere in the EU you have no such right, and there are plenty
of cases of people getting forced to hand over encryption keys only to have
the decrypted data be used to convict them.

So really, your data is safer with the NSA than with your own government (from
the perspective of how damaging it can be to you personally at least).

------
adwf
I've always assumed that this is how government agencies would try and
interpret the situation, but I also assume that this will go all the way to
the top to be properly decided.

Edit: Not to mention that other countries may disagree with this
interpretation and sue the local branch of the company if they send the data
outside the region. Then the issue will become a matter of international law.

------
AdmiralAsshat
So how long before the courts argue that NON-US cloud providers are also
subject to US search if they hold US citizen data?

~~~
venomsnake
Well Megaupload was close. Anyway the cloud is one of those bad ideas that
just cannot die soon enough for me.

------
mariuolo
This reminds me of what SWIFT did:

"After these articles, SWIFT quickly came under pressure for compromising the
data privacy of its customers by letting foreign government (United States
government) agencies access sensitive personal data. In September 2006, the
Belgian government declared that the SWIFT dealings with USA government
authorities were a breach of Belgian and European privacy laws."

Basically they were caught between a rock and a hard place and had to decide
which country's laws to break.

(https://en.wikipedia.org/wiki/SWIFT#United_States_of_America_government_involvement_in_SWIFT_matters)

------
pfortuny
This goes so against EU law that it is a straightforward attack on any
international business which includes the EU, run by a "cloud" firm. It also
places such a burden on local (EU) companies using, say, DO or Linode
services... which will have to switch provider like _right now_.

Or am I extrapolating wrongly? I certainly would like to know (yes, assuming
that this thing goes up and is held as definitive, obviously).

~~~
Nursie
You're not wrong. EU data is supposed to fall under safe-harbour provisions.
These are what allow EU companies (which have to obey various EU and national
data protection laws) to use US services which do not mandate such
protections.

I've never thought there was a reason to trust these, in light of the US
government's view of the rights (or lack of rights) of non-citizens. But this
seems explicitly to throw them out.

------
dang
This is a dupe of
https://news.ycombinator.com/item?id=7651245.

------
qdog
That makes some sense to me, if you are a U.S. company you should have to
comply with US law regardless of where you store the data.

Whether or not this particular warrant is valid is another matter.

~~~
higherpurpose
Perhaps, but not very good news for US companies either way. The trust will be
even smaller in them now, and they won't be able to tell non-Americans that
their data is safe with them, unless they enable end-to-end encryption in
most, if not all, of their services, and they provide ways to check that they
aren't going around that encryption in some nefarious way (backdoors, etc).

------
briantakita
Well, I now have an incentive to use non-US cloud companies.

------
reuwsaat
so courts can force companies to relinquish users' data globally, but corporate
taxes are still protected. we're such suckers.

