An interesting tidbit:
Sotomayor, at 09:44, pushes back against the U.S. attorney, referencing what I assume to be the CLOUD Act as a more reasonable compromise than what the attorney has been advocating:
> And the problem that Justice Ginsburg alludes to is the fact that, by doing so, we are trenching on the very thing that our extraterritoriality doesn't want to do, what our jurisprudence doesn't want to do, which is to create international problems. Now I understand there's a bill that's being proposed by bipartisan senators that would give you most of what you want but with great protections against foreign conflicts. There are limitations involving records that are stored abroad.
A court found personal jurisdiction over an individual before the court, issued an order requiring the disclosure of information and then expected the person to comply with the order irrespective of where said information was stored. If you break American law in America, saying "the information is overseas" isn't--and shouldn't be--a valid excuse. Extending that to third-party providers, when both the individual and provider are in America, makes sense.
Could this be abused? Sure. But the oral arguments show the Justices giving the question respectful concern.
So, by this logic, if a prosecutor in [country without privacy rights] claims one of their laws has been broken, they are able to seize emails, files, and VM images (even, say, from the US government) stored in any cloud provider that happens to have a business office in that country?
If that were true, I think we in the US wouldn't be hearing so much about the EU GDPR.
That doesn't mean you can ignore other countries' laws if you want to do business there.
The EU GDPR only applies to companies doing business in the EU. Of course, if you have customers in the EU you do business there under the GDPR definition.
You are free to ignore it. Good luck trying to do any other business in the EU after that though.
> The European Commission hopes to set an international standard with its upcoming proposal to give police easier access to data from tech companies, and has already asked the United States to cooperate.
The US response was the CLOUD Act.
I’m hoping this gets abused in the midterm elections to replace the people that backed it with more reasonable legislators, but I doubt it’ll play out like that.
This is probably the best we can get until that fabled day when they finally allow cameras in the courtroom.
The idea was originally inspired by Last Week Tonight, I just automatically generate them.
Also I love that you coded cutaways to observers and the chicken stenographer - it makes it incredibly natural seeming. Did any news outlets end up using your outputted videos?
Also, any chance it’s open source? :)
GINSBURG: Mr. Dreeben, may I ask you a broader question? I think the starting point all would agree in, what was it, 1986, no one ever heard of clouds.
The SCOTUS only has audio, but the Ninth Circuit has a full video channel: https://www.youtube.com/channel/UCeIMdiBTNTpeA84wmSRPDPg
Personally, I think that's a good thing – having a platform for performance motivates just that, and I don't want a performance from judges, I want soberly considered and carefully constructed legal opinions.
It seems that the pattern is, there is one common face-value meaning of the sentence that is meant regardless of the emphasis, and then there is a secondary meaning that depends on the emphasis. Usually one of the words simply makes the sentence more emphatic, but emphasizing any of the other words establishes some kind of contrast (not too different from the way "if" is sometimes used to mean "if (and only if)"): e.g. "I didn't say you stole my money" implies "I did say <someone else> stole my money", "I love studying English" may imply "I don't love <doing something else with> English". Even "I didn't say you stole my money" probably implies "I did say <someone else> stole my <something else>". And often the secondary meaning is at least as important as the primary meaning.
I suspect this kind of expression is natural enough that forbidding everyone in the courtroom from using it is impractical.
Given that it can matter so much, trusting scribes to accurately record the emphasis, without keeping audio recordings around, seems dangerous. (One might say something similar about the transcription itself.)
Or are the German data centres of Azure safe as they're run by a German company?
If the US wants access to our data, they’ll need to go through the Danish courts.
We spend a lot of money though, but it affords us our own private servers in the Irish farm, that we have physical access to and our data never enters the public part of Azure.
If the US government wants to get access, it probably can, after a few months in various EU courts, but all they’ll find by then in our little vault will be a tape recorder playing Twisted Sister - We’re Not Gonna Take It on repeat.
Of course American companies will be replaced by a European competitor if the US government doesn’t wise up and stop being dicks. If there was a real alternative to American clouds we’d have left by now.
Not a lawyer so pure speculation but would be interested if anyone has details.
Maybe this verdict changes things, but if it did, I’m fairly confident that I would’ve known by now considering it’s a sensitive issue.
We do have extensive exit plans at hand, for such an event. Plans that are really just us burning money because the US surveillance state can’t get its damn act together.
- Upcloud (based in Finland)
- Cloudsigma (based in Switzerland)
- Deutsche Telekom TelekomCLOUD (based in Germany)
- Online.net / Scaleway (based in France)
- Aruba Cloud (based in Italy)
- Swisscom (based in Switzerland)
Unfortunately none of them offer the breadth of services like Google Cloud, Amazon or Azure, but they most likely will be more than enough for many purposes.
It’s quite nice for tiny projects you don’t want to spend on.
Under these conditions, the provider can (and has incentives to) challenge the order requiring the production of the data. If the order is quashed, the US government would need to get an order from the local government under MLAT for the data.
As for your German datacenter question... Under the text of the law, it depends on whether that data is within a US electronic communications or remote computing service provider's "possession, custody, or control." In theory, a service provider might contract out the management of these aspects of its operations, but it would be hard to imagine a service provider feeling comfortable moving the data outside of its control.
See p 2205 of bill text for the CLOUD Act part. http://docs.house.gov/billsthisweek/20180319/BILLS-115SAHR16...
Is there actually a market for this that people would pay for, or is it just something that people would like to exist?
Even without the national boundary feature, good crypto APIs not bound to your compute vendor is a nice thing to have.
As long as everyone thinks everything is fine if they keep using the same old US services they've always used, none of those steps will happen. Expect to get a push-back from users who prefer continuing to use US-based services so they can justify their own choice.
To their credit, Microsoft have resisted US Government pressure on this subject in the past.
If there is a way to sign up for Hetzner without giving them a copy of your passport, does anyone know?
I don't like the practice but believe their argument, hosting services attract a lot of bad actors and this will probably filter out most of them from the start.
So at least 3 months.
Unfortunately, you are not supposed to do it yourself because it's complicated so you have to find a trusted third party to do it that has been vetted.
But now you have to come up with a system to vet the vetters.
What a complicated world we live in.
Not that I really agree with it, most of the time the secrecy is for secrecy's sake imho, and to advantage government prosecution. It's pretty scary tbh. Does this mean it's ok for a US company operating in China to turn over US information?
What happened is roughly this:
Pursuant to a warrant, USG wanted something from Microsoft, Microsoft said it was on a server in Ireland and outside the reach of the warrant, USG and Microsoft went to court to sort it out. Meanwhile US Congress passed a law addressing situations like this and mooting this case. That's it. In the grand scheme of things, this didn't really change anything.
When they want to scare people, they say "the police will start asking ordinary citizens for ID". It's a huge deal when the pharmacist asks for ID for a controlled substance.
And add to that the privacy culture here (on HN and in tech circles). I would rather pay a few extra bucks for now. But if they dropped the requirement I would use it.
I bet I am not alone and there are many others who feel the same.
I wonder if it would feel different if they didn't ask for a copy of the ID, but just had someone look at it.
I think it also feels different because no one else asks for it (VULTR, AWS, Dig Ocean, etc)
Also a driver's license feels less intrusive (for whatever reason) than a passport, and I believe for foreigners they want a passport.
USA uses ID cards for banking and employment though.
The problem isn't necessarily a national ID card (after all most people have driving licenses, passports, etc). The problem is the data that's all linked and available to governments.
In today's world, where Facebook knows far more than any government can, heroes like René Carmille become more and more important.
They managed to erase my entire environment, not have any way to recover anything, and once my case got escalated within their company the responses I received were the most unprofessional communications I've received in my career.
Honestly, I am amazed that this is a German company at all. You usually expect Germans to be more organized.. but I guess no matter where you go, the old saying is true: you get what you pay for.
I wonder if serverpilot etc will work equally well with these guys.
I think many US citizens would be outraged if a Chinese court could issue warrants to access their data stored at any company. Not sure if EU citizens trust the US judicial system much more.
“A [service provider] shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication ... within such provider’s possession..., regardless of whether such communication, record, or other information is located within or outside of the United States.”
So, all US companies are now forced to store a backup, or copy, of all data they store off shore? To make sure this doesn't happen again?
> a U. S. provider of e-mail services must disclose to the Government electronic communications within its control even if the provider stores the
The requirement to backup, preserve or disclose is exactly the current requirement for data in the US, and only applies after the provider is given notice to produce evidence. It means the provider cannot destroy evidence once compelled to produce it. It doesn't mean you are required to preserve data "just because".
It also only applies to data > 180 days old.
It was news when he asked questions in 2016 for the first time in 10 years: https://www.npr.org/sections/thetwo-way/2016/02/29/468576931...
It is not a ruling on whether the US government can access other data stored by US companies abroad.
The original case started because Microsoft argued that the US Government has no right to access data stored abroad, because that would give unprecedented access to non-citizens' data. The government argued that it did.
I've been a web user since the early 90s and I honestly think that we are going a little astray from the original spirit of the web. Back then, it didn't matter what you posted, anonymity was the default and people used to say that no personal information should ever be shared. This move by the United States government feels like they are crossing the Rubicon towards a highly regulated and almost dystopian view of the web.
It is my opinion and I think a lot of others on HN would agree that privacy should be the norm. Certainly, law enforcement has a right in some cases to extra information but when governments are able to reach across the ocean and pluck personal data from each other then there is a serious problem. This happened to my friend who ran a startup in the financial sector who was compelled to reveal a user's data. There was no recompense for him as he didn't have the resources of a big company like Microsoft at his disposal.
Tech companies and law enforcement should have more of a conversation about these issues before they are forcibly put into law.
Here's a decent overview: https://columbialawreview.org/content/international-comity-i...
The critical thing to realize is that countries are not bound by other countries' laws, only by agreements they make with each other (or ones which are militarily forced on them).
Given that this flies in the face of the traditional US approach to extraterritoriality, and the EU is implementing GDPR, I'd be very surprised if this weren't heavily circumscribed in the future.
Those were easier times, but they also limited the usefulness of the medium. If it can't affect peoples' lives, it cannot be beneficial for them. Conversely, if it can be beneficial, it can also hurt them.
E-Commerce is the most obvious example: it's incredibly useful to do business online. But it's obvious that such economic activity will invariably lead to scams and frauds.
Having established that real things now happen online, the question becomes what to do about it. "Leaving the internet alone" in that context cedes all power to those with the most technical ability. That's a rather arbitrary distribution of power, and I'm not sure people would enjoy the outcome, long-term.
For better or worse, democracy and governments have long been the tool to decide and enforce the rules of societies. It's not entirely clear why that model should change just because it is "..., but online!". And for all the faults of the US' democracy specifically, it's still far more legitimate than the CXOs of Google, Facebook, Netflix, and Comcast.
Not true: https://motherboard.vice.com/en_us/article/vbxxxd/unlock-iph...
The beauty of tech is how quickly things change and move. In a mere 2 months, I've completed the entire front end of an app, solo.
The moment a programmer deals with government regulations, you require lawyers, not hobbyists.
Just think how much less toxic Reddit would be if there were no anonymity and employers, parents, and neighbors could see what people are really thinking about.
Also, privacy is not anonymity.
Is there any new data?
"Campaign targets Apple over privacy betrayal for Chinese iCloud users"
Then the cherry on top was Apple removing the VPN apps from their store in China and cutting their users off at the knees in being able to protect themselves.
"Apple removes VPN apps from the App Store in China"
EDIT: it also appears asymmetric. I doubt a French court can issue a warrant that forces OVH to turn over data stored at their Canadian data centre (similar with OVH and Finland).
It's important to note that United States v Microsoft involved a US company (Microsoft) controlling and storing data (emails) on behalf of a US citizen. The emails were physically stored on a server that was located in Ireland. MS argued that a US judge doesn't have the authority to issue a warrant for data that is stored outside the United States and the FBI needed to go through cross-border channels.
I haven't read the bill but everything I read about the CLOUD Act seems to indicate that the act is meant to apply to US companies and US persons, not to foreigners as a rule. It's an extremely unjustified jump to conclude that "all data stored at any of the large cloud providers fall[s] under US jurisdictions." Unless you have more information than me that you aren't sharing.
On the other hand: GDPR.
All countries try to pull the same moves on the internet, from Russia to Pakistan to the US and Europe. The difference is that a small market has little leverage. The EU already has data-retention laws that could be extended, and at that point any EU government would have quite a lot of leverage. It's politically unpalatable for now, but things change.
It generally doesn't grant access to prosecutors, it tries to protect consumers and can lead to fines in case of violation.
Similarly, a US company could relocate to Iceland and thumb its nose at the PATRIOT Act and so on, but then "good luck doing any business" in the huge US market. The principle is the same: big markets can impose rules that more or less the entire world ends up following.
The real leverage it has is the base of US users.
So for example, there is a major difference between the FBI vs the state of Washington vs the FISA courts asking/compelling the data. The fact that the data is on US soil, by definition means the US govt has fewer roadblocks to direct access.
1.) What 18 U.S.C. §2701 et seq. actually now says is that if you are a service provider in the US, you must have a backup of any record of your customers in the US. So if you use a cloud service that is situated outside the US, you still need to produce a backup in the US.
2.) The case is to be dismissed as mooted, because the government applied for a new warrant that replaced the original one. So the case has new grounds.
> A human being doesn't have to do it. It is a robot.
> A human being in, let's say, Redmond tells the robot -- it sends the robot instructions.
What does he mean by robot? Is this just software, or does an actual machine have to go spin up some servers in storage?
I feel like something about the use of the term seems to imply more than just "software". Is there a legal advantage to using this word instead of "the program" or "software"?
I wonder if a similar system is used for AWS Glacier..
So anyway, the only option for those who want protection against warrants is to hide. Sure, go with providers in places that are more privacy friendly. But that can't be the only defense. At this point, I believe that the best option is local encryption, plus network connectivity through nested VPN chains plus Tor.