What still surprises me is that nearly all of the major cloud companies are based in the US. Microsoft, Amazon, Netflix, Google, Apple, all of them US companies. If ever a law is going to create some EU competitors, it's the Cloud Act.
The other option is that either the US or the EU is going to water down their law. I'd be really sad if it's the EU, because that would legitimise and strengthen other countries' extraterritorial grasp over non-citizens' data. Like China with Huawei.
If the EU comany is a subsiduary of the US company, then it will have to follow its orders and won't really be separate.
Furthermore if people based in the USA have physical access to the servers located in the EU, then if the US government wants that data, it will probably be exfiltrated to the USA, regardless of what EU governments want.
The solution is for EU governments to have control over their own computing infrastructure. This obviously includes cloud computing and datacenters. But it also needs to include operating systems and chips, because otherwise the risk of a foreign power putting a backdoor in them is too great.
Ditto for all countries, of course.
Accenture and other US consultancies with global operations faced this problem when bidding for government contracts. They created a global parent corporation (in Accenture's case it was Luxembourg and in many cases it is Bermuda.) The US portion of the business is owned by the global parent. The EU portion of the business is owned by the global parent as well. Same for other subsidiaries.
(Not saying you’re advocating for this, just that it is the current plan it seems)
Polities that don't retain control over their computing infrastructure will in the future have effectively ceded independence to others.
Because controlling the full stack from silicon to cloud services is expensive (fabs can cost c. $20 billion), this has geo-political implications: namely that in the future there will only be a small number of loci of independent power. The USA will be one, China another. Does Europe want to make itself a third, or will it be content to be subservient to others?
Safe Harbour was shot down after the Schrems case.
Google and Facebook are being taken to task currently.
The huge fines for GDPR violations will come if the companies cited as in breach of the regulations fail to do what the EU asks.
The EU is doing a lot. Just because it can't act with immediacy it doesn't mean nothing is happening.
I’m ok with that. Efficiency doesn’t always need to be the end all goal.
Speaking of which, I believe Pakistan had two mutually distrusting nuclear weapons programs, reflecting the internal conflicts between parts of the state security apparatus.
Maybe the US company could be a holding which would "only" own 100% of its independent EU subsidiary (which would be its own legal entity, reporting in EU)?
This is why the EU should hedge its bets and keep the door open for Chinese companies.
The US hasn't bothered with such things as the ban on landmines, the ICC for war crimes, and the U.N. convention on rights of the child. The U.S. is only interested in law that binds other countries.
10 years ago, the NSA existed., Now the NSA exists.
The USA, like other big powers, is going to want to try to get access to information and computer systems.
> This is why the EU should hedge its bets and keep the door open for Chinese companies.
You appear to be saying that because the USA gets its hands on Europe's data, Europe should let China do so as well. That doesn't make sense to me, so I wonder what it is you are saying.
It doesn't abide by international conventions or laws, it engages in wars of aggression, it bullies smaller nations into accepting laws and trade agreements favourable to itself. It pushes crap like the DMCA globally.
Of course it doesn't care about international law.
Superpowers get away with this for a time, until everybody else wises up to the fact that nobody is following the rules.
> What still surprises me is that nearly all of the major cloud companies are based in the US. Microsoft, Amazon, Netflix, Google, Apple, all of them US companies. If ever a law is going to create some EU competitors, it's the Cloud Act.
Given that e.g. AWS alone "owns"/operates two regions in China and several GovCloud regions, at worst it'll have a slight impact on these cloud provider's business via mainly legal and not technical changes.
What it will do is show the Privacy Shield agreement is a farce, and the US cannot be trusted in these matters - well, hardly new insights, with things like ICANN et al, but these things were largely left unsaid. I suspect US foreign politics and their image will be harmed more than any of these cloud companies.
"All customer data and related systems reside in Germany
Controlled by a German data trustee"
I guess all companies ought to start tagging data with a jurisdiction tag of sorts now, if that data doesn't already come with a clear location indicator.
Maybe they should each own 49% of the other's stock?
Currently, the companies are getting away with it, but with people like Max Schrems, they might not be able to in the long run.
Here in Norway we can get the complete azure offering from a company called Evry using azure stack  and there is a data centre like this in Germany too at least that I know of, probably many more.
And sectors like government and banking are required to use them and not the parent companies offerings, especially if it contains PII.
If this goes on I suspect a lot of the revenue US tech companies see today will disappear even if (for now) most run the licensed version of azure stack and the like.
When it comes to GDPR it only talks about where and by who data is processed, it doens't really put any restriction on storage, except for some pretty vague (on purpose) requirements about data protection (read: encryption).
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
For services like AWS you can argue that they should be able to get ahold of these encryption keys, but most data protection authorities seems to think this is good enough.
Even if you would store the keys on a local service at some point your data will lie/transition decrypted on the remote hardware.
It's not a good idea at all to use hardware controlled by a hostile government regardless of what kind of encryption you plan to use.
Are you claiming HSM are unsafe?
>Even if you would store the keys on a local service at some point your data will lie/transition decrypted on the remote hardware.
Well no. You have TPM and HMS which should solve this problem sufficiently. Even hardware tokens for crypto e.g Nitrokey and/or yubikey should be sufficiently safe for most use cases.
>It's not a good idea at all to use hardware controlled by a hostile government regardless of what kind of encryption you plan to use.
It depends. You shouldn't host anything at any "hostile government", but who is the hostile government? Is this a hostile nation based on a threat model for your company? Or is this your personal opinion?
A government/state is hostile if it breaks the laws designed to protect the citizens and their freedoms(i.e privacy). I believe it's obvious by now that the U.S government seeks not only to apply its justice system over sovereign states but also to control the politics and get strategic information, even from its "allies".
A government/state acting under they own laws is still acting under a law so they would never have physical access to something like an HSM located in a DC on another continent. Or even your laptop that's sitting in another country.
A government/state acting around the law makes any discussion about laws superfluous. They will go around them anyway, as per the premise.
A government’s own laws may restrict what it can do outside of its own territory, but those restrictions, if they exist, don't always include following local law, and so it's entirely unjustified to conclude that a government acting under its own laws would not have the described access.
Short of a hidden vulnerability or a manufacturing defect there's no "official" way to physically access data from the device without destroying it. And accessing the data the normal way still requires access the cloud provider doesn't have (a certificate password for example).
If we're talking hackers that could successfully hack an HSM, they don't really care about laws. And if we're talking about acting under some law, that law has to compel the owner of the password to give it up. Not the cloud provider.
If they're working with Dell EMC, an American company, then it's still the exact same issue.
You mean not everyone believes the cold, hard truth?
That's unfortunate, because most of us here saw the evidence of this taking place.
"The Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that can't be ignored." - Hackaday
We saw photographs of this taking place in what looked like an assembly line or distribution centre, along with accompanying text from internal NSA presentation slides.
Uncle Liu hosting Co. and AWS are the same things underneath, running mainstream x86 hardware, and both buying from mid-tier OEM server assemblers.
The days of people buying $10k Dell servers are gone, and ones ability to capitalise on undercutting major hosters by buying directly from OEMs is gone too, because every large scale hosting co began doing the same.
Maybe not for long. Some providers (Amazon, Google) are working on their own processors.
We, Europeans, should follow our laws to their full extend and fine infringing companies with full power. No matter on whose request they break our laws.
Be it Russians, Chinese, Australian or Americans.
It is possible for companies to obey the Cloud Act, but as far as I can see, only by choosing between operating in the US and operating in the EU. If that's considered unreasonable, then it's a bad law.
Maybe the company should split up operations, or operate under licensing agreements with foreign companies rather than thwart the will of the people who they seek to fleece.
So I admit that the US is entirely within its rights to create a law that makes it impossible for cloud providers to simultaneously operate in the US and the EU.
It's still be sad though that the two major democratic power blocs in the world can't agree on something like this.
That's a convenient way to pass the buck, but the reality is that this is why we can't (any longer, lawfully) have nice things.
It's particularly hypocritical in this case that the EU itself is a facilitator of its member states' security services getting access to personal data in ways that would otherwise clearly violate its own privacy laws, yet it objects strenuously when other countries do exactly the same thing. There is no principled ethical argument at stake here. It's all about who has the power and everyone trying to grab more of it than they're really entitled to, instead of acting like grown-ups, recognising the limits of their own authority, and collaborating with others in areas of genuine mutual interest when there is wider international agreement on certain principles.
Perhaps we need another exercise in shutting everything down, to show how much the general public and the businesses in each place stand to lose if this chest-thumping carries on. Just choose a random week and then firewall off every US-based social network in Europe, fine any US-based financial services businesses that do any sort of data processing of EU individuals, and so on. And then a few years later, once the inept politicians have been replaced and when the catastrophic economic damage caused in just that one week has started to heal, maybe we can get back to a more sensible approach to the whole issue of international relations in the age of global communications.
And the GDPR.
And the proposals to force payment service providers to report or even automatically collect and remit taxes that the EU decides are due.
I'm not fan of the US government's invasions of privacy, but it is the height of hypocrisy for the EU in 2019 to complain about a foreign government attempting to enforce its laws extra-territorially.
Sounds like the "not operate" option.
Microsoft, for instance, was suing the US government over its abusive NSL-enabled secret data requests, which made up almost half of the data requests the gov was making to Microsoft.
But then Microsoft decided to drop the lawsuit and support the Cloud Act, which may have taken the actions of the US government from the shadows and into the light (somewhat), but it didn't really change the outcome of those actions. I imagine Microsoft and other cloud providers supported it because it gave them more legal cover. Well hopefully they'll live to regret that mistake with the EU blowback now.
I also think it's just a matter of time (a year?) until the Privacy Shield will be invalidated by the top EU court, and then a new much stricter agreement will have to be made that will make all but impossible data transfers to the US.
The EC is also to blame in this whole thing, because for some reason they decided to once again compromise with the US government on the type of EU-US data exchange deals they were making (which somehow always seem to go one way, from the EU to the US), because they gave the US gov the benefit of the doubt and thought the US gov would act in "good faith." Hopefully by now they've realized their error in thinking that.
Combine that with this with companies like Apple tracking your pulse in your clock(that gives them knowledge about your deep emotions an activities on real time).
Add companies like Google that track your phone, your car(with the maps abilities) on real time.
Add to this companies that track what your friends are doing on real time:
This gives the US secret services more control over people than Stasi had. With the difference that they control all the people in the world. Too much power with so small oversight.
Health data is encrypted to a point where Apple can't read it:
> Health data can be stored in iCloud. When configured for iCloud storage,
Health data is synced between devices and secured by encryption that
protects the data both in transit and at rest. H
Apple controls the encryption keys and the underlying OS. If the user is not in control of the encryption, then it's nothing more than a pinky-promise that they won't peek at your data, for example, if a new management team takes over tomorrow.
At least with Apple you can maintain a fairly small chain of trust, since they have greater control over their hardware. Being in control of the encryption keys is unlikely to protect you from hardware backdoors or state-sponsored attacks.
What I like most about their service is the intuitive user interface and API. However, the downside is probably that they offer little more than virtual machines and storage. But for my projects, those things are completely sufficient and I am very happy with their service.
I worked with AWS too but always hated it, because it takes so long to learn how they are doing things. Not because I am unfamiliar with the concepts, but because they seem to do things unnecessarily complicate (UX wise). Sometimes I ended up using CLI tools for AWS because they were more accessible and haunted by fewer bugs than their GUI.
That plus OVH and Hetzner aren't US corporations, my money and trust stay in Europe where they belong.
Linode 4Gb -> 30$/month
Exoscale Medium (4Gb) -> 34$/month.
However exoscale is ISO certified, will handle european VAT, and let you scale storage independently. We also don't overcommit our servers so you actually get what you pay for.
Sure, if you need an absolute minimum cost VM in an non-enterprise setting, you'll find cheaper at American companies. Nobody will dispute that :)
Disclaimer: SSWE at exoscale.
We've used their services happily and would recommend them to others.
As for companies which I don't know much about quality wise, there's Strato (German I believe), CloudVPS (Netherlands), Hetzner (Germany) and Upcloud (Finland).
I only know about North Western European hosting providers, but I assume there's loads more across the continent.
Might be cost effective if the pound takes another beating though.
It's also worth noting that a lot of Brexiters consider closer political ties and a strong trade deal with the US as an essential element of their ideal Brexit scenario, by weakening Britain's ties to (and dependency on) the EU. In a no deal/hard Brexit scenario, Britain may lack the negotiating leverage to assert any meaningful kind of sovereignty. Many pro-Brexit campaigners have described Britain as being trapped in vassalage to the EU, but a chaotic Brexit could make Britain just as dependent on the US, with everything that implies politically.
Politically I'm far more in favour of the EU than the US, the idea that we move further towards the US is horrifying.
If that happens I'm out the door.
A free trade agreement with the US will mean watering down (or 'harmonising' as the spin doctors like to put it) UK regulations to match the US.
Disclaimer: I work for exoscale.
We plan to offer some managed services, but I can't hint at an ETA for that (I don't know myself).
I think we need to communicate more around our roadmap in general.
If you’re looking for something more simple, as others mentioned, OVH and Hetzner are OK, although competing on price mostly. If you’re looking for a bit more quality, I can recommend Leaseweb.
I don't think there is any serious doubt that a US court or US law enforcement with a warrant would be able to order me to contact the storage company and tell them to ship the box back to me.
The European country the storage unit is in would not see this as some attempt at exercising extraterritorial jurisdiction. To them, it is just a routine interaction between me and a service provider I am using in Europe. That my motive for asking for my box back was to satisfy a court order rather than because I actually wanted to use my documents is irrelevant.
(This works both ways. A French court ordering a French company that had stored physical documents to retrieve those documents would not raise issues in the US if the French company was using a US document archiving service to hold them).
I don't see why there should be any difference between my physical documents that I keep in a box in a Paris storage unit, and my electronic documents that I keep on an Amazon server in the Paris AWS region.
What about this variation over your example: instead of contacting you, the US court bypasses you and asks directly the European storage company. This is much more questionable, since a US court shouldn't have jurisdiction over an European company.
The EU merely says that you cannot store Eu citizens data without the necessary safeguards in place and permissions asked.
This is a very different issue in my view. The US has an inflated sense of entitlement, whereas the EU is being protective and inhibiting of data collection on its citizens by foreign organisations.
Am I guilty of contempt of court if I do exactly as the court orders, knowing that the only way to accomplish the end the court desires is to do something the court has likely already ordered me to not do? The foreign entity could just as easily have instructions to not release the documents until presented with evidence of my death, then release them to my heirs, or respond only to requests from my lawyer that contain the word "cockatiel".
The only reliable and reasonable way to handle it, is for the US court to request extradition of the documents from the French authorities, and rely upon them to seize the documents and transmit them with clear chain of custody directly to the US court.
If the court is aware the documents exist, and that they lie in a foreign jurisdiction, they have no particular reason to rely upon me for their retrieval. It is dangerous to even try, if I am in any way uncooperative.
In the past we occasionally had rounds of "harmonization" where countries agree on one set of laws, as with copyright. We'll see what the future holds.
When the US was ruled as not trustworthy enough, the Privacy Shield agreement was quickly thrown together. That's currently why some sensitive information about European citizens is allowed to be stored on US soil.
However, acts like these (Cloud act, PATRIOT act, etc.) make me, as a European, very uncomfortable. I hope the EU will take action against the US. Russia and China already have regulations that certain information can only be stored inside their own country's borders and MS Outlook still works fine; there's no need for the EU to just take crap like this without putting up a fight.