U.S. Cloud Act is raising concern about extraterritoriality (bloomberg.com)
216 points by DyslexicAtheist 26 days ago

I think this CLOUD Act will basically force internationally operating US companies to split up into a US part and an EU part. This law makes it impossible for any company with access to personal data of EU citizens to obey both US and EU law. The only solution seems to be to ensure that they are two different companies. The other option is to abandon the EU market.

What still surprises me is that nearly all of the major cloud companies are based in the US. Microsoft, Amazon, Netflix, Google, Apple, all of them US companies. If ever a law is going to create some EU competitors, it's the Cloud Act.

The other option is that either the US or the EU is going to water down their law. I'd be really sad if it's the EU, because that would legitimise and strengthen other countries' extraterritorial grasp over non-citizens' data. Like China with Huawei.

> The only solution seems to be to ensure that they are two different companies.

If the EU company is a subsidiary of the US company, then it will have to follow its orders and won't really be separate.

Furthermore if people based in the USA have physical access to the servers located in the EU, then if the US government wants that data, it will probably be exfiltrated to the USA, regardless of what EU governments want.

The solution is for EU governments to have control over their own computing infrastructure. This obviously includes cloud computing and datacenters. But it also needs to include operating systems and chips, because otherwise the risk of a foreign power putting a backdoor in them is too great.

Ditto for all countries, of course.

>> If the EU company is a subsidiary of the US company, then it will have to follow its orders and won't really be separate.

Accenture and other US consultancies with global operations faced this problem when bidding for government contracts. They created a global parent corporation (in Accenture's case it was Luxembourg and in many cases it is Bermuda.) The US portion of the business is owned by the global parent. The EU portion of the business is owned by the global parent as well. Same for other subsidiaries.

Here lies humanity, they tried to do the same things 15 different ways and squandered their resources doing so.

(Not saying you’re advocating for this, just that it is the current plan it seems)

> Here lies humanity, they tried to do the same things 15 different ways and squandered their resources doing so.

Polities that don't retain control over their computing infrastructure will in the future have effectively ceded independence to others.

Because controlling the full stack from silicon to cloud services is expensive (fabs can cost c. $20 billion), this has geo-political implications: namely that in the future there will only be a small number of loci of independent power. The USA will be one, China another. Does Europe want to make itself a third, or will it be content to be subservient to others?

The EU won't be content with it, but they still won't do anything about it.

Why not?

Safe Harbour was shot down after the Schrems case.

Google and Facebook are being taken to task currently.

The huge fines for GDPR violations will come if the companies cited as in breach of the regulations fail to do what the EU asks.

The EU is doing a lot. Just because it can't act with immediacy it doesn't mean nothing is happening.

Humans are good at building houses and have many standard plans detailing how to do so. Yet we still hire architects to design custom homes.

I’m ok with that. Efficiency doesn’t always need to be the end all goal.

That does seem to be a common occurrence when there is a sufficiently large number of people. I work for a large Fortune 150 company. At least once a year a new department is created that duplicates what my department has been doing for 15 years. Inevitably someone who knows of us tells the other group and they get in touch with us to find out what we actually do. I can't tell you how many meetings I've been in where the other group finds out that we already do 100% of what they've been tasked to do. They always look at each other with expressions of confused disbelief, wondering what they are supposed to do now. Sometimes they find some niche (on occasion we've thrown them some scraps of things we used to do that we no longer have any interest in pursuing), usually they are quickly dissolved. The worst was a group that had existed for more than a year and had already spent millions of dollars, only to be dissolved as soon as higher ups found out they existed and were trying (unwittingly) to duplicate our mature solution.

Well, yes. Merely duplicated effort is a great improvement over last century's plan to be able to destroy civilization at 45 minutes' notice.

Speaking of which, I believe Pakistan had two mutually distrusting nuclear weapons programs, reflecting the internal conflicts between parts of the state security apparatus.

Here stands humanity, they tried to do the same things 15 different ways as a way of figuring out what was best for various situations.

And then there were 16: https://xkcd.com/927/

Humanity built the tower of Babel, all speaking one language, and was struck down and fragmented for their hubris.

>> If the EU company is a subsidiary of the US company, then it will have to follow its orders and won't really be separate.

Maybe the US company could be a holding which would "only" own 100% of its independent EU subsidiary (which would be its own legal entity, reporting in EU)?

The question is: does America care about international law and treaties or will they just do whatever they want? Ten years ago I knew the answer to this question. Today not so much.

This is why the EU should hedge its bets and keep the door open for Chinese companies.

Ten years ago the answer was also no, but with a bit more lip service.

The US hasn't bothered with such things as the ban on landmines, the ICC for war crimes, and the U.N. convention on rights of the child. The U.S. is only interested in law that binds other countries.

> Ten years ago I knew the answer to this question. Today not so much.

10 years ago, the NSA existed. Now the NSA exists.

The USA, like other big powers, is going to want to try to get access to information and computer systems.

> This is why the EU should hedge its bets and keep the door open for Chinese companies.

You appear to be saying that because the USA gets its hands on Europe's data, Europe should let China do so as well. That doesn't make sense to me, so I wonder what it is you are saying.

Ah yes, the Chinese, those paragons of upholding international laws and agreements. They certainly won't end up just doing whatever they want to do.

The USA is by all accounts a 'rogue' state by its own definition of the term (China is too).

It doesn't abide by international conventions or laws, it engages in wars of aggression, it bullies smaller nations into accepting laws and trade agreements favourable to itself. It pushes crap like the DMCA globally.

Of course it doesn't care about international law.

Superpowers get away with this for a time, until everybody else wises up to the fact that nobody is following the rules.

Good luck trying to explain this to EU politicians. They'll just cry and demand to know European competitors to those services.

> The only solution seems to be to ensure that they are two different companies. The other option is to abandon the EU market.

> What still surprises me is that nearly all of the major cloud companies are based in the US. Microsoft, Amazon, Netflix, Google, Apple, all of them US companies. If ever a law is going to create some EU competitors, it's the Cloud Act.

Given that e.g. AWS alone "owns"/operates two regions in China and several GovCloud regions, at worst it'll have a slight impact on these cloud providers' business via mainly legal and not technical changes.

What it will do is show the Privacy Shield agreement is a farce, and the US cannot be trusted in these matters - well, hardly new insights, with things like ICANN et al, but these things were largely left unsaid. I suspect US foreign politics and their image will be harmed more than any of these cloud companies.

The AWS Chinese regions were handed over to a Chinese operator. They're "AWS Regions" in name only.

Precisely. But the code deployed there seems to offer the same functionality as other regions, right? So this is a legal/business trick, not a technical challenge.

The Microsoft response was to have a separate German trustee be the ones that held the data, and MS have access to the data as needed (but I guess MS could not just hand it all over to the US government when demanded to) https://azure.microsoft.com/en-us/global-infrastructure/germ...

"All customer data and related systems reside in Germany Controlled by a German data trustee"

Microsoft Cloud Germany with its trustee model isn't accepting new customers, you'll have to wait for their new regions that are only coming at the end of the year: https://news.microsoft.com/europe/2018/08/31/microsoft-to-de...

But those new German regions will be controlled by Microsoft, so they fall under the Cloud Act.

I don't think it will necessarily create a lot more competition inside the EU. All of those companies already have European data centers; surely it would complicate some technical deployments, but definitely not more so than the effort their legal, HR, accounting and other divisions already have to go through to comply with local regulations. I assume those companies already have multiple legal entities for all sorts of reasons.

I guess all companies ought to start tagging data with a jurisdiction tag of sorts now, if that data doesn't already come with a clear location indicator.

Of course it will, they were already bordering on it before that (see specifically Microsoft USA arguing it could not access Microsoft Ireland data when the US court told them to, which directly leads to the new situation)

Wouldn't the cloud act also apply to subsidiaries? I'd be surprised if the giants can at the same time split (for the purposes of the cloud act) and stay one coherent entity with central steering.

I suppose that's going to be the big challenge. You'd want a structure where neither company controls the other, yet they still have every incentive to cooperate closely.

Maybe they should each own 49% of the other's stock?

The same lawyers who invented the Double Irish Dutch Sandwich can start working on this problem.

But someone's gotta own the other 51%. However, you could split it into 3 companies spread across 3 countries each owning 33% of each other. Thus, no company has a majority share.

I talked to a lawyer specializing in data protection a couple of years ago, and according to her, the problem is already there - you cannot satisfy both the GDPR and US law that requires that the US government can snoop whenever they want to.

Currently, the companies are getting away with it, but with people like Max Schrems, they might not be able to in the long run.

The European Commission's own view on this is here https://www.supremecourt.gov/DocketPDF/17/17-2/23655/2017121...

The situation you describe (companies "splitting") already exists, and it's also already not a good guarantee of actual privacy. I'm not convinced that this is any kind of solution.

As of today we have cloud offerings of for instance azure completely separate from the US companies due to this.

Here in Norway we can get the complete azure offering from a company called Evry using azure stack [1] and there is a data centre like this in Germany too at least that I know of, probably many more.

And sectors like government and banking are required to use them and not the parent companies offerings, especially if it contains PII.

If this goes on I suspect a lot of the revenue US tech companies see today will disappear even if (for now) most run the licensed version of azure stack and the like.

[1] https://www.evry.com/en/what-we-do/key-services/evry-cloud-s...

The German one at least was cancelled recently [0] (source in German).

[0] https://www.heise.de/newsticker/meldung/Auslaufmodell-Micros...

Outside of the government sector it seems like these laws are to make sure that the data is within legal jurisdiction, and has nothing to do with privacy.

Banking data is at least considered to be "important" enough to keep within the borders too, but privacy is important too in regards to GDPR. How do you prevent unauthorized access to the data (i.e. the US government) with the cloud act? Do you report those requests as a breach? There is really no difference between that and having the servers hacked in other ways.

Banking data is important because the police and tax authority wants to make sure they have access, privacy doesn't really come into play here. It's a nice side effect, though. It's the same with accounting data.

When it comes to GDPR it only talks about where and by whom data is processed, it doesn't really put any restriction on storage, except for some pretty vague (on purpose) requirements about data protection (read: encryption).

Storage is processing.

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

But if the US government accesses PII without authorization via the cloud act, wouldn't it count as a data breach when it comes to GDPR?

Then they should be getting encrypted or pseudonymised data, if you are following the regulations.

For services like AWS you can argue that they should be able to get ahold of these encryption keys, but most data protection authorities seem to think this is good enough.

Encryption is useless when you store the keys on the same infrastructure. The U.S. may ask for keys as well.

Even if you would store the keys on a local service at some point your data will lie/transition decrypted on the remote hardware.

It's not a good idea at all to use hardware controlled by a hostile government regardless of what kind of encryption you plan to use.

> Encryption is useless when you store the keys on the same infrastructure. The U.S. may ask for keys as well.

Are you claiming HSM are unsafe?

> Even if you would store the keys on a local service at some point your data will lie/transition decrypted on the remote hardware.

Well no. You have TPM and HSM which should solve this problem sufficiently. Even hardware tokens for crypto, e.g. Nitrokey and/or YubiKey, should be sufficiently safe for most use cases.

> It's not a good idea at all to use hardware controlled by a hostile government regardless of what kind of encryption you plan to use.

It depends. You shouldn't host anything at any "hostile government", but who is the hostile government? Is this a hostile nation based on a threat model for your company? Or is this your personal opinion?

Once the attacker gets physical access to your device/computer all bets are off. Not to mention if "your device" is actually provided by a hostile party (i.e. Amazon/Microsoft in collaboration with various US agencies).

A government/state is hostile if it breaks the laws designed to protect the citizens and their freedoms (i.e. privacy). I believe it's obvious by now that the U.S. government seeks not only to apply its justice system over sovereign states but also to control the politics and get strategic information, even from its "allies".

What's your threat model here? Who's the actor you're protecting yourself from?

A government/state acting under its own laws is still acting under a law, so they would never have physical access to something like an HSM located in a DC on another continent. Or even your laptop that's sitting in another country.

A government/state acting around the law makes any discussion about laws superfluous. They will go around them anyway, as per the premise.

> A government/state acting under its own laws is still acting under a law, so they would never have physical access to something like an HSM located in a DC on another continent.

A government’s own laws may restrict what it can do outside of its own territory, but those restrictions, if they exist, don't always include following local law, and so it's entirely unjustified to conclude that a government acting under its own laws would not have the described access.

What I meant is if the US government wants to access data in a German datacenter it can either try via a warrant which I imagine would not be legally enforceable in the EU (at least not without the cloud provider breaking EU law), or via hacking which makes any law irrelevant.

The cloud providers provide the access controls for the HSM. Why break the encryption when you can just come through the front door?

That's not how HSMs work or they would be totally useless.

Short of a hidden vulnerability or a manufacturing defect there's no "official" way to physically access data from the device without destroying it. And accessing the data the normal way still requires access the cloud provider doesn't have (a certificate password for example).

If we're talking hackers that could successfully hack an HSM, they don't really care about laws. And if we're talking about acting under some law, that law has to compel the owner of the password to give it up. Not the cloud provider.

So your threat model includes the cloud provider?

It’s the other way around, the Europeans want to be able to snoop in the data. They don’t care if your data leaks to the US, as long as they have access themselves.

Well, no, we do care if the data leaks to the US; the ECJ struck down the Safe Harbour Decision, and there are many critics of the new "Privacy Shield".

Didn’t Russia require something like this back in 2016 or so? All data pertaining to Russians had to stay in Russia?

Yes, it was ostensibly about privacy but the actual compliance requirements align with jurisdiction and access rather than privacy.

> We can now finally announce that, together with Dell EMC, and as one of the first companies in the world, successfully deployed a customer-ready, production version of Azure Stack.

If they're working with Dell EMC, an American company, then it's still the exact same issue.

One step at a time. Having physical control over data definitely is an improvement. Not everyone believes conspiracy theories about spy microchips in mainboards.

Microsoft Euro branch is still subject to US law. The US can still seize your data.

Yes, that is why you use azure stack and not azure. It's a licensed version of the software that you can run completely independent of Microsoft.

Licenses usually include provisions for being disabled if the parent country requires it. See what happened to Iran when the US levied sanctions.

Disabled != data changes hands.

Usually you want that unless you don’t and you don’t here :)

> believes conspiracy theories about spy microchips in mainboards.

You mean not everyone believes the cold, hard truth?

That's unfortunate, because most of us here saw the evidence of this taking place.

If you're talking about Intel ME, just use AMD or ARM.

I thought there is a great level of control over these and none of these run Minix and connect to the network. The actual functionality that ME is supposed to provide is purposeful.

No one outside of Bloomberg has seen any evidence of mainboard spy chips. You must be thinking about CPUs.

No, I'm thinking about what we read in the Snowden leaks (if you bothered reading them).

I did read them. Which part are you referring to? If it is GODSURGE then it is malware in the BIOS used by the NSA. I have seen nothing about China spying via motherboards, outside the propaganda hit piece Bloomberg wrote which everyone (even FBI and Amazon, etc) dismissed as total bullcrap.

Interesting. Can you provide a source?

How is that a chip in a mainboard? The mainboard story was a propaganda piece in Bloomberg aimed at China.

Afaik the processor is a chip on the mainboard. I personally don't care which part of the mainboard carries the backdoor.

With respect, what you linked to is a conspiracy theory that the ME is used in ways other than explicitly stated by Intel and unsupported by any evidence other than allegation.

"Can be used in ways other than explicitly stated" quickly turns into "is used": "https://hackaday.com/2017/12/07/another-defeat-of-the-intel-...

"The Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that can't be ignored." - Hackaday

A part of my machine which I have no control over and which I cannot remove is a backdoor. Some would call that even malware. I don't care whether it has been solely used for the intended purpose which I can't even verify.

The Snowden leaks.

We saw photographs of this taking place in what looked like an assembly line or distribution centre, along with accompanying text from internal NSA presentation slides.

That cloud thing is overhyped. The "Cloud" will never swallow the budget and mid-tier hosting industry for purely economic reasons.

Uncle Liu hosting Co. and AWS are the same things underneath, running mainstream x86 hardware, and both buying from mid-tier OEM server assemblers.

The days of people buying $10k Dell servers are gone, and one's ability to capitalise on undercutting major hosters by buying directly from OEMs is gone too, because every large-scale hosting co began doing the same.

Cloud is not purely hosting, it's the services on top, the benefits of the company behind it. I don't know the statistics but probably bigger companies will pay a premium knowing that it's Amazon doing the hosting and not 10 different Uncle Lius.

> the same things underneath, running mainstream x86 hardware

Maybe not for long. Some providers (Amazon, Google) are working on their own processors.

If complying with CLOUD act would infringe on EU citizens rights, is there any legal reason why EU regulator should not fine a company that is infringing EU laws?

We, Europeans, should follow our laws to their full extent and fine infringing companies with full power. No matter on whose request they break our laws. Be it Russians, Chinese, Australians or Americans.

I agree. Companies need to find a way to operate within the law, or not operate. Throwing your hands up and saying it’s too hard is not an acceptable answer.

I'm not sure how I feel about this argument in light of article 13 of the EU's new copyright directive. Legislators also have a responsibility to make laws that are reasonable and possible to obey.

It is possible for companies to obey the Cloud Act, but as far as I can see, only by choosing between operating in the US and operating in the EU. If that's considered unreasonable, then it's a bad law.

A company choosing to operate in multiple jurisdictions with competing/contradicting laws does not put a requirement on lawmakers to make the laws more amenable to the company trying to satisfy both jurisdictions. If you take that path, consumers end up with little protection under the law.

Maybe the company should split up operations, or operate under licensing agreements with foreign companies rather than thwart the will of the people who they seek to fleece.

You're right, it's not the government's job to protect business models, particularly if they are considered harmful. A sensible government would probably want a healthy environment and market for companies to operate in, but exactly what that means is clearly something on which governments can radically disagree.

So I admit that the US is entirely within its rights to create a law that makes it impossible for cloud providers to simultaneously operate in the US and the EU.

It'd still be sad though that the two major democratic power blocs in the world can't agree on something like this.

You're right, it's not the government's job to protect business models, particularly if they are considered harmful.

That's a convenient way to pass the buck, but the reality is that this is why we can't (any longer, lawfully) have nice things.

It's particularly hypocritical in this case that the EU itself is a facilitator of its member states' security services getting access to personal data in ways that would otherwise clearly violate its own privacy laws, yet it objects strenuously when other countries do exactly the same thing. There is no principled ethical argument at stake here. It's all about who has the power and everyone trying to grab more of it than they're really entitled to, instead of acting like grown-ups, recognising the limits of their own authority, and collaborating with others in areas of genuine mutual interest when there is wider international agreement on certain principles.

Perhaps we need another exercise in shutting everything down, to show how much the general public and the businesses in each place stand to lose if this chest-thumping carries on. Just choose a random week and then firewall off every US-based social network in Europe, fine any US-based financial services businesses that do any sort of data processing of EU individuals, and so on. And then a few years later, once the inept politicians have been replaced and when the catastrophic economic damage caused in just that one week has started to heal, maybe we can get back to a more sensible approach to the whole issue of international relations in the age of global communications.

I'm not sure how I feel about this argument in light of article 13 of the EU's new copyright directive. Legislators also have a responsibility to make laws that are reasonable and possible to obey.

And the GDPR.

And the proposals to force payment service providers to report or even automatically collect and remit taxes that the EU decides are due.

I'm not fan of the US government's invasions of privacy, but it is the height of hypocrisy for the EU in 2019 to complain about a foreign government attempting to enforce its laws extra-territorially.

No. They just stash the fine as an operating cost. Every bank has been doing this for decades.

>Throwing your hands up and saying it’s too hard...

Sounds like the "not operate" option.

I hope this bites US cloud service providers hard. They need a strong blowback against their cowardly support for the Cloud Act in the US.

Microsoft, for instance, was suing the US government over its abusive NSL-enabled secret data requests, which made up almost half of the data requests the gov was making to Microsoft.

But then Microsoft decided to drop the lawsuit and support the Cloud Act, which may have taken the actions of the US government from the shadows and into the light (somewhat), but it didn't really change the outcome of those actions. I imagine Microsoft and other cloud providers supported it because it gave them more legal cover. Well hopefully they'll live to regret that mistake with the EU blowback now.

I also think it's just a matter of time (a year?) until the Privacy Shield will be invalidated by the top EU court, and then a new much stricter agreement will have to be made that will make all but impossible data transfers to the US.

The EC is also to blame in this whole thing, because for some reason they decided to once again compromise with the US government on the type of EU-US data exchange deals they were making (which somehow always seem to go one way, from the EU to the US), because they gave the US gov the benefit of the doubt and thought the US gov would act in "good faith." Hopefully by now they've realized their error in thinking that.

Ok, so there should be reciprocal European law: any company operating in the EU must provide access to the EU authorities (all countries) any data managed by it and stored in any country in the world (so including US data stored in the US), otherwise it would get big fines or interdiction to operate in the EU. (PS: I don't want that, it should work like extradition but with real reciprocity)

Just look at the new HoloLens: It uses the cloud in order to analyze the objects in front of you at your office, your house or whatever on real time.

Combine this with companies like Apple tracking your pulse in your clock (that gives them knowledge about your deep emotions and activities in real time).

Add companies like Google that track your phone, your car(with the maps abilities) on real time.

Add to this companies that track what your friends are doing on real time: https://www.apertus.org/facebook

This gives the US secret services more control over people than Stasi had. With the difference that they control all the people in the world. Too much power with so small oversight.

> Apple tracking your pulse in your phone (that gives them knowledge about your deep emotions and activities in real time).

Health data is encrypted to a point where Apple can't read it:


> Health data can be stored in iCloud. When configured for iCloud storage, Health data is synced between devices and secured by encryption that protects the data both in transit and at rest.

It says data is encrypted in transit and at rest; it does not say that data is E2E encrypted. That's a big difference. They could (and probably are) just be using TLS and disk encryption.

> Health data is encrypted to a point where Apple can't read it

Apple controls the encryption keys and the underlying OS. If the user is not in control of the encryption, then it's nothing more than a pinky-promise that they won't peek at your data, for example, if a new management team takes over tomorrow.

For many people this is a reasonable risk. If they pulled something like that it would start a huge legal battle, and it would seriously harm their reputation. I suspect that pushing out a change of this sort would also require a system update, which you could always delay until it's been carefully vetted by others.

At least with Apple you can maintain a fairly small chain of trust, since they have greater control over their hardware. Being in control of the encryption keys is unlikely to protect you from hardware backdoors or state-sponsored attacks.
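The sub-thread above turns on one question: who holds the decryption key. "Encrypted in transit and at rest" means TLS on the wire and a provider-managed key on disk, so the provider can still produce plaintext when compelled; client-side encryption with a key the provider never sees leaves the provider with nothing but opaque bytes to hand over. The following Go program is an added example written for this page, not code from any commenter, Apple, Microsoft or AWS. It models both custody arrangements with real AES-256-GCM from the standard library; the store and client types, the `ComplyWithDemand` method and the sample health record are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is the only thing either storage model ever writes to disk.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext followed by a 16-byte authentication tag
}

// NewKey returns a fresh 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with a random 96-bit nonce.
func Seal(key, plaintext []byte) (Blob, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts a Blob; under any other key GCM's tag check fails and it returns an error.
func Open(key []byte, b Blob) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// ProviderManagedStore models "encrypted in transit and at rest": the customer uploads
// plaintext (over TLS, not modelled) and the provider encrypts it with a key the
// provider itself holds, as a provider-run KMS would. Hypothetical type for this example.
type ProviderManagedStore struct {
	key   []byte
	blobs map[string]Blob
}

func NewProviderManagedStore() (*ProviderManagedStore, error) {
	key, err := NewKey()
	return &ProviderManagedStore{key: key, blobs: map[string]Blob{}}, err
}

func (s *ProviderManagedStore) Put(name string, plaintext []byte) error {
	b, err := Seal(s.key, plaintext)
	if err != nil {
		return err
	}
	s.blobs[name] = b
	return nil
}

// ComplyWithDemand is what the provider can hand over when compelled. Because it holds
// the key, that is the plaintext; disk encryption never stood in the way.
func (s *ProviderManagedStore) ComplyWithDemand(name string) ([]byte, error) {
	b, ok := s.blobs[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	return Open(s.key, b)
}

// CiphertextStore models client-side (end-to-end) encryption: the provider receives
// Blobs only and holds no key material, so a demand can obtain nothing beyond Get.
type CiphertextStore struct{ blobs map[string]Blob }

func NewCiphertextStore() *CiphertextStore { return &CiphertextStore{blobs: map[string]Blob{}} }

func (s *CiphertextStore) Put(name string, b Blob) { s.blobs[name] = b }

func (s *CiphertextStore) Get(name string) (Blob, error) {
	b, ok := s.blobs[name]
	if !ok {
		return Blob{}, errors.New("no such object")
	}
	return b, nil
}

// Client keeps its key on hardware it controls and encrypts before anything leaves it.
type Client struct{ key []byte }

func NewClient() (Client, error) {
	key, err := NewKey()
	return Client{key: key}, err
}

func (c Client) Upload(s *CiphertextStore, name string, plaintext []byte) error {
	b, err := Seal(c.key, plaintext)
	if err != nil {
		return err
	}
	s.Put(name, b)
	return nil
}

func (c Client) Download(s *CiphertextStore, name string) ([]byte, error) {
	b, err := s.Get(name)
	if err != nil {
		return nil, err
	}
	return Open(c.key, b)
}

func main() {
	record := []byte("constructed sample: resting pulse 58 bpm") // constructed, not real data
	pm, _ := NewProviderManagedStore()
	_ = pm.Put("health", record)
	leaked, _ := pm.ComplyWithDemand("health")
	fmt.Printf("provider-held key: demand yields %q\n", leaked)

	cs := NewCiphertextStore()
	c, _ := NewClient()
	_ = c.Upload(cs, "health", record)
	blob, _ := cs.Get("health")
	_, err := Open(pm.key, blob) // the provider's own key is useless against client-sealed data
	fmt.Printf("client-held key: demand yields %d opaque bytes; provider key fails: %v\n", len(blob.Ciphertext), err)
}
```

The second model is only as strong as the claim that the client key never reaches the provider: an HSM or hardware token that holds the key is the usual way to make that claim checkable, and the moment the provider is also the one that ships and updates the client software the "pinky promise" noted above reappears at a different layer.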

Is there a good European cloud provider?

There’s https://upcloud.com/ from Finland. They offer basic virtual machines at OK prices with some pretty fast disks.

Hetzner and OVH do cloud offerings, though they are more experienced in real hardware and shared hosting than actual cloud. The prices are competitive with AWS IMO.

For Hetzner: https://www.hetzner.com/cloud

What I like most about their service is the intuitive user interface and API. However, the downside is probably that they offer little more than virtual machines and storage. But for my projects, those things are completely sufficient and I am very happy with their service.

I worked with AWS too but always hated it, because it takes so long to learn how they are doing things. Not because I am unfamiliar with the concepts, but because they seem to do things unnecessarily complicated (UX wise). Sometimes I ended up using CLI tools for AWS because they were more accessible and haunted by fewer bugs than their GUI.

Personally, I prefer to build my stuff on top of baremetal. It costs more in personal/sysadmin time but you own the end result and it's less easily shut down by an overzealous AI at AWS HQ deciding you're a risk or competitor.

That plus OVH and Hetzner aren't US corporations, my money and trust stay in Europe where they belong.

Yes but sadly very expensive when compared to Linode or Digital Ocean.

I'm not sure I understand the claim that we are "very expensive" :)

Linode 4 GB -> $30/month; Exoscale Medium (4 GB) -> $34/month.

However, Exoscale is ISO certified, will handle European VAT, and lets you scale storage independently. We also don't overcommit our servers, so you actually get what you pay for.

Sure, if you need an absolute minimum cost VM in a non-enterprise setting, you'll find cheaper at American companies. Nobody will dispute that :)

Disclaimer: SSWE at Exoscale.

No need to leave EU for the absolute minimum cost, with Hetzner nearby and others.

That's somewhat true, I should have s/American/other/

Exoscale has the best support and privacy of any of the cloud providers. They also offer more enterprise features like prepaid accounts (with proper invoices!) that Linode doesn't offer.

We've used their services happily and would recommend them to others.

We have been caught in the middle of a big screw-up Exoscale did - they managed to rebuild a RAID array wrong, and lost all data of one of our boxes. That said, they have been very open and quick to respond and explained what happened in great detail, so we will keep on using their services.

If you want bang for your buck, Contabo (Germany) might be for you. If you want reliable service, Leaseweb is based in the EU (Netherlands). There's also OVH (French) which provides decent service with their cheaper subsidiary Kimsufi (super cheap, older model dedicated servers).

As for companies which I don't know much about quality wise, there's Strato (German I believe), CloudVPS (Netherlands), Hetzner (Germany) and Upcloud (Finland).

I only know about North Western European hosting providers, but I assume there's loads more across the continent.

ByteMark, over in the UK, but given Brexit I'm not sure a mainland company would want to use a company here.

Might be cost effective if the pound takes another beating though.

Given the point of Brexit seems to be “sovereignty” which in turn seems to mean “no foreign courts ever not even for trade deals”, I think that even a 10:1 devaluation of GBP vs. EUR wouldn’t make a post-Brexit UK appealing for hosting EU-27 services. And even my worst-case estimates are not yet beyond 1.3:1 devaluation.

Transfers of personal data to non-EU countries are specifically regulated by Chapter 5 of GDPR. After Brexit, Britain is "foreign" as far as the EU is concerned.

It's also worth noting that a lot of Brexiters consider closer political ties and a strong trade deal with the US as an essential element of their ideal Brexit scenario, by weakening Britain's ties to (and dependency on) the EU. In a no deal/hard Brexit scenario, Britain may lack the negotiating leverage to assert any meaningful kind of sovereignty. Many pro-Brexit campaigners have described Britain as being trapped in vassalage to the EU, but a chaotic Brexit could make Britain just as dependent on the US, with everything that implies politically.

Agreed and that's a terrible outcome as far as I'm concerned.

Politically I'm far more in favour of the EU than the US, the idea that we move further towards the US is horrifying.

If that happens I'm out the door.


A free trade agreement with the US will mean watering down (or 'harmonising' as the spin doctors like to put it) UK regulations to match the US.

I'm using https://www.tilaa.com/en which is based in the Netherlands.

exoscale.com is based in Switzerland, and offers zones in several European jurisdictions as well.

Disclaimer: I work for exoscale.

What is stopping you to provide more managed services? A lot of smaller businesses don't run on Kubernetes. So compute power is not enough for them. They need managed services.

What kind of managed service do you have in mind?

We plan to offer some managed services, but I can't hint at an ETA for that (I don't know myself).

I think we need to communicate more around our roadmap in general.

Scaleway and Hetzner come to mind, although I have no idea how good they are.

I use Scaleway to host a personal Nextcloud [1] instance. I haven't had any issues with them thus far and their instances are pretty darn cheap.

[1] https://nextcloud.com/about/

I don't use Hetzner personally, but they've been in business for a long time and have only heard good things about them. They're cost competitive too.

If you’re asking for a cloud provider that is compliant with data protection laws, Azure is at the moment your best bet. I believe they have some deal with T-Mobile so that the legal entity that operates the data centers is a European company, and the data is out of reach from any US subpoena or similar.

If you’re looking for something more simple, as others mentioned, OVH and Hetzner are OK, although competing on price mostly. If you’re looking for a bit more quality, I can recommend Leaseweb.

Microsoft has already scrapped the trustee model in Germany again: https://mspoweruser.com/microsoft-is-discontinuing-the-germa...

This reminds me of the crypto wars, except this time around it's the privacy wars. We didn't win the crypto wars for nothing, all we have to do is make use of it and we can win this again.

Suppose I, operating in the US, rent some physical storage space in Europe from a European storage company, and then ship a box of documents to them and tell them to put them in my rented storage space.

I don't think there is any serious doubt that a US court or US law enforcement with a warrant would be able to order me to contact the storage company and tell them to ship the box back to me.

The European country the storage unit is in would not see this as some attempt at exercising extraterritorial jurisdiction. To them, it is just a routine interaction between me and a service provider I am using in Europe. That my motive for asking for my box back was to satisfy a court order rather than because I actually wanted to use my documents is irrelevant.

(This works both ways. A French court ordering a French company that had stored physical documents to retrieve those documents would not raise issues in the US if the French company was using a US document archiving service to hold them).

I don't see why there should be any difference between my physical documents that I keep in a box in a Paris storage unit, and my electronic documents that I keep on an Amazon server in the Paris AWS region.

In your example, the US court is ordering you to request the documents. There's no question that the US court has jurisdiction over you.

What about this variation on your example: instead of contacting you, the US court bypasses you and directly asks the European storage company. This is much more questionable, since a US court shouldn't have jurisdiction over a European company.

Funnily enough, in the GDPR equivalent (you, an EU resident, hire a company in the US to store a box for you) the EU bypasses you and requires the storage company to have an effective security guard and fire suppression system...

The difference is that in this case the US considers itself the owner of all data on US and EU citizens alike.

The EU merely says that you cannot store EU citizens' data without the necessary safeguards in place and permissions asked.

This is a very different issue in my view. The US has an inflated sense of entitlement, whereas the EU is being protective and inhibiting of data collection on its citizens by foreign organisations.

Further suppose that I prearrange instructions with the storage company such that they are to ship my documents back to me in the US, only if I ask that they be destroyed, and to ignore any other requests for shipment.

Am I guilty of contempt of court if I do exactly as the court orders, knowing that the only way to accomplish the end the court desires is to do something the court has likely already ordered me to not do? The foreign entity could just as easily have instructions to not release the documents until presented with evidence of my death, then release them to my heirs, or respond only to requests from my lawyer that contain the word "cockatiel".

The only reliable and reasonable way to handle it, is for the US court to request extradition of the documents from the French authorities, and rely upon them to seize the documents and transmit them with clear chain of custody directly to the US court.

If the court is aware the documents exist, and that they lie in a foreign jurisdiction, they have no particular reason to rely upon me for their retrieval. It is dangerous to even try, if I am in any way uncooperative.

Nationalism/Sovereignty vs Globalism/One World Order.

In the past we occasionally had rounds of "harmonization" where countries agree on one set of laws, as with copyright. We'll see what the future holds.

What happens if, say, the EU were to pass a law that no data stored in EU data centres may be shared with non-EU countries? In such a case no company can obey both laws. How will this be handled?

Actually, the EU privacy laws already forbid loads of data being stored in countries where the privacy of that data might not be maintained.

When the US was ruled as not trustworthy enough, the Privacy Shield agreement was quickly thrown together. That's currently why some sensitive information about European citizens is allowed to be stored on US soil.

However, acts like these (Cloud act, PATRIOT act, etc.) make me, as a European, very uncomfortable. I hope the EU will take action against the US. Russia and China already have regulations that certain information can only be stored inside their own country's borders and MS Outlook still works fine; there's no need for the EU to just take crap like this without putting up a fight.


Could you please stop posting unsubstantive comments to Hacker News?

Not before you vote me to a reputation that will prevent me from posting. Before that, I have the same rights and privileges as you with regard to posting.

I'm afraid that's not the case. HN moderators (of which I'm one—sorry if that wasn't clear) ban accounts that keep posting unsubstantive comments. It's just one of the things we have to do in the attempt to keep this site from degenerating too quickly.


Is there a guide on what comment is "substantive"?

