Did Obama Just Destroy the U.S. Internet Industry? (linkedin.com)
592 points by lukejduncan on June 10, 2013 | 277 comments

One of the rather interesting side issues in this whole debate has been how casually the rights of foreigners are tossed aside as secondary to those of American citizens. There is intense debate about whether US citizens' rights are being violated, but almost nobody questions whether there's any moral or ethical issue with completely unrestrained spying on everybody else.

While I understand that this is largely because the legality of the spying hinges on whether US citizens are subject to it, I still find it a rather fascinating aspect.

Absolutely. I remember how in 2001 when the US as the first country ever invoked article 5 of the NATO treaty, within hours all NATO members had followed through with support. And the minute of silence that was held all over Europe for the 9/11 victims. Then we joined them in two wars.

We bought their cell phones, their operating systems and productivity suites, their internet ads, hosting and email services and movies and music. We even let some of their largest corporations get away without paying taxes on the money they made in our countries.

We may not be citizens of their country but we are allies, not terrorists. When it comes to the bad things groups of people, such as governments, do to individuals, whether it's killing, torture, imprisonment with or without trial, surveillance or any other of the misdeeds that seem to have returned from the dark ages, we deserve the same protection as American citizens.

> When it comes to the bad things groups of people, such as governments, do to individuals, whether it's killing, torture, imprisonment with or without trial, surveillance or any other of the misdeeds that seem to have returned from the dark ages, we deserve the same protection as American citizens.

Despite the actions and statements of our government, most of us Americans feel the same way. (It's just that the shitty entitled xenophobes are just so damn loud sometimes...)

You'll note that in our declaration of independence, it states that the rights to life and liberty are the inalienable birthright of every man, endowed by his creator, before it says fuck-all about anyone's government.


No, we're vassals. The USA orders and we obey, whether it's supporting their military machine or handing over information, people, research, or economical advantages. It's a hegemony.

>the misdeeds that seem to have returned from the dark ages

You've been fed propaganda. The crimes have always been there. The USA has always supported tyranny, cruelty, and crimes against humanity if it served its best interests (like every other country, I might add.)

>we deserve the same protection as American citizens

If the government wants someone naked, chained, and tortured in some foreign place, it'll happen. No matter who it is. True? Maybe not (yet), but it's telling enough that it sounds plausible, no?

The poor helpless Europeans, laboring under the yoke of their North American oppressors. Exactly what method is being used to relieve you of your responsibility for your own country?

Um, well, the one-sidedness of how everything is treated? A European boy charged with making a website aggravating an American corporation? Handcuff and to the plane (yep, that was stopped by a court, but still)! An American businessman charged with commanding the murder of a European chief of police? No, sorry, we won't hand you our citizen (search for the case of general Papała).

Even if this is not stated in any treaties, it's simply the practice.

>We bought their cell phones

To be fair, folks in the US bought a LOT of European cell phones first. :)

And to complete the circle (triangle?), nowadays we all but Korean/Taiwanese phones :-)

But not Chinese because lord knows they'll spy on us.


&#! # keyboard autocorrect...

Had to google what article 5 of NATO was:

The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.

Any such armed attack and all measures taken as a result thereof shall immediately be reported to the Security Council. Such measures shall be terminated when the Security Council has taken the measures necessary to restore and maintain international peace and security.

I can't speak for others, but as far as I am concerned, every person on earth has the exact same rights. I see no difference between an American and someone from another country. This informs my stance on all of US foreign policy. To me, spying on an innocent Iraqi or Chinese citizen is just as morally reprehensible as spying on an innocent American citizen. That being said, not all people feel as I do, and you are right, the legality of it all, unfortunately, hinges on how Americans are affected.

At least in most countries, this is just not the way it works, legally.

Every country has different rights for citizens and non-citizens.

For example, the US has held the 4th amendment does not apply to non-citizens who are not "part of the national community" (i.e., if a bunch of Canadians came down and fished every weekend, you could search them however without violating the 4th amendment. If they lived here illegally, you couldn't).

It's not just the US of course, almost all countries are like this (the EU has broader protections for EU citizens than random other people, like US citizens living in the EU).

I don't remember all the details, and I certainly agree with "morally reprehensible", but you are suggesting a "natural rights" based approach, which, while common, is not universal.

> Every country has different rights for citizens and non-citizens.

The rights are inherent in the nature of the situation (i.e., humans living in a social order based on equality of individuals under the law). The scope of the protection of those rights varies from jurisdiction to jurisdiction (and vanishes entirely where jurisprudence is slave to political demagoguery).

The Fourth Amendment isn't the source of the right, it guarantees that the right won't be abridged by government action. As the Constitution is defined by and for the people of the United States, that the protections "guaranteed" (in quotes because the guarantee has to be maintained by vigilance) don't extend to those who are not the people of the United States isn't logically surprising, but can remain somewhat disappointing (politically and ethically).

Your assertion is essentially that all of these rights are natural rights.

This is, as I said, an interesting claim.

I'll point out the irony that the freedoms everyone considers so important didn't even make it in the original document, only the addendum :)

What I am stating is that "rights" are a necessity of creatures like human beings living in societies based on equality under the law. You can have national (and sub-national) jurisdictions that do not honor certain rights, but that doesn't make the concept of rights relative, it makes the ability to judge the jurisdictions by the protections they guarantee, and thus whether they are actually based on equality under the law.

They may be deemed "natural rights" by the nature of mankind living in what I will term "just" societies (where jurisprudence and justice coincide), but they are not "natural" in their springing forth from the natural sciences of physics, chemistry and biology.

There were a number of people involved in the Constitution of the US of A who did not want to enumerate the rights, knowing that they were not the government's to give and receive. The pragmatic reality of the day was a yield to legal codification, since most knew that a government not explicitly bound, was bound to implicitly violate those rights. The escape clauses were (probably, I'll let others debate that) the 9th and 10th amendments.

> For example, the US has held the 4th amendment does not apply to non-citizens who are not "part of the national community"

Could you please provide a reference for this?

United States v. Verdugo-Urquidez - 494 U.S. 259 (1990) at 264-266

From the headnote:

"The Fourth Amendment phrase "the people" seems to be a term of art used in select parts of the Constitution, and contrasts with the words "person" and "accused" used in Articles of the Fifth and Sixth Amendments regulating criminal procedures. This suggests that "the people" refers to a class of persons who are part of a national community or who have otherwise developed sufficient connection with this country to be considered part of that community."

Thanks for this. The OP suggested that non-citizens inside the US aren't afforded the same Constitutional protections as citizens. I believe this is incorrect.

From the Wikipedia article about the case you cited [1]: "...Fourth Amendment protections do not apply to searches and seizures by United States agents of property owned by a nonresident alien in a foreign country. [emphasis mine]"

[1] http://en.wikipedia.org/wiki/United_States_v._Verdugo-Urquid...

It is not incorrect. Heck, it's even been tested on the bar exam as part of the MBE, using the Canadian fishing example I gave, which is a real MBE question based on a real case (I am a bit too lazy to look it up).

This is how the case has been interpreted by every court to follow it. See US v. Guitterez, 983 F.Supp. 905 for a fourth amendment example from the 9th circuit.

Here is another from the fifth circuit: UNITED STATES OF AMERICA v. ARMANDO PORTILLO-MUNOZ (I don't have cite handy)

"Portillo relies on Verdugo-Urquidez and argues that he has sufficient connections with the United States to be included in this definition of "the people," but neither this court nor the Supreme Court has held that the Fourth Amendment extends to a native and citizen of another nation who entered and remained in the United States illegally"

There are something like 2000+ cites to Verdugo, and the general viewpoint of courts so far is as I said it is.

If you've got a court of appeals or SCOTUS cite to the contrary, where a court has held that they do apply, I'd love to see it.

Thanks, I stand corrected. For anyone else interested, The Volokh Conspiracy blog has a detailed post on this very topic:


Right that's the holding, but the dicta suggests that some non-resident, non-citizens (i.e. temporary visitors) also are unprotected by the fourth amendment.

Various lower court decisions have fleshed out what constitutes "substantial connections".

Foreigners don't want equal rights. Just equal protections from the government.

Protection (from harm) is a right granted by the government.

Yes, but that you can identify one right that governments can/should afford non-citizens and citizens alike doesn't mean that's true of all rights. Venomsnake was trying to identify the kind of right that it should be true for.

As a British citizen I have a right to not be tortured by the government (under A.3 HRA1998), and a right to NHS healthcare. The former (a negative right) is one the government should afford to the whole world. The latter (a positive right) is not.

Maybe they should, but they usually don't.

You mean harm inflicted by the government, so it's the Mafia: join our club, or we extort you ... sounds delightful.

Let's leave aside morality and focus on self-interest. Considerations of self-interest make FISA 702 an impressively self-destructive piece of legislation for the US to pass and to see upheld in its courts. And I'm not talking about relatively nebulous things like sapping the US' moral authority to call for Internet freedom and so on, though they should be real concerns for Americans too. This is very straightforward.

The reason that foreigners want to have their contracts adjudicated in US courts, one of the main reasons they buy US real estate or buy US Treasuries and trade the NYSE for much lower expected returns than they would demand elsewhere, is that they have faith in the rule of law in the US. Not perfect faith, but real faith. Not faith in the moderation and good intentions of the US (or CA, NY or MD) government (though they have some of that too) but faith that their US interests are protected in law by things like the Takings Clause of the US constitution - and usually by statute law as well - even while they go on living outside the US as non-citizens of the US. Nor is this something that matters only to foreigners: this trust from foreigners is one of the major pillars of the US' wealth and power. Look at places like the PRC or the UAE http://en.wikipedia.org/wiki/DIFC_Courts which are avidly trying to cultivate an image as a place where your real estate won't be swiped and your court case won't be nobbled to favour a crony.

Now, slowly but steadily, these non-resident aliens (like me) are cottoning on to what FISA 702 means for them. And what it seems to mean is that the rule of law doesn't apply to their Facebook or Google accounts the instant the Federal government chooses to get involved. As a non-lawyer reading FISA 702 http://www.govtrack.us/congress/bills/110/hr6304/text the remarkable thing is that it's not establishing a process where the US government presents a vague counter-terrorism or national-security rationale to a secretive, questionably-independent court. It seems to be a process where the US government can help itself to anything it wants from any specified non-resident alien without even having to state any motivation at all, and in which the FISC court's only role is to confirm that the targets (probably!) aren't US citizens or residents. Does the government feel like doing a spot of industrial espionage on your company's email or file uploads? Sam's your uncle. There aren't any reasons even in principle why the FISC might refuse to issue the FISA order - and the government is spared even the embarrassment of having to state its intentions in court. Your internet company could appeal, but the whole process seems to work on the basis that as a non-resident alien you'll have no applicable Fourth Amendment rights, and 702 seems to clear aside any rights you might have under statutory law ("Notwithstanding any other provision of law"). And in any case what information about the Federal government's interest in you would Google or Facebook have to base an argument on? And once it has your data the US seems to be free to do nearly anything it wants with it - share it with your US competitors? Why not? - unless it tries to take the data to court. (See sec. 106 http://www.gpo.gov/fdsys/pkg/STATUTE-92/pdf/STATUTE-92-Pg178... )

Now it's true that CIA could (and maybe does) attempt to hack the EADS servers in (I'm guessing) Toulouse in search of engineering goodies to share with Boeing, with just as much impunity under US law. But at least EADS has a chance to try and secure its systems from hacking attempts, instead of being instantly defeated the moment the US decides to file some paperwork, and it can get whatever benefit it can from the fact that the industrial espionage would be illegal under French law. So FISA 702 seems to completely reverse the normal position: in legal terms your person and your property are usually better protected from the US government inside the US than outside it. And of course the final touch is that you'll probably never get to hear about any of the intrusions, so even if you're the world's richest person or organisation with all the best lawyers they won't be doing you any good. It seems that the only legal restraint on the US' behaviour with the online data of non-resident aliens is that it can't request a wide-ranging search like "everyone in Pakistan who searched for 'X'", though even that may not be the case: https://news.ycombinator.com/item?id=5845878 .

(Again IANAL. If someone qualified can correct important errors in my understanding of FISA I will be very grateful!)

So, imagine that the US Congress passed a law permitting the Federal government to expropriate any US property for almost any purpose from any non-resident alien at any time, for no particular reason, without compensation or even notice. Throw in some very effective judicial secrecy into the process established by law as well. Provide some unverifiable assurances that the Federal government will probably only choose to use the law against very bad people. Imagine that this law appeared to be holding up nicely against Congressional and legal challenge, at least for now. And please bear in mind that no non-resident alien would give a hot damn about which intriguing Constitutional arguments were being used to (rightly or wrongly) deny them the protection of the Fifth Amendment. How would Wall Street, US real estate and the broad US economy be affected? It's not a perfect analogy at all, but it gives you some idea of what may be coming down the line for US internet companies.

> Every country has different rights for citizens and non-citizens.

And in some they are almost entirely equal if not better. (Social security, but it's a bit over the top here :/) Well they can't vote of course, but that's about it.

Is it possible, then, that my government can get hold of my private data without technically spying if another country (which could've been spying on me legally, as I'm not its citizen) would provide it?

Oh yes, and from what I understand it is par for the course that intelligence agencies do trades with each other for that exact reason. Either explicitly or implicitly (As in - We know you operate in our country, but we'll turn the blind eye. Just remember to alert us, if you happen to find anything suspicious.)

> this is just not the way it works, legally

While true, there is this bit in the Declaration of Independence about inalienable human rights. Unfortunately that doesn't seem to be a legal document anymore.

I think a better way to look at it is that rights are cultural, but that if we are serious about living in a decent and respectful world we should in our actions extend to others the rights we want to have ourselves.

Does free speech extend to advocating going out and killing all African Americans at a white supremacist rally? In the US it does, but only because of our bad experiences during the Red Scares. In Canada or the EU it wouldn't. What right do either side have to force their definitions on the other?

This being said, the argument can easily be made that spying is somewhat different. The general fear is that since governments monopolize violence their actions towards spying on their own must be more restrained than spying on others because the dangers in adopting a "show me the man and I will find you the crime" apply at home to a much greater degree than they apply abroad.

> we should in our actions extend to others the rights we want to have ourselves

That belief is cultural too - it just so happens that almost every culture has independently arrived at it. http://en.wikipedia.org/wiki/Golden_Rule is a fascinating read.

I think there is a natural necessity that when you accept someone as an equal partner in a process, you assume they are like you are.

It goes the other way in not so great ways also that we tend to project those things we do not like about ourselves onto our enemies.

If someone accuses everyone else of being a thief, expect that the accuser is the one responsible, but the person who respects everyone is probably respectable himself.

What you quoted is actually the Silver Rule, which deals in negatives. It's also much easier to consistently apply without people hating your guts for being a condescending, paternalistic imperialist.

> To me, spying on an innocent Iraqi or Chinese citizen is just as morally reprehensible as spying on an innocent American citizen.

Prepare to be jumped on by "anti-imperialists".

> There is intense debate about whether US citizens' rights are being violated, but almost nobody questions whether there's any moral or ethical issue with completely unrestrained spying on everybody else.

Almost nobody in the US, perhaps, but this whole mess isn't doing the US any favours at all with the international community, certainly not here in Europe.

I'd say there's a fair chance the cavalier attitude towards the rights of non-citizens so overtly displayed by leading US politicians and security people over the past few days could ultimately swing the entire public debate in a way the US administration really doesn't want it to go. Those statements get broadcast on TV internationally, too, and everyone in the room cringes when they hear them.

Let's hope so. The sooner the US gets marginalized and put on the shelf internationally, the sooner the world will become a safer place to live.

So those fleets of warships keeping shipping lanes open and free from pirate activity have done nothing for safety?

I'm not saying America is perfect, but if we scale back our navy for example, there is going to have to be a lot of slack for other countries to pick up. And that means costs rising and more taxes for others. As well as the chance of increased conflict.

The world isn't so cut and dry as you make it out to be.

There will be costs to all of us, but at some point the US is costing more than it's saving us. I think we must be close to that point if not already past it.

That is a statement that can't even be backed up with anything but conjecture.

How would you even start measuring the cost/benefit ratio? What monetary value do you assign to things like privacy? How do you know where you're moving things to doesn't have a "better hidden" equivalent to what the US is doing? Do you even know if it would be worth moving things? What is the opportunity cost to moving? What is the cost if you're wrong?

As much as I'd love to agree with the pathos response to these things, it's better to see and wait than to kneejerk react to things.

> The sooner the US gets marginalized and put on the shelf internationally

FWIW, I certainly wouldn't go that far. However, I would prefer to see the administration of the US promoting more equal partnerships with other nations, rather than arrogantly presuming that they are somehow automatically qualified to lead the world in every field of human endeavour or that they should for some reason be exempt from normal standards of decent behaviour that they expect everyone else to follow.

I suspect the primary reason we (in the USA) are focusing so much on it is that these are the people appointed, promoted, funded, etc., by people we elected. Some people think that has meaning while many are cynical enough to think that they're all the same under the various masks.

This is a revelation for most people, especially younger people, and they're dealing with the immediate, personal, consequences.

As with the embarrassment created by the second Bush administration, whereby we squandered a great deal of global goodwill after 9/11, we've done a stellar job of undoing the redemption we thought we had gained by electing Obama in 2008.

Many Americans really thought we could be less embarrassed of our leadership with that decision.

The story is still unfolding. Our government will be measured by how it acts out the next few months and how it responds to the inevitable criticism from the rest of the world. As Americans, we will be measured by how we respond to our government.

But it is also that it is far easier for the police who have lots of surveillance to jail their own citizens than to swoop in and jail foreigners. The risk of abuses are there in both cases but they are orders of magnitude more when the police doing the arresting are from the same country as the ones doing the surveillance.

The risk for foreigners is the same when you consider the US gov sharing intelligence with other governments.

I wouldn't say it is the same. It would only be the same if all the governments shared everything they know, and I doubt that is the case.

It's more complicated than that, in fact. The likelihood of the US sharing data about a Saudi citizen and the Saudi gov acting against said citizen is less than the likelihood of the US acting against a US citizen. But the consequences are far worse for a Saudi. So the risk could in fact be higher. But you're right, we don't know what the US shares.

It was the same with the drone strike debate. The whole buzz was about the fact that the US president now could order a drone strike on US citizens.

No discussion about non US citizens. It was just assumed that drone striking them was OK. Made me really feel weird as a European.

It made me feel weird as an American.

The irony is that this issue (the universality of human rights) was the starting point of the dissent in the colonies in the 1760s that eventually led to revolt against British rule in 1775. The people in the British colonies supported Parliament during the long revolutionary/counter-revolutionary period that led up to the passage of the English Bill Of Rights in 1689, which everyone, in 1689, assumed applied to everyone under the rule of the crown. It was only in the 1760s that Parliament adopted the attitude that the Bill Of Rights were privileges that only belonged to those who lived in Britain proper -- and the colonists were outraged that the rights they had assumed they had won 80 years earlier were now being denied to them. In 1774, when the government of Virginia asked Thomas Jefferson to draw up a list of the grievances that the colonies had with Parliament, Jefferson referenced the long history of events that started under the Stuart Kings.

When the Founding Fathers eventually drew up a Bill Of Rights for the new nation, most of them wrote things that explicitly suggest that they felt the rights being granted were universal -- in particular, Benjamin Franklin was vehement on the subject, arguing that the Bill Of Rights extended to everyone, including the blacks who were being held in slavery (and when Congress met for the first time in 1789, Franklin pushed a bill to abolish all slavery).

Does anyone know how these companies, et al., actually differentiate US Citizens from Non-US Citizens? I don't remember clicking the "I'm a US Citizen box" on any website.

This is likely the root of the issue, which is that they probably capture all communications, but when they have a foreign target, that is when they actually "look" at the stuff they captured, trying to find stuff "related" to that foreign target.

The NSA at least was supposedly run as a very tight ship (I have no idea now, I have no friends who have worked there recently), so I'm sure they theoretically have really detailed redaction and other procedures meant to keep personal or private info of Americans from appearing in reports, but that is not exactly comforting.

I do not think any decent human being has friends THERE.

> Does anyone know how these companies, et al., actually differentiate US Citizens from Non-US Citizens? I don't remember clicking the "I'm a US Citizen box" on any website.

I think you were just trolling, but if not, then here is one of hundreds of possible ways to find that:

1. get a hold of your email (or name and then facebook / gmail snoop)

2. your email leads to your paypal account

3. your paypal account leads to your dob and ssn, bank accounts

4. your bank accounts hold information whether you are citizen or not;

- OR -

4. your ssn codification tells whether by the time obtaining the number you were citizen or not

PayPal, Facebook and Palantir have the same co-owner, P. Thiel.

But seriously, I don't think they discriminate. The last thing they look at is whether you are a citizen or not. Your IPs (all the ones you ever used while logging in to any website you have an account with) can quickly tell them whether you are on US soil or not. Most likely, as long as you are here, you are considered a US citizen, whether lawfully or not, but you "operate" on US soil so the same rules apply to you. A good example would be if you are in the US as a tourist -- you still need to obey US laws and regulations.

Doesn't this mean that they are spying on you without actually knowing if you are a US citizen? By your logic, only after step 4 they actually know if you are a citizen, but they have collected a lot of data about you in steps 1-3.

I think you were just trolling, but the GP was asking a very pertinent, reasonable question specifically about companies like Facebook, Google, etc, and how they differentiate. Your reply -- ostensibly about what an organization like the FBI might do to identify someone -- is not relevant to their question at all, making it all the more bizarre that you decided to question whether they were "trolling" (apologies to all others, but that is a growing peeve of mine -- this noisy declaration of things people say as trolling).

Google knows a lot about someone, but they have no idea what citizenship I hold. They can guess, of course, but that isn't a lawful way to discriminate.

> Does anyone know how these companies, et al., actually differentiate US Citizens from Non-US Citizens? I don't remember clicking the "I'm a US Citizen box" on any website.

According to the whistleblower, they don't in any meaningful sense. They collect all the data they can, and then currently only use bits of it, when they feel that is justified. His point about checking the US president's email in the video was that all they need is one email from a foreigner in order to tie anyone in the US to an investigation, and look through all their records.

In addition I am in the process of composing a letter to my elected representatives. One thing I am noting is that the published standards are quite a bit more lax on this than the data, permitting the NSA to quite heavily over-select for Americans.

A 51% confidence that your target is not American when looking at a service where 15% of the users are American, or one where only 29% of the users are Americans is a meaningless standard. Now the only hope right now is that companies push back but the question is how much given that they were not willing to push back enough to break silence.

That's what I've been wondering:

- if they aren't targeting specific persons, how do they know what country the person is from & if they (the govt) are violating the law?

- if I'm American living in another country, am I safer from or more likely to be tracked (terrorism aside)? Am I being picked up "freely" as someone from outside the country?

- many, many, many similar questions I'm sure you are also asking

I realize these seem rather naive questions, but my first thought on reading Obama's response was, "How can you possibly know what country the person is a citizen of?"

Considering that that was a major part of his defense - "Don't worry, it's only those foreign people we're looking at"- I really think that needs to be a bigger part of the whole discussion.

I think it is quite obviously more bullshit.

It is unlikely bullshit. They are likely not indiscriminate in targeting. It's just likely post-hoc targeting. That's the question you really want to ask: "So do you capture all the data, and then only look at the data for foreign people, or do you only capture data for foreign people?"

At one point, with watchwords/etc, it was clearly the latter. I think they've moved to the former.

I have heard (no guarantees) that they collect information on everyone, and analyse it later as it is needed. They only investigate this information if and as it relates to a foreign suspect.

Doesn't seem like there's any way to abuse this .....

This is something that already pissed me off when drone strikes were discussed. While not caring about foreigners is probably the most important reason, there is another one that actually makes sense, and which is why I give Americans a little bit of benefit of doubt: Given the strict protections of your constitution, it is much easier to fight the parts that concern citizens of the US. Edit: accidentally submitted after the first word, rest of post added.

Drone strikes are also different. They represent currently a sort of danger to the world I don't think people really appreciate because they allow an elite to control more firepower with fewer henchmen than is possible otherwise. Air strikes are nothing new but in the past you had to contend with the fact that enough people might disobey orders to force a change of plans. With drones, the number of people you rely on is far less.

I remember a story that on 9/11 orders were issued to shoot down any aircraft left in the sky and that fighter pilots refused to carry out the order. How would things be different if it was 8 specially trained anti-terrorist folks commanding largely autonomous drones?

An excellent point, but you're not going far enough.

Machine intelligence keeps getting better, so it won't be long before we have entirely autonomous drones that just need general instructions to do their job. At that point..

The democratization of weaponry is what caused the end of feudal society, concentrating it might well cause its rebirth.

For a fictional take on this, see Kill Decision by Daniel Suarez.

Feudal society? I think at that point you won't be looking at something that resembles fiefdoms so much as global hegemonies....

I am not sure it will get that far though. More likely it will expand until the economic stress from an oversized national security budget and rising energy prices will force it to collapse with global consequences. For the record, no, I do not think those consequences will be pleasant for anyone :-P

I absolutely agree with you about drone strikes being even more dangerous. The analogy I saw was the mindset that causes people to be enraged about US citizens being killed/spied upon while being rather indifferent to the same thing happening to people in other countries.

"Show me the man and I'll find you the crime" though is very much more of a problem for citizens than non-citizens and so I think that it's reasonable to say that it is a lesser problem when foreign governments are spying on non-citizens abroad than when they are spying within their own borders.

As an American I would far rather be spied upon by the Chinese or the British than the American Government. I would further expect that if a British individual was concerned about the same thing, the NSA would be far less threatening than British intelligence.

'Foreigners' are customers too. They are expected to abide by the terms of service agreements (TOS) issued by these companies, which all include statements about protecting customers' data and privacy. As far as I can see, all these companies broke their contracts (their own TOS).

And from a legal standpoint just because there's a law that happens to force you to break a contract does not usually absolve you from liability for doing so. Of course, many of these contracts may contain some kind of "you have no rights if the law says so" clause, in which case the companies would be in the clear.

And this is a key point, a decision that many people said would never happen again: dividing the world into two groups of people is what started a few problems before.

Looking at some of the bigger selling newspapers in the UK, I don't think people get it or the writers believe people wouldn't get it. On the whole most people in the UK who are not technical appear to know pretty much nothing about it and do not understand why it might be bad for them.

The whole, "I have nothing to fear" point of view. It's the bigger picture they need to think about :(

I would imagine the UK expected this was the case all along. I mean, you guys arrest people for tweets, after all.

I think there's also a slightly different reaction to it, because most Americans like to feel like, at some level, the government works for citizens, and is ultimately responsible directly to them.

If the government is willing to spy directly on the people it should be serving, then it starts to feel like it's out of control.

I believe this gets to the heart of why Americans are (and should be) disturbed about programs like PRISM. When the US spies on a foreign citizen, the full weight of that citizen's government is there to protect their interests.

When the US spies on US citizens, who do we have to turn to?

The US legal system is only accessible by citizens of the USA.

It should be of no surprise then, that citizens of other countries have no ability to protect themselves from over-reaching laws and actions by the US government.

When you enter America as a tourist you (used to) sign a document saying you waive all rights of personal freedom. Now they make you pay for it up front online every couple of years.

As a non-American: thank you for caring!

This is a huge deal. I live in Australia and I have been running businesses on the cloud for the last 3 years or so. I have rarely heard the issue of the PATRIOT Act raised and in spite of there being laws banning the transfer of personal data outside Australia, most people are quite lax about the issue and take the view that the risks are too small to be counted.

Those days are most certainly over. This stuff will affect companies like AWS and Rackspace the most, given that they are competing for contracts with companies who are seriously concerned about who can get at their data. I imagine nobody will flout the laws in Australia regarding international data transfers in future, and that countries where no such laws exist will enact some very quickly.

Any cloud based software company in the US which holds large amounts of data that could in any way be deemed to be sensitive is going to have a much harder time pitching to clients overseas who will increasingly opt for a decent local alternative over a foreign one should the option exist. The only thing that American companies can hope for otherwise is that there is no foreign alternative.

The world is not going to come to an end but for a lot of people, their jobs are about to get much harder and the government should be worried about this.

My latest startup is Efficito (a Limited Company, registered in the UK). The web site is http://www.efficito.com and our servers are all in Europe. We have built the service up with a very careful eye for security (why we are going hosted cloud first, and multi-tenant is still in the works).

You have just given me what I think is a very good possibility regarding a marketing message, namely that we are not subject to NSA orders, and that we take security extraordinarily seriously. We are still looking into whole disk encryption for virtual instances, but key management is a non-trivial problem there to get right. For those who want it I can be pretty sure we'd be happy to work with you to find a way of making the system meet your needs. (Of course given a few customers, we could work with a server in Australia too.)

But I also think it goes beyond shipping the data overseas. Suppose you do business with an American company that has servers in Australia (for the record we are registered in the UK, not the US), and they get a FISA warrant? Of course they will send the info over. So you can't only look at where the business's servers are but also at what legal authorities they are obviously subject to.

> You have just given me what I think is a very good possibility regarding a marketing message, namely that we are not subject to NSA orders, and that we take security extraordinarily seriously.

You certainly won't be the first with that idea. I've now lost count of how many blog posts, tweets, forum posts and so on I've seen in the past week that essentially say, "Is the next big selling point for European service companies that we're not subject to US laws?"

The UK is not exactly an ideal location to make a fuss about this from, given that the Regulation of Investigatory Powers Act (2000) gives extensive rights to the government to demand covert surveillance, which includes requirements of confidentiality over interception warrants to the extent that they in some circumstances can not even be revealed in court.

On top of that Part III of RIPA makes it an offense to fail to disclose your encryption keys to the government in certain circumstances, and the court does not need to actually prove that you have the keys in order to sentence you for failure to produce them.

The UK has quite a strong military sector with their own secret agencies and a strong relationship with America.

Could that make them capable of similar monitoring? Does the UK have stronger information privacy laws that the US doesn't?

The laws are built on different principles making them somewhat different. However, one of the things that we pay a lot of attention to is security resilience. The question is, "what has to be compromised before your data is compromised? and is there a way to detect it?" The storage is still something we are working on but you can believe it is a design goal.

The EU has very different approaches again to privacy law. I don't know you can compare them. They tend to be more lax with collection and stronger with use.

However, we can also help you install the software (open source, reviewed by developers all over the world) on your premises if you would prefer. So our best shot is only for those who really want to cloud host.

If you're outside of the US, then yes you are not subject to NSA orders. But your data will still be accessed by the NSA, as the NSA won't require an order to read what you've got.

The point is they cannot get a court to compel you to hand it over. Yes, they can take what they can get.

They cannot get a US court to compel you to hand it over.

How likely do you think it is that any of the UK agencies that have powers to request interception under RIPA will refuse a "please scratch your back, and we'll scratch your back later" request from the NSA if the NSA actually cares about your data enough to try to get someone to compel you to hand it over?

And RIPA does provide basis for compelling you to hand over keys or face prison.

Being in the UK may protect us against NSA just taking whatever they feel like whenever they feel like it for no reason at all, but I very much doubt it does much good for anyone that actually ends up in the NSA's crosshairs.

And my point is that what they can get without a court order is more than they can get with one.

But the return on investment is likely to be far less. If it is harder, more resources have to be spent, then they will be more selective if just because it would be prohibitive to bug every system across the world, at least at present.

>But the return on investment is likely to be far less.

I am not so sure about that. The internet... well, many of the wide-open holes have been closed... BGP hijacking isn't as trivial as it was in '08[1], mostly because filtering has been implemented in some places, but it's still something that could be done by someone of, say, my resources. It's trivial to anyone with real resources.

And there are all sorts of other possible attacks. Hell, even ignoring the (probably easy, for one of the three letter agencies) possibility of putting a backdoor in the firmware shipping on popular routers, well, most ISPs end up using ancient router firmware revisions on their routers[2]

Yeah; read over that BGP hijacking attack; it sounds way easier than setting up a collector at every ISP. (You'd still need local collectors to not add too much latency, but a single (/very/ well connected) collector could cover a reasonable region)


[2] Cisco charges an arm and a leg for firmware upgrades... they give you some of the really old stuff? but usually the choice is used $BIGNAME hardware without firmware updates, or you roll-your own quagga. (At the 10G/sec traffic level my upstreams can push, quagga/vyatta work just fine... that's what I use.)

Metadata cannot be protected as well as the actual content can. One of the keys of good security is to ask what has to be compromised for your data to be compromised, though. If you have SSL-protected connections, BGP hijacking alone isn't going to reveal your communications but BGP hijacking along with a fake certificate issued by a trusted CA (under court order or merely voluntarily) would allow a MITM attack.

The thing is, if you have your own CA, and expect certs from both sides from the same CA, then it is very hard for an MITM attack of this sort to be orchestrated because you can say, "Something isn't right here." So that leaves attacks against the cyphers involved or against the endpoints.

One service we offer is an ability to use an SSL cert issued by the customer, as well as appropriate VPN options to connect to the system at all. Between these, in general I would expect that MITM approaches can be protected against in high security configurations. But that still leaves cyphers and endpoints.

So the first thing we need is a better PKI which can more robustly handle fraudulent certificates. This is something I have written about a bit. (see my blog, http://ledgersmbdev.blogspot.com for more.) But we also need a lot more.

BTW, we build everything on the basis of compartmentalized security with the idea that compromising customer data will require working through quite a bit of depth, particularly in relatively high security configurations. It wouldn't protect against a court order, but it should protect against a lot of other things.

Could the NSA hack us? I am sure they could. Could we make it difficult enough that they would be much better going through legal channels (maybe making deals with local law enforcement or the like)? That's what I am shooting for. It is probably the best one really can shoot for.
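The private-CA arrangement described in the comment above (both sides accepting only certificates from their own CA), as an added Go example that is not part of the thread or any commenter's code: it certifies the same server and client names under two CAs and shows that a broad trust store accepts either issuer while a store pinned to the private CA rejects the other. The host name, client name and CA names are constructed, and "Other CA" stands in for any issuer other than the private one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity is a certificate plus its private key (all constructed test data).
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mustSign issues tmpl under parent (nil parent: self-signed root). It panics on
// failure because this is a demo helper with no caller that could recover.
func mustSign(tmpl *x509.Certificate, parent *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	issuer, issuerKey := tmpl, key
	if parent != nil {
		issuer, issuerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &identity{cert, key}
}

// newCA creates a root CA whose key may only sign certificates.
func newCA(name string) *identity {
	return mustSign(&x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil)
}

// issue signs a leaf for name, limited to one purpose (server or client auth).
func (ca *identity) issue(name string, usage x509.ExtKeyUsage) *identity {
	return mustSign(&x509.Certificate{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage}}, ca)
}

// trusts reports whether leaf chains to one of roots for the given purpose.
// crypto/tls makes the same kind of check against tls.Config.RootCAs (client
// verifying a server) and tls.Config.ClientCAs (server verifying a client).
func trusts(roots []*identity, leaf *identity, host string, usage x509.ExtKeyUsage) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r.cert)
	}
	opts := x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}}
	_, err := leaf.cert.Verify(opts)
	return err == nil
}

// outcome records which certificates each trust configuration accepted.
type outcome struct {
	BroadAcceptsOther, PinnedAcceptsOwn, PinnedAcceptsOther bool // client checks server cert
	ServerAcceptsOwn, ServerAcceptsOther                    bool // server checks client cert
}

// runScenario certifies the same server and client names under two CAs and
// checks them against a broad trust store and against a store pinned to one CA.
func runScenario() outcome {
	const host, srv, cli = "app.example.test", x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth
	private, other := newCA("Private CA (constructed)"), newCA("Other CA (constructed)")
	ownSrv, otherSrv := private.issue(host, srv), other.issue(host, srv)
	ownCli, otherCli := private.issue("client-01", cli), other.issue("client-01", cli)
	pinned, broad := []*identity{private}, []*identity{private, other}
	return outcome{
		BroadAcceptsOther:  trusts(broad, otherSrv, host, srv),  // any trusted issuer passes
		PinnedAcceptsOwn:   trusts(pinned, ownSrv, host, srv),   // private CA issued it
		PinnedAcceptsOther: trusts(pinned, otherSrv, host, srv), // unknown issuer
		ServerAcceptsOwn:   trusts(pinned, ownCli, "", cli),     // private CA issued it
		ServerAcceptsOther: trusts(pinned, otherCli, "", cli),   // unknown issuer
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

Pinning narrows which issuers are believed; it does nothing for a compromised endpoint or a weak cipher, which the comment lists as the remaining exposure.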

>Could we make it difficult enough that they would be much better going through legal channels (maybe making deals with local law enforcement or the like)? That's what I am shooting for. It is probably the best one really can shoot for.

Yeah; my point was just that getting to that point (where it's easier for them to go through legal channels) is harder than it looks. It's certainly not the default state.

> Yeah; my point was just that getting to that point (where it's easier for them to go through legal channels) is harder than it looks. It's certainly not the default state.

As we went through our initial design, and started talking to others, it became quite clear that being industry standard when it came to security is not something that either myself or my business partner were comfortable with. We opted to start looking at everything very carefully and review each other's work regarding security, suggesting improvements, etc.

It's one of the reasons we decided to go hosted cloud first and only later multi-tenant.

>It's one of the reasons we decided to go hosted cloud first and only later multi-tenant.

So by 'hosted cloud' you mean 'every user gets their own VM?' I mean, you could mean that you use on-demand dedicated servers, but most people mean virtual instances when they say "cloud" (I hate that word "cloud" - it's so vague)

(Personally, I still think of multiple VMs on one physical box as multi-tenant. But managing a VPS per user? thousands of times easier than managing a user-account per user and just having a bunch of users on the same box. In my opinion, more secure, too.)

How are you managing images? I mean, that's the thing you've gotta watch for, a backdoor in the install image.

One thing I've noticed about my customers is that they almost all prefer to use my image than to do a net-install. (I give my xen users a paravirtualized boot loader, so they can load the distro install kernel and go from there.) The interesting thing is that my dedicated customers are far more likely to do their own install (I provide only... a very rudimentary PXE menu.)

Or, maybe that's just my perception because I only notice what OS they are running when they ask for help... whereas on the dedicated servers, I've recently had to move a bunch of them, which required me to look at consoles. So I guess there could be a bunch of arch users or something like that who just don't ask for help.

It does seem like having your own physical hardware would make... a big difference, security-wise.

We can do either but our default is vm's, just because for smaller businesses that is a lot more practical. Customers typically do not have root access to their VM's unless they supply their own keys/x509 certs so we can take ours off. If we are managing the box we have, for example, stored root passwords (rarely needed and only two people have access) encrypted in PostgreSQL (which means we do not log when we are not debugging and we do not allow history to be stored since manual keys must be entered when retrieving this info).

> How are you managing images? I mean, that's the thing you've gotta watch for, a backdoor in the install image.

It's not the only thing you have to watch out for. If someone can compromise the host they should be able to compromise all vm's given a little time. We do have some automated ways of checking for changes though. In general the physical hosts are much less exposed but cannot guarantee that more generally. We are always discussing ways to tighten security (I am considering setting up a ridiculously tight selinux policy on the physical hosts).

> It does seem like having your own physical hardware would make... a big difference, security-wise.

The big difference is actually where the hardware is located. The big difference is really having your own physical hardware on your own premises on your own intranet vs using someone else's physical hardware in their datacenter, with their intranet. In general though if you have someone else's hardware on your intranet you can better control it than if you have your hardware somewhere else.

Again, I don't understand why you think that it's harder for the NSA to hack / bribe / trick their way into data than it is to have to obtain court orders and convince everyone to work with them.

Before anyone else gets this idea, I'd encourage you to look at your organizations' resident country laws before thinking & acting on this.

Companies based in the UK, for example, can not make the claim found above ( http://m.washingtonpost.com/investigations/us-intelligence-m...).

I'm not a lawyer, but you could lose all credibility if you act on that and get it wrong.

"Suppose you do business with an American company that has servers in Australia (for the record we are registered in the UK, not the US), and they get a FISA warrant? Of course they will send the info over"

There's a way out. Those servers offshore must be handled by a subsidiary. Then the parent company in the US does not have the data and they also cannot command the subsidiary to hand it over.

The big US companies have made it clear that they will give out data held by subsidiaries, even if this is illegal eg under European law.

That means the best option is not to use wholly owned subsidiaries and instead have a partnership with the parent owning a large plurality but non-controlling interest (say 10 partners from various countries, with the parent owning 49.9% of the subsidiary). You can set the agenda, more or less run things how you want, but anything you try to do as shareholder can be vetoed by the other 9 acting in unison.

Is this true? genuine question - have these companies stated this or done so in the past?

Yes, this has been an issue for a few years now eg see http://www.zdnet.com/blog/igeneration/eu-demands-answers-ove...

Australia isn't exactly a safe haven. There are only a handful of pipes in and out of the country, each of them probably well within the deep packet inspection capability of serious spy gear. I'd be amazed if one of the AFP, ACC, ASIS, ASIO or DSD didn't have their own rooms in selected Telstra and Optus facilities.

And not to mention that Conroy wants to do something like what the NSA are supposedly doing; he's just going to outsource it to the ISPs.

I've seen an AFP server in a certain government datacentre. Its security was a square of black and yellow tape and the assurance that I would be detained without charge under anti-terrorism legislation if I crossed the tape to take a closer look.

But as an Australian citizen we have our courts and public opinion to try and fight for us. Not to mention the people doing the snooping have far less incentive to pass commercial information along to a competitor.

I'm not sure I follow you.

Americans are, theoretically, in a much stronger position vs NSA snooping. US law is meant to make it illegal for their spy agencies to look inwards and the US Constitution has its famous "search and seizure" clause which can, if you find the right judge, have some formidable teeth.

As Australian citizens we have no such protections and we have no standing in US courts to get any restitution. We're fair game.

Further, as Australians, while we enjoy some protection from our own outward-looking agency (ASIS), the inward-looking agency (ASIO) can and does investigate Australian citizens with a broad range of powers, including powers to intercept telecommunications. Their powers of investigation compound with the Australian Federal Police's powers of arrest, sometimes without cause or notice.

In theory, ASIO requires the Attorney-General to grant warrants to exercise most of its powers. Statistics on the warrants haven't been published, so we have no idea if they're granted begrudgingly or rubberstamped. My guess is going to be the latter -- which Minister wants to be the one who was "soft on communism/terrorism"?

In the same way that Americans are in a stronger position vs NSA snooping Australians are in a stronger position vs our own snooping.

As I noted elsewhere in the thread, Echelon taught us that the agencies can circumvent these protections by agreeing to spy on each other's citizens and then forward the intelligence.

The idea that you would be just as subject to surveillance using Australian hosted servers is pure speculation and not supported by the so far leaked information on PRISM.

Great, as an American, now I have to worry about Australians snooping on me, too.

I think the issue for foreign governments is closer to countries not wanting other countries to have easy reach into their data. For them it's not a civil liberties issue, it's a security issue.

I'm also in Australia.

NB: It's a real struggle to not make this sound paranoid.

Just at an individual level, I'm questioning whether it's wise to store my data in a US service that won't afford me the same protection as US citizens.

I've already started reducing my reliance on Google, and I barely use Facebook, but things like Amazon and Linode are much harder for me to quickly divorce myself from.

Unfortunately, Oz is one of our spying partners, so your ASIO is probably just annoyed that the NSA can't keep its house in order.

If you're willing to pay a bit more, there are companies like Ninefold

But then again, that is just talk. I still use AWS and Linode religiously. The prices are really hard to beat

> I'm questioning whether it's wise to store my data in a US service

It definitely isn't, and I'm wondering why this issue wasn't on top of your mind before that?

The others I can understand, but Linode? What about something like hetzner? Just checked, and their VPSs have more ram and more HDD but only one core: http://www.hetzner.de/en/hosting/produktmatrix_vserver/vserv...

Anyway, I thought these hosting companies were a dime a dozen?

Australian here. Government departments are slowly starting to catch on to this sort of thing.

One application I work on stores data from DEEWR and FaHCSIA and this year they've "cracked down" on that data going overseas.

The application's data (and the bits we get back from the government) has always been stored in Australia on our hardware. My understanding is that some of our competitors using AWS and Rackspace had to work hard to quickly get their stuff hosted locally (or are in the process of bringing it back here).

You can get an idea of what DEEWR expects providers using cloud services to adhere to from here: http://foi.deewr.gov.au/documents/policy-use-cloud-hosted-so...

> in spite of there being laws banning the transfer of personal data outside Australia, most people are quite lax about the issue and take the view that the risks are too small to be counted.

I can tell you from working in the finance industry in Australia and APEA, larger companies/banks take this very seriously due to compliance obligations with regulators (APRA, MAS, HKMA, etc).

Wasn't Australia already implicated as a collaborator in ECHELON?

Yes Australia runs a SIGINT collection point for the NSA, at least since the 90s.

There are technological solutions to address this for US firms. Encryption on the client side, before data is sent to the cloud, would work. I would suspect (hope) that browser makers will quickly introduce features that make sending and receiving end-to-end encrypted communications (email etc.) a thoughtless process - since that is the only way to get people to use it.

Even better, perhaps someone will write software that sits on top of the network stack and automatically negotiates secure communications regardless of the origin client software. Maybe some sort of public key registry might come into play.


I am surprised that Amazon, Rackspace et al. aren't coming out and letting their customers know where they stand in all of this.

You shouldn't be surprised about Amazon. They pulled the plug on wikileaks as a favor, and they give the CIA their own private $600M cloud:


As Facebook, Google, and Yahoo! have demonstrated so far, a company can only make itself look worse by making any statement.

Any denial will be rejected as dissembling or sophistry and admissions of complicity would be suicidal.

Pleading the fifth apparently...

It's odd, I hear people saying, "no big deal, nothing will change." But then I wonder, if you're saying it's no big deal, are you an American or not?

The point of this post is that foreign business will be affected, AFAICT, Europeans have always held the Internet to a stricter standard than Americans and have passed stricter laws around everything from what data can be retained to the behaviour of tracking cookies.

If you've posted a "no big deal" comment, can you please go back and tell us whether you are an American or not.

It's not just about what people think. It's also whether they think hosting stuff on US servers is even legal.

I can imagine the Pirate Party suing some EU groups (governments, companies, whatever) because they are using US providers, and the US is not safe enough to conform with EU privacy law. And there's money on the line too, lots of EU companies will want the contracts that are going to US ones. And keeping jobs onshore is always popular with the masses.

I think it's a big deal. I'm not American. I don't think things will change - at first.

The leading US internet companies are all built on a foundation of trust. Undermining that trust counterbalances the convenience of their services and over time new competitors without these trust problems are only a click away.

I don't think it's the kind of thing that affects things commercially in a visible or predictable way. One of my first impressions is that it's humbling. Web companies are the ones that brag the most about "building a better world" and this time there was collaboration to make it worse. I think the best or biggest change that could happen is better Whistleblower laws and protection (or high level of exposure to produce more).

I think it will change things; I'm an American. Having your customers' trust is important for business---now data stored offshore has just become a feature.

I'm an American, and I think things will change - for the worse. I'd like to think that if morality or the Constitution didn't stop this shit, at least bidness would.

But I think what will really happen is that the administration, and the bureaucrats, and the security "services" in general will double down, be much more secretive about what they do, be much better at what they do (grants coming soon to a computer science department near you), be much more aggressive to prosecute and intimidate whistle blowers, and put more layers on the stonewall of denial.

The government has become self aware.

Your last line is a really interesting one. Most governments probably are to some extent self aware, insofar as there's an executive branch. But I think the self awareness you are referring to is a kind of secretive adaption of sorts, where the response is not necessarily aligned with the public interest, but with the interest of those in power (to stay in power).


On consumers I would not expect much change to any other non-US service that keeps you invested and locked-in. There simply are no alternatives, some european services are currently shutting down.

Even Schneier is stating that if you aren't connected with US social media, you simply cease to exist for certain groups of people. That rule applies to nearly every european user too.

> The point of this post is that foreign business will be affected, AFAICT, Europeans have always held the Internet to a stricter standard than Americans and have passed stricter laws around everything from what data can be retained to the behaviour of tracking cookies.

I run businesses in the UK that deal with personal data and sometimes use US companies to do so.

There is a specific provision intended to fix the problem of exporting personal data outside the EEA to be processed in the US, which would otherwise be prohibited because US laws are inadequate in this area: the US Department of Commerce operates a Safe Harbor scheme, recognised by the European authorities, which US businesses can participate in to demonstrate that they handle data with sufficient care to satisfy European standards.

The problem is that if the US government is going to permit itself to access data contrary to the claimed protections anyway, then the Safe Harbor scheme is demonstrably unfit for purpose, and any legal shield it provides to European businesses that want to use US-based services to process personal data is in doubt.

This problem is hardly a new discovery, but until recently, the issue was being dealt with quietly, with European officials making occasional mutterings about being in contact with the US government to resolve the conflict here. As of the past week, I'm not sure that's going to carry much weight any more.

This leaves a paradoxical position for any business wanting to operate legally in both the US and Europe. It's not clear whether the huge players like Google or Facebook could avoid the problem by changing their corporate structures, if doing so means that a parent organisation in the US would not be required to disclose personal data held and processed only in Europe by a separate European legal entity under European data protection law. In practice, this might be worse news for US businesses that aren't yet big enough to play the corporate structures lottery, and for those European companies who benefit from services provided by such companies and might have to make other plans. Obviously quite a few smaller Internet services well known on HN would fall into that category.

If you'd asked me a year ago how the paradox would be resolved, I would probably have cynically suggested that the EU authorities would ask how high when the US authorities told them to jump, as they have done previously with things like travel and banking data. But now that this has become a major public issue that people are actually talking about, any attempt to do that seems likely to turn out very badly for European authorities whose popularity is already at an all-time low. I suspect far more Europeans resent the constant privacy intrusions and security theatre of modern life than many across the Atlantic may realise, probably because the consequences of excessive state surveillance are still within living memory in many European countries, and because all around the Med we've been watching timely reminders playing out over the past 2-3 years.

Europeans tend to have higher standards for protecting the privacy of the personal data of their citizens from access and use by private corporations.

But what the U.S. NSA is doing is sifting data for connections to foreigners who are suspected of being terrorists. I would be shocked if Euro intelligence agencies are not doing the same thing.

"Everybody's doing it!" isn't really a good excuse once you turn about 12 years old.

I'm not making an excuse. If the theory is that folks will pull out of U.S.-based cloud services, then the question is, where would they go instead?

The U.S. data-mining program has been revealed. I would not assume the lack of revelations from other nations is definitive proof that those nations aren't doing similar things. In the absence of data it is very easy to make convenient assumptions.


The old rules still apply. If you can't afford someone else to know something, you have to encrypt it in motion and at rest.

> But what the U.S. NSA is doing is sifting data for connections to foreigners who are suspected of being terrorists.

Demonstrably false. All of the terrorist laws are mostly used for drug enforcement and the like. They get nearly no terrorist usage because there are nearly no terrorists.

At least Sweden is publicly and legally doing it: https://en.wikipedia.org/wiki/FRA_law

At least Sweden is openly telling that FRA is allowed to legally monitor all international network traffic.

I'm Brazilian and in the corporate and government space there is considerable resistance to hosting systems and data outside our jurisdiction. What I don't think people have fully realized yet is that American companies are subject to the Patriot Act wherever they operate, so even data stored in Brazil might be exported by them to USA authorities without the customers being notified. I ask myself, how far does this extend? Not only to online services, but even to mainframes and storage systems? Application software? Operating systems?

It's odd, I hear people saying, "no big deal, nothing will change." But then I wonder, if you're saying it's no big deal, are you an American or not?

There is a fear of having guns taken, but there is an even greater fear of using them against the regime.

One biggie that the author left out of the piece:

The US Gov continues to insist that they are not monitoring the data of US citizens because that would be unconstitutional without warrants. But that's a tacit admission that they are openly monitoring the data of non-US citizens. I think this is one of the most important revelations of this leak, the US Gov has made it clear that if you are a non US citizen using a web service based in the US your data is definitely under observation.

They'll be doing something like the old Echelon trick.

US spy agencies can't spy on Americans, so they spy on Australians, Canadians and Britons. In return, Australians spy on Americans, Britons on Canadians etc etc. Then they swap intelligence and get to claim that "we didn't spy, it was given to us by our allies who are under no such regulations".

There's still a major limit there. The issue of the Verizon and PRISM systems is that they probably involve the possibility at least of legal authority over the vendors. Court orders or possibilities of court orders....

If the NSA is spying on Australians clandestinely, then they don't have that authority and they are limited to what they can scavenge. It would be far better if we were to a point where no courts would coerce cooperation of this sort, and the system you are describing is better than what we have. The problem is when the NSA gets a court to forcibly deputize an American business to spy on Australians, and that's a very, very different problem.

As an Australian, that's what I found most interesting as well about all the commentary going on. From the perspective of the NSA it seems my data is fair game under any and all circumstances.

Well fuck that. Google, Amazon, et al. - I'm out

Good luck. I don't see other countries innovating at even half the rate of the U.S. with tech stuff. Leaving the umbrella will be like turning out the lights. It gets boring and cold in the dark after a while.

That's possibly because of a few advantages that US companies had due to quicker exposure to leading edge technology. However, when privacy becomes a unique selling point that US corporations can no longer provide - suddenly the competition will see a reason to appear.

I'm on the lookout for reasonably good Google apps alternatives, if they don't exist right now - this is a time that a solid market just got created. I'm sure someone out there will be interested in making it happen!

Agreed. I see this as being a catalyst for the creation of greater competition to the US internet incumbents. There will likely not be an immediate impact for Google et al. but there will be much longer term consequences I think.

That might change... and not only for reasons related to privacy.

I live in EU and I remember that about two or three years ago every geek's wet dream was to get to Silicon Valley and build a startup. But that seems to be changing. I don't have any research to back it up - it's just some anecdotal evidence but many people now seem to consider alternatives like London or Chile... mostly because they are afraid of software patents and want to stay out of US jurisdiction.

These things are difficult to assess but there is a tipping point somewhere - once critical mass is achieved innovation can quickly move somewhere else. Fear of American government can help make it happen and I am sure that competitors are going to love playing that card.

Same thing here, a friend recently refused work, because he would have to physically go to USA (he loves seeing the world) - money was waaaay above EU.

I don't expect non-Americans to be all that familiar with my country, and vice versa.

But think about it. The NSA has been around since 1952. They now have N billions of dollars of black budget. The relevant Congressional oversight committees are prohibited from talking about what they learn. They are (supposedly) constitutionally prohibited from spying on Americans. If they aren't (or say they aren't) spying on Americans, then they're spying on y'all.

Some of it, plus the rest of it, equals all of it. We're some of it. Venn says y'all are the rest of it.

Well obviously many governments have spies. There's even a genre of entertainment constructed around spies. And generally in the spy narrative the spy is after guys from the other country, not his own.

The revelation here is that if you are a non-American your data that you store via a company based in the US is available to the US government with virtually (maybe even literally?) no protections. And this isn't tin foil paranoia, the US Government just told you that in public discourse.

> And this isn't tin foil paranoia, the US Government just told you that in public discourse.

You know, if you had said that about anything else, it'd be a transparency win.

I'm not entirely sure why you think a non-US citizen using a web service in the non-US is not similarly targeted?

Either by other intelligence agencies, or even more likely, that the NSA shares these abilities with other friendly foreign governments (UK, NZ, AUS, etc) in order to ensure their tacit approval.

Even in the world of intelligence, diplomacy matters. Secrecy only counts for so much. You can't keep the fact that you have a huge listening post in NZ secret, huge dishes don't look like they belong in cow pastures. Same with fiber optic cable. It's not like they can splice them without someone noticing. Instead, the way you accomplish this is by providing NZ what it wants while still retaining plausible deniability if things go south for them ("We had no idea the horrible NSA had secretly placed all this stuff here. We're completely outraged!")

I'm Canadian. I'll be locking down my communications as best I can: email (GPG), instant messaging, chat, etc. I'd like to see my American neighbours do the same and hold their politicians' feet to the fire over this.

I feel like I should boycott the US companies on the list, at least to some degree. I have made the switch to DuckDuckGo and Mozilla. A Blackberry, as opposed to Android, will be my next smartphone. As a developer I'll be dropping my iOS support in the coming weeks. I haven't used a Microsoft product, including Skype, in a long time (exclusively Linux). I will likely phase out Google Drive and Gmail as well.

Not sure how many of my compatriots will follow suit or if that will have an impact financially.

There are lots of recommendations out there now to lock-down your browser, e.g. adblock/https/etc, if you haven't already. If this becomes mainstream then advertisers like Google may take a hit.

I'll be emailing my member of parliament (MP) to make sure we keep tabs on this in Canada, and keep our privacy laws intact.

How do you plan on telling everyone you communicate with, "I'm sorry, this channel is unencrypted, this conversation cannot continue."

Why aren't companies scrambling to provide a plug-in encryption product? Forget Google's default https, I want easy end user encryption.

Same here.

I'll be looking to expedite my move off of gmail, yahoo, rackspace etc. It's a shame, but it has to be done.

I'm doing some active research into sending an effective letter to my MP as well, as I would like it to have as much weight as possible.

> I'll be emailing my member of parliament (MP) to make sure we keep tabs on this in Canada, and keep our privacy laws intact.

openmedia.org seems to have done a good job campaigning against the Online Spying Bill.

Nothing will change.

If you think that those involved were not prepared for the eventuality of a leak, you'd be very naive. The fact that all of these companies have been sitting on boilerplate denial statements speaks volumes. Contingency plans have been put in place for this eventuality and the people making these plans are experts at dealing with these situations.

My guess is that the gameplan for the US government will be to stay silent and wait for general apathy to sink back in. Tomorrow is WWDC and, with the latest Apple news, the tech community rally will likely fall to 2-3 page in a week or so and then disappear altogether. Once that happens, the difficulty moving to alternate services (as per the other HN poll) will shadow everything, and the company bottom lines will be unaffected.

Add to that, if you believe that the US government and institutions are the only ones doing this, that would be even more naive. The Mossad, SIS, CSIS, KGB etc. are likely implementing very similar policies and procedures, if not directly involved with PRISM (or whatever it is actually called) and the outsourcing companies providing it. The likelihood of finding other territorial based services with capability, scale in an area not under surveillance is probably close to impossible.

The Arab Spring was a wake-up call to all governments/multi-nationals that these tools are power in the hands of the general public and steps were taken to mitigate and reduce this effectiveness.

It's depressing. I wish it were otherwise. I wish the companies involved actually had the ability to push back or outright deny involvement in these types of actions, but I suspect their hands were tied.

Silicon Valley is entrenched. We like to think that it is still our playground but we should know better. My only hope is that this time we learn and that brighter people than I figure out what we can do about it.

> Tomorrow is WWDC and, with the latest Apple news, the tech community rally will likely fall to 2-3 page in a week or so and then disappear altogether.

Perhaps use that to gain more attention. Picket the WWDC.

> The fact that all of these companies have been sitting on boilerplate denial statements speaks volumes.

Can you show your work on this? How would we know this?

A bunch of people compared ~9 of the companies' statements in a past thread. They are all identical in structure, form, and style, with only minor differences like differing adjectives and emphases. They all also beat the exact same terminology to death. Namely, "direct access".

You don't care. I don't care. The EU companies which are running systems on US-based SAS platforms care.

That's an assumption. The fact remains, the ability to move to other countries is a fallacy in that the rest are looking at or are implementing very similar strategies.

No, because only those who were on the fence were swayed either way. As of right now, the Poll on how the HN community will respond ( https://news.ycombinator.com/item?id=5846564 ) is at:

  No, I'm ok with it: 66
  I'd like to do something but it's too difficult to avoid using cloud services: 195
  I'm going to try to use services from non-US companies hosted outside the US: 99
  I'm only going to use services that allow client side encryption: 37
  I'm going to host all my own services: 47
  I'm not changing anything because I already assumed all of my data was being monitored anyway: 151

A quick glance at what the rest of the public is thinking is quite illuminating as well.


Summary: People think in terms of "Privacy is a bit like oil. It's getting pricey, but I still like my SUV."

If anything, it may give a much needed boost to an existing sector of internet industry, privacy and security. I see several companies springing up (some already have) that deliver end-to-end encrypted communication and storage over different media (of course, there would be plenty of Snake Oil as well).

The real frontier of communication is the transmission of anonymized and encrypted data with services bought and paid for anonymously as well with no repercussions for the service providers.

"Privacy is a bit like oil. It's getting pricey, but I still like my SUV."

You do know that outside of the US, there are lots of people who don't drive SUVs because of the price of oil?

Not having been born in the U.S. and still having family in several countries, yes, I do.

The implication that the U.S. Internet Industry is somehow "destroyed" as a result of this is hyperbole. If anything, all it did was give hope to those outside the U.S. that there's still a viable market for the same cloud services (sans FISA leash) even in smaller scales.

Yeah, but there are also lots of people who would drive SUVs, but SUVs are impractical. Roads that are hundreds or thousands of years old tend to be very narrow.

From the article you linked to:

"With the latest revelations just days – in some cases, hours – old, it’s too soon to know for sure."

I think it's still too early and I'd wait until all the facts are out. I can't speak for how people in other countries are feeling, but I can say this...

As an American startup founder, I'd be very worried about what my international customers would think if they knew I was working secretly with the U.S. government, publicly denying it, subsequently being caught in my own misleading statements, and allowing the government access to all of their data after I told them it was private. As a customer, I'm happy if you can use that data to serve better ads that are relevant to me. But I would be very angry if it was being served to a foreign government which wants to profile me a certain way, potentially to justify killing or detaining me.

True. We know so far that they've limited the original PRISM scope to major infrastructure providers and social media. This is obvious since that would cast the widest net.

As a startup founder, if your operation does get popular enough to catch the eye of the NSA, realistically there's absolutely nothing you can do to fight it. That's how far ingrained the instruments of our own deconstruction are. And they're buried in plain sight in U.S. law. I don't see that changing overnight with a few amendments or acts introduced here and there. It would take an overhaul of the very principles of government we've taken for granted (and quite possibly never really existed).

The fact that we're aware of this aspect of hopelessness will, in the end, be far more damaging to the U.S. economy than any foreign entities being aware of it.

After all, why would American founders found and base anything on U.S. territory if they cannot do it freely and on their own terms? They'd rather found a startup in Hong Kong.

I wonder if Dropbox are caught up in this too?

"If anything, it may give a much needed boost to an existing sector of internet industry, privacy and security. I see several companies springing up (some already have) that deliver end-to-end encrypted communication and storage over different media (of course, there would be plenty of Snake Oil as well)."

I think it's worth pointing out that this sector growing as a result of this will mean that those 195 people who responded "I'd like to do something but it's too difficult to avoid using cloud services" will find it easier and easier to make the switch.

Couple that opinion in the tech community with consumer protection laws that may technically forbid a business from storing customer data on these services and you do have a drive for foreign business to move away from US services.

When you're talking about a principle such as a right to privacy, that's not something that will disappear from society quicker than the time it takes for businesses competing on this principle to be set up.

I doubt it will have much of an impact, but I'd be reluctant to make a prediction about international growth based on an HN survey and a CS Monitor article that references American polling data.

Fair enough.

My gut feeling is about the same on impact of international growth. On one hand it may have been a blessing in disguise. The Internet is supposed to be global in the first place, but we have massive over-representation in pretty much every aspect of its commercial operation.

The same services outside U.S. jurisdiction and influence are suddenly more alluring.

The danger is that foreign governments will recognize that the US is using gmail to spy on them. They may ban the use of gmail or other cloud providers within their national boundaries.

I don't think most governments will go that far for casual usage, however I do see more restrictions on confidential, "official business" communication and storage through these (which, I hope is already the case).

Think of how much disruption would be caused if Hotmail, for instance, was forbidden in addition to Gmail. Many of the early adopters of the web in these countries flocked to the most popular platforms (in addition to their ISP email of course). Having to print new business cards would hardly be the only inconvenience.

There are levels, but the danger is that some person with sensitive information may communicate the information using an insecure service. For instance someone might remark that the military appears to be building a large underground structure near their farm, the US could then use this information to locate a newly built ICBM silo.

The levels of action that a nation could take to protect itself are:

1. They could train people who have access to sensitive information not to use any US service. This is what the US has done asking some members of the intelligence community to not use Skype and other services due to worries about its insecurity. This is probably common training for handling sensitive information in most nations.

2. They could filter such services at government offices, schools and sensitive sites. For instance no company can get defense contracts unless they have a policy that prevents their employees from using gmail. This is probably the most likely additional action that will be taken and it will hurt US business.

3. They could filter such services at the national level. China (1 billion people) already does this, I wouldn't be surprised if Russia started. It's unlikely to happen on a global scale but each country that bans another US service hurts the economy.

We saw this happen with US crypto export controls, the market spoke and companies began switching to non-US software.

Additionally there is a very real possibility of backlash against US companies. It makes them uncool and political hot potatoes; who wants to use a phone made by some pet of the NSA?


Because most people don't care about privacy that much. See TSA scanners, foursquare, hell, GMail scans your data every time you read mails, Facebook doesn't even pretend there is privacy. Damn, the first thing any Apple computer does is take your picture, get your details and send it all to Cupertino, before you even load the OS. Android tries to track all your phones under one account you have to add before starting up.

People don't really care about privacy. (Disclaimer: I am no better.)

There will be some anti NSA rallies, sure. Photos of those rallies will be geotagged with EXIF data and posted on tumblr, facebook and twitter from iphones and androids.

I don't care about privacy for my personal (not corporate) information from Google. The worst they can do is disconnect me, and I can always leave them.

I do care that an organisation with the power to legally kill or imprison me without trial, with the world's strongest military and a penchant for punishing anyone who embarrasses them, has all of my data, including who I associate with, what I say and wherever I go. In fact not just my data, the data of their political opponents and the journalists that keep the system honest.

If not Obama, someone at the head of the table is going to abuse this information one day.

> The worst they can do is disconnect me, and I can always leave them.

No, the worst thing that Google[1] can do is share that information with credit card companies, HR departments, health insurance companies, etc, who do have the power to ruin your life and are much more likely to do it than the government.

What happens when the advertising money hits the wall and can't support revenue growth sufficient to keep the Wall Street analysts happy? At some point some MBA is going to figure out that HR departments would love to be notified about e.g. their employees joining say a cancer support page. It sounds inconceivable today, but I bet people who started using credit cards in the 1960's and 1970's never expected that one day the various credit organizations would band together and sell your information to literally everyone, so that you could be denied a job because of your credit history.

I think it's important to keep some perspective, and I feel like people on HN aren't doing that here when they direct all their blame to the government over this issue and hold Google, Facebook, etc, who created this surveillance apparatus, blameless. Corporate America is much more likely to screw you over than the government. They have a profit motive to do so, and can get away with screwing you over on a mass scale in a way the government cannot. I don't know a single person who has been screwed over by the government. I do know people who have been screwed over by credit ratings agencies, having job offers revoked because they struggled financially in college.

Maybe it's not inevitable or even very likely that Google and Facebook will sell your information to the highest bidder. But it's a failure of imagination not to pretend that it isn't possible, and if we're going to engage in slippery slope reasoning with respect to the NSA, let's be intellectually honest and admit that we've built a vast surveillance apparatus in both the public and the private sector, and there are numerous entities within both sectors who have the ability and perhaps the motive to use that information to hurt you.

[1] Or Facebook or whatever. It doesn't matter. One day these companies will become mature and will be headed by some MBA who has never written a line of code...

> I think it's important to keep some perspective, and I feel like people on HN aren't doing that here when they direct all their blame to the government over this issue and hold Google, Facebook, etc, who created this surveillance apparatus, blameless.

Yes. The only reason the NSA/etc/all has this data is that people (probably a lot like you, dear reader) built these popular systems that make their money from tracking users. Worse still, they will always beat out a paid service because of friction and network effects.

We didn't just stand by and watch the creation of this situation, we actively participated.

Collusion among private corporations is scary, but it's not as scary as totalitarianism, mass imprisonment, and genocide. The precedents set for what governments end up doing once they get their hands on this level of social control are very bleak.

The amount you should reasonably be worried about something happening is the probability of the event multiplied by how bad that event would be. Government gone totally off the rails would be much worse, of course, but corporations going off the rails is much more likely.

How many liberal democracies can you point to that have gone the way of totalitarianism, mass imprisonment, and genocide? I don't see a lot of examples around. Yet I can look around and see tons of examples of corporations doing evil things with your information (health insurance companies dropping coverage when you get sick, credit card companies sharing credit history for any purpose other than setting interest rates, etc).

I think things you can see examples of every day are generally much more worthy of your worry. Or at the very least, it's not rational to be so worried about government surveillance while giving a free pass to the companies creating a surveillance apparatus that can be abused by corporations.

> How many liberal democracies can you point to that have gone the way of totalitarianism, mass imprisonment, and genocide?

How many 200 year old liberal democracies can you point to? There's no historical data to look at. The history of the United States itself is an indicator that democracy is self-defeating. Compare the amount of classical liberalism in 1800 and 2000. Whether that can continue past the middle and into full-blown totalitarianism is untested.

> It's not rational to be so worried about government surveillance while giving a free pass to the companies creating a surveillance apparatus that can be abused by corporations.

It's also not rational to give the government a free pass. Don't think that companies can collude with each other. The government can also collude with companies, as PRISM indicates that they have been doing.

> Compare the amount of classical liberalism in 1800 and 2000. Whether that can continue past the middle and into full-blown totalitarianism is untested.

You mean in 1800 when the Alien and Sedition Acts were in force and the government didn't even have to come up with some pretense and prosecuted and convicted people directly for what they said in the press? I don't think the U.S. circa 2000 suffers for that comparison! If you want to talk about which is a more free society, the U.S. in 1800 or the U.S. in 2000, you also can't leave women and blacks (combined more than 50% of the population!) out of the equation...

It's ahistorical to pretend that the U.S. has only gotten less free over time. Vis-a-vis "classical liberalism" the government claimed the power to regulate all interstate commerce in 1824--the only difference today is that you can't even buy a candy bar at a vending machine without engaging in an interstate commercial transaction. If you live today the way the vast majority of the population lived in 1800 (on a farm growing food for your own consumption and sewing your own clothes, etc), you'd probably find that government doesn't reach your activities appreciably more today than it did 200 years ago.

It's also ahistorical to pretend that our rights are universally weaker than they were in 1800. Remember, at that time, the Bill of Rights did not apply to the states. The liberal Supreme Courts of the 1960's and 1970's dramatically strengthened due process rights and habeas rights relative to what they were before. First Amendment rights are dramatically stronger than they were in 1800 (the "obscenity" exception to the 1st amendment has been whittled down to pretty much just child porn).

Now, I won't say the U.S. is the freest it's ever been. When you take into account the experience of all Americans (not just rich white males), the freest the U.S. has ever been was probably the mid 1990's. But, it's been worse before. It was worse under the Alien and Sedition Acts. It was worse under Lincoln who governed under borderline martial law. It was worse under McCarthy. From an economic rights point of view--the country was far more regulated in 1935-1970 (vast swaths of the economy, everything from transportation to telecommunication, was deregulated from 1970-1990).

The idea that the trajectory of the U.S. has inexorably been in the direction of less freedom is nothing more than looking at the past with rose-colored glasses. It's not a perspective rooted in historical truth.

"How many liberal democracies can you point to that have gone the way of totalitarianism, mass imprisonment, and genocide?"

How many 'liberal democracies' have built international surveillance dragnets? How many have secret prisons all over the world? How many spend more militarily than the rest of the world combined? I wouldn't say the US is exactly your run of the mill democracy these days.

> How many liberal democracies can you point to that have gone the way of totalitarianism, mass imprisonment, and genocide?

I can think of one very prominent example:


> If not Obama, someone at the head of the table is going to abuse this information one day.

I'd worry less about someone at the head of the table -- who has a lot of visibility and responsibility -- and more about the legion of prosecutors and officers (plus their friends they owe favors to) who all have incentives to catch bad guys... whether they're actually bad, or just barely find themselves on the wrong side of an interpretation of some statute, or just fit the profile.

And of course, the occasional less duty-oriented reasons for making your life difficult.

So true. The real danger here is that it's now easier for foreign governments to justify censoring the web, to "protect us against US invasion of privacy" or something.

I certainly wouldn't mind if PSA[1] got cut off of the rest of internet.

[1]: Police State of America

My personal experience with reselling Google Apps here in Australia is quite different, privacy of data is almost always the first or second question they ask. I also rejoiced at AWS coming to Sydney, but having servers physically located in Australia does nothing to protect data by law from the US Govt.

Another data point, I have used a ton of cloud services from US companies in the past with an attitude of not really being comfortable with it based on a belief that something like what was discovered was probably happening but it was just too damned convenient and easy to ignore.

I still made efforts to secure what mattered, like truecrypt containers on dropbox et al, but at the end of the day I just shouldn't have played the game at all. Lending economic support to this kind of behaviour is not acceptable.

I'm conflicted about this because I'm convinced that generally speaking, Dropbox and Google and various other companies that have no other choice than to behave in this way are otherwise really worth supporting.

I am as we speak setting up dedicated hosting with encrypted storage and obfuscated service paths to migrate all my existing services onto something I can reliably control, starting with gmail and dropbox.

I really should have just done this a long time ago, but it becoming abundantly clear that my suspicions were completely justified pushed me over the edge.

Is it true that Google does not protect the rights of non-US users from having their emails read and copied by the NSA?

If that is the case, then why would any foreigner ever use Gmail, Yahoo mail, Hotmail, etc?

because they are uninformed

I'm not sure how common this is on this site, but I happen to be an HN reader the vast majority of whose friends in the US and across the world don't know or follow technology/security stuff.

Out of my 600-odd 'friends' on Facebook, one (1) is posting stuff about the NSA allegations. The other 599, are posting pictures of cats, music videos, snaps from vacation, reflections about life, et cetera. I myself am extremely reticent about posting on Facebook due to the recent revelations.

As a result, I am afraid Edward Snowden's fears might come to pass, at least in the short run. Not enough people care. They crave the short-term dopamine bursts that result from people liking their posts, or pictures, or videos. Getting them to set that aside and care about the fact that the Government might potentially have access to it all is a very, very hard task.

In order to do this, you have to get people to switch en masse to new, secure social protocols. In short, you have to build a Facebook alternative, a client-side encrypted webmail service, or a document sharing site that JustWorks, is secure, and doesn't require any terminal commands to access / run. Otherwise the majority of the population is going to use products from Microsoft, Facebook, and Google. You can use your encrypted webmail and identi.ca, but very few people outside the "tech-aware" world will communicate with you.

I really concur and like to add there are now one or two generations of young adults and their kids out there, who have never even considered privacy (as in non-exhibitionism).

It is sad for me to see the course that the US and the European governments have taken in the recent years.

My company (a small european provider of mobile telephony and chat) has to store all traffic that is going over our service during the last six months for the government, which may request that data. They didn't yet try to get that data in bulk, but I am pretty sure that we will see that happen in the near future. And there will be nothing that we can do about it as a small company if we want to stay in business and out of prison.

I believe that at some point this will harm IT business, which hopefully will also cause the government to rethink their strategy, but I am afraid of how far they will have to go before they come to this realization.

In 1998 (as a 17 year old boy) I was able to board a plane in London to Vienna without passport. (because I've lost it during my trip) Today I have to give fingerprints and other biometric data like a criminal just to get a new passport. Tomorrow maybe it will be a standard procedure that robots do a body cavity search on me before boarding a plane.

It is funny that I, as a tech enthusiast, am hoping that I won't see the kind of progress in robotics during my lifespan, that enables them to do anal probing at scale in airports.

I am an American and I just want to point out that my latest startup (http://www.efficito.com) is a Limited UK company, and my co-founder is from the Netherlands. It would certainly be to my advantage if things change. We offer cloud-based ERP, and you might be interested to know our main hosting server is currently in the Czech Republic. We are also paranoid about security (all access is encrypted, and we are looking at encrypted storage for virtual machines, and much more).

I would love for things to change. I really would. What I worry though is about attention span of even decision makers on the business side, and what the alternatives are. The ideal situation would be a bunch of smaller private social networks able to interop (the Diaspora model) but it isn't clear there is a financial way to make this work.

So I hope it changes. I really do. I just am somewhat pessimistic :-P

I'm a UK citizen with a startup http://microco.sm that has gone to some lengths to avoid US domains, companies and laws.

All of our domains are EU based, the company is UK based, and whilst we've used Linode for blog and basic site-hosting and will use Cloudflare for CDN, we are putting nothing on the server of a US company that could be a risk to privacy.

All of our data we are keeping within the EU which we feel holds much better standards and has stricter laws on data protection, and for user-generated content we feel that the EU E-commerce Act is better than the DMCA and risk created by the copyright lobby in the US.

Ultimately what this means is that for our core data and API, European companies with no US parent or holding company will win our hosting business.

We will still use US companies, but in a way that is little more than transport and performance increases for US-based users. But even then, we are not requiring real identity and we are implementing SSL everywhere and are happy if users use VPNs or Tor to connect.

Why all the fuss? I believe that through a person's interests one can determine political affiliation. So I believe that to allow people to organise themselves freely around their hobbies and pastimes, that we must consider this and protect them from any entities that might use that information against the individuals. Further I believe that when people of shared interest come together that they are likely to organise to protect and preserve that interest, and this means that interest groups galvanise ad-hoc lobby groups and activists.

I also hope it changes, but I'm going to act as if I believe it will get worse on all fronts.

What I'm saying is that I foresee a hybrid approach in which company data officers will help guide all identifiable data and transactions to EU or local sovereign cloud companies, and that only data that is not personally identifiable, containing company secrets or in the form of aggregated data will be stored on US-linked cloud companies.

This seems to be the best approach and respects EU data protection laws, consumer expectations and rights, and still offers the company flexibility on choosing based on price/performance.

you'll be putting all your traffic through cloudflare?

if they do your SSL termination that makes all your careful US-avoidance completely redundant.

additionally, if you include some JS hosted on cloudflare, then that's susceptible to being tapped by the US intelligence agencies too.

No, I'll be putting some of my traffic through Cloudflare as we use several domain names, and each for a specific purpose.

also if they want to intercept a few of your high profile users, the fact you're using SSL really isn't going to stop them, when they can issue valid certs for your domain without asking you.

short of SSL pinning being widely deployed: you're powerless to stop them, and while it's an admirable goal, it's ultimately disingenuous to suggest that you can safeguard your user's privacy.

I'm not suggesting that I can safeguard user privacy, but doing something is better than doing nothing, and certainly I can do what I am able to. Ultimately the user is far more likely to give up their privacy by posting identifiable information online, and through graph analysis revealing their associates too.

What I can do though is: Leave the core data in Europe, not store anything that I do not need to offer the service (and I don't need your real identity), educate users and encourage the use of Tor and VPNs, implement what measures I can to protect users (SSL).

The author is guilty of thinking that the president is King, as if the entire federal government and all three branches weren't behind these things for the past 7 years.

The headline "Has the US Government's History of Acting Against its own Stated Values in the Protection of Civil Liberties and Privacy" is not nearly punchy enough to attract the desired clicks though.

The window ain't just 7 years, it stretches a lot further back than that.

I don't think it will have that big an impact.

The thing is that the grassroots organizers in other countries who care most about government spying tend to live in countries with much more meddling than that which the US government has demonstrated through PRISM. So compared to a locally-run service, keeping data in the US cloud is likely still much safer. I don't see Google handing over an activist's email logs to the Turkish government, whereas an email service based in Turkey could be strongarmed into it.

A legitimate, non-rhetorical question: does an activist in Turkey care whether the US government reads his/her emails, as long as they don't share them with Turkey?

I think most people with some technical savvy have already concluded that everything on the Internet is potentially subject to surveillance, both government and corporate. You can mitigate the impact on your privacy to some extent by going offline or using crypto but not totally. People need to choose what to share, when and with whom. The people who are loudly shouting on social media about the evils of government interception are still shouting on social media where everything they have ever said or done is able to be mined and analysed. Nothing really has changed except perhaps the perceptions of the naive.

The biggest problem with this article is that the only competitors the author can find who might supplant the US ones are located in China. Don't see US tech hegemony fading anytime soon, Prism or no Prism.

Not sure about Obama, but maybe Snowden did just for the timing and the linking in the public mind with these companies. For those who've been keeping track of this, this isn't all that entirely new - I mean articles going back over the past few decades in the Washington Post, at least 3 NYT bestsellers by James Bamford, what more do you really need in terms of "revelations"? My general gist of it was that the NSA probably was scooping packets somehow, and if they really wanted to get you, they could.

Somehow, this time, the story got traction. I agree w/ the general consensus that it's about damn time. The Mil Industrial Complex will keep rolling on w/ "Top Secret-creep" and "Surveillance-creep" until a proper re-evaluation of the Church reforms and the Patriot act and other contributory/relevant legislation for this day and age is conducted, and enforced.

I am hoping the earlier "All wars must end" speech on the part of Obama is hinting at a step in this direction.

Of note, it was probably worse pre-internet, when the NSA could just scoop radio signals out of the air...networked communications made it much harder for them - at least temporarily.

Also with SIGINT, the NSA is joined at the hip by the UK, Canada, AUS and NZ...the NSA technically could avoid spying domestically by sending intel requests to their counterpart agencies...

Was the industry just destroyed? That shouldn't be too hard a question to answer. A good indication is the stock market - so far all major U.S. Internet companies' stocks show no signs of collapsing (prices increased since the leak). If you think the market is wrong, it's a good opportunity for you to cash in.

It's also a good indication that the ruling class is not much concerned about this leak of PRISM at all.

"destroy" is hyperbole, but it's certainly going to have a chilling effect. We can't ignore the elephant in the room any longer - our utopian global human internet is actually just a US government controlled plaything.

My company provides a service to the government sector in Australia, hosted on Google's Appengine. We've been negotiating a blanket deal with a government department, and I can see that we're going to have to answer some very hard questions about the security of their data after this. Winning this deal would make a ten-fold increase in hosting costs irrelevant, and I wouldn't be surprised if they even offered to pay us more to host in Australia just for their peace of mind.

Most of us learn as kids how asymmetrical trust is, and how once you're caught lying no-one believes your apologies or promises to mend your ways. Before PRISM, it was only the cynics muttering about how the US Government saw everything we did. Post PRISM, most non-US companies (and probably many US companies too) will be looking for neutral alternatives to US services.

And Richard Stallman... proved right yet again!

I don't think he's capable of destroying it, but he's certainly set things back quite a ways. We've known about domestic internet spying for quite some time, but it's definitely gotten bigger and badder under the current administration.

I hope people finally will stop with the "oh but nobody is looking at my stuff" attitude, because now they know BigBrother(tm) is watching.

I doubt many people will leave American companies real soon there are just not many good alternatives at the moment but given a choice between an American company and say one in a more privacy oriented country that advertises its position properly people may think twice.

Nobody seems to mention that the intelligence agencies of the world deal with information and they're not shy of selling it. Say for instance a revolution is brewing over Facebook in a country the US would like to keep as is how likely is it that the CIA would provide intelligence to that country to stop the revolution?

Facebook may be a tool for revolution but it can be a tool to stop revolution as well and the US government gets to decide which one will it be.

I'd rather they stay out of it and the only way to do that is to not use US services.

I worked at a University in Canada, and we had a no USA hosted services policy from day one of that Patriot Act. Not everyone knew about it or followed it but if an IT department was involved in development we had to enforce it. It was really frustrating for me a lot of times because I couldn't design new useful solutions or suggest products like SurveyMonkey for example that would save everyone huge amounts of time.

This is totally the kind of thing that is going to happen to a lot of businesses now that less technical people that are higher up are aware of these issues. They are going to get a little fearful and mandate certain services are a no go.

A minor correction in terminology:

The US Constitution and case law makes no distinction between protections granted to US citizens and foreigners. All are treated equally under the law, and thusly "enjoy" the same "protections."

However, case law has determined that such protections are not granted outside of the US's borders. Thus, an American citizen and a foreigner have equal protection (again, in theory) when inside of US borders - and both are equally unprotected when outside of US borders (it's a bit more complex regarding the 'outside of US borders' part, but that's the general gist).

Here's two high level pitches someone should go and try to validate:

"Like Google with strong data protection."

"Like Facebook with strong data protection."

Feel free to send me some of your billions later.

I think there's some outrage now but by and large most citizens don't really care as long as there's some justification they can buy (ZOMG gotta protect us against those terrorists). Yes it's a sad state of affairs but that's what it is.

If I'm wrong on that the US has just created a pretty sweet incentive for European/Other entrepreneurs to grab a good chunk of the silicon valley business.

While I actually hope that the predictions in this article come true, as people should not put their data at risk by allowing it to pass through the US at this point, I am pessimistic that anything will change. I was sure that seizure of overseas internet poker domains, on the basis that .com domains are controlled by an American organization, would have been enough to drastically reduce .com registrations. That didn't happen. People have a tendency not to care about things until it directly smacks them in the face, and then it's too late.

I live in Germany. And whenever we try to sell cloud-based services to our customers there is this group of people that are not comfortable with Google, Amazon, and Microsoft. They like to keep data in their own racks on their own servers. The standard reply is to call it FUD and talk about all the advantages the cloud has.

It will be a lot harder to win an argument against them now that everybody knows that data which is stored in the U.S. is free bait for the NSA to play with. It's no longer fear, uncertainty and doubt. It's just fear now.

I've been wondering about this. The U.S. will be considered the anti-Switzerland with respect to our privacy. If you want your data safe, don't store it in the U.S.

Next question: how are Google etc treating my data when my own government wants to know what I say about them? Do they also bend over backwards to set up portals for different levels of ally, or are foreign citizens safer from their own governments than US citizens are from theirs?

Similar actions have been affecting other businesses earlier: "Due to this, Swedish-Finnish TeliaSonera has, as of June 5, 2008, moved their Sonera (Finnish) e-mail servers out of Sweden, as Finnish law requires communication to be confidential. They have also transferred Swedish customers from Finnish to Swedish servers, to prevent Sweden-to-Sweden e-mail from crossing the border."

I live in the UK and for me this is a big deal. While this issue was always in the back of my mind, I never had concrete proof that this was happening.

Now that my fears have been answered, I shall think twice before buying any cloud space on US companies' servers. I will be speaking to my colleagues on the effects this will have on our existing data and how this will affect the trust with our customers.

I think this is a huge deal.

I think 'destroyed' is a strong word, and it's still early. Damaged? That's probably fair.

I wonder if that's a major reason the Google-centric 'The Internship' movie kinda bombed this weekend. I mean, it might just be a crappy movie (didn't see the reviews), but I do suspect a lot of people weren't really into seeing a movie about Google after all this.

The average movie-goer wouldn't make the association unless the story were in the headlines for weeks, maybe months, on end. It just doesn't look like a great movie.

Heh, you're probably right.

This is the Europeans' "big break", and they need to take advantage of it. Hopefully they won't revolve around the UK, because it's probably just as bad at this. Maybe Germany can be the center of innovation in Europe. At least they have some pretty strong laws and strict judges, and citizens can even create their own laws and referendums.

Nothing new at all, history just repeating itself. Everything mentioned in this article was already assumed by people. I did laugh when they said we don't do domestic spying. I think they don't know in US how many people in the world are living outside the all mighty US. Maybe it's just bad geography and limited national political thinking.

While consumers may be too lazy to care, cloud providers will lose a lot of business. You can bet that every trade magazine outside the US will have articles discussing if it is even legal to store data with US providers given the particular country's regulation and the information we have.

That's already been a common discussion for many years. The business world outside the US is very much aware of the problem.

What we're likely to see now is articles discussing how to get out of the US cloud, because it has now shifted from a potential legal issue to a commercial selling point.

Even clients with "nothing to hide" will start asking questions about where the data is stored. Not so much because they're worried about the US looking at their data, but because they want to know how well we as their service provider take care of their data.

Most of the comments concern politics and very few concern the economics of smaller companies and individuals rejecting services from Amazon, Google and Microsoft.

(Microsoft's TechEd had a big push towards Azure this last week. Their timing sucks... Sorry about their bad luck...)

There went that fabled "moral high ground," right out the window.

This government wants to keep increasingly more secrets from its populace, while simultaneously decreasing our rights to secrecy.

More of the double standard which widens the gap between "We the People" and the ruling classes.

What's interesting here in Australia is that mainstream press are largely ignoring this story. The number one story on news.com.au right now is "How the fabulously rich kids travel" - can't wait to read that! The Ed Snowden story is way down the page.

> "American companies have overwhelmingly dominated it. They have done so with astonishing innovation and technical achievement. Apple, Facebook, Google, Microsoft, Skype..."

Skype was in no sense an American company until it was sold, first to eBay and then to MS

This might answer the question in the title:


This is one of the most formulaic, most predictable comments on HN. It adds nothing to the discussion, offers no insight into the topic, and exists only as a cheap way to score magical internet points.

Please do not post such comments again.

IMO it should be a much bigger deal for totally commodity services (IMAP/SMTP, file storage, etc.) vs. "unique" services (it's not like you could run your own Facebook server in Iceland...)

There are local social networks, to give an example from Russia: vk.com, odnoklassniki.ru, etc. And these are more popular than Facebook.

Social networks aren't commodities, especially once your set of friends are on them.

You're right, what I meant with my comment was that for many countries Facebook is not the only social network. Many people are active in multiple networks and some of these social networks have no ties to the US, hence if users outside of the US decide to move away from Facebook it won't be that hard to do.

It's safe to say that if I find a real alternative to Google Apps I will be moving a few hundred people away from Google Apps. Right now we just have to live with the 1984 feeling.

No, this sort of thing has been going on long before Obama. If anything he will just be the one that got unlucky enough to be in charge when people found out some of the details.

Hey Europeans, does this mean your love affair with Skype is over?

No, because none of these laws have been enacted in the Obama administration.

And yes, because Candidate Obama said he was going to fix things, then discovered other priorities once in office.

Am I the only one who sees a tech-war coming in the next 10 years? I always suspected that as new tech arises the chances of seeing a war rise too.

The good news is, if we make this a big deal and companies start to feel the pressure, we'll have millions of lobbying dollars on our side.

What does this have to do with Obama? Genuine question, the article doesn't say. I thought this was a consequence of the Patriot Act.

This is child's play compared to the information they will gather from Google Glasses...Imagine what they could do with that...

Well, it's probably illegal for the US to sell its products in the EU. Certainly it's game over for the cloud industry.

It makes a mockery of the concept of the US being the bastion of freedom and being an example to other countries.

Baidu instead of Google

Renren instead of Facebook

Youku/Todou instead of Youtube

Weibo instead of Twitter


Yandex instead of Google

VK instead of Facebook

Only Beijing and Moscow saw this coming!

I think it will impact B2B e.g. big/sensitive projects will be much less inclined to use Skype.

That is brilliant.

I still think headlines with question marks are cowardly writing. Be bold! Take a stand! Come right out and say Betteridge's law is bullshit.

I kinda get the socratic effect the author is going for, but I still think it's a cheap trick. I didn't ask that question, the author did.

I don't see why this is the most downvoted option. It does seem on point that the piece doesn't have any hard polling data about worldwide reactions to the recent NSA revelations, and the stuff about alternative services mostly refer to Chinese competitors, who are large players locally, but not worldwide. Hence, you'd think Betteridge's law was applicable. No?

I never noticed till someone pointed the law out on HN this year. IMHO the trailing question mark is almost always lazy writing.

Now I'm looking for a decentralized social network

are non us people going to stop using microsoft windows, intel cpus, vmware... ? Wouldn't it make more sense for the nsa to bug these things ?

How much of it was Bush rather than Obama?

No I don't think Obama did anything.

Given that civil liberties were such a big part of his 2008 campaign, the best case scenario you describe is still a bit of a problem. I'm actually pretty angry at him right now. I donated a lot to his campaign in 2008 based on his focus on civil liberties, and he has only escalated everything I disliked about Bush. (And yes, I realize he made some questionable votes in the Senate before the 2008 election. I told myself it was what he had to do to get elected. By the 2012 election I had wised up and voted third party.)

How's that hole in the sand? Seeing anything good down there?

Couldn't agree more.

A core principle of politics is that you're responsible for everything that happens on your watch. If you don't believe that, go listen to the past 40 years of broadcasted debates, and count the number of things that the opponent didn't personally do but was called to account for.

I swear, it's like nobody ever read the USA PATRIOT act, even though it's been law for 12 years. Obama's fault? For what, following the laws that Congress passed?

Chicken Little, is that you?


The damage was already done well before that. Individuals may not care that much (so Facebook is relatively safe), but businesses and governments have already been well aware that storing their data in US-run services is a bad idea, and in many ways not even legal because of existing privacy and security related regulations.

If you for instance store sensitive medical data, you can't do that somewhere where the US government may get access to it whenever they want (warrant or not btw, unless that warrant is served to you and not your American service provider).

Many of us are looking at ways of backing out or staying out of US services for the potential legal complications alone. This may accelerate things, but to most it was already clear: if you have any kind of liability concerning the data you store and process, you can't use American online services.

The question "does your product use American services?" will be asked with increasing frequency. Also, having "no" as an answer is a good selling point in many markets.

So much of internet business rides on trust. Yes, this is gonna damage the US Internet industry.

If you're selling cloud-based services in overseas markets, your non-American competitors just got a big helping hand.

It is now easy for any country to ban US based technologies in order to jump start their own tech industry.

This is the beginning of the end of the US tech industry in general.

Nowhere in the world can you escape from US omniscient powers nowadays, and I can't help think this may be the prophesied New World Order (or if you're a Christian, the "Great Abominable Church").

It's imperialism via information, and US corporations are the foot soldiers.

Yeah, it was Obama. He did it by himself. He just turned his evil black man powers on the internet industry and just blacked it all up. He did this because he is the entire federal government.

