While I understand that this is largely because the legality of the spying hinges on whether US citizens are subject to it, I still find it a rather fascinating aspect.
We bought their cell phones, their operating systems and productivity suites, their internet adds, hosting and email services and movies and music. We even let some of their largest corporations get away without paying taxes on the money they made in our countries.
We may not be citizens of their country but we are allies, not terrorists. When it comes to the bad things groups of people, such as governments, do to individuals, whether it's killing, torture, imprisonment with or without trial, surveillance or any other of the misdeeds that seems to have returned from the dark ages we deserve the same protection as American citizens.
Despite the actions and statements of our government, most of us Americans feel the same way. (It's just that the shitty entitled xenophobes are just so damn loud sometimes...)
You'll note that in our declaration of independence, it states that the rights to life and liberty are the inalienable birthright of every man, endowed by his creator, before it says fuck-all about anyone's government.
No, we're vassals. The USA orders and we obey, whether it's supporting their military machine or handing over information, people, research, or economical advantages. It's a hegemony.
>the misdeeds that seems to have returned from the dark ages
You've been fed propaganda. The crimes have always been there. The USA has always supported tyranny, cruelty, and crimes against humanity if it served its best interests (like every other country, I might add.)
>we deserve the same protection as American citizens
If the government wants someone naked, chained, and tortured in some foreign place, it'll happen. No matter who it is. True? Maybe not (yet), but it's telling enough that it sounds plausible, no?
Even if this is not stated in any treaties, it's simply the practice.
To be fair, folks in the US bought a LOT of European cell phones first. :)
&#! # keyboard autocorrect...
The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.
Any such armed attack and all measures taken as a result thereof shall immediately be reported to the Security Council. Such measures shall be terminated when the Security Council has taken the measures necessary to restore and maintain international peace and security.
Every country has different rights for citizens and non-citizens.
For example, the US has held the 4th amendment does not apply to non-citizens who are not "part of the national community" (IE if a bunch of canadians came down and fished every weekend, you could search them however without violating the 4th amendment. If they lived here illegally, you couldn't).
It's not just the US of course, almost all countries are like this (the EU has broader protections for EU citizens than random other people, like US citizens living in the EU).
I don't remember all the details, and i certainly agree with "morally reprehensible", but you are suggesting a "natural rights" based approach, which, while common, but not universal.
The rights are inherent in the nature of the situation (i.e., humans living in a social order based on equality of individuals under the law). The scope of the protection of those rights varies from jurisdiction to jurisdiction (and vanishes entirely where jurisprudence is slave to political demagoguery).
The fourth Amendment isn't the source of the right, it guarantees that the right won't be abridged by government action. As the Constitution is defined by and for the people of the United States, that the protections "guaranteed" (in quotes because the guarantee has to be maintained by vigilance) don't extend to those who are not the people of the United States isn't logically surprising, but can remain somewhat disappointing (politically and ethically).
This is, as I said, an interesting claim.
I'll point out the irony that the freedoms everyone considers so important didn't even make it in the original document, only the addendum :)
They may be deemed "natural rights" by the nature of mankind living in what I will term "just" societies (where jurisprudence and justice coincide), but they are not "natural" in their springing forth from the natural sciences of physics, chemistry and biology.
There were a number of people involved in the Constitution of the US of A who did not want to enumerate the rights, knowing that they were not the government's to give and receive. The pragmatic reality of the day was a yield to legal codification, since most knew that a government not explicitly bound, was bound to implicitly violate those rights. The escape clauses were (probably, I'll let others debate that) the 9th and 10th amendments.
Could you please provide a reference for this?
From the headnote:
"The Fourth Amendment phrase "the people" seems to be a term of art used in select parts of the Constitution, and contrasts with the words "person" and "accused" used in Articles of the Fifth and Sixth Amendments regulating criminal procedures. This suggests that "the people" refers to a class of persons who are part of a national community or who have otherwise developed sufficient connection with this country to be considered part of that community."
From the Wikipedia article about the case you cited : "...Fourth Amendment protections do not apply to searches and seizures by United States agents of property owned by a nonresident alien in a foreign country. [emphasis mine]"
This is how the case has been interpreted by every court to follow it. See US v. Guitterez, 983 F.Supp. 905 for a fourth amendment example from the 9th circuit.
Here is another from the fifth circuit:
UNITED STATES OF AMERICA v. ARMANDO PORTILLO-MUNOZ (i don't have cite handy)
"Portillo relies on Verdugo-Urquidez and argues that he has sufficient connections with the United States to be included in this definition of "the people," but neither this court nor the Supreme Court has held that the Fourth Amendment extends to a native and citizen of another nation who entered and remained in the United States illegally"
There are something like 2000+ cites to Verdugo, and and the general viewpoint of courts so far is as i said it is.
If you've got a court of appeals or SCOTUS cite to the contrary, where a court has held that they do apply, i'd love to see it.
Various lower court decisions have fleshed out what constitutes "substantial connections".
As a British citizen I have a right to not be tortured by the government (under A.3 HRA1998), and a right to NHS healthcare. The former (a negative right) is one the government should afford to the whole world. The latter (a positive right) is not.
The reason that foreigners want to have their contracts adjudicated in US courts, one of the main reasons they buy US real estate or buy US Treasuries and trade the NYSE for much lower expected returns than they would demand elsewhere, is that they have faith in the rule of law in the US. Not perfect faith, but real faith. Not faith in the moderation and good intentions of the US (or CA, NY or MD) government (though they have some of that too) but faith that their US interests are protected in law by things like the Takings Clause of the US constitution - and usually by statute law as well - even while they go on living outside the US as non-citizens of the US. Nor is this something that matters only to foreigners: this trust from foreigners is one of the major pillars of the US' wealth and power. Look at places like the PRC or the UAE http://en.wikipedia.org/wiki/DIFC_Courts which are avidly trying to cultivate an image as a place where your real estate won't be swiped and your court case won't be nobbled to favour a crony.
Now, slowly but steadily, these non-resident aliens (like me) are cottoning on to what FISA 702 means for them. And what it seems to mean is that the rule of law doesn't apply to their Facebook or Google accounts the instant the Federal government chooses to get involved. As a non-lawyer reading FISA 702 http://www.govtrack.us/congress/bills/110/hr6304/text the remarkable thing is that it's not establishing a process where the US government presents a vague counter-terrorism or national-security rationale to a secretive, questionably-independent court. It seems to be a process where the US government can help itself to anything it wants from any specified non-resident alien without even having to state any motivation at all, and in which the FISC court's only role is to confirm that the targets (probably!) aren't US citizens or residents. Does the government feel like doing a spot of industrial espionage on your company's email or file uploads? Sam's your uncle. There aren't any reasons even in principle why the FISC might refuse to issue the FISA order - and the government is spared even the embarrassment of having to state its intentions in court. Your internet company could appeal, but the whole process seems to work on the basis that as a non-resident alien you'll have no applicable Fourth Amendment rights, and 702 seems to clear aside any rights you might have under statutory law ("Notwithstanding any other provision of law"). And in any case what information about the Federal government's interest in you would Google or Facebook have to base an argument on? And once it has your data the US seems to be free to do nearly anything it wants with it - share it with your US competitors? Why not? - unless it tries to take the data to court. (See sec. 106 http://www.gpo.gov/fdsys/pkg/STATUTE-92/pdf/STATUTE-92-Pg178... )
Now it's true that CIA could (and maybe does) attempt to hack the EADS servers in (I'm guessing) Toulouse in search of engineering goodies to share with Boeing, with just as much impunity under US law. But at least EADS has a chance to try and secure its systems from hacking attempts, instead of being instantly defeated the moment the US decides to file some paperwork, and it can get whatever benefit it can from the fact that the industrial espionage would be illegal under French law. So FISA 702 seems to completely reverse the normal position: in legal terms your person and your property are usually better protected from the US government inside the US than outside it. And of course the final touch is that you'll probably never get to hear about any of the intrusions, so even if you're the world's richest person or organisation with all the best lawyers they won't be doing you any good. It seems that the only legal restraint on the US' behaviour with the online data of non-resident aliens is that it can't request a wide-ranging search like "everyone in Pakistan who searched for 'X'", though even that may not be the case: https://news.ycombinator.com/item?id=5845878 .
(Again IANAL. If someone qualified can correct important errors in my understanding of FISA I will be very grateful!)
So, imagine that the US Congress passed a law permitting the Federal government to expropriate any US property for almost any purpose from any non-resident alien at any time, for no particular reason, without compensation or even notice. Throw in some very effective judicial secrecy into the process established by law as well. Provide some unverifiable assurances that the Federal government will probably only choose to use the law against very bad people. Imagine that this law appeared to be holding up nicely against Congressional and legal challenge, at least for now. And please bear in mind that no non-resident alien would give a hot damn about which intriguing Constitutional arguments were being used to (rightly or wongly) deny them the protection of the Fifth Amendment. How would Wall Street, US real estate and the broad US economy be affected? It's not a perfect analogy at all, but it gives you some idea of what may be coming down the line for US internet companies.
While true, there is this bit in the Declaration of Independence about inalienable human rights. Unfortunately that doesn't seem to be a legal document anymore.
Does free speech extend to advocating going out and killing all African Americans at a white supremacist rally? In the US it does, but only because of our bad experiences during the Red Scares. In Canada or the EU it wouldn't. What right do either side have to force their definitions on the other?
This being said, the argument can easily be made that spying is somewhat different. The general fear is that since governments monopolize violence their actions towards spying on their own must be more restrained than spying on others because the dangers in adopting a "show me the man and I will find you the crime" apply at home to a much greater degree than they apply abroad.
That belief is cultural too - it just so happens that almost every culture has independently arrived at it http://en.wikipedia.org/wiki/Golden_Rule is a fascinating read.
It goes the other way in not so great ways also that we tend to project those things we do not like about ourselves onto our enemies.
If someone accuses everyone else of being a thief, expect that the accuser is the one responsible, but the person who respects everyone is probably respectable himself.
Prepare to be jumped on by "anti-imperialists".
Almost nobody in the US, perhaps, but this whole mess isn't doing the US any favours at all with the international community, certainly not here in Europe.
I'd say there's a fair chance the cavalier attitude towards the rights of non-citizens so overtly displayed by leading US politicians and security people over the past few days could ultimately swing the entire public debate in a way the US administration really doesn't want it to go. Those statements get broadcast on TV internationally, too, and everyone in the room cringes when they hear them.
I'm not saying america is perfect, but if we scale back our navy for example, there is going to have to be a lot of slack for other countries to pick up. And that means costs rising and more taxes for others. As well as the chance of increased conflict.
The world isn't so cut and dry as you make it out to be.
How would you even start measuring the cost/benefit ratio? What monetary value do you assign to things like privacy? How do you know where you're moving things to doesn't have a "better hidden" equivalent to what the US is doing? Do you even know if it would be worth moving things? What is the opportunity cost to moving? What is the cost if you're wrong?
As much as I'd love to agree with the pathos response to these things, its better to see and wait than to kneejerk react to things.
FWIW, I certainly wouldn't go that far. However, I would prefer to see the administration of the US promoting more equal partnerships with other nations, rather than arrogantly presuming that they are somehow automatically qualified to lead the world in every field of human endeavour or that they should for some reason be exempt from normal standards of decent behaviour that they expect everyone else to follow.
This is a revelation for most people, especially younger people, and they're dealing with the immediate, personal, consequences.
As with the embarrassment created by the second Bush administration, whereby we squandered a great deal of global goodwill after 9/11, we've done a stellar job of undoing the redemption we thought we had gained by electing Obama in 2008.
Many Americans really thought we could be less embarrassed of our leadership with that decision.
The story is still unfolding. Our government will be measured by how it acts out the next few months and how it responds to the inevitable criticism from the rest of the world. As Americans, we will be measured by how we respond to our government.
No discussion about non US citizens. It was just assumed that drone striking them was OK. Made me really feel weird as an European.
When the Founding Fathers eventually drew up a Bill Of Rights for the new nation, most of them wrote things that explicitly suggest that they felt the rights being granted were universal -- in particular, Benjamin Franklin was vehement on the subject, arguing that the Bill Of Rights extended to everyone, including the blacks who were being held in slavery (and when Congress met for the first time in 1789, Franklin pushed a bill to abolish all slavery).
The NSA at least was supposedly run as a very tight ship (I have no idea now, i have no friends who have worked there recently), so I'm sure they theoretically have really detailed redaction and other procedures meant to keep personal or private info of americans from appearing in reports, but that is not exactly comforting.
I think you were just trolling but if not then one of hundreds possible ways to find that:
1. get a hold of your your email (or name and then facebook / gmail snoop)
2. your email leads to your paypal account
3. your paypal account leads to your dob and ssn, bank accounts
4. your banks accounts hold information whether you are citizen or not;
- OR -
4. your ssn codification tells whether by the time obtaining the number you were citizen or not
PayPal, Facebook and Palantr has the same co-owner, P. Thiel.
But seriously I don't think they discriminate. Last thing they look at is whether you are citizen or not. Your IPs (all the one you ever used while login to any website you have an account with) can quickly tell them whether you are on US soil or not. Most likely as long as you are here, you are consider us citizen, whether lawfully or not but you "operate" on US soil so the same rules apply to you. Good example would be if you are in US as a tourist -- you still need to obey US laws and regulations.
Google knows a lot about someone, but they have no idea what citizenship I hold. They can guess, of course, but that isn't a lawful way to discriminate.
According to the whistleblower, they don't in any meaningful sense. They collect all the data they can, and then currently only use bits of it, when they feel that is justified. His point about checking the US president's email in the video was that all they need is one email from a foreigner in order to tie anyone in the US to an investigation, and look through all their records.
A 51% confidence that your target is not American when looking at a service where 15% of the users are American, or one where only 29% of the users of the users are Americans is a meaningless standard. Now the only hope right now is that companies push back but the question is how much given that they were not willing to push back enough to break silence.
- if they aren't targeting specific persons, how do they know what country the person is from & if they (the govt) are violating the law?
- if I'm American living in another country, am I safer from or more likely to be tracked (terrorism aside) Am I being picked up "freely" as someone from outside the country?
- many, many, many similar questions I'm sure you are also asking
I realize these seem rather naive questions, but my first thought on reading Obama's response was, "How can you possibly know what country the person is a citizen of?"
Considering that that was a major part of his defense - "Don't worry, it's only those foreign people we're looking at"- I really think that needs to be a bigger part of the whole discussion.
I think it is quite obviously more bullshit.
At one point, with watchwords/etc, it was clearly the latter. I think they've moved to the former.
Doesn't seem like there's any way to abuse this .....
I remember a story that on 9/11 orders were issued to shoot down any aircraft left in the sky and that fighter pilots refused to carry out the order. How would things be different if it was 8 specially trained anti-terrorist folks commanding largely autonomous drones?
Machine intelligence keeps getting better, so it won't be long before we have entirely autonomous drones that just need general instructions to do their job. At that point..
The democratization of weaponry is what caused the end of feudal society, concentrating it might will cause its rebirth.
For a fictional take on this, see Kill Decision by Daniel Suarez.
I am not sure it will get that far though. More likely it will expand until the economic stress from an oversized national security budget and rising energy prices will force it to collapse with global consequences. For the record, no, I do not think those consequences will be pleasant for anyone :-P
As an American I would far rather be spied upon by the Chinese or the British than the American Government. I would further expect that if a British individual was concerned about the same thing, the NSA would be far less threatening than British intelligence.
The whole, "I have nothing to fear" point of view. It's the bigger picture they need to think about :(
If the government is willing to spy directly on the people it should be serving, then it starts to feel like it's out of control.
When the US spies on US citizens, who do we have to turn to?
It should be of no surprise then, that citizens of other countries have no ability to protect themselves from over-reaching laws and actions by the US government.
Those days are most certainly over. This stuff will affect companies like AWS and Rackspace the most, given that they are competing for contracts with companies who are seriously concerned about who can get at their data. I imagine nobody will flaunt the laws in Australia regarding international data transfers in future, and that countries where no such laws exist will enact some very quickly.
Any cloud based software company in the US which holds large amounts of data that could in any way be deemed to be sensitive is going to have a much harder time pitching to clients overseas who will increasingly opt for a decent local alternative over a foreign one should the option exist. The only thing that American companies can hope for otherwise is that there is no foreign alternative.
The world is not going to come to an end but for a lot of people, their jobs are about to get much harder and the government should be worried about this.
You have just given me what I think is a very good possibility regarding a marketing message, namely that we are not subject to NSA orders, and that we take security extraordinarily seriously. We are still looking into whole disk encryption for virtual instances, but key management is a non-trivial problem there to get right. For those who want it I can be pretty sure we'd be happy to work with you to find a way of making the system meet your needs. (Of course given a few customers, we could work with a server in Australia too.)
But I also think it goes beyond shipping the data overseas. Suppose you do business with an American company that has servers in Australia (for the record we are registered in the UK, not the US), and they get a FISA warrant? Of course they will send the info over. So you can't only look at where the business's servers are but also where what legal authorities they are obviously subject to.
You certainly won't be the first with that idea. I've now lost count of how many blog posts, tweets, forum posts and so on I've seen in the past week that essentially say, "Is the next big selling point for European service companies that we're not subject to US laws?"
On top of that Part III of RIPA makes it an offense to fail to disclose your encryption keys to the government in certain circumstances, and the court does not need to actually prove that you have the keys in order to sentence you for failure to produce them.
Could that make them capable of similar monitoring? Does the UK have stronger information privacy laws that the US doesn't?
The EU has very different approaches again to privacy law. I don't know you can compare them. They tend to be more lax with collection and stronger with use.
However, we can also help you install the software (open source, reviewed by developers all over the world) on your premises if you would prefer. So our best shot is only for those who really want to cloud host.
How likely do you think it is that any of the UK agencies that have powers to request interception under RIPA will refuse a "please scratch your back, and we'll scratch your back later" request from the NSA if the NSA actually cares about your data enough to try to get someone to compel you to hand it over?
And RIPA does provide basis for compelling you to hand over keys or face prison.
Being in the UK may protect us against NSA just taking whatever they feel like whenever they feel like it for no reason at all, but I very much doubt it does much good for anyone that actually ends up in the NSA's crosshairs.
I am not so sure about that. The internet... well, many of the wide-open holes have been closed... BGP hijacking isn't as trivial as it was in '08, mostly because filtering has been implemented in some places, but it's still something that could be done by someone of, say, my resources. It's trivial to anyone with real resources.
And there are all sorts of other possible attacks. Hell, even ignoring the (probably easy, for one of the three letter agencies) possibility of putting a backdoor in the firmware shipping on popular routers, well, most ISPs end up using ancient router firmware revisions on their routers
Yeah; read over that BGP hijacking attack; it sounds way easier than setting up a collector at every ISP. (You'd still need local collectors to not add too much latency, but a single (/very/ well connected) collector could cover a reasonable region)
Cisco charges an arm and a leg for firmware upgrades... they give you some of the really old stuff? but usually the choice is used $BIGNAME hardware without firmware updates, or you roll-your own quagga. (at the 10G/sec traffic level my upstreams can push, quagga/vyatta work just fine... that's what I use.)
The thing is, if you have your own CA, and expect certs from both sides from the same CA, then it is very hard for an MITM attack of this sort to be orchestrated because you can say, "Something isn't right here." So that leaves attacks against the cyphers involved or against the endpoints.
One service we offer is an ability to use an SSL cert issued by the customer, as well as appropriate VPN options to connect to the system at all. Between these, in general I would expect that MITM approaches can be protected against in high security configurations. But that still leaves cyphers and endpoints.
So the first thing we need is a better PKI which can more robustly handle fraudulent certificates. This is something I have written about a bit. (see my blog, http://ledgersmbdev.blogspot.com for more.) But we also need a lot more.
BTW, we build everything on the basis of compartmentalized security with the idea that compromising customer data will require working through quite a bit of depth, particularly in relatively high security configurations. It wouldn't protect against a court order, but it should protect against a lot of other things.
Could the NSA hack us? I am sure they could. Could we make it difficult enough that they would be much better going through legal channels (maybe making deals with local law enforcement or the like)? That's what I am shooting for. It is probably the best one really can shoot for.
Yeah; my point was just that getting to that point (where it's easier for them to go through legal channels) is harder than it looks. It's certainly not the default state.
As we went through our initial design, and started talking to others, it became quite clear that the being industry standard when it came to security is not something that either myself nor my business partner were comfortable with. We opted to start looking at everything very carefully and review eachothers' works regarding security, suggesting improvement, etc.
It's one of the reasons we decided to go hosted cloud first and only later multi-tenant.
So by 'hosted cloud' you mean 'every user gets their own VM?' I mean, you could mean that you use on-demand dedicated servers, but most people mean virtual instances when they say "cloud" (I hate that word "cloud" - it's so vague)
(personally, i still think of multiple VMs on one physical box as multi-tenant. But managing a VPS per user? thousands of times easier than managing a user-account per user and just having a bunch of users on the same box. In my opinion, more secure, too.)
How are you managing images? I mean, that's the thing you've gotta watch for, a backdoor in the install image.
One thing I've noticed about my customers is that they almost all prefer to use my image than to do a net-install. (I give my xen users a paravirtualized boot loader, so they can load the distro install kernel and go from there.) the interesting thing is that my dedicated customers are far more likely to do their own install (I provide only... a very rudamentary PXE menu.)
Or, maybe that's just my perception because I only notice what OS they are running when they ask for help... whereas on the dedicated servers, I've recently had to move a bunch of them, which required me to look at consoles. So I guess there could be a bunch of arch users or something like that who just don't ask for help.
It does seem like having your own physical hardware would make... a big difference, security-wise.
> How are you managing images? I mean, that's the thing you've gotta watch for, a backdoor in the install image.
It's not the only thing you have to watch out for. If someone can compromise the host they should be able to compromise all vm's given a little time. We do have some automated ways of checking for changes though. In general the physical hosts are much less exposed but cannot guarantee that more generally. We are always discussing ways to tighten security (I am considering setting up a rediculously tight selinux policy on the physical hosts).
> It does seem like having your own physical hardware would make... a big difference, security-wise.
The big difference is actually where the hardware is located. The big difference is really having your own physical hardware on your own premises on your own intranet vs using someone else's physical hardware in their datacenter, with their intranet. In general though if you have someone else's hardware on your intranet you can better control it than if you have your hardware somewhere else.
Companies based in the UK, for example, can not make the claim found above ( http://m.washingtonpost.com/investigations/us-intelligence-m...).
I'm not a lawyer, but you could lose all credibility if you act on that and get it wrong.
There's a way out. Those server offshore must be handled by subsidiary. Then the parent company in US does not have the data and they can not also command subsidiary to handle it over.
And not to mention that Conroy wants to do something like what the NSA are supposedly doing; he's just going to outsource it to the ISPs.
I've seen an AFP server in a certain government datacentre. Its security was a square of black and yellow tape and the assurance that I would be detained without charge under anti-terrorism legislation if I crossed the tape to take a closer look.
Americans are, theoretically, in a much stronger position vs NSA snooping. US law is meant to make it illegal for their spy agencies to look inwards and the US Constitution has its famous "search and seizure" clause which can, if you find the right judge, have some formidable teeth.
As Australian citizens we have no such protections and we have no standing in US courts to get any restitution. We're fair game.
Further, as Australians, while we enjoy some protection from our own outward-looking agency (ASIS), the inward-looking agency (ASIO) can and does investigate Australian citizens with a broad range of powers, including powers to intercept telecommunications. Their powers compound of investigation with the Australian Federal Police's powers of arrest, sometimes without cause or notice.
In theory, ASIO requires the Attorney-General to grant warrants to exercise most of its powers. Statistics on the warrants haven't been published, so we have no idea if they're granted begrudgingly or rubberstamped. My guess is going to be the latter -- which Minister wants to the one who was "soft on communism/terrorism"?
NB: It's a real struggle to not make this sound paranoid.
Just at an individual level, I'm questioning whether it's wise to store my data in a US service that won't afford me the same protection as US citizens.
I've already started reducing my reliance on Google, and I barely use facebook, but things like Amazon and Linode are much harder for me to quickly divorce myself from.
But then again, that is just talk. I still use AWS and Linode religiously. The prices are really hard to beat
It definitely isn't, and I'm wondering why this issue wasn't on top of your mind before that?
Aanyway, I though these hosting companies where a dime a dozen?
One application I work on stores data from DEEWR and FaHCSIA and this year they've "cracked down" on that data going overseas.
The application's data (and the bits we get back from the government) has always been stored in Australia on our hardware. My understanding is that some of our competitors using AWS and Rackspace had to work hard to quickly get their stuff hosted locally (or are in the process of bringing it back here).
You can get an idea of what DEEWR expects providers using cloud services to adhere to from here: http://foi.deewr.gov.au/documents/policy-use-cloud-hosted-so...
I can tell you from working in the finance industry in Australia and APEA, larger companies/banks take this very seriously due to compliance obligations with regulators (APRA, MAS, HKMA, etc).
Even better, perhaps someone will write software that sits on top of the network stack and automatically negotiates secure communications regardless of the origin client software. Maybe some sort of public key registry might come into play.
I am surprised that Amazon, Rackspace et. al. aren't coming out and letting their customers know where they stand in all of this.
Any denial will be rejected as dissembling or sophistry and admissions of complicity would be suicidal.
The point of this pst is that foreign business will be affected, AFAICT, Europeans have always held the Internet to a stricter standard than Americans and have passed stricter laws around everything from what data can be retained to the behaviour of tracking cookies.
If you've posted a "no big deal" comment, can you please go back and tell us whether you are an American or not.
I can imagine the Pirate Party suing some EU groups (governments, companies, whatever) because they are using US providers, and the US is not safe enough to conform with EU privacy law. And there's money on the line too, lots of EU companies will want the contracts that are going to US ones. And keeping jobs onshore is always popular with the masses.
The leading US internet companies are all built on a foundation of trust. Undermining that trust counterbalances the convenience of their services and over time new competitors without these trust problems are only a click away.
But I think what will really happen is that the administration, and the bureaucrats, and the security "services" in general will double down, be much more secretive about what they do, be much better at what they do (grants coming soon to a computer science department near you), be much more aggressive to prosecute and intimidate whistle blowers, and put more layers on the stonewall of denial.
The government has become self aware.
Even Schneier is stating that if you aren't connected with us social media, you simply stop to exist for certain groups of people. That rule applies to nearly every european user too.
I run businesses in the UK that deal with personal data and sometimes use US companies to do so.
There is a specific provision intended to fix the problem of exporting personal data outside the EEA to be processed in the US, which would otherwise be prohibited because US laws are inadequate in this area: the US Department of Commerce operates a Safe Harbor scheme, recognised by the European authorities, which US businesses can participate in to demonstrate that they handle data with sufficient care to satisfy European standards.
The problem is that if the US government is going to permit itself to access data contrary to the claimed protections anyway, then the Safe Harbor scheme is demonstrably unfit for purpose, and any legal shield it provides to European businesses that want to use US-based services to process personal data is in doubt.
This problem is hardly a new discovery, but until recently, the issue was being dealt with quietly, with European officials making occasional mutterings about being in contact with the US government to resolve the conflict here. As of the past week, I'm not sure that's going to carry much weight any more.
This leaves a paradoxical position for any business wanting to operate legally in both the US and Europe. It's not clear whether the huge players like Google or Facebook could avoid the problem by changing their corporate structures, if doing so means that a parent organisation in the US would not be required to disclose personal data held and processed only in Europe by a separate European legal entity under European data protection law. In practice, this might be worse news for US businesses that aren't yet big enough to play the corporate structures lottery, and for those European companies who benefit from services provided by such companies and might have to make other plans. Obviously quite a few smaller Internet services well known on HN would fall into that category.
If you'd asked me a year ago how the paradox would be resolved, I would probably have cynically suggested that the EU authorities would ask how high when the US authorities told them to jump, as they have done previously with things like travel and banking data. But now that this has become a major public issue that people are actually talking about, any attempt to do that seems likely to turn out very badly for European authorities whose popularity is already at an all-time low. I suspect far more Europeans resent the constant privacy intrusions and security theatre of modern life than many across the Atlantic may realise, probably because the consequences of excessive state surveillance are still within living memory in many European countries, and because all around the Med we've been watching timely reminders playing out over the past 2-3 years.
But what the U.S. NSA is doing is sifting data for connections to foreigners who are suspected of being terrorists. I would be shocked if Euro intelligence agencies are not doing the same thing.
The U.S. data-mining program has been revealed. I would not assume the lack of revelations from other nations is definitive proof that those nations aren't doing similar things. In the absence of data it is very easy to make convenient assumptions.
The old rules still apply. If you can't afford someone else to know something, you have to encrypt it in motion and at rest.
Demonstrably false. All of the terrorist laws are mostly used for drug enforcement and the like. They get nearly no terrorist usage because there are nearly no terrorists.
There is a fear of having guns taken, but there is an even greater fear of using them against the regime.
The US Gov continues to insist that they are not monitoring the data of US citizens because that would be unconstitutional without warrants. But that's a tacit admission that they are openly monitoring the data of non-US citizens. I think this is one of the most important revelations of this leak, the US Gov has made it clear that if you are a non US citizen using a web service based in the US your data is definitely under observation.
US spy agencies can't spy on Americans, so they spy on Australians, Canadians and Britons. In return, Australians spy on Americans, Britons on Canadians etc etc. Then they swap intelligence and get to claim that "we didn't spy, it was given to us by our allies who are under no such regulations".
If the NSA is spying on Australians clandestinely, then they don't have that authority and they are limited to what they can scavange. It would be far better if we were to a point where no courts would coerce cooperation of this sort, and the system you are describing is better than what we have. The problem is when the NSA gets a court to forcibly deputize an American business to spy on Australians, and that's a very, very different problem.
Well fuck that. Google, Amazon, et al. - I'm out
I'm on the lookout for reasonably good Google apps alternatives, if they don't exist right now - this is a time that a solid market just got created. I'm sure someone out there will be interested in making it happen!
I live in EU and I remember that about two or three years ago every geek's wet dream was to get to Silicon Valley and build a startup. But that seems to be changing. I don't have any research to back it up - it's just some anecdotal evidence but many people now seem to consider alternatives like London or Chile... mostly because they are afraid of software patents and want to stay out of US jurisdiction.
These things are difficult to asses but there is a tipping point somewhere - once critical mass is achieved innovation can quickly move somewhere else. Fear of American government can help make it happen and I am sure that competitors are going to love playing that card.
But think about it. The NSA has been around since 1952. They now have N billions of dollars of black budget. The relevant Congressional oversight committees are prohibited from talking about what they learn. They are (supposedly) constitutionally prohibited from spying on Americans. If they aren't (or say the aren't) spying on Americans, then they're spying on y'all.
Some of it, plus the rest of it, equals all of it. We're some of it. Venn says y'all are the rest of it.
The revelation here is that if you are a non-American your data that you store via a company based in the US is available to the US government with virtually (maybe even literally?) no protections. And this isn't tin foil paranoia, the US Government just told you that in public discourse.
You know, if you had said that about anything else, it'd be a transparency win.
Either by other intelligence agencies, or even more likely, that the NSA shares these abilities with other friendly foreign governments (UK, NZ, AUS, etc) in order to ensure their tacit approval.
Even in the world of intelligence, diplomacy matters. Secrecy only counts for so much. You can't keep the fact that you have a huge listening post in NZ secret, huge dishes don't look like they belong in cow pastures. Same with fiber optic cable. It's not like they can splice them without someone noticing.
Instead, the way you accomplish this is by providing NZ what it wants while still retaining plausible deniability if things go south for them ("We had no idea the horrible NSA had secretly placed all this stuff here. We're completely outraged!")
I feel like I should boycott the US companies on the list, at least to some degree. I have made the switch to DuckDuckGo and Mozilla. A Blackberry, as opposed to Android, will be my next smartphone. As a developer I'll be dropping my iOS support in the coming weeks. I haven't used a Microsoft product, including Skype, in a long time (exclusively Linux). I will likely phase out Google Drive and Gmail as well.
Not sure how many of my compatriots will follow suit or if that will have an impact financially.
There are lots of recommendations out there now to lock-down your browser, e.g. adblock/https/etc, if you haven't already. If this becomes mainstream then advertisers like Google may take a hit.
I'll be emailing my member of parliament (MP) to make sure we keep tabs on this in Canada, and keep our privacy laws intact.
Why aren't companies scrambling to provide a plug-in encryption product? Forget Google's default https, I want easy end user encryption.
Ill be looking to expedite my move off of gmail, yahoo, rackspace etc. It's a shame , but it has to be done.
I'm doing some active research into sending an effective letter my my MP as well as I would like to have it as much weight as possible.
openmedia.org seems to have done a good job campaigning against the Online Spying Bill.
If you think that those involved were not prepared for the eventually of a leak, you'd be very naive. The fact that all of these companies have been sitting on boilerplate denial statements speaks volumes. Contingency plans have been put in place for this eventuality and the people making these plans are experts at dealing with these situations.
My guess is that the gameplan for the US government will be to stay silent and wait for general apathy to sink back in. Tomorrow is WWDC and, with the latest Apple news, the tech community rally will likely fall to 2-3 page in a week or so and then disappear altogether. Once that happens, the difficulty moving to alternate services (as per the other HN poll) will shadow everything, and the company bottom lines will be unaffected.
Add to that, if you believe that the US government and institutions are the only ones doing this, that would be even more naive. The Mossad, SIS, CSIS, KGB etc. are likely implementing very similar policies and procedures, if not directly involved with PRISM (or whatever it is actually called) and the outsourcing companies providing it. The likelihood of finding other territorial based services with capability, scale in an area not under surveillance is probably close to impossible.
The Arab Spring was a wake-up call to all governments/multi-nationals that these tools are power in the hands of the general public and steps were taken to mitigate and reduce this effectiveness.
It's depressing. I wish it were otherwise. I wish the companies involved actually had the ability to push back or outright deny involvement in these types of actions, but I suspect their hands were tied.
Silicon Valley is entrenched. We like to think that it is still our playground but we should know better. My only hope is that this time we learn and that brighter people than I figure out what we can do about it.
Perhaps use that to gain more attention. Picket the WWDC.
Can you show your work on this? How would we know this?
No, I'm ok with it 66
I'd like to do something but it's too difficult to avoid using cloud services 195
I'm going to try to use services from non-US companies hosted outside the US 99
I'm only going to use services that allow client side encryption. 37
I'm going to host all my own services. 47
I'm not changing anything because I already assumed all of my data was being
monitored anyway. 151
Summary: People think in terms of "Privacy is a bit like oil. It's getting pricey, but I still like my SUV."
If anything, it may give a much needed boost to an existing sector of internet industry, privacy and security. I see several companies springing up (some already have) that delivery end-to-end encrypted communication and storage over different media (of course, there would be plenty of Snake Oil as well).
The real frontier of communication is the transmission of anonymized and encrypted data with services bought and paid for anonymously as well with no repercussions for the service providers.
You do know that outside of the US, there are lots of people who don't drive SUVs because of the price of oil?
The implication is that U.S. Internet Industry is somehow "destroyed" as a result of this is hyperbole. If anything, all it did was give hope to those outside the U.S. that there's still a viable market for the same cloud services (sans FISA leash) even in smaller scales.
"With the latest revelations just days – in some cases, hours – old, it’s too soon to know for sure."
I think it's still too early and I'd wait until all the facts are out. I can't speak for how people in other countries are feeling, but I can say this...
As an American startup founder, I'd be very worried about what my international customers would think if they knew I was working secretly with the U.S. government, publicly denying it, subsequently being caught in my own misleading statements, and allowing the government access to all of their data after I told them it was private. As a customer, I'm happy if you can use that data to serve better ads that are relevant to me. But I would be very angry if it was being served to a foreign government which wants to profile me a certain way, potentially to justify killing or detaining me.
As a startup founder, if your operation does get popular enough to catch the eye of the NSA, realistically there's absolutely nothing you can do to fight it. That's how far ingrained the instruments of our own deconstruction are. And they're buried in plain sight in U.S. law. I don't see that changing overnight with a few amendments or acts introduced here and there. It would take an overhaul of the very principles of government we've taken for granted (and quite possibly never really existed).
The fact that we're aware of this aspect of hopelessness will, in the end, be far more damaging to the U.S. economy than any foreign entities being aware of it.
After all, why would American founders found and base anything on U.S. territory if they cannot do it freely and on their own terms? They'd rather found a startup in Hong Kong.
I think it's worth pointing out that this sector growing as a result of this will mean that those 195 people who responded "I'd like to do something but it's too difficult to avoid using cloud services" will find it easier and easier to make the switch.
Couple that opinion in the tech community with consumer protection laws that may technically forbid a business from storing customer data on these services and you do have a drive for foreign business to move away from US services.
When your talking about a principle such as a right to privacy that's not something that will disappear from society quicker than the time it takes for businesses competing on this principle can be set up.
My gut feeling is about the same on impact of international growth. On one hand it may have been a blessing in disguise. The Internet is supposed to be global in the first place, but we have massive over-representation in pretty much every aspect of its commercial operation.
The same services outside U.S. jurisdiction and influence are suddenly more alluring.
Think of how much disruption would be caused if Hotmail, for instance, was forbidden in addition to Gmail. Many of the early adopters of the web in these countries flocked to the most popular platforms (in addition to their ISP email of course). Having to print new business cards would hardly be the only inconvenience.
The levels of action that a nation could take to protect itself are:
1. They could train people who have access to sensitive information not to use any US service. This is what the US has done asking some members of the intelligence community to not use Skype and other services due to worries about its insecurity. This is probably common training for handling sensitive information in most nations.
2. They could filter such services at government offices, schools and sensitive sites. For instance no company can get defense contracts unless they have a policy that prevents their employees from using gmail. This is probably the most likely additional action that will taken and it will hurt US business.
3. They could filter such services at the national level. China (1 billion people) already does this, I wouldn't be surprised if Russia started. It's unlikely to happen on a global scale but each country that bans another US service hurts the economy.
We saw this happen with US crypto export controls, the market spoke and companies began switching to non-US software.
Because most people don't care about privacy that much. See TSA scanners, foursquare, hell GMail scans your data everytime you read mails, Facebook doesn't even pretend there is a privacy. Damn, first thing any Apple computer do is taking your picture, getting your details and sending it all to Cupertino, before you even load the OS. Android tries to track all your phones under one account you have to add before starting up.
People don't really care about privacy. (Disclaimer: I am no better.)
There will be some anti NSA rallies, sure. Photos of those rallies will be geotagged with EXIF data and posted on tumblr, facebook and twitter from iphones and androids.
I do care about that an organisation with the power to legally kill or imprison me without trial, with the world's strongest military and a penchant for punishing anyone who embarasses them has all of my data, including who I associate with, what I say and whereever I go. In fact not just my data, the data of their political opponents and the journalists that keep the system honest.
If not Obama, someone at the head of the table is going to abuse this information one day.
No, the worst thing that Google, can do is share that information with credit card companies, HR departments, health insurance companies, etc, who do have the power to ruin your life and are much more likely to do it than the government.
What happens when the advertising money hits the wall and can't support revenue growth sufficient to keep the Wall Street analysts happy? At some point some MBA is going to figure out that HR departments would love to be notified about e.g. their employees joining say a cancer support page. It sounds inconceivable today, but I bet people who started using credit cards in the 1960's and 1970's never expected that one day the various credit organizations would band together and sell your information to literally everyone, so that you could be denied a job because of your credit history.
I think it's important to keep some perspective, and I feel like people on HN aren't doing that here when they direct all their blame to the government over this issue and hold Google, Facebook, etc, who created this surveillance apparatus, blameless. Corporate America is much more likely to screw you over than the government. They have a profit motive to do so, and can get away with screwing you over on a mass scale in a way the government cannot. I don't know a single person who has been screwed over by the government. I do know people who have been screwed over by credit ratings agencies, having job offers revoked because they struggled financially in college.
Maybe it's not inevitable or even very likely that Google and Facebook will sell your information to the highest bidder. But it's a failure of imagination not to pretend that it isn't possible, and if we're going to engage in slippery slope reasoning with respect to the NSA, let's be intellectually honest and admit that we've built a vast surveillance apparatus in both the public and the private sector, and there are numerous entities within both sectors who have the ability and perhaps the motive to use that information to hurt you.
 Or Facebook or whatever. It doesn't matter. One day these companies will become mature and will be headed by some MBA who has never written a line of code...
Yes. The only reason the NSA/etc/all has this data is that people (probably a lot like you, dear reader) built these popular systems that make their money from tracking users. Worse still, they will always beat out a paid service because of friction and network effects.
We didn't just stand by and watch the creation of this situation, we actively participated.
How many liberal democracies can you point to that have gone the way of totalitarianism, mass imprisonment, and genocide? I don't see a lot of examples around. Yet I can look around and see tons of examples of corporations doing evil things with your information (health insurance companies dropping coverage when you get sick, credit card companies sharing credit history for any purpose other than setting interest rates, etc).
I think things you can see examples of every day are generally much more worthy of your worry. Or at the very least, it's not rational to be so worried about government surveillance while giving a free pass to the companies creating a surveillance apparatus that can be abused by corporations.
How many 200 year old liberal democracies can you point to? There's no historical data to look at. This history of the United States itself is an indicator that democracy is self-defeating. Compare the amount of classical liberalism in 1800 and 2000. Whether that can continue past the middle and into full-blown totalitarianism is untested.
> It's not rational to be so worried about government surveillance while giving a free pass to the companies creating a surveillance apparatus that can be abused by corporations.
It's also not rational to give the government a free pass. Don't think that companies can collude with each other. The government can also collude with companies, as PRISM indicates that they have been doing.
You mean in 1800 when the Alien and Sedition Acts were in force and the government didn't even have to come up with some pretense and prosecuted and convicted people directly for what they said in the press? I don't think the U.S. circa 2000 suffers for that comparison! If you want to talk about which is a more free society, the U.S. in 1800 or the U.S. in 2000, you also can't leave women and blacks (combined more than 50% of the population!) out of the equation...
It's ahistorical to pretend that the U.S. has only gotten less free over time. Vis-a-vis "classical liberalism" the government claimed the power to regulate all interstate commerce in 1824--the only difference today is that you can't even buy a candy bar at a vending machine without engaging in an interstate commercial transaction. If you live today the way the vast majority of the population lived in 1800 (on a farm growing food for your own consumption and sewing your own clothes, etc), you'd probably find that government doesn't reach your activities appreciably more today than it did 200 years ago.
It's also ahistorical to pretend that our rights are universally weaker than they were in 1800. Remember, at that time, the Bill of Rights did not apply to the states. The liberal Supreme Courts of the 1960's and 1970's dramatically strengthened due process rights and habeas rights relative to what they were before. First Amendment rights are dramatically stronger than they were in 1800 (the "obscenity" exception to the 1st amendment has been whittled down to pretty much just child porn).
Now, I won't say the U.S. is the freest its ever been. When you take into account the experience of all Americans (not just rich white males), the freest the U.S. has ever been was probably the mid 1990's. But, it's been worse before. It was worse under the Alien and Sedition Acts. It was worse under Lincoln who governed under borderline martial law. It was worse under McCarthy. From an economic rights point of view--the country was far more regulated in 1935-1970 (vast swaths of the economy, everything from transportation to telecommunication, was deregulated from 1970-1990).
The idea that the trajectory of the U.S. has inexorably been in the direction of less freedom is nothing more than looking at the past with rose-colored glasses. It's not a perspective rooted in historical truth.
How many 'liberal democracies' have built international surveillance dragnets? How many have secret prisons all over the world? How many spend more militarily than the rest of the world combined? I wouldn't say the US is exactly your run of the mill democracy these days.
I can think of one very prominent example:
I'd worry less about someone at the head of the table -- who has a lot of visibility and responsibility -- and more about the legion of prosecutors and officers (plus their friends they owe favors to) who all have incentives to catch bad guys... whether they're actually bad, or just barely find themselves on the wrong side of an interpretation of some statute, or just fit the profile.
And of course, the occasional less duty-oriented reasons for making your life difficult.
: Police State of America
I still made efforts to secure what mattered, like truecrypt containers on dropbox et al, but at the end of the day I just shouldn't have played the game at all. Lending economic support to this kind of behaviour is not acceptable.
I'm conflicted about this because I'm convinced that generally speaking, Dropbox and Google and various other companies that have no other choice than to behave in this way are otherwise really worth supporting.
I am as we speak setting up dedicated hosting with encrypted storage and obfuscated service paths to migrate all my existing services onto something I can reliably control, starting with gmail and dropbox.
I really should have just done this a long time ago, but it becoming abundantly clear that my suspicions were completely justified pushed me over the edge.
If that is the case, then why would any foreigner ever use Gmail, Yahoo mail, Hotmail, etc?
Out of my 600-odd 'friends' on Facebook, one (1) is posting stuff about the NSA allegations. The other 599, are posting pictures of cats, music videos, snaps from vacation, reflections about life, et cetera. I myself am extremely reticent about posting on Facebook due to the recent revelations.
As a result, I am afraid Edward Snowdon's fears might come to pass, atleast in the short run. Not enough people care. They crave the short-term dopamine bursts that result from people liking their posts, or pictures, or videos. Getting them to set that aside and care about the fact that the Government might potentially have access to it all is a very, very hard task.
In order to do this, you have to get people to switch en masse to new, secure social protocols. In short, you have to build a Facebook alternative, an client-side encrypted webmail service, or a document sharing site that JustWorks, is secure, and doesn't require any terminal commands to access / run. Otherwise the majority of the population is going to use products from Microsoft, Facebook, and Google. You can use your encrypted webmail and identi.ca, but very few people outside the "tech-aware" world will communicate with you.