
From the point of view of any non-resident alien who has US cloud data, this is a very ponderable answer. We know what the Fourth Amendment says. The problem is that apparently (IANAL!) the US courts are upholding the idea that the Fourth Amendment does not apply to the US-based cloud data of non-US-resident non-US-citizens. I've heard a couple of people suggesting that this interpretation is based on the idea of border search, but that's neither here nor there: the upshot is that, unlike for example the US property of non-US-resident non-US-citizens, which is protected by the Takings Clause, the US cloud data of non-resident aliens seems to have no Constitutional protection. This seems to be the Constitutional foundation of FISA http://www.gpo.gov/fdsys/pkg/STATUTE-92/pdf/STATUTE-92-Pg178... 702 http://www.govtrack.us/congress/bills/110/hr6304/text , the law which allows the NSA to get Foreign Intelligence Surveillance Orders against non-resident aliens. Absolutely the only thing the government has to prove to the FISC court to get one of these orders is that the targets are (more likely than not!) non-resident aliens. No probable cause, no standard of suspicion for anything: the government doesn't even have to state its motivation. And the "Notwithstanding any other provision of law" language in 702 seems to sweep away any other statute law you (or Rackspace etc.) might want to use against the order. (Again IANAL.)

So how are we to interpret

"Based on our interpretation of the Fourth Amendment and ECPA, we are of the view that Rackspace is prohibited from accessing and turning over customer data stored on a customer’s server or other storage device in a U.S. data center without a properly issued, lawful request ( e.g. search warrants, court orders, Foreign Intelligence Surveillance Orders) from a U.S. court with appropriate jurisdiction over Rackspace and the data sought."

? Coming right after the recitation of the Fourth Amendment, this gives the impression that Rackspace will only hand out your data in response to a warrant (or warrant-like-thing) that demonstrates probable cause. But in fact, when the customer is a non-resident alien, the order is a FISA 702 order, and the court is the FISC, probable cause never comes into it: the US can (completely properly and lawfully!) get such an order for no stated reason at all. Imagine the following conversation in 1860:

Q: I hear that you have slaves on your Virginia cotton plantation. Is this really true?

A: The Fifth Amendment to the US Constitution states that 'No person shall [...] be deprived of life, liberty, or property, without due process of law'. No-one is forcibly detained on this plantation except fully in accordance with the law and the Fifth Amendment.

This answer seeks to suggest that the only prisoners on the plantation are convicted criminals, which is false - the plantation is worked by slaves. But in fact the answer is precisely true though devious: slaves have no rights under the law, while the Fifth Amendment does not apply to slaves. I really hope this isn't the correct way to interpret Rackspace's statement as well.

"The problem is that apparently (IANAL!) the US courts are upholding the idea that the Fourth Amendment does not apply to the US-based cloud data of non-US-resident non-US-citizens."

And further - it's not just "US-based cloud", it's almost certainly "cloud resources physically based _anywhere_ if it's owned/operated by a US based company". I'm pretty sure Rackspace[1] would consider any data that I (a non-US resident/citizen) store on a Rackspace instance intentionally provisioned in their Sydney Australia datacenter to be subject to US law instead of local Australian law[2] - and would most likely hand over any and all of my data with no need for a warrant.

[1] for completeness/fairness, I'm pretty sure Amazon would treat any Sydney AZ instances I spin up exactly the same way.

[2] actually, I suspect I'd get the worst-case scenario of the least protection available under either US or Australian law - if push ever came to shove...

"[1] for completeness/fairness, I'm pretty sure Amazon would treat any Sydney AZ instances I spin up exactly the same way. [2] actually, I suspect I'd get the worst-case scenario of the least protection available under either US or Australian law - if push ever came to shove..."

Totally. These points completely nail it for me (A non-US consumer of US based services).

Anyone who was concerned about "the subpoena risk" [1] before, but was satisfied if their data resides in (eg) Australian data centres will now be forced to think again.

I see this as a huge opportunity for non-US domestic PAAS / IAAS providers who keep everything in a single jurisdiction.

[1] http://www.cisco.com/web/about/doing_business/legal/privacy_...

Ninefold (http://www.ninefold.com) push this pretty hard (see the Data Jurisdiction link in their footer), but unfortunately I fear their (and my) local Australian legal system doesn't provide me with any protection against even medium-level US law enforcement "friendly requests".

When you see just how far the New Zealand law enforcement rolled over and violated national law at the request of US copyright enforcement in their shoddily executed raid on Kim Dot Com, I have very little doubt that in spite of Ninefold's marketing using legal jurisdiction nightmares if you use their major competitors AWS or Rackspace - if the NSA showed up even without local law enforcement on their side, me and my data would likely get "thrown under the bus" (especially in the light of stories like this: https://mailman.stanford.edu/pipermail/liberationtech/2013-J... )

You know what, you're absolutely right. For a long time I've favoured OrionVM over AWS for this reason.

Something needs to change. What do you think are the chances of Senator Scott Ludlam's "Get a Warrant" bill [1] making it through before the election?

[1] http://www.guardian.co.uk/world/2013/jun/11/greens-warrant-p...

Perhaps one solution is to store your data in a jurisdiction that is not the US or Australia.

If some nation can step up and provide some guarantee that your data is not subject to law enforcement without rigorous due process, they might be able to attract substantial investment.

Perhaps - I don't have any real knowledge here, but I suspect most countries probably have something similar to the stated (but clearly abused) special protection for citizens' privacy rights over non-citizens (kinda inevitably in one sense - if you have no ability to vote in elections in the country making the laws, you have very little reason to be protected as much by those laws as those who can vote poor lawmakers out).

So for my personal situation - there are two jurisdictions I have citizenship in (Australia and The UK), neither of which I have much confidence in the amount of resistance they'd provide at a policy or law enforcement level to requests for my personal data from US agencies - and both places where I suspect that companies capable of storing data for me reliably and availably enough probably all have enough of a US presence that they'd be easily "leaned on" by agencies as powerful as the NSA (and probably even the MPAA) in such a way that it'd be "the right thing for them to do" to give up my data rather than incur the costs to the company of fighting.

My current "solution" is to increase my (and as many people as I work and communicate with as possible) use of encryption (and hope that as well as "not doing anything wrong, so I've got nothing to fear", that things like AES & PBKDF2 with strong passphrases and tools like EncFS, TrueCrypt, 1Password, OpenSSL are still viable options even against the NSA).

Maybe it's time to compile a list of alternative non-US cloud services? I would be particularly interested in a non-US hosting company comparable to Linode.

I've started a checklist of sites and services that I will need to migrate away from. The list is extensive.

The question of whether to migrate to other cloud services, or to host my own private cloud is up in the air.

I use Bytemark, based in the UK. They have a cloud service in beta: http://bigv.io/

Is the privacy outlook for the UK very good?

I second this. Any suggestions appreciated.

I suggest http://www.copernico.net/, who are in Spain. I've no affiliation, other than being a customer; in my experience, the service is excellent, the boss, Miguel Angel, is very easy to reach, and I've come to know him as an independent spirit, who does not like governmental intervention at all.

But the US of A has absolutely no obligation for the wellbeing or privacy of any non-US citizen. If their data happens to be within US jurisdiction, the US gov't can do anything they like, provided that what they do is "lawful".

I'm not saying PRISM is lawful (that remains to be seen?), but I think many non-US citizens are feeling too entitled to the protection of US law.

I don't think it's a sense of entitlement at all but rather decades of trust (and reliance) that was built after World War II when the only thing standing in the way of Soviet domination was the USA. It was always a little naive to think that the USA had everybody's best interest at heart but it is now clear and unambiguously painted in big bold letters that the USA* are in it for themselves and only for themselves. All the talk of shared values and common purpose, spreading democracy and freedom, etc. etc. all rings rather hollow.

It seems stupid that, given recent events, the uproar over whether the US government is reading your Facebook posts has rammed the point home to many people but I guess this is just the final prod that woke a lot of people up.

*Purely from the perspective of the government. I've nothing but admiration (mostly) for large parts of the culture, attitude and hard work of the good citizens of the 50 states.

You're correct about the US of today, but you're making the common mistake of thinking the US of today has much in common with the US of 1950 (etc). We're a radically different nation today, even than what we were 15 or 30 years ago. This kind of rapid change isn't uncommon in our history, the US of 1840 was vastly different from the US of 1890.

There have been at least four or five major epochs for the US, which saw fairly substantial changes (good or bad) to the rule of law and social cohesion. We started as a constitutional republic and nearly laissez-faire capitalism; then we had a massive federal explosion post civil war, that saw the power of the states greatly diminished; we shifted to a mixed economy, welfare state with a heavy bent toward democracy; now we're speeding toward police state socialism with oligarchs, the facade of property rights, and blended government-corporations, aka fascism (or as some call it in our incarnation, corporatism).

Not quite. If you are in the US as a tourist, it doesn't matter what you have signed. They can't go and strip search you just because they felt like it.

What you have to realize is that 4th Amendment law is largely tied to searches for prosecution reasons and so usually the issue is "well, the 4th Amendment is violated and so to punish the government and give them the right incentives, we won't let them use the following set of evidence in their prosecution." It's really hard to make such rules effective regarding surveillance of foreigners conducted overseas.

Non-citizens in the US for whatever reason do have relevant liberties. This does not extend to say buying tv advertisements for candidates in elections, but it does extend to unreasonable searches and seizures. Non-citizens with no real ties to the US, and not in the US are different.

> Non-citizens with no real ties to the US, and not in the US are different.

But their US property is still protected. If I'm a Russian orthodontist in Minsk and I buy 500 shares of Google, the Fifth Amendment protects me having them expropriated by the US government even if I never go near the States. (IANAL, but I did check this one.) However if I open a Google Mail account then apparently (under current interpretations) I have no similar protections.

I can't say if this apparent discrepancy is actually legally justified, or not. Without even getting into the question of whether it's morally justified, it is going to come as a significant surprise to a lot of people, who have got used to the idea that they're largely protected by the US rule of law when they do business with the US. And one way or the other, it's reasonable to point out that Rackspace's Fourth Amendment-based reassurances seem to be (no doubt accidentally) crucially misleading to many or most of its customers.

Right, but one has a nexus to punitive power by the government and the other does not.

Not sure I follow you there actually. Is that a legal concept?

The 5th and the 14th amendment cover all people, not just citizens. Here is an informative read on how and why and the history of the question of non-citizen rights. http://scholarship.law.georgetown.edu/cgi/viewcontent.cgi?ar... Found this after a discussion of the rights of Boston Marathon suspects as non-citizens. Pretty much they have every right of a non-citizen, except the right to vote.

That's an interesting read. I'm about to reform my opinions (pending, since it's quite a long read, and I've only skimmed it).

Does the US constitution really only apply to US citizens in a global marketplace? Perhaps we'll look back on Bush and Obama as presidents who struggled with a dated viewpoint of the world, who tried to change the constitution into 'no rights for anyone' instead of 'freedom for all'?
