Takeaway for fellow hackers: If you are building a system that stores user-generated data, prepare for the eventuality that someone other than the user will demand to see it.
In general, the prevailing theory is that all companies are required to release private keys or passwords needed to unlock evidence. As a consequence of Lavabit fighting, they likely got slapped with some pretty harsh contempt of court rulings, including a demand to record all private keys needed for decryption going forward. The worst case (that I can talk about) I saw involved requiring a specific employee be demoted due to improper care of a company's systems.
What's sad is that because Lavabit was such a small service provider, they never had the previous rounds of government threats and must have been caught off guard. As I've said in past posts (before Snowden), it is common knowledge among large-scale service providers that the local government can always come in to take a look. Doesn't matter if you are in the US, EU, or China, you have to comply. I've seen the US DOJ threaten pretty harshly a customer who simply asked about 'options' of how to comply.
Past post with explanation: https://news.ycombinator.com/item?id=5754641
P.S. Right or wrong is a separate conversation...
Would you expand on this? Are you saying that a court was meddling directly with an individual company's hierarchy?
If it's not clear, there were strong personalities involved. One way to tell the story is the director went out of his way to poke a bear and got mauled. Another way to tell the story is that a bear went walking down main street looking for trouble ("How do we know you didn't change the retention policy to protect the individual?"). In both cases the guy lost his hand and the bear is still loose.
More concerning are key disclosure laws and their crazy penalties that seem to be creeping in all over the world.
You also need to take reasonable measures to preserve relevant data when you have reasonable cause to suspect that litigation or an investigation will begin.
Not having a policy can hurt you. If you have no deletion/retention policy, and happen to destroy data for some random reason when a litigation begins, you or your company may be in trouble.
Note: IANAL, and different industries or data categories have specific legal requirements or best practices for retaining things.
we can simply be guilty of hiding the nothing we have to hide
As long as you can't comply, I don't think there's an uncounterable risk in the US, since we don't have any key disclosure requirements (the exception being CALEA, which only applies to the PSTN; I'd skip CALEA for an interconnected VOIP system and fight them in the courts/media, personally). Presumably they could put other weird pressure on you like threatening to investigate your nanny's immigration status or whatever, but enh.
I still maintain that if you do things properly, you can operate safely in the US while resisting pressure from USG. You can't literally wipe your ass with an NSL in front of the agents, but if you don't have it, and can't get it, they're at worst a DoS. Forcing a provider to implement a huge new logging infrastructure would be an interesting 14A issue, and one could have a system where even that wouldn't recover customer keys.
IANAL of course.
I don't see why his 10 years of work would be lost.
It's risky to relocate the servers in another country. You will have to obey the other country's laws, but the US gov will still claim jurisdiction if the staff and/or owner is in the US. The US will even claim jurisdiction as soon as you use a ".com" domain
Of course the hosting nation will also claim jurisdiction. So relocating your servers to one country while staying in another will expose you to two national laws as well as any international agreements between these nations.
Richard O'Dwyer, a UK citizen who ran a UK-based web site, was facing extradition to the U.S. because he used a .com domain. - http://www.theguardian.com/law/2011/jun/17/student-file-shar...
If the purchasing party is less scrupulous, you've thwarted nothing. In extreme cases (or for smaller companies), the purchaser could even be a government front.
No it's not. This is wrong, plain and simple. Wrong is wrong, and black is black.
Not that I defend Hushmail. I do not, fuck 'em for that. There are plenty of services like Lavabit that avoid that problem, but that requires intelligent users/criminals/what-have-you.
Which is equally insecure, as the company could easily insert a back door the next time you load the applet. Hushmail was and is snake oil.
"The issue originally revolved around the use of the non-Java version of the Hush system. It performed the encrypt and decrypt steps on Hush's servers and then used SSL to transmit the data to the user. The data is available as cleartext during this small window; additionally the passphrase can be captured at this point. This facilitates the decryption of all stored messages and future messages using this passphrase."
"Hushmail has stated that the Java version is also vulnerable in that they may be compelled to deliver a compromised java applet to a user."
In "Brian" working for Hushmail responds to a Wired journalist, agreeing that the applet was an attack vector, and Brian even points to a schneier.com article stating the same.
He did weasel around a bit about "viewing applet/HTML source" which he admits is no use for determining the validity of the applet as it is compiled.
It is not just about having a court order. The court order is not some kind of secret key that decrypts messages, it is just a way to compel Hushmail to decrypt those messages. Pointing a gun at a sysadmin would work just as well. Paying a sysadmin would also work. Getting a spy to work for Hushmail would also work.
Let's say you are trying to protect the names of activists in China. There is no reason to think that the Chinese government could not find a sympathetic Chinese immigrant / national with an IT background who is willing to pass on some messages every so often. You can imagine other scenarios -- maybe you have highly valuable business secrets, maybe you are running a political campaign, etc.
Snake oil is the right term for Hushmail, because that is what they deliver. The only term that is more polite than snake oil is "key escrow," but why should we be polite here?
Unfortunately, the trust problem you mention is pervasive. It was a signed applet IIRC, but both require you to trust the original and modified applets from the developer. I wish someone would release an auto-encrypting PGP service and client, open-sourced on purpose.
We all know only four people would read the source of that, and two of those would verify the dev key given with the release. :-)
I kind of wish there were a (well armed) organization which did this for other projects.
Spence: You think too hard.
Sam (DeNiro): Nobody ever told me that before.
The warning they gave out was to point out lower security; it does not absolve them of the obligation to try to keep their servers secure.
I was curious to know, of course, but I'm afraid that this could somehow be used against him later.
No, this has nothing to do with common criminals and everything to do with Snowden.
He shut it down because that was the only way to legally prevent the government from spying on his users.
I wonder why he didn't challenge it.
The Government has been trying to get into Lavabit longer than that.
Although, perhaps they already knew that Snowden was using Lavabit and started the process immediately after his flight to HK.
If anyone can recommend someone who can provide counsel pro-bono let me know and I'll forward the message along.
I bet that data are still valuable to the government.
I have been thinking of starting a business in the privacy space. This has shown me that that all customer data needs to be periodically obliterated in safe way and that a kill switch or nuke button is needed as well to destroy everything on a moment's notice.
Where and how to host is a major concern. Cloud, etc., is obviously out of the question.
If you'll be trying to keep this secret by creating small cells of people not knowing each other and smart mailboxes preventing the people exchanging messages from identifying each other, you'll become suspected of supporting spying activity.
So you better work for the minimal number of clients and charge a lot to remain sustainable.
My understanding is that as long as you keep the info concentrated in one spot (i.e. paper mail) it is easy to grab it. If you dilute and spread the info using a shared secret and hide it smartly in images or random text, this info would be much harder to catch but could use conventional transport means.
Extending this idea further, turn the mail network into one big world wide hologram. The information would then be spread, available from everywhere, very hard to censor, and private since you need some specific reference signal to extract the info. It's like a shared secret.
Note however that the need to catch evil people using such a communication system for evil means remains. Just considering our own privacy regardless of what can go wrong with such a system is in my opinion selfish. We will always need methods to protect against abuses.
(might have to have multiple vessel's for redundancy purposes)
At least when the ship disappeared off the face of the earth it would be easy to figure out what happened.
The problem is that you have to connect up to the Internet somewhere, and they can always get you there. Either tapping and listening in on sessions, or just plain disconnecting you.
Of course, an MITM attack could hide the STARTTLS option and there are questions around the strength of the CA cert infrastructure, but SMTP is not just plaintext.
So even if I set up and host my own SMTP server, and even if I verify the TLS certs on my side, I have no way to verify that I'll get (1) a TLS connection (2) with an authenticated cert all the way to the ultimate destination.
It's beyond my control to ensure that I'm secured when emailing to an arbitrary domain with arbitrary configuration.
The whole protocol and mail delivery system is fucking hopeless.
As an ex-ISP mail architect and ex-operations guy, I hope the whole existing email protocol suite and architecture dies in a fire.
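The STARTTLS-stripping attack mentioned a few comments up is worth seeing concretely: SMTP's TLS is opportunistic, so a client that only upgrades when the server's EHLO reply advertises STARTTLS will silently fall back to plaintext when an on-path attacker deletes that one line. The block below is an added example for this page, not code from the thread; the two EHLO replies are constructed, the hostname mx.example.org is hypothetical, and the "require TLS" policy is the kind of per-destination rule a mail operator would configure, which still only covers the hop you control, not the onward hops the comment above is worried about.

```python
"""Opportunistic vs. mandatory STARTTLS on an outbound SMTP hop
(added example, not from the thread).

parse_ehlo() extracts the capability keywords from an EHLO reply;
choose_delivery() applies either the default opportunistic policy or a
strict one; strict_tls_context() is the ssl.SSLContext a strict client
would hand to smtplib.SMTP.starttls().
"""
import ssl

# Constructed EHLO reply from a server that offers STARTTLS.
EHLO_WITH_STARTTLS = (
    "250-mx.example.org Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# The same reply as an on-path attacker would rewrite it: STARTTLS removed.
# Nothing in the protocol lets the client detect this edit.
EHLO_STRIPPED = (
    "250-mx.example.org Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str):
    """Return the set of capability keywords advertised in an EHLO reply."""
    caps = set()
    lines = reply.split("\r\n")
    for line in lines[1:]:          # first line is the greeting, not a capability
        if not line:
            continue
        if not line.startswith("250"):
            raise ValueError("unexpected reply line: %r" % line)
        parts = line[4:].split()    # strip "250-" / "250 " then take the keyword
        if parts:
            caps.add(parts[0].upper())
    return caps


def choose_delivery(reply: str, require_tls: bool) -> str:
    """'tls' if STARTTLS is offered; otherwise 'plaintext' (opportunistic
    policy, what most MTAs do) or 'refuse' (mandatory policy)."""
    if "STARTTLS" in parse_ehlo(reply):
        return "tls"
    return "refuse" if require_tls else "plaintext"


def strict_tls_context() -> ssl.SSLContext:
    """Context that actually verifies the peer: chain, hostname, TLS >= 1.2.

    Many MTAs verify nothing even when they do negotiate TLS, which turns
    encryption-on-the-wire into protection only against passive taps."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, reply in (("honest", EHLO_WITH_STARTTLS), ("stripped", EHLO_STRIPPED)):
        print(name, "opportunistic ->", choose_delivery(reply, require_tls=False))
        print(name, "mandatory     ->", choose_delivery(reply, require_tls=True))
```

With the standard library client the mandatory policy is simply to call `smtplib.SMTP.starttls(context=strict_tls_context())` unconditionally and treat the `smtplib.SMTPNotSupportedError` it raises when STARTTLS was not advertised as "do not send", instead of checking `has_extn("starttls")` and falling back. That protects the hop from you to the next MTA; what that MTA does towards the final destination is exactly the part the comment above says is beyond your control.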
Can the US serve a warrant to a server in Europe run by Europeans? I was assuming the answer was no, in which case you don't need to violate any laws or worry about repercussions.
Companies could at least insist that intra-company email is encrypted, which would be a huge amount of their normal communications, and then extend that outside their boundaries with partners who also accept (say) S/MIME.
At present I sign my mails but like you have no clients who use encryption.
The core problem with widespread crypto use today is not encryption, it's trusted key exchange.
But as it happens, yes, I trust our crypto developers. They're much better at it than most of HN.
And the rest of the code is pretty shitty in places.
how is that possible? I'm curious to know as to how they achieved that technically. I mean if the user is reading an email in their browser, then it would've had to have been created on the server first.
> a federal prosecution of alleged steroid dealers reveals the Canadian company turned over 12 CDs worth of e-mails from three Hushmail accounts, following a court order obtained through a mutual assistance treaty between the U.S. and Canada.
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
The worst thing about this situation is that other governments like the UK, France and Germany are equally guilty.
For history on lavabit, see the cache, this page is now gone:
Where did you get this one from? I think its a bit of a stretch to say he is "standing up to his users". I would rather say he is standing up against the GOV, and that's nice for a change, but we have no idea what has happened with all the emails residing on their servers.
Knowing just a bit about how the US gov operates, I am pretty sure he was given two options at exactly the same time: either you accept our black box, or you do not. If you do not, then you are not allowed to delete or alter any messages on your servers. Given the business Lavabit was in, I am sure the Feds will punish him to the extent of the law (or more) if he decides to "stand up to his users" and delete the content of their mailboxes.
It was too late for his users' data the moment representatives of the government walked through the door of their data centre/offices, but their rights he can stand up for, which is what he has done.
Despite the annoyance of not being able to use my e-mail the past couple of days, and the possibility that the US Gov may have some copies of my e-mail (which I imagine will be perfectly useless to them) I am immensely gratified at the stand Lavabit's owner appears to have taken, and having chosen them in the first place due to these values which I am in broad alignment with, I feel it confirms that it was a good choice, despite the fact that I now have to find another provider. I am sorry for the guy that he's effectively had his business - perhaps his livelihood - pulled out from under him, and I will be donating to his defense fund out of sympathy, though I am not an American.
EDIT: Relevant XKCD for people calling for technical solutions to the problem: http://xkcd.com/538/
- Politically, we should punish anything associated with the NSA.
- Socially, we should shun everyone from this date forward who works directly with or as a contractor for anything associated with NSA/FBI/CIA/DEA/DIA. We should not hire any programmer who, from this point forward, has worked in those capacities. They are destroying our profession and businesses.
- On the engineering front, we should be designing technologies for evading the NSA et al, and spread those technologies. We need to do everything possible to make them easy to use and make them widespread.
- Any person or company who stands up to these organizations should be lionized and we should try to patronize their businesses or employ them. Especially if they suffer consequences like jail and torture.
- Facebook, Google, especially Palantir are known collaborators and we should treat them as such
Google, Microsoft, and Facebook basically have had billions of dollars shaved off of their future market capitalization -- though I have not seen anyone say this yet.
For everyone abroad who is technically adept and talented, the vaults of wealth have been unlocked for you; just copy the successful offerings of American companies. Don't worry about software patents or trademarks unless your country is complicit, you'll have the autonomy of an oligarch (said with some sarcasm.)
There is one solution here: open source, distributed software. If you want to build a company to promote real security this is your only option.
If you are non-US citizen and your customers request a product similar to US product please do exactly as AJ007 says. It will help you, the world, and the US long term. I say this as US citizen and SW dev. Please take our jobs and customers! We don't deserve those customers if we can't protect them and their data.
However, you should only build it if customers are requesting SAAS (or other offerings). Be very careful about blindly copying US business b/c many are successful simply b/c they are almost "Apparatchik" entities, supplying and protected by the US Gov. For example, if you copy Palantir or even Google/Facebook you may not succeed b/c you won't have customers in the same way the US does. But overall, this is a great opportunity for devs from Switzerland (and the like) to get some new customers.
Likewise, this is also very bad news if you are a Chinese or Russian internet company and expect to become a dominant player in the US consumer web/digital/mobile market place.
What are you doing on your own checklist? Those are some pretty extremist notions.
If part of your hiring criteria was to exclude anyone who had worked for a contractor or directly for a government organization, I doubt many people would want to work for you. Not because they had violated your criteria, either.
I'm referring to a very small percentage of the government and contract workers who are involved in security and surveillance. I'm not talking about VA or even the regular marines/navy/police.
I won't be doing this explicitly.
Whether people would want to work in a place that explicitly will not work with former NSA contractors depends on the area. In SF, Boston, NYC, Portland, maybe LA it would probably help you hire good workers. Obviously, in DC or Houston it would be more controversial and hurt the company. Remember these organizations/contractors are destroying our jobs, especially in Silicon Valley.
Not to mention, most countries will pretty much cooperate with the US when it comes to intelligence. The only ones that might not are countries like Russia or China that have their own military-industrial complexes, which are just as eager to get at your data and a lot less scrupulous about using it.
Germany is a better bet. While they are no doubt tapping lines, Germany and the EU have made no moves to actually perform hostile interventions into data-centers or private servers. This means that encryption is still a very viable security measure for protecting your data in the EU. The EU simply has a far better track record with privacy related issues.
It's not about perfect security, it's about getting the best security you can hope for - and that means moving away from anything USA hosted.
And Germany has also laws which force every mail provider to install an access point to the German authorities and intelligence agencies. I am not sure if also a generic saas platform would have to do it, but it is quite possible.
Better pick Switzerland or Iceland.
Thanks for the heads up - as I said in the OP, it really is a difficult task. Those kind of laws are exactly what need to be avoided when choosing a country to host in. I don't believe that this kind of thing can be carried out in absolute silence though, so if a country is actively modifying and silencing hosts it's fairly likely that word of it will leak somewhere.
If I get a chance, I might try to put together a red/orange/green overview of known laws and practices in different countries that would affect hosting services there. Unless someone is already working on that and needs a hand?
It's up on github, so hopefully everyone can submit pull requests with data and we can crowd source ourselves a very informative map.
EDIT: I also submitted a link to it on HN. Hopefully interested people will see it and can help out with data.
We have a great privacy commissioner ( http://www.priv.gc.ca/index_e.asp ) but the office holds no power so far as I can see, and the Canadian government has a pretty solid track record of being obsequiously cooperative with u.s. interests
Cooperative with U.S. interests is generally assumed by almost any country - this map is more about the (hopeful) safety of your servers in data centers in different countries.
The short-term answer is to encrypt everything users have to store, and don't handle their keys, but it's a stop-gap: the only real answer is political and that's where things have to be fixed for good.
How that actually manifests itself, depends on how desperate people become to retain some sovereignty over their livelihoods… which begs the question, where are we now and who could provide the resources/environment to foster the type of change that is needed?
Users can not and will not securely manage key material.
But in regards to cryptography and chances for legally fighting against such orders it could be better. At least on paper. The most likely outcome if Lavabit were hosted in Germany would be a police raid that would take all servers for investigation with them. This happened e.g. for people running Tor exit nodes.
If you're in the US it seems kinda pointless to try to move to overseas hosting; the NSA will probably just focus on the client side.
It is quite possible that, come September, some of the government parties might lose a few percentage points due to the citizens being annoyed about the erosion of the rule of law. We'll see.
The culture that brought us the SS and the Stasi.
Current German culture is equivalent to German culture under the Third Reich? Really?
Is current American culture equivalent to early-through-mid 19th century American culture? Should we discount everything the USA does because you once kept/traded/abused black people as property? Then continued to legislate such thinking via Jim Crow well into the 20th century?
Now that I look, I notice your post history is littered with anti-German racism rooted in complete historical ignorance. I'm wondering what your angle is.
There are very strong open source, transparency and anti surveillance movements in Germany. Stasi is the entire reason WHY we have strong privacy laws here.
How does one do that?
Well, I don't know if this is still done today, but when I was in 7th or 8th grade, they (school) drove us, by the busload, to visit a concentration camp.
We were shown the lampshades and wallets made of human skin. The place to stand where inmates would be executed during what they thought were medical examinations. And so on and so on.
It is quite possible that the next "Western" genocide will happen somewhere in Europe. But as somebody who has grown up here, I can assure you it won't be in Germany.
I just wish that history was taught like this everywhere.
But the tolerant and open minded strain is pretty dominant. Germany is 9% foreigners. Frankfurt is like 30%
The culture that brought us the SS and the Stasi.
I don't. You just disqualified yourself from any meaningful discussion, ever.
My wife treated people with mental issues for some time and I have the utmost respect for people that can handle this stuff.
You, instead, are without protection. You post stuff like this and shout out to the world that you have no clue, that you have no idea what you are talking about, what the topic of this thread is and .. just show that HN really should provide a feature to ignore other people.
Please - go away. You didn't contribute and you're a sad, sad idiot.
Focus instead on encryption.
While it's true that they are victims, they are in a far better place to demand change or to defend themselves. Money buys the ears of lawyers that the average person couldn't even afford to speak to.
Fighting the USgov isn't a decision to take lightly regardless of how much money & resources you have. I cannot condemn a company that backs down from that battle. It could hurt an employee(s) significantly, or the whole company.
While I agree they have the most resources to fight it, they're not immune to harm from USgov.
Unless of course, what you referred to is that most of the traffic goes via US soil anyway. But then again, why stay in the US? Move the whole business and yourself abroad :-)) Ironically, I found much, much, much more freedom in post-communist Poland than - oh irony! - the Land of the Free.
For example I also live in a small EU country. By no means is this a 3rd world country - we have a pretty strong IT industry (e.g. some globally successful antivirus companies etc.) and the country is certainly developed enough to host companies providing SAAS. Yet we have certain advantages against the US:
1. our government is way weaker than the US government - their resources are obviously not even close and they would not be able to do what US government does even if they wanted to. But we are still an EU state and we can use EU as a shield when Americans come knocking.
2. it is a post-communist country and people still remember the experience of living in a totalitarian/authoritarian country. Opposition against any sign of 'bad old times coming back' seems to be much stronger than the opposition of common American people against recent freedom-stripping. For example there was a proposal that our internet providers should be required to block unlicensed online gambling. The public backlash against 'censorship' was so big that the plan had to be abandoned in a few days and the politician who proposed it had to apologize. Many things that are now normal in the US or UK and some other western countries would not be possible here.
3. we are still an 'American ally' but the US is not nearly as popular with common people as it used to be here and anti-Americanism seems to be growing. Many politicians exploit that and see opposing American requests as an easy way to score political points (we have seen this for example when the US government wanted to build a part of their missile defence system here).
I am much more worried by corrupt workers in my ISP or telephony provider than I am about my government.
Many governments are much worse than the US; they not only snoop on data but they imprison or kill people as a result of the things they find.
I'd be interested to hear about countries who will i) stand up against the US & ii) not be at large risk of corrupt employees.
After all, those countries wouldn't be 3rd world countries, if they had the power to resist US threats/requests.
Or they are part of the "axis of evil" (or whatever the current propaganda term is), in which case the internet connection to that country could either be cut off, or be heavily censored, if it isn't already happening.
Focus on encryption, to keep ahead and protect the data.
Move out of the US, because it sucks, is far from 'the land of the free' anymore and needs to learn that its place in the digital world is not at the top, but more around the center. Between lots of other states that fail and fail again, in terms of surveillance..
Encryption is OK but doesn't solve the problem. There's always metadata and whom can you trust with your encryption? You have to assume that the hardware and software you use have backdoors. Mobile phones for example even have official backdoors, your SIM card can be remotely changed and so on …
Hoping that this is true, moving to services from one’s home country would make some sense. Of course, this is more easily possible for people from larger countries than, say, Luxembourg.
That's infuriating. It's the same as having an insecure system and then charging a hacker millions of dollars in restitution to re-architect the system to do it right.
Those firms wouldn't have to leave the US cloud providers if they had assurances that the US wasn't spying on them for no good reason.
This was a concern earlier but my guess is that this will only increase in the near future.
Also, practical key management is still an unsolved problem. The web of trust never took off and the PKI is fucked. Encryption is only as useful as the keys being used to encrypt.
If enough people leave US based companies for foreign companies it will put pressure on the government. I have a feeling this pressure is already underway.
If they were outside of US-and-friends jurisdiction, they wouldn't be shut down and there wouldn't be a gag order.
You should try finding a SSL cert retailer that's outside of the US. The only ones I could find that would actually sell me certs without a phone call charged at least $200 for a basic certificate. https://swisssign.com/en were the most sensible looking ones I could find.
Though, if you are pinning in an app and not just in-browser, you can bundle your internal CA cert in the binary and sidestep the whole mess.
This is what I advise my customers that have security-sensitive stuff do. The PKI can no longer be trusted.
As a community, let's shun and shame all those who continue to work for those agencies (NSA/CIA/FBI/DIA/DEA) both directly and as contractors from this date forward. If you didn't quit in August 2013, we don't want to hire you. If you quit now in disgust, we should view that in a positive light. If you or your company stand up to the US Gov, we should view that in a VERY positive light and we should be looking to hire them.
Let's shun and shame FB, Google, et al. as collaborators. Let's make it a point to avoid Google App Engine and other Google services.
It would be one thing if Google, Facebook, Microsoft, and other big firms were selling out their customers' privacy for money. They do it all of the time for advertising. I wouldn't like that, but it would be somewhat understandable that a big uncaring firm would look at their bottom line as the only determining factor. But are they making more money by being the government's snitch?
The really weird thing here is that what's going on isn't even in these companies' self-interest because they're going to make people and businesses not trust online storage of their data in any way. So all of these cloud services, all of these online storage services, anything that impacts peoples' privacy in any way is going to be put at risk of customers choosing other options for managing their data.
Things like Google App Engine/Datastore are an issue b/c your backend is Google's backend...fundamentally the same issue Gmail faces. If the NSA/FBI/DEA/TSA mistakenly fingers one of my customers as a drug dealer or "terrorist" or thinks they are associated with a drug dealer/whistleblower/"terrorist", Google will hand over all my app's data.
Then again, you hear about Microsoft or Sun/Oracle passing notes to the NSA about insecurities in the OS or JVM so that they can go about their stealthy ways. I wouldn't be surprised if the same happened with Go. But good point, it's open source.
There is also an issue with Go dependencies that may make it easier to introduce vulnerabilities. The solutions are discussed here: http://kylelemons.net/blog/2012/04/22-rx-for-go-headaches.ar...
The companies with the ability to move all operations out of US jurisdiction/coercion who don't do so are complicit in all of this.
I can imagine what would happen to Google if, through some dark miracle, their leadership decided to do this.
Most of their top engineers live in America. So do the leaders, but ignore them, we've already decided they want this. The employees don't, though: There are eleven thousand people, there, who'll need to be relocated to - where? Europe, probably Ireland, where many of them have never been.
Certainly not where they have roots, or where their family is.
Google has deep pockets. They can afford to pay massive relocation bonuses, and they'll have to do so. Still, this is eleven thousand people; we're probably talking about a billion plus, just to get a reasonable number of them to follow. After all, most of these engineers would be perfectly capable of finding work at a different company.
Okay, so they've done that. They lost a lot of good people; probably a lot of their best people, the ones that care least about money. Still, they're now in Europe.
Most of their infrastructure is still in the US. Compute clusters, god only knows how many. Storage clusters. User data, placed in the US under safe harbor provisions because an attempt at keeping it in Europe is unfeasible given the rather diverse tapestry of privacy laws here.
They'll need to move it all to Europe. They'll need to figure out a place to put it, and they'll need to pay billions - quite a few - to rebuild and expand their infrastructure here.
By the time this is all done, they'll have new problems. Realistically, they'll go bankrupt somewhere in the middle. And that's not mentioning possible reactions from the US government.
It would be great if leaving the US was an option, but it really.. just isn't.
It's not that I didn't know that Google was ok with the spying before, but seeing the difference between the reaction of Lavabit, to the non-reaction from Google -- well THAT gave me the final push to stop doing business with the company.
I really like Google's products. I really like All Access, but I don't think I'll be supporting the company financially anymore.
It probably won't matter much, but it's still something.
They receive warrants and subpoenas with which they have to comply to keep doing business, if you don't care for that blame the politician and the legal system, focusing on Google is not only missing the point, it's unfair
Not to mention that there is no US equivalent to the rampant human rights violations and censorship in China.
Also, the U.S. government is censoring Ladar Levison of Lavabit and others in his situation.
I've never been to China to see anything for myself, so I won't make further comparison, but prison state thing definitely bothers me.
Yep, I can tell. I can tell you haven't read about it either.
Of course we see more violations in china, but who's to say you don't have 10 times more of that from the US?
Just because they don't do it to US citizens (in most cases) it doesn't mean they don't do it.
Believing the other side is worse just cause you "see" more of that stuff, ends up being just blissful ignorance. Every party has it's faults and I have no doubt in my mind that the US has the most.
But we shouldn't worry... that's all to "protect the american citizens from terrorism" :D
So that makes it okay for them to systematically spy on their own citizens and violate their own constitution?
Saying "this country is worse" doesn't make it okay in the US.
As to the US market - meh. The US is third world in terms of purchasing power. Only reason to base there is the pro-corporate corruption.