Dear USA, my data has left your building (cpbotha.net)
256 points by cpbotha on Sept 16, 2013 | 151 comments

Nitpickers aside (yes, what they had they may still have or at least in digest form) this is a single instance of a tidal wave of people doing this. EU datacenters are doing quite well because of the NSA revelations.

The economic impact of this could very well counteract any net plus the US had while they were able to spy at will. Likely it's not going to be the same parties that will end up footing the bill.

The practical effect from a security point of view of this exodus is likely not very significant, I take it as read that EU pipes & major hubs are also bugged in much the same way, possibly even by the NSA and their friends with tacit approval or blind-eye-turning of local authorities, presumably under some data sharing agreement.

Just this morning it was revealed that Belgacom (the Belgian major telco) has concluded that their communications are being spied on and I'm sure that even though the Belgian government is reacting very much upset about this that when the final verdict is in we'll find that that very same government at some level of the bureaucracy knew about this since day one.

Plausible deniability will protect those in charge.

So, you can move your data around as much as you want, it won't make much more than symbolic difference unless you go to really exotic or lawless places.

Maybe Switzerland or Iceland could re-invent themselves as data bastions but that would merely shift the attention to lines running into and out of those places.

Much as I'd like to see some kind of "tidal wave of people doing this", purely in the interests of sending a message to somebody somewhere that data sniffing = not cool, I don't personally know anyone who's taken the time or energy to move all his data off of bugged U.S. servers onto bugged European or Asian ones or attempted to host it himself in less-efficient email clients, etc., nor plans to, nor do I hear very many people online talking about doing this, nor planning to, nor have I done this myself, nor do I plan to.

There's a lot of pulling of hair and gnashing of teeth going on right now in the blogosphere, but strikingly few people actually doing anything, and the actual movement looks more like a tiny ripple in an otherwise calm tide pool than it does a 100-story wave.

I suspect that until better, easier-to-use services come along than the ones being skewered in this post, most people are simply going to stay right where they are.

And once those services do come along, and attract a large enough user base, I'm pretty certain they will in turn attract agencies like the NSA (or whatever the local government equivalent may be, if not in the U.S.), showing up with hands out and secret court orders up.

If privacy was paramount to people, no one would be on Facebook (I'm certainly not, and haven't been for years). Yet, Facebook, much as everyone constantly complains about its blatant disregard for users' privacy, seems to be doing just fine, with its billion or so users and its $80 billion valuation.

The Internet is living, breathing, functioning proof that, at least to 99.9999% of human beings, utility > privacy. Unless the U.S. government starts skimming off the top of people's bank accounts, I don't think there's going to be much of a mass exodus any time soon - the motivation simply isn't there.

U.S. policy is greatly influenced by corporations. Let's assume that an alternative non-american gmail shows up with most of the key functionality in place but with extensive user privacy being a selling point. I for one would switch in a heartbeat. I think a lot of other technically minded people would as well. Many of which are probably influential when it comes to technology decisions among their peers. It doesn't have to be a mass exodus. A trickle of influential can turn into a tide. We've seen it before, especially with internet companies.

Google's a data company. They're definitely going to see this and if it's non-trivial then they're going to react. Lawyers and lobbying ensues. Policy may be affected.

I admit I'm kinda waiting for someone to say: "We're exactly like GMail/Dropbox/whatever but we take security seriously and we're outside US jurisdiction. Click this button and we'll migrate your data for you."

I guess I just don't value my boring private data enough to put much work into this right now. But if I ever need a new cloud service, being outside the US will definitely count as a big plus.

Large companies have a pretty strong set of rules to guide them in the EU DPD and privacy laws of individual countries, that means that they need to subcontract with others in such a way that they can fulfill this.

From a few months ago if you were serious about trying to comply with the law in Europe then by now you are either migrating to EU hosting, you've already migrated or you are planning your migration. If not you run the risk of being found non-compliant at some point in the future or to get very pointed questions when a new investor decides to step on board or when you're in a position to sell your company to a larger entity.

This is not going to be advertised, it isn't going to be in the headlines, it is just happening underwater and out of sight. But it definitely is happening. Individuals making those same choices are doing so for different reasons than corporations.

I completely agree that the technologies used for self-hosting have been neglected during this era's obsession with what I call the "plain cloud." As you point out, convenience is paramount. The plain cloud has seen the lion's share of R&D and has been sold to consumers as the pinnacle of convenience.

However, I contend that had an equal amount of R&D been invested in a distributed cloud (what we used to refer to as "the Internet," not to be snarky)--especially one that provided federated encrypted data backup among trusted friends and family, a model that would embrace high-bandwidth symmetric connections to consumers' homes and the notion of self-serving--we'd be better off now.

In other threads at HN, I believe this has been covered sufficiently, so I'll cut that short.

I think your first paragraph may be correct insofar as there are many of us who were already doing self-hosting of our data. Those concerned with privacy were already assuming the situation was fairly bad, although I think even we were surprised at how bad it is.

My data is no more interesting than the OP's. Boring e-mail, boring family photos, boring unpopular music, boring documents. Yet out of principle, I self-host it. Self hosting is not that remarkable, but it is a rapidly disappearing practice. As recently as five to ten years ago nearly everyone in the world self-hosted their personal data.

Since my first DSL line in 1998, I've always splurged a bit for a symmetric connection. Since then I've found it disheartening that symmetric connections were and remain marginalized. Today, I can connect to my home VPN relatively easily from any of my devices to access my data. It could certainly be a lot better (I've ranted elsewhere that VPNs suck; they've not seen genuine R&D in ages).

Running a personal mail server is pretty simple too. With so much *-as-a-service out there, I admit that some people are losing the will to install a service of their own, but assuming you do a little bit of research, some modern options are more or less install-and-play, with decent anti-spam.

Again, had a distributed cloud continued to see bountiful R&D as the plain cloud has, the self-managed options would be 5-10 years more mature today. Had Thunderbird not been effectively neglected for the past ~4 years, it would probably be a (slightly) nicer e-mail client.

> I don't personally know anyone who's taken the time or energy to move all his data off of bugged U.S. servers onto bugged European or Asian ones or attempted to host it himself ...

Hi there. This is, in fact, exactly what I've been working on over the weekend.

I have ~8 GB of mail spread across three e-mail accounts hosted by Google (excluding my original @gmail.com account, which I never use). I've now got my own server set up and about 0100 UTC today (Monday) I "flipped the switch" (changed MX records) and have been keeping an eye on it since then.

I did an initial run with imapsync to move the bulk of the mail over and, after 0100 UTC (when the TTL expires) I'll do another run to make sure I've gotten anything that ended up in the mailboxes on Google's servers since then.

Afterwards, I'll delete all of the messages in those Google accounts and, finally, remove the whole domain and such. I'm sure that Google will still have a copy of all of that for a good while but, at some point, they'll delete it.

In the grand scheme of things, I know that it isn't really going to make a difference. It's more symbolic than anything but I can feel a little bit better knowing that my data is more secure/private than it was.

I've been meaning to do it for the last few months and I'm happy that I finally devoted the time to making it happen.

(For the curious... a RHEL derivative, configured according to the CIS RHEL6 Benchmark and DoD/DISA RHEL6 STIG (for the most part), running Postfix and Dovecot (w/ SSL/TLS and a "real" certificate although I'm starting to think I'd be more comfortable if I had just made my own) w/ AMaViS and ClamAV thrown in as well.)

>The Internet is living, breathing, functioning proof that, at least to 99.9999% of human beings, utility > privacy.

Imagine, for a moment, that evidence comes forward that Snowden wasn't the first.

Imagine that someone in Snowden's position did exactly the same thing, only for financial gain, say, selling private company secrets to a competitor.

That would change the situation, would it not?

+1, the NSA is one player amongst all the countries, corporations, and ...work colleagues who might be interested in your files. There are more commercial agencies around than we'd like to think, who are given 10 grand to ruin your reputation or make your laptop disclose your next commercial move...

I don't think the worst consequences are in people moving their data off services now -- the real impact is how this affects long term IT strategy. Even small changes to the slope of the adoption curve now will result in massive accumulated losses over time.

A lot of companies with a lot of data are asking themselves whether or not to put that data in the cloud. Storing data in the US right now is a bit like suggesting you store your confidential files in 1980s Soviet Union -- only, they would probably have been a lot safer in the 1980s Soviet Union.

It's scary that they don't care but not surprising. We live in a world where the majority of people with privilege are comfortable with the fact that racial profiling still pervades the criminal justice system. In fact, such a statement will be viewed as controversial and debate will be diluted by meaningless argument about whether racial profiling exists or whether the use of the term, "privilege," is even fair. Privacy, I believe, faces the same conundrum: it's a problem but the consequences of it are so divorced from the individual that most people won't even think about it.

The rub for me is not that some NSA goon could snoop on where my gaming group is meeting up next week. It's that they could use the scale of their surveillance powers to profile and target groups of individuals in much finer strokes. They don't need to mobilize a state police force to stop random persons and check their papers anymore. It's much more quiet now and less noticeable. We can let our imaginations run rampant about what they could do with this information but I think there's evidence of what they do use it for already and the reality is often much more frightening because it seems so benign.

Please explain what "the reality" is in regards for what they use it for that is more frightening.

From: http://www.nsa.gov/public_info/_files/speeches_testimonies/2...

     When conducting 702 FISA surveillance, the only information NSA obtains results from the use of specific identifiers (for example email addresses and telephone numbers) used by non-U.S. persons overseas who are believed to possess or receive foreign intelligence information.
     Foreign terrorists sometimes communicate with persons in the U.S. or Americans overseas. In targeting a terrorist overseas who is not a U.S. person, NSA may get both sides of a communication. If that communication involves a U.S. person, NSA must follow Attorney General protects the privacy of U.S. persons.

     The collection under FISA section 702 is the most significant tool in the NSA collection arsenal for the detection, identification, and disruption of terrorist threats to the U.S. and around the world.
It's probably all true. I'd wager the majority of information gathered from surveillance activities under the FISA is to spoil terrorist threats against the U.S. However denials like this have a way of avoiding the definition of, "terrorist threat," or explaining the scope and restrictions the information so gathered must be used.

I suspect they might use the aforementioned section of the FISA to enable the extradition and persecution of whistle-blowers as terrorists. This would allow them to black-van these people and remove them from the world. However one can only speculate that this is true. And therein, in my opinion, lies the danger.

Edit formatting issues...

   echo "my quote" | fold -s -w 77 | sed "s/^/   /"

append pbcopy if on a mac:

   echo "my quote" | fold -s -w 77 | sed "s/^/   /" | pbcopy

   When conducting 702 FISA surveillance, the only information NSA obtains 
   results from the use of specific identifiers (for example email addresses 
   and telephone numbers) used by non-U.S. persons overseas who are believed to 
   possess or receive foreign intelligence information.
        Foreign terrorists sometimes communicate with persons in the U.S. or 
   Americans overseas. In targeting a terrorist overseas who is not a U.S. 
   person, NSA may get both sides of a communication. If that communication 
   involves a U.S. person, NSA must follow Attorney General protects the 
   privacy of U.S. persons.
        The collection under FISA section 702 is the most significant tool in 
   the NSA collection arsenal for the detection, identification, and disruption 
   of terrorist threats to the U.S. and around the world.

also, to address the lies you're spreading:

I have no idea about 702 fisa surveillance, but what we do know is:

1 - the nsa collects intelligence

2 - if you, as an american, communicated with a foreigner, you're fair game.

2b - if you, as an american, communicated with an american who communicated with a foreigner, the nsa collects your communications.

2c - if you, as an american, communicated with an american who communicated with an american who communicated with a foreigner... the nsa collects your communications.

2d - why yes, if you're observant, you might think this is virtually every american.

3 - if they accidentally collected your, as an american, communications, they keep it. "Accidentally".

4 - since all pigs are liars, they distribute this to, amongst others, the irs and the dea, along with a guide to whitewashing where the information came from. So the dea can, what do you know, pull over a random van for a busted tail light or not signaling a lane change or signaling a lane change too early or just cause they feel like it -- there is always, 100% of the time, a reason for a cop to pull over a car if they want to. Then they randomly find drugs! Who knew, must be just a coincidence! [1]

   The undated documents show that federal agents are trained to recreate the 
   investigative trail to effectively cover up where the information 
   originated, a practice that some experts say violates a defendant's 
   Constitutional right to a fair trial. If defendants don't know how an 
   investigation began, they cannot know to ask to review potential sources of 
   exculpatory evidence - information that could reveal entrapment, mistakes or 
   biased witnesses.
   I have never heard of anything like this at all, said Nancy Gertner, a 
   Harvard Law School professor who served as a federal judge from 1994 to 
   2011. Gertner and other legal experts said the program sounds more troubling 
   than recent disclosures that the National Security Agency has been 
   collecting domestic phone records. The NSA effort is geared toward stopping 
   terrorists; the DEA program targets common criminals, primarily drug dealers.
   It is one thing to create special rules for national security, Gertner said. 
   Ordinary crime is entirely different. It sounds like they are phonying up 
   investigations. [1]

5 - yes, regarding #4, all pigs are liars, and this would be lying directly to the court. Not that they will be prosecuted for it.

6 - since this already migrated from "omg terrarism" to drugs, you may wonder where it will end. tip: it won't just be with drugs, it never is.

[1] http://news.yahoo.com/exclusive-u-directs-agents-cover-progr...

European chest-beating in the wake of the NSA revelations is fairly hypocritical. The difference between the US and the EU is that in the US, the snooping was icky, secret and very possibly illegal. In the EU, it's done out in the open, required by law:

According to the directive, member states will have to store citizens' telecommunications data for six to 24 months stipulating a maximum time period. Under the directive the police and security agencies will be able to request access to details such as IP address and time of use of every email, phone call and text message sent or received. A permission to access the information will be granted only by a court.


Concerns about spying on foreigners vs. nationals? Does not apply in the EU. All the chatter about mission creep in the PRISM data, how it's used by the DEA, IRS etc., rather than use national security? That's routine, by the book usage of the very same data in the EU.

DRD is in many ways incompatible with DPD, this is well known and a source of much industry confusion.

Note that the DRD applies to specific requests and that the data is kept by the corporations (typically telcos and ISPs) rather than turned over wholesale to government institutions, in other words, you need a warrant to get specific data.

As such, there is a huge difference here.

Where the hypocrisy comes in is where the EU nation states were actively aiding the NSA in exchange for access and tricks regarding nationality to side-step local limitations ('I spy on your citizens if you spy on mine').

And I still don't like the DRD either.

Another thing, hypocritical maybe, even if the EU is being "just as bad" in a certain sense, piggybacking on the US outrage on this topic may help matters in the EU as well. Even if it's just increased privacy-consciousness among the public. For real, like people have pointed out, we already knew about surveillance in the EU months (or longer) before Snowden leaked his info, it was public knowledge and nobody said anything because it wasn't really in the news. Now it is, and some of it may stick to what the EU is doing as well.

The data retention directive is undoubtedly problematic, but if it is implemented according to law, it means that telcos will hand over metadata on individual accounts at the request of a court. There are no secret courts, no gag orders and no dragnet mining of content as opposed to metadata.

But of course that says nothing about what European police organizations are up to ... secretly. I'm thinking of things like the "Bundestrojaner".

How un-secret are they? Is there a room I can go sit and watch search warrants being requested and issued? If not, why do you believe it's better than the US situation?

The existence of such a room is not the only way in which the situation could possibly be better than in the US. In fact, such a room would itself be a gross violation of privacy.

I think I explained in which ways I think it is better as far as the data retention directive is concerned. Whether or not it is really better in practice considering what police in any particular country might do, that I don't know. Maybe we need our own Snowden to tell us that.

I was asking a question, not saying you're wrong. I'm genuinely curious what forms of transparency exists in the EU, and how it curbs abuses.

It's more about pragmatism than hypocrisy. Everyone in Europe has a lot to win on painting the US as the bad guys and themselves as innocent. Major European tech firms are going to play this story very hard to gain fat government contracts rather than their American competitors. That's what might change things, when profits are being hurt politicians are very quick to act.

Short sighted pragmatism.

As Europeans turn against Americans (or more precisely, non-Anglos turn against the Anglosphere/Five Eyes), the West begins to fracture precisely as the East begins to rise again with force.

It's going to be an interesting decade.

The west fractured or not, the east is going to rise. Turning a blind eye to this concrete opportunity makes no difference to that end result, but does affect the quarter's earnings.

Also, these quarrels will hardly damage international relations in any significant manner as to prevent the west from uniting in whatever manner they see fit to face the east.

Will it? People are getting fired up, and the anti-American feelings in Europe are strong. The politicians might understand better but will the people? Or will, after years of being told how evil the Americans are, functionally see their choice as one despot or another? Which is sad, because all of this hoopla over spying... isn't a hoopla in the east. It's just the status quo.

The rest of the world has known for a lot of years (more than thirty) what has just been confirmed and publicized in the US itself with the latest developments: The US government is not at all a BDFL, but behaves more like a bully.

These revelations don't change things much, macropolitically.

The only thing that could, maybe, be changing is the US people's perception of their country but, again, many western democracies are not keen on listening to the people.

More to the point, this is a problem of layers. It's not just where you decide to host.

Most every national government is probably involved in data sniffing to one degree or another, major hubs are/can be bugged, and undersea fiber connections are especially vulnerable. This, in addition to all of the insecurities found in common consumer gear.

There's probably a tidal wave of folks moving, but I agree: the move is nothing more than hugely symbolic. The only thing you might accomplish is change the organization that's capturing your data and perhaps the method. But that's about it.

The method is significant. I don't really have any issue with NSA trying to MITM, hack phones and tap cables: as long as my endpoints are safe and I'm using encryption between them, they have to work for it, so only real baddies will be seriously targeted.

What we cannot defend from is the liberal use of NSLs to subvert endpoints controlled by Google, Facebook etc, which make it way too easy for them to mass-dragnet, leading straight to LOVEINT abuses and the like. Moving away from these services should help in this regard.

This said, moving away from these services does take some work, which is why OP deserves lots of kudos.

> as long as my endpoints are safe and I'm using encryption between them, they have to work for it, so only real baddies will be seriously targeted.

This technical barrier is getting weaker every year (or month or week?), we cannot be sure that encryption is still holding up, or at least: that it will always hold up. And besides that, endpoint security may be acceptable for real experts, but never for the layman (probable backdoors in Windows, MacOS - maybe even Linux OSes).

If we as a society decide to accept what the NSA does, then we accept the total loss of privacy - it's then just a matter of time. And without privacy, democracies will die and corruption will flourish.

To think that...

> only real baddies will be seriously targeted.

...is a grave mistake.

You can also encrypt the data before it gets to the server by a third-party who holds the key in your own country. (these services do exist btw) The question is then if those companies chose to give up the key to decrypt the information.

It will however have an economic impact on US, if you do that. Think of it as "voting with your wallet". You're voting with your wallet against US.

It's also a political stand. As a foreigner who can't vote against the current US government, or even as a US citizen, your action can have a political impact.

Our political system sucks. I'm deeply affected by the US or Russian government's actions - because the Internet is mostly American and Russian, yet I don't have rights to influence decisions in either of those countries. Our country's minimum monthly wage is $211 and our average - $500, so there isn't even a lot of voting with our wallets that we can do. The only choice I had is to donate to Fight for the Future and plan moving everything to a home server, essentially reverting to my setup from 5 years ago.

At least there is a glimmer of hope (no matter how delusional) that the political process in Europe can be influenced and at some date in the future the monitoring can be turned off or at least put under more rigorous oversight.

Perhaps the only language that the US will understand is a loss of business?

Obviously we[1] sympathize with this, since we've been running a Swiss location since 2006 - one that has become increasingly busy in the last 3-4 months.

However, I personally don't store my data there - even though I am deeply disturbed by the recent revelations and invoke all manner of security precautions in my own digital life.

First of all, it appears that intra-US Internet traffic is subject to less scrutiny and open to a much more narrow interpretation of the laws that (supposedly) allow this snooping to happen. Once your traffic leaves the US, the 4A (and other) protections seem to relax significantly. Let's set aside for the moment the bad behavior of other global and national "observers" on the network, which we have to assume are at least as bad as the US NSA ... and let's just concern ourselves with the US side of things. From that perspective, moving your traffic out of the US appears to have a lot of unintended consequences.

Second, it really shouldn't matter. SSH is SSH and duplicity is duplicity and storing a fragmented TC container is ... well you get the idea. If I have the right toolset[2], I should be able to store my data on a USB stick that I leave in the NSA lobby every night. You should ask yourself how large and unwieldy your digital life has become if you can't just trust the math.

Oh, and also ...[3]

[1] rsync.net

[2] SSL/PKI is not the right toolset. gmail is not the right toolset. Weirdo walled garden dropbox gdrive non-standard private API garbage is not the right toolset.

[3] We support synology devices perfectly, right out of the box, and right through their GUI config. Just saying.

I don't know much about rsync.net or if you guys provide a quick client-side encrypted storage method (though a quick glance at your FAQ seems to suggest otherwise).

But the reason Gmail is not being trusted is that there is some possibility the NSA has backend access to their servers via various kinds of legal arm-twisting they are not allowed to talk about. I don't encrypt the mails I send via Gmail before they hit Gmail's servers. You can't "trust the math" unless you do said math and encrypt content before you send it out. As soon as there is any unencrypted data on an external service, you've (theoretically) lost it to the grubby paws of said flunkies.

Or at least that's what I think (crypto experts of HN, feel free to correct and/or chastise me).

Duplicity is a quick, client-side method that works over plain old SSH. There are some fancier ways to do it with git that we have recipes for.

The answer to your question, though, is no - we don't have anything. We just have raw disk that you access over SSH.

So you can do whatever you want. That's the point. If any party had backend access to our servers, it wouldn't matter if you used a reasonable (and simple) toolchain.

I have a Synology device (exact same model as the article author actually, and likewise I love it).

However I'm having trouble finding a way to back it up securely. The built-in backup methods don't seem to account for encrypting the backups (even if the volume is encrypted). Any suggestions?

> However I'm having trouble finding a way to back it up securely. The built-in backup methods don't seem to account for encrypting the backups (even if the volume is encrypted). Any suggestions?

Two suggestions:

A) Download the source [1], and see if it is complete and then you can port in cryptsetup and the LUKS stuff from Linux.

B) Run Linux. If you're at the point where you're worried about encrypted backups, then you should probably be running some form of Linux instead. You can get a small form factor PC that includes the motherboard and processor for not much more than the Synology box. That'll give you a lot more options for software and services too.

We're using this for all the offsite backup drives, and it wasn't too hard to get going. If you (or anyone reading this) can't figure out cryptsetup, just PM me and I'll help you out.

[1] http://sourceforge.net/projects/dsgpl/files/?source=navbar

Actually the Diskstation runs Linux already, and I have full SSH access to it. It uses ecryptfs already, and I love the thing. I am glad I chose it over building my own (and that's not something I expected to be saying before I bought it).

My question was purely about backing it up securely. I'm guessing rsync'ing the encrypted volume is the answer, just need time to look into it.

Re: other global "observers", I think most of us are assuming that the NSA is the most capable and powerful among them. While in general this may be true, I wonder how much we don't know we don't know about other agencies.

Over the last month I have cancelled all our servers in US, setting up a new one this morning in Amsterdam.

One thing I am worried about is potential liability of having someone suing us under data protection laws here in Ireland, claiming their data was inspected by US and we couldn't protect their privacy.

Here in Europe we get to have data protection commissioners and strong laws on the subject unlike across the pond.

One thing I don't entirely understand is whether having an EU-based server provided by a US company (Rackspace, AWS, Digital Ocean, you name it) makes any difference at all.

No one can say - although at the moment you can be sure they are subject to US intercept orders.

The companies are incorporated in the US, so subject to US law. But the physical servers are located in other jurisdictions, and sometimes US law conflicts with that law.

In practice, so far I suspect that the US law has won out, because other jurisdictions haven't known to fight it. In the future that might change, but... secret orders supported by secret laws enforced by secret courts can be pretty hard for other jurisdictions to fight.

Rackspace wrote a blog post about this: http://www.rackspace.com/blog/government-surveillance-and-yo.... They say it depends on jurisdiction and location of data, not whether the holding company is in the US or not.

A server that is located in the EU is almost certainly owned and operated by an EU-based legal entity that is a wholly owned subsidiary of the US parent. So strictly speaking you would be getting your services from an EU company that is owned and controlled from the US but that is subject to all the relevant local laws.

As I understand it the Dutch government are pretty much in bed with the Americans on a lot of things (we have some of their nukes dotted around the country for a start). I would be very surprised if the government aren't playing nicely with the NSA as well.

That's been the case ever since the PATRIOT Act was passed, back in 2001. So you were screwed even before Snowden came along ;)

"My webhoster (WebFaction) receives mail for all my domains. My Synology retrieves mail every 5 minutes via POP (you can set this up via Roundcube on the Synology) and deletes it from WebFaction."

But even if you can delete your mail from your mailhost after downloading it to your private machine, isn't the point that the NSA probably collected the email before it even hit your mailhost?

I think you're right. Even moving your mail or web server to another country won't help deter the actual collection with PRISM.

However, I think responses like this create tension between the companies agreeing to give their information, and the government. If Google, Yahoo, and Facebook start to lose money they might potentially fight legislation like this going forward and may advocate reverting these policies.

This is probably the biggest thing we need to work towards. Sure, leaving gmail might be painful and it might not really help us out in the end (regarding preventing spying) but hurting the big players enough for them to move into offense mode is a great scenario.

Reading this comment made me feel uneasy, and I couldn't tell why. After giving it some thought, I found the reason.

There is nothing wrong with the argument, it is sound logic, and reasonable. In fact, I agree with it. No, this comment made me recoil because for a second, it made me envision a reality where our political influence, as people, can only be exercised through corporations.

And, (maybe, I confess, because I am so deep into the lecture of Cloud Atlas) I can't help but sense that it is a dangerous road to be embarked on. But these are just my two cents...

That probably depends on whether your ISP's mailserver uses opportunistic encryption. Any email I send to Google from my mailserver is always sent over a TLS-encrypted connection for instance, because Google's mailservers agree to encrypt where possible.

In this scenario, the NSA wiretaps will get direct access to any email sent over unencrypted connections to the ISP mailserver, but they'll have to work harder to get at the encrypted data.

Of course, as we know they've suborned the encryption used by many, many organisations so this is no guarantee of protection against an NSA fishing expedition, but it's a lot better than nothing.
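Added example (not part of any comment in this thread): one way to see which hops of a delivered message actually used the opportunistic TLS described above is to read the `with` keyword in each `Received` header, where RFC 3848 reserves `ESMTPS`/`ESMTPSA` for sessions that negotiated STARTTLS. The message, hostnames and addresses below are constructed, and the function names are this example's own.

```python
import email
import re

# RFC 3848 "with" keywords: an S in the suffix means STARTTLS was negotiated.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAIN_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

# Constructed sample message (reserved example domains and documentation IPs).
# Received headers are prepended, so the newest hop comes first.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
    by mailstore.recipient.example with LMTP id ABC123;
    Mon, 16 Sep 2013 10:00:03 +0000
Received: from out.isp.example (out.isp.example [198.51.100.7])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (No client certificate requested)
    by mx.recipient.example (Postfix) with ESMTPS id DEF456
    for <bob@recipient.example>; Mon, 16 Sep 2013 10:00:02 +0000 (UTC)
Received: from laptop.home.example (unknown [203.0.113.5])
    by out.isp.example with ESMTP id GHI789;
    Mon, 16 Sep 2013 10:00:01 +0000
From: alice@isp.example
To: bob@recipient.example
Subject: constructed test

hello
"""


def strip_comments(value):
    """Remove parenthesised header comments, including nested ones.

    Needed because comments such as "(using TLSv1.2 with cipher ...)"
    contain the word "with" and would confuse the keyword search.
    """
    previous = None
    while previous != value:
        previous = value
        value = re.sub(r"\([^()]*\)", " ", value)
    return value


def hop_transport(received_value):
    """Return (from_host, by_host, protocol, verdict) for one Received header."""
    info = " ".join(strip_comments(received_value).split())
    info = info.rsplit(";", 1)[0]  # drop the trailing timestamp
    sender = re.search(r"^from\s+(\S+)", info, re.I)
    receiver = re.search(r"\bby\s+(\S+)", info, re.I)
    proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", info, re.I)
    name = proto.group(1).upper() if proto else None
    if name in TLS_PROTOCOLS:
        verdict = "tls"
    elif name in PLAIN_PROTOCOLS:
        verdict = "plaintext"
    else:
        verdict = "unknown"
    return (
        sender.group(1) if sender else None,
        receiver.group(1) if receiver else None,
        name,
        verdict,
    )


def trace_hops(raw_message):
    """List the hops of a message in the order the mail travelled."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    return [hop_transport(value) for value in reversed(received)]


def plaintext_hops(raw_message):
    """Return (from_host, by_host) for every hop recorded without TLS."""
    return [
        (sender, receiver)
        for sender, receiver, _proto, verdict in trace_hops(raw_message)
        if verdict == "plaintext"
    ]


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(hop)
```

Each `Received` line is written by the server that accepted the message, so only lines added by servers you trust are reliable, and a `tls` verdict says nothing about whether the certificate was verified.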

I haven't looked at the revelations in detail, but I don't think they're recording copies of every e-mail they intercept to anyone. If your account is already of interest to them, they're probably watching your e-mails, but if they take an interest in it 10 years in the future, that's when they go to GMail and grab all your past e-mails. So storing your e-mails on a computer you control probably still has some effect for most of us.

I suspected there was going to be a mass exodus. NSA basically killed cloud-computing. I don't think it will come back soon. And while on the subject, consider selling your Microsoft stock. How many enterprise customers will choose Microsoft products again after 2013?

> NSA basically killed cloud-computing.

I don't think the current disgust will last too long. A lot of people will move, at some point they'll realize the grass isn't all that much greener on the other side.

There is a definite activation energy required for such a move and I'm sure that the NSA debacle provided just that for a fairly large number of parties but in the very long term the difference will be small. (In the short term it will be quite significant, at least as long as this issue is on the front-burner in the media).

The response to things like this is usually an impulse with a strong attenuation over time. It'll never quite become 0 but it will get close to 0 in a fairly short time.

The reason why right now we are seeing all this movement is because Glenn Greenwald specifically is doing an extremely good job of keeping the focus on this subject. Mainstream media would normally have completely passed an issue like this by as too technical and not enough human interest to spend a lot of time on (both of those are negatives in a news cycle that thrives on eyeballs and associated advertising).

The longer this story is kept in the public eye the bigger the fall-out will be. For now, I'm very impressed with how they are managing this, considering the adversary.

Greenwald somewhere mentioned that there's material for months to come if I am not mistaken. So besides that he's doing a good job (agreed), I think Snowden simply provided a huge amount of information.

If there really is months more worth of information I wonder if the public, US or otherwise (as we find more countries with intelligence agencies working as accessories), will experience outrage fatigue. I guess it will depend on how bad each revelation is but I could easily imagine a lot of people picking the one revelation that really bothered them and then framing all others relative to that: "they're doing Y too? What's the point when they are already doing X?"

My armchair quarterback opinion, reveal the rest now and hope for a critical mass of outrage.

>I wonder if the public, US or otherwise (as we find more countries with intelligence agencies working as accessories), will experience outrage fatigue.

That's a valid concern about something which I consider the most disgusting stance a citizen could have.

As if news and outrage are supposed to be novel and entertaining. It shows that those who feel that way are not active citizens of a democracy, but passive couch potatoes, overstimulated with media BS and their own private affairs, and unable to think or act to better their country and communities.

Consider the enormity of using the same excuse for black rights ("Jim Crow laws? Segregation? Who cares about this, didn't we already have a civil war and a KKK discussion for so many years?") or anything that took time to fix.

> will experience outrage fatigue.

That is already happening, even here on HN where people consider this off-topic because it is also mainstream news.

"I wonder if the public, US or otherwise (as we find more countries with intelligence agencies working as accessories), will experience outrage fatigue."

Unfortunately, I fear the mainstream mindset towards this issue will hinge on how the major political candidates in the 2016 election choose to frame the issue. If there's widespread consensus from the leading Presidential candidates in both parties that this is not an issue - then the mainstream populace is likely to get in line with that mindset in support of "their" candidate.

I hope the public perception of these issues doesn't get dumbed down to political-party allegiance, but I fear it may be the case.

This is a very insightful way to look at things and it highlights the role of the leadership. In current world not much of the stuff matters, actually, as it is very high on the Maslow's pyramid. So it has to be thought leaders who define the course of action for the "careless masses" (TM).

No, current disgust won't last too long, but it is currently being transformed into future policy at almost every shop that uses cloud services, from governments, major corporations to small companies that outsource their IT needs.

And those policies, which can be summarized as "we won't store our shit with US companies" will last for decades.

It may take many years before they are fully implemented because nobody wants to throw money at migrating legacy with no immediate financial upside. Besides, in many cases there aren't yet sufficient competing non-US services that meet all requirements.

It will be a slow exodus, but it will also be a massive and irreversible exodus.

For who? None of our customers have even voiced concern over the NSA let alone foot the bill to migrate their data to the EU. I think HN in particular has tunnel vision over this situation.

Unless shown otherwise I'd warrant a guess that outside the tech community the overwhelming majority of people and businesses don't care about what the NSA does.

I'm curious to know why you advocated just selling Microsoft stock when Google and Amazon and IBM also have cloud computing/services businesses. Will they not be affected?

I suspect the author was implying that the NSA backdoors in Windows will affect use of Windows by business.

Personally I doubt it - those backdoors have been known for years[1], and nothing happened.

[1] This report is dated 1999: http://www.heise.de/tp/artikel/5/5263/1.html

Microsoft's not included in the Silicon Valley good ol' boys club.

I thought there might be a mass exodus, but that hasn't happened yet. What I think might happen is people will keep using the vanilla cloud for day to day, but then switch platforms for "sensitive" topics. I.e., you send me an email about the special project, then we go on Silent Circle to continue the discussion. Kinda like talking on the phone and then meeting in person.

This of course does not solve the metadata problem. But I don't think the populace is really considering this angle. Protecting content is much more visceral.

One hacker moving his data to his own country is a mass exodus? This site's users represent a small fraction of the general population. Most people don't know or care about what's going on. There isn't and won't be a mass exodus. Will it have a large enough impact to make companies take action? Quite possibly. But there is no way it's going to kill cloud computing.

It's the bottom line that's important. As long as the current surveillance regime is in place, there's nowhere you can be online that isn't watchable by them.

The NSA is the largest practitioner and consumer of surveillance among its allies and other targets, and likely drives and influences most surveillance activity among its allies and other targets. The NSA gets its funding from US tax collections, and those taxes are controlled by US politicians.

So at the least, non-US citizens and corporations should move their data and activity out of US-controlled or affiliated corporations. There is only one way that this surveillance can be changed at all, and that's by US corporations and their rich executives and shareholders feeling a rumbling in their bottom lines. This will rouse them to direct the recipients of their political and lobbying dollars to cut this shit out.

I'm sorry, but we citizens of the US have long lost control of our government. It's money.

Vote with your feet. Don't fund the US surveillance state.

This is true, but there is also some reason to think that surveillance may be somewhat more difficult if outside the immediate operational reach of the US government. So yes they can listen. But if you make it as hard as you can, you make them spend more effort for less.

If we could make the internet run more secure encryption generally, then the NSA, forced to target specific end-points, would howl in frustration....

In most cases I'll agree with you, money controls the US government. In this case though, the NSA might have secret knowledge on politicians, its job might be critical to national security or at least seem so, and I bet there's some support from the military industrial complex.

It would be quite hard for tech companies to fight this fight.

Actually, there's a potential error in what I said. If corporate America benefits from economic espionage (e.g. spying on PetroBras), then it will never stop.

As much as I love Synology NAS, I wouldn't trust it for keeping what's essentially my entire life (email, photos, music, files, everything). The author has a backup system which involves two laptops, a workstation and a separate file drive. However, at the bottom he/she adds "I will probably add an extra external drive to the mix and try to keep that off site." My advice: do it. Now. Murphy's law states that a flood/power surge will hit your house as soon as you pull the plug on your external storages.

I don't want the NSA to snoop through my email and family photos, but the fear of data loss easily trumps my fear of not having privacy. To me, that's the tradeoff for using public services like dropbox/Gmail: I get more redundancy at the cost of privacy.

I currently backup to (encrypted volumes on) external USB drives at home. I just recently moved and now have much more upstream bandwidth (FTTH, yay!) so I wanted to do off-site backups as well. After careful consideration, I decided to occasionally make an "encrypted full backup" and then permanently archive those to Amazon's Glacier service.

Edit: Just read your comment further down where you also mention using Glacier. Have you restored any data from it to test it out yet? If so, are you happy with it? Thanks.

free cloud services!=backup

No, you're absolutely right. And I didn't state they are, nor that they are free. For backup purposes, I use my NAS, an external hard drive that I use off site, and Amazon Glacier for when things go really bad. (With Glacier, you pay mere pennies for storing gigabytes, but you pay a lot if you ever need the files).

What I meant is that the author is so focused on privacy issues that he/she forgets about redundancy.

It's a bit naive to believe that after Google may have deleted your emails (no good reason to trust them, I'm afraid), the NSA also no longer has access to them. They picked them up as they arrived at or left your Gmail account and will keep them forever.

But may not get his future email and future data, which is still much better to him than if he stayed with Google.

may not being the key phrase. Thankfully for the NSA, they can add to his profile this how-to on how he's managing his data moving forward.

"may not" is still better or at the worst case the same as "certainly true" ;)

I hate responses (and attitudes) such as this. It's as if you've concluded that anything you do going forward is pointless and a waste of time.

I am not yet ready to come to that conclusion and have recently stepped up my efforts to better protect my data -- both at rest and in transit -- and encourage everyone else to do the same.

You forgot the backdoors in your hardware.

Yours faithfully,

The United States of America

Maybe it's time EU, Latin America, and most of the Asian countries start banning US hardware, too - you know, just like US started banning Huawei, for the same reasons.

So, would we use Chinese hardware? It probably has backdoors too..

And at least here in Latin America I believe there aren't enough hardware providers to build anything resembling a modern computer.

> So, would we use Chinese hardware? It probably has backdoors too..

Indeed, but at least the backdoors aren't used to feed an establishment that has a track record of rendition, UAV assassination and technology-based lethal sabotage.

The problem is that all of your email conversations are with people who still use gmail. Game over.

You are correct.

However, I am simply taking all MY email out of gmail, so that MY database is not the one that's used to get information about others. Besides this, because I'm not using gmail anymore, I'm using OpenPGP more often to sign and encrypt emails.

I agree that it's a drop in the bucket, but it's a drop that I had to add.

> Game over.

Never surrender.

"Educate" your friends. Provide them with the facts/sources they need so they open their eyes.

At least you're not informing on other non-Gmail users.


Yeah, because nothing protects you from the NSA like being outside the USA.

Edit: Oh I see I've been voted down. I guess that makes my statement untrue.. My point was that outside the USA the NSA has free rein. Only inside the USA does the NSA have restrictions. Obviously they crossed some lines and we are still fighting for privacy around the globe. But moving data outside will not stop them.

It's interesting to see people doing this as it's something I've been planning to try. I've backed the Lima project on Kickstarter which will hopefully become my Dropbox replacement:


and the Mailpile project on Indiegogo which will hopefully work as my email frontend on a local server:


I'm planning on buying a small server for running all my services on a VPN (mail server, GitLab, Mailpile etc.) and a decent NAS with RAID'ed backups of server + lima drives + time machine and if possible send that to a safe off-site backup.

I have a HP ProLiant N40L and couldn't recommend it enough.

Actually, your data is still in their building.

You've only removed the particular copy that you had access to.

"The loss of GMail conversation view was initially really REALLY painful."

I recently experienced the same pain with Thunderbird after moving away from the new Gmail compose interface; however, I've since moved on to Airmail [1], which deals with conversations (and other Gmail behaviours, shortcuts etc.) in a very similar way to Gmail, and am extremely happy with the move.

[1] http://airmailapp.com

Thanks for the tip!

I use Linux on all my laptops and workstation, so unfortunately I can't use airmail or postbox (windows + osx) for this.

Geary is a mail client for Linux with a similar interface to conversation view. It's still fairly young, so not entirely polished, but it is usable.

Edit: usable, but seemingly with no support for encryption/signing, among various other things. Maybe it needs a bit more time to be ready.

Where are you going to move your data where it's less likely reachable by the NSA and the GCHQ? Another UKUSA member country? Any country in Europe? A third world nation?

You're only shifting eyes from western intelligence to a third world dictatorship, or Russia's FAPSI and GRU units. And in some cases, moving your data out of the US may subject it to even more scrutiny or dragnets.

I recently deleted my Google+ profile. I have to say that Google is among the nice ones out there. They have a no-nonsense process with tools in place to export the data and delete accounts. Facebook/Quora make it really difficult to delete your data.

It's ironic that it's easier to leave the good corporations than the bad ones.

Facebook doesn't really make it difficult either: https://www.facebook.com/help/delete_account

Was your data actually deleted, or does Google still have it?

They said that they will delete the data "over a few days". I only deleted my Google+ profile, not the entire Google account and I had manually emptied the profile anyway.

Since when Quora too make the cut to the baddies?

Dear cpbotha,

No it hasn't.

-- USA.

As for Google - yes it has. If this is done en masse it will hit their bottom line. Only this will make them lobby for better rules. So even if the USA can still snoop there is a chance for change.

Can anyone recommend a linux VPS host outside the US as an alternative to Linode or Digitalocean?

http://www.hetzner.de/en/hosting/produktmatrix_vserver/vserv.... German company, servers in Germany. Cheaper than Linode, AWS, etc.

European companies will be pleasantly surprised that the prices listed include VAT - which means that if you provide your company's VAT number on sign-up, you won't have to pay VAT. So a €7.90 VPS will cost a European company €6.64 (roughly equivalent to $8.86).

If you are speaking German (site is in German) you could try http://uberspace.de. I am one happy customer of these guys.

I'm also a happy Uberspace user, but they don't offer any VPS. They're more like a standard webhosting provider with shell access.

I've been using http://www.cheapvps.co.uk/ for bots and simple websites, and am pretty happy with it.

EDIT: as other people pointed out elsewhere, the UK may not be that much better (if at all better) than the US. The question is, though, where is safer?

I've been trying out http://www.exoscale.ch , and while slightly more pricy than similar offers, they seem to offer a pretty good service, with high focus on privacy and security. Also, they're hosted in Switzerland.

Just checked out the pricing - really expensive, if you compare with the Germans at Hetzner http://www.hetzner.de/hosting/produktmatrix/rootserver-produ...

I think the Swiss market has ample room for more competition.

I'm a happy user of https://www.transip.eu/ (no other affiliation). Cheap and has a fast connection.

Look out for the prices, though: the discount showed is not permanent, just a first month promotion.

http://www.bigv.io/ is UK based and seems rather popular.

Why is a US lapdog country like the UK, any better in the context of this post?

I think the UK is just as bad as the US when it comes to spying.

Dediserve is based in Ireland, and they are pretty good too.

www.greenqloud.com in Iceland

I strongly suggest watching Jacob Appelbaum's speech at the NSA hearing in the European Parliament:


Here's a question he asks to people who think that because they're Americans they're "more protected" against NSA spying than foreigners:

Who would be more afraid to call someone like Appelbaum or Julian Assange? Someone from US, or a foreigner?

I think everyone knows the answer to that question, and you also have your answer for how protected Americans really are against this total surveillance.

> On my Android telephone (whoops…) I am using the Kaiten IMAP client.

Check out: http://www.ubuntu.com/phone

Devices supported: https://wiki.ubuntu.com/Touch/Devices

Currently, the Galaxy Nexus seems to be the best option; see its hardware support progress here: https://docs.google.com/spreadsheet/ccc?key=0ArLs7UPtu-hJdDZ... (column "Maguro")

Even better: Firefox OS

The only thing I'd miss there is the lack of support for "native apps" (meaning everything runs in the browser). But it's still great to have another open-source mobile OS alternative.

I don't believe that there is enough information yet to take action, for example moving data out of US Datacenters. Too little is known about what the NSA is actually doing with the stuff, what they do and don't have access to, and what kind of risks businesses are incurring as a result.

The most important question is whether or not the NSA or other agencies in the US are actively committing industrial espionage, meaning not only that they are spying on foreign companies but also passing on data to US competitors.

This used to be called setting up a mailserver and fileserver back in the day. Some people never gave up the goods and kept their personal files and email accounts on their own hardware.

> The loss of GMail conversation view was initially really REALLY painful

Considering all the shit going down lately... we've seen a recent surge in use of things like DuckDuckGo and OwnCloud, but no good replacement for the Gmail UI. I'm surprised no one's seen that opportunity and created something similar, but installable on your own personal server so that you can have access to a good web UI from anywhere.

If I can make the time, I'd love to do something like this.

All well and good — I suspect that OpenPGP is one of the few reliable tools out there for file and email security — but BitTorrent Sync is closed-source. We have no way of knowing that it doesn't automatically provide copies of all data to interested third parties. Better put those cat pictures in TrueCrypt (another tool which probably works) volumes before syncing them out. (Assuming your hardware doesn't compromise the encryption.)

GCHQ is not exactly any rosier than the NSA. I don't know why OP imagines that WebFaction (UK company) is immune to spying in a way that Google isn't.

I'm afraid this will be characteristic of the anticipated mass exodus. People will move away from US services because it makes them feel good, but their destinations are going to be either Five Eyes territory or countries that don't even feel a need to hide their surveillance apparatus.

At least for e-mail, I think the idea is to ensure that a cloud provider doesn't have a long backlog of his e-mails. Of course, if the NSA take an interest in him, they'll still find a way to monitor his current e-mails, but this makes it harder for them to pull all his past e-mails. I doubt WebFaction is secretly storing all the e-mail he has deleted, because that costs money, and they can't show advertising next to it.

We know that the Five Eyes have ISP-level taps. Why do we think they aren't reading SMTP as it flows across WebFaction's datacenter?

They are quite probably reading it, and I think I read something about a buffer of a few days that they kept things for. But they're probably not keeping all of everyone's communications in case they want to refer to them in five years time. Whereas on GMail they can dig back through years of old e-mails as well.

At the very least, it adds a small per-person cost to their surveillance, because they have to store copies of e-mails themselves rather than getting Google to do it.

Just as a thought exercise, this might not be a good trend for US businesses, but perverse reversion of this is that the less foreigners store their data at US companies, the less rationale the NSA has to snoop there, meaning we may only have to worry about FBI, DEA, etc. and they aren't as sophisticated as the NSA at this. I actually don't have a problem with any of these agencies personally, just a thought.

dirvish is dead. Use obnam http://liw.fi/obnam/

7bn people on earth, but the NSA has a direct interest in cpbotha hence his actions make total sense.

because if the US intelligence services took interest in him, moving his data to other servers would totally stop them. i can see the agents shaking their fists at the sky, helplessly staring at the server just beyond their reach.

so fulfilling to finally act out those ultimate nerd fantasies. just as awesome as the PGP mail users in college back in the days. sending plain text mails with pgp signatures, because someone else could forge your identity - riiiiight.

i wonder if there is a direct correlation between this mindset and stuff mounted on the belts of said users. giant keyrings, led flashlights, multitools, etc - always prepared for the movie in your head.

If your data, encrypted or not, travels through the US or any of its allies, don't you think they already have access if they want it? Privacy is an illusion.

It's not clear to me if you dropped your gmail address? Running email outside of gmail is easy enough, but changing email address to another domain is a total pain.

Fortunately I've been using my own domains on top of gmail for the past few years.

I still have my gmail account to see what mail ends up in there (and then notify people), and to use google+ (not going to stop that yet).

Already probably about 98% of important mail is going directly to addresses on my own domains.

It's odd that perma-address providers like pobox.com aren't more popular.

pobox is US-based.

He could have been using Google Apps with a custom domain.

The problem is the "normals" don't know the spying is going on, don't know what it means, and don't know how to roll their own solution.

For me everything was clear before these NSA leaks. That's why I have hosted my own services and servers already for 15 years.

The author is an ignorant puppy. [\ad hominem] What's the use of all those spendings if his email is not encrypted and hosted on his own hardened server behind a firewall he knows how to configure himself? And even then, if his counterparts are not doing the same, we're back to the original problem.

> And even then, if his counterparts are not doing the same, we're back to the original problem.

Not necessarily. It means he removes the "trove" aspect of his email inbox. Putting together all his communications from the recipients adds to the difficulty (not impossible since "they" have all the metadata and others are probably compromised), but at least he removes the major point of failure.

Great post. Appreciate all of the details of how to leave Google vs just a rant.

all major nations do exactly the same as the nsa. yes france. yes germany. because they've not been exposed as publicly does not mean nobody is watching.

source: used to work in eu intelligence agencies

Technical decision, or just nationalism? Some people never get over old historical issues.

Dear cpbotha,

You can run, but you can't hide.


Dear USA,

You are probably correct. My point is that I can make it slightly more complicated for you to sniff around in my data, and that was the whole point of this move.

If more people do this, it will get progressively harder for you to do your mass surveillance job as you do it now.

I'm sorry I had to leave you, cpbotha

If you think the USA is alone in their desire to surveil you're going to have a rough time around the world. The USA had the means, but the will is there worldwide.

This is true, but outside of the US, China, and probably Europe, few countries' governments have the money to do this or the priorities to do it.
