On its way: A Google-free, NSA-free IT infrastructure for Europe

This really wasn’t in the script. All conquering, “disruptive” Silicon Valley companies were more powerful than any nation state, we were told, and governments and nations would submit to their norms. But now the dam that Max Schrems cracked last week has burst open as European companies seek to nail down local alternatives to …

  1. Dan 55 Silver badge
    Meh

    Telcos. Oh.

    Given, say, the epic failure of telcos to address the rise of yankee imperialist running OTT services via the GSMA (see Joyn and Firefox OS as examples), I wouldn't get my hopes up just yet about them managing to coordinate IMAP, certificate, and secure DNS services between themselves.

    1. Mephistro

      Re: Telcos. Oh.

      At least they're trying!

    2. James 100

      Re: Telcos. Oh.

      The beauty of the Internet is that we don't need much coordination of that. We have secure DNS facilities, we just need to enable them ourselves. I did on my domains ages ago - TheReg, of course, is a decade behind as usual: no IPv6, no DNSSEC, no SSL: http://dnsviz.net/d/theregister.co.uk/dnssec/

      IMAP's a bit of a red herring here - it's normally used over SSL anyway, the weakness is actually in the SMTP delivery of mail between systems, where TLS is optional. That's one security facility TheReg *does* actually have enabled ... but only because they outsource their mail to Google.

      If we have decent crypto on each end, the bits in the middle don't actually matter any more. If I email theregister.co.uk, tapping the backbone or submarine cables will get GCHQ and co nothing but encrypted gibberish - they'd have to rely on something like PRISM to get the mail from inside Google itself to know what the message said.
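
Added example, not part of James 100's post or the original thread: because TLS between mail servers is optional, a recipient can audit which hops of a delivered message were actually encrypted by reading the `with` protocol keyword each receiving server writes into its `Received:` header (ESMTPS and ESMTPSA, registered by RFC 3848, mean STARTTLS was negotiated). The sample message, host names and function names are constructed for illustration.

```python
import re
from email import message_from_string

# "with" protocol keywords (RFC 3848): the trailing S means STARTTLS was used.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAINTEXT_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

COMMENT_RE = re.compile(r"\([^()]*\)")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

# Constructed sample: newest Received header first, as a mail server stores it.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mail.example.org (Postfix) with ESMTPS id 4F1A2B3C
\tfor <reader@example.org>; Wed, 14 Oct 2015 10:00:03 +0000 (UTC)
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.net with ESMTP id 9ABCDEF
\tfor <reader@example.org>; Wed, 14 Oct 2015 10:00:02 +0000
Received: from laptop.example.com (unknown [203.0.113.5])
\tby relay.example.com with ESMTPSA id 1234567;
\tWed, 14 Oct 2015 10:00:01 +0000
From: writer@example.com
To: reader@example.org
Subject: constructed sample

body
"""


def strip_comments(value):
    """Drop parenthesised comments, innermost first, so that text such as
    "(using TLSv1.2 with cipher ...)" is not mistaken for the with clause."""
    previous = None
    while previous != value:
        previous = value
        value = COMMENT_RE.sub(" ", value)
    return value


def classify_hop(received):
    """Classify one Received header value as tls, plaintext or unknown."""
    value = strip_comments(" ".join(received.split()))
    value = value.split(";", 1)[0]  # the date stamp follows the semicolon
    match = WITH_RE.search(value)
    protocol = match.group(1).upper() if match else None
    if protocol in TLS_PROTOCOLS:
        status = "tls"
    elif protocol in PLAINTEXT_PROTOCOLS:
        status = "plaintext"
    else:
        status = "unknown"  # no with clause, or a keyword not listed above
    sender, receiver = FROM_RE.search(value), BY_RE.search(value)
    return {"from": sender.group(1) if sender else None,
            "by": receiver.group(1) if receiver else None,
            "protocol": protocol, "status": status}


def audit_transport(raw_message):
    """Return the hops in transit order (headers are prepended, so reverse)."""
    headers = message_from_string(raw_message).get_all("Received", [])
    return [classify_hop(h) for h in reversed(headers)]


def unencrypted_hops(raw_message):
    """Hops that cannot be shown to have used TLS."""
    return [h for h in audit_transport(raw_message) if h["status"] != "tls"]
```

Only the headers written by servers you operate are trustworthy evidence; anything an upstream relay added can be forged.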

    3. Anonymous Coward

      Re: Telcos. Oh.

      I have worked for 15 years for Telcos.

      I just don't think they have the expertise. They have long outsourced almost everything...

      1. Gordon 10

        Re: Telcos. Oh.

        Not to mention that they were totally penetrated by the spooks shortly after the telegraph was invented.

  2. tkioz
    Holmes

    It was only a matter of time, American businesses will scream bloody murder but they only have themselves and their government to blame for ruining their reputation.

    1. kmac499

      I'm sure they will, citing all sorts of anti trust and freedom of speech guff no doubt.

      Maybe we could suggest that they could always host stuff in Europe, but then of course they might have to pay tax in Europe on profits created here..

      1. Peter2 Silver badge

        The problem is that even if Microsoft has stuff stored in Europe the US courts can demand that their Ireland Branch produces the data without due process in Europe in violation of international agreements like Safe Harbour. Given that Microsoft has a court order to do precisely this, it's not a hypothetical issue.

        US companies could even be required by the US courts not to disclose having been made subject to an order, which makes it impossible to challenge said order or even monitor for misuse, which means that no agreement an American owned company can make is worth anything.

        1. sysconfig

          "The problem is that even if Microsoft has stuff stored in Europe the US courts can demand that their Ireland Branch produces the data without due process in Europe in violation of international agreements like Safe Harbour. Given that Microsoft has a court order to do precisely this, it's not a hypothetical issue."

          They're still debating/resisting that though, or did I miss any recent news?

          If M$ Ireland are indeed forced to hand over the data to the US slurpsters, then it only goes to show that the US haven't understood the gravity of the situation yet; it would worsen the situation by quite a margin (for US companies trying to do business over here)

          1. a_yank_lurker

            I wonder how fast America's Native Criminal Class aka Congress (hat tip Mark Twain) would change the law if say Apple, MS, and few other big buys reorganized themselves as say Irish companies.

          2. Anonymous Coward

            It is still being fought and it is a fight the US government cannot afford to win since if they do, US businesses (who after all control all of the US legislation that goes through) will lose USD billions.

            Microsoft know that which is why they are fighting it tooth and nail. It has nothing to do with any previous history of data sharing.

        2. John Smith 19 Gold badge
          Unhappy

          "US companies could" "be required by the US courts not to disclose"

          Could ?

          Could ?

          Have.

          Multiple times.

          THE PATRIOT Act trumps pretty much anything.

        3. SImon Hobson Bronze badge

          > The problem is that even if Microsoft has stuff stored in Europe the US courts can demand that their Ireland Branch produces the data without due process ...

          And in this case, you need to look a bit deeper.

          AIUI, Microsoft recognised this train crash was coming along - some time in advance. They have structured things so that the datacentre in Ireland is operated by an EU based company and with access restrictions that prevent the US company staff from directly accessing the data. At least, that's how I've been reading things.

          So regardless of the outcome of the legal case, Microsoft US cannot hand over the data as they simply can't access it. The bosses there can "instruct" the management over in the EU to hand it over, but of course will get a blunt "no, that would be illegal" response. In effect, the very worst that MS US can do is start firing managers of the EU business unit - but if they try that then they'll quickly find out about "unfair dismissal" laws as well !

          So if MS lose the case, the TLA still don't get the data, but the US makes itself look even more foolish. I suppose it also means that the EU managers refusing to break the law will also have to forego ever setting foot within US jurisdiction for the rest of their lives as well since I guess the same idiot judge would probably file a warrant for contempt of court against them.

          Really, the US government, TLAs, and courts need to find a way to back down on this before it blows up big time in their face.

          It's a very different situation from a US based company directly owning/operating, and having access to a datacentre that just happens to be located in the EU.

          1. Anonymous Coward

            Yes, +1 for a good analysis.

          2. dan1980

            "Really, the US government, TLAs, and courts need to find a way to back down on this before it blows up big time in their face."

            But The US is awesome. Bowing to the EU would be admitting the US is not awesome. And that would be bad. Because they are awesome.

            1. This post has been deleted by its author

    2. Thought About IT

      With GCHQ acting as a subcontractor of the NSA, won't the Yanks get our data anyway?

      1. Anonymous Coward

        Yes

        And Microsoft has been cooperating with the NSA from time immemorial - the other guys just copied them.

        Clever move by Microsoft to suddenly raise a loud objection in a lawsuit as if up till now they had never given NSA anything prior to this. It is truly misleading.

        1. Gordon 10

          Re: Yes

          To be fair to MS it's a different agency asking for the data - one without a War On Terror mandate and less sweeping legislation supporting it, and one without a capability to have black bag jobs performed on request.

          If you were a yank (or a yank business) and the spooks rocked up at your door you would most likely comply out of fear, whereas if it were the Plod you'd tell them to f*ck right off and come back with a warrant - which is precisely what MS are doing. (for warrant read follow an existing process).

        2. Anonymous Coward

          Re: Microsoft has been cooperating

          It was interesting how their antitrust thing just disappeared.

          Then they bought Skype. Which previously had a reputation for being hard to monitor.

          Then they gave Nokia a huge bung to drop Symbian. (An OS not covered by the patriot act.)

          Obviously just a coincidence.

    3. big_D Silver badge

      With Safe Harbor and the current case against Microsoft having to hand over data from a European subsidiary to the US Justice Department, the US Government seems to be doing everything in its power to sabotage the US Internet industry, at least internationally.

    4. Anonymous Coward

      It was only a matter of time...

      See "The History of the Decline and Fall of the US Empire".

      1. hplasm
        Boffin

        Re: It was only a matter of time...

        "See "The History of the Decline and Fall of the US Empire"."

        It peaked in 1969 and has gone downhill since.

    5. a_yank_lurker

      Or shut and demand US law mirrors European privacy law

  3. Anonymous Coward

    We all seem

    To be missing that GCHQ is just as bad as the NSA when it comes to data hoarding and from the sounds of it the French want in on the game too, and they'll all share your information as required. I've also said for a while that "if you think the US Intelligence services are above using the information they acquire to bolster the nation's economic position I have some magic beans I'd like to sell you"

    Isn't there a bigger question around politicians selling their ignorant populations down the river for a "little bit more security"?

    Britain has had a pretty shady history with surveillance and still does~~~

    And as if to hammer home the point http://www.theregister.co.uk/2015/10/14/wilson_doctrine_gchq_can_will_spy_politicos/

    1. Dadmin
      Paris Hilton

      Re: We all seem

      Very well said. When you read US Empire, don't forget where we learned that from, UK Empire. Sure, we're all friendly to the third-world NOW, but hey look at Putin; he's doing Empire building old school and isn't that a big enough problem yet? I guess not. Look you idiots, Ed Snowden did the right thing to expose what GCHQ/NSA already know, and the US "cloud" industry is fully culpable and capable of handling the fallout from this massive US spying. Unfortunately it's 2015 and I can't begin to tell you how enormously pathetic it is that any first-world country does not already have its own Internet infrastructure that can be decoupled from the rest of the world. You bitch about spying, just cut off the US/China/USSR/WHOEVERTHEFUCK and do biz elsewhere, like at home, until whatever ill you perceive is rectified. You act like Facebook is the only game in town. Get off that crap and talk to real people in the real world. Facebook is just a colossal waste of time, why does anyone need to be on it? Grow some local flavour and stop trying to treat the Internet as some fucking US-owned freeway. It's TCP/IP, go make some content and stop all this "safe harbour" bullshit. Any company worth its salt will be able to compete on a global scale, and abiding by local laws, or don't appear on their Internet. No one is forcing you to go to Facebook/Google/MicroSoft/Apple/etc, you made that mistake yourself. Live with it, or work around it. Unless you really are stupid, then keep sending clear text messages and leaving your stupid wifi open and that will ease your passing.

      1. Gordon 10

        Re: We all seem

        Sir - I wish I could award you both an up vote and a down vote for that magnificent rant. Total class.

    2. DanielN

      Re: We all seem

      Indeed. Every country's intelligence services do anything they think they can get away with, and act with greater impunity the farther from home. If I wanted to hide information from the NSA, I'd do it in Arlington, Virginia, right across the river from Washington, D.C.

      Let us not forget about respect for civil liberties either. The only way to be convicted of failing to spy in the U.S. involves bringing the entire affair in front of a grand jury made up of random citizens. Yes, a secret intelligence court can issue a double-hush mega-secret search warrant. But if you tell them whoops, sorry, you simply cannot find the requested information, the path to criminal conviction runs through a grand jury, followed by a second trial jury. It's a constitutional requirement. Spooky McFBI has a hard time getting convictions of brazen spies, let alone honest men who had enough of political games pretending to be national defense.

      If you want to be afraid of secret courts making their own laws, go to the authoritarian and inquisitorial courts of Europe. The judge, or a small panel of judges, decides what to investigate, how to investigate it, and whether to keep public records. Their standard operating procedures would be considered nearly an act of war in the U.S. Even the British courts are viewed with a jaundiced eye by Americans. That's a nice database your employer has, be a shame if a pedophilia ASBO were to happen to you. Do you seriously think companies like VW are honest, loyal white knights come to rescue you from the evil barbarian Americans? They will cheerfully sell you out for pocket change.

      1. tom dial Silver badge

        Re: We all seem

        (re: DanielN)

        I'm not sure I agree fully, but the points are essentially correct. Understated is the fact that although one ultimately must be tried, in open court, and either convicted or not by a jury of ordinary citizens, law enforcement agencies and prosecutors can easily cause a lot of trouble and expense even when the final verdict is "not guilty". In addition to that, prosecutors, by overcharging, often can avoid the messiness of a trial and the risk of a not guilty jury verdict and get the defendant to plead guilty to one of the lesser charges. The fact is, however, that this happens far less often in cases involving national security than on the local level with more ordinary crimes like murder, assault, robbery, theft, fraud, and drug peddling. National security, pedophilia, or pornography, the most likely to involve electronic data collection, are quite uncommon.

        Still, I suspect all these are roughly as common as here pretty much anyplace there are police and prosecutors.

  4. SuccessCase

    I doubt European telcos can do particularly well with Cloud services except via what amounts to protectionism via the courts (which in itself, in this case, isn't a bad thing). But even then I suspect they will get nowhere because what we will see is some big effort on the part of the US cloud providers, Amazon, Google, Apple, MS Azure, Salesforce, Rackspace etc to provide secure cloud facilities in Europe who will each establish a European cloud operation subject to European law with the relevant protections the law demands (if they don't already have such or are not working on such already). Just as they have done, but for different reasons, in China. And that will be a good thing.

    On a separate note here, logically, it should be perfectly possible for a datacenter/cloud service to meet European law from anywhere in the world. The law shouldn't limit the delivery of service to a particular geography. There is, of course, the very real practical issue of verification and trust (how do you verify the NSA haven't obtained access) but that shouldn't be insurmountable. If protectionist practice is bad, logically there should be no geographic requirement.

    1. <shakes head>

      patriot act

      sorry but that does not work, as the patriot act is in effect on every US corp, they have to breach EU data laws if asked to. therefore any US corp cannot guarantee the required levels of security and privacy. they could have a separate EU company that they own all the shares of that has servers in the EU and that would work, but they would never be allowed to export that data back to the mothership.

      1. Peter 39

        Re: patriot act

        I don't think that would be sufficient. After all, isn't that exactly the situation with Microsoft? There's a separate EU company (HQ in Ireland, I would guess) and it's wholly owned by Microsoft. Yet the U.S. is trying to force disclosure of the data in the EU datacentre.

        I think that the EU company would have to be fully independent for the separation to work.

        1. Anonymous Coward

          Re: patriot act

          "trying" - not succeeding. See the other comments. This is all posturing and a battle that the US cannot afford to win. The real battle is over the currently negotiating EU/US trade agreement.

          If Microsoft lose the "battle", they will immediately lose billions of dollars of EU and other territory revenue. Many EU governments for example have heavily invested in Office 365 and Azure. This would have to be canned if the US were to force the issue.

          MS have also hedged their bets by restructuring world-wide so that they can spin off segments in a hurry if absolutely necessary.

      2. Anonymous Coward

        Re: patriot act

        It is nowhere near that simple. And as stated above, Microsoft in particular have already restructured themselves in different territories to prepare for such an issue. However, as previously stated, the US government cannot afford to win such a battle. It is all posturing. The main battle is that of the current EU/US trade negotiations.

    2. big_D Silver badge

      Deutsche Telekom has a large number of data centers and provides a wide variety of cloud services and cloud computing.

      There are also some large independent cloud providers in Europe as well.

      1. Anonymous Coward

        Deutsche Telekom's hosting isn't exactly cheap though. :(

  5. Madeye

    Patents?

    If we take at face value that European versions of existing US based services will need to be created to address the European market, where does this leave the matter of patents? Some services are only realistically created in certain ways. If a US company holds the patent on this method, how can a European company create a similar service? Does this require a re-evaluation of the patent issue or do we accept that such a service will not be available in Europe?

    1. big_D Silver badge

      Re: Patents?

      As it is mostly software, no problems, you can't patent software...

      Or the cloud companies could start selling their technology to European companies to run independent cloud services in Europe, with a no competition clause for US territories.

    2. Laura Kerr

      Re: Patents?

      A fair point, but I'd guess that if it's considered sufficiently important, the European response to the lawsuit will be that given in Arkell v Pressdram.

      1. Justin Clift

        Re: Patents?

        Yeah, the Arkell v Pressdram response would be appropriate. :)

    3. Gordon 10

      Re: Patents?

      It's worth noting that the European position on software patents whilst fubar is several orders of magnitude less fubar'd than that stinking mess in America. Therefore most of them wouldn't apply as the concepts they cover simply aren't patentable in Europe.

      The EPO states that they don't issue software patents full stop but there are a few things they have allowed that are yellow, waddle and quack.

  6. phil dude
    Paris Hilton

    accept...

    I don't trust the European governments to be any better than the US - especially when there isn't even a constitution to argue about.

    The reality is those in "power" (might be government, could be your local mobsters) will always want to be able to control the flow of information, and to know "what are the private thoughts of the troublemakers".

    Not sure if I have an opinion on this, other than use PGP/OTR etc.. where I can.

    I just wish I had a one-time CC number, so I did not have to share that!!!

    See Icon - we are all f*cked.

    P.

  7. Anonymous Coward
    Trollface

    Usual suspects, I see

    What a lot of fuss over nothing by lefties! Must have something to hide!

  8. Tom Chiverton 1

    Umm

    "Carrier grade intermediaries will host the private key,"

    All together now... man in the middle.

    Is there some issue with running SMTP and IMAP over TLS ? It's not exactly hard...

    1. Anonymous Coward

      Re: Umm

      > Is there some issue with running SMTP and IMAP over TLS ? It's not exactly hard...

      Yes. That encrypts the payload during transit, not while it's sitting on the server, waiting for a bored and unprofessional sysadmin to vi your emails, or worse.

    2. Anonymous Coward

      Re: Umm

      Who's your certificate signed by?

  9. Anonymous Coward

    Wishful thinking

    With cloud ransom-ware, privacy as a token phrase and undermining of property rights all as the current standard of software sales it's about time we had something to shake things up.

    I hope that more competitors will mean greater end user choice.

  10. This post has been deleted by its author

  11. The HLM

    Good news for European startups

    It is about time European startups get more exposure and operate within a secure European framework.

    There is a reason I only trust my most confidential data to a company based in Europe and not in the US.... Not that it contains anything of interest for them, but it is my private data and I like to keep it that way. I can access it anywhere as the complete communication is encrypted.

  12. Anonymous Coward

    Well, this is a half measure. It'll get Europe off of Gmail if it works well enough, but if it does, it'll be a huge target. The security/encryption gaps WILL be exploited.
