Privacy winds blow through Clouds towards Switzerland

Cloud services are one of the major changes to the way companies use computing services, but the weather may be changing as a consequence of increasing activity of European Data Protection watchdogs. Whereas US citizens and companies have to contend with ever decreasing rights to privacy, EU companies will come under pressure …

COMMENTS

This topic is closed for new posts.
  1. Silverburn
    Black Helicopters

    Point of order: Privacy is not secrecy, before anyone asks. But yes, privacy ftw here - just don't ask about the communal naked saunas. Some exceptions are allowed.

    1. Gannon (J.) Dick
      Mushroom

      And secrecy is not a cultural value

      And, communal naked saunas are way too much information. Considering the old goats invited to Davos, the mere mention of com ... commmu ... Shit, I can't even say it.

  2. Anonymous Bosch

    So, who are these Swiss Cloud providers?

    Inquiring minds want to know. And to see if they also have facilities in Canada.

    1. Evil Auditor Silver badge
      Trollface

      Re: So, who are these Swiss Cloud providers?

      Ask Peter Houppermans. As a privacy and IT security expert based in Switzerland he surely can help... Honi soit qui mal y pense.

      1. p.houppermans

        Re: So, who are these Swiss Cloud providers?

        "he surely can help"

        Sure, but it's a "piece of string" question - without knowing requirements it's hard to point you at the right people (each has their own focus). A useful trick is to see if they carry banks, because that means the provider has to conform with FINMA standards and you just enjoy the benefits of annual audits without having to do them yourself.

        1. Anonymous Coward
          Anonymous Coward

          Re: So, who are these Swiss Cloud providers?

          PH is completely correct - the banks here are extremely anal about this sort of thing.

          Try starting with Swisscom, who do provide a "benchmark" secure hosting service that is "bank approved", and work outwards into the market from there, depending on your specific requirements.

          Note: Secure hosting is not the same as cloud hosting, even in CH.

  3. Anonymous Coward
    Anonymous Coward

    Switzerland is NOT a safe haven

    US authorities have forced the shutdown of their oldest bank where our (more affluent) cousins stashed their (ill-gotten, no doubt) profits, safe from the hands of the US tax man. Well, it appears those hands are MUCH longer than the good Swiss bankers banked on. So I will venture a guess; similar assurances about Swiss data vaults and clouds are, well, just a fluff.

    1. This post has been deleted by its author

    2. p.houppermans

      I was expecting this argument to come up, and there are a couple of answers to that. I'm going to keep away from the political dimensions, because that's a whole story in itself.

      First of all, if you do something illegal, Switzerland is no help to you either because agreements for international collaboration are in place. Privacy is a right, but you also have an obligation to behave lawfully or the state can use its privilege to lift your privacy and check what you're up to.

      Secondly, Switzerland is a democracy, and what the US did to gain that bank data was blackmail (a fishing expedition instead of normal due process). This story is long from over, because what happened broke Swiss law and not all of it has been dealt with. You can see that, for instance, with what is now happening with the collaboration with Germany where the government have (a) written out arrest warrants for the German officials involved (http://www.spiegel.de/international/europe/germany-and-switzerland-wrange-over-tax-offical-arrest-warrants-a-825443.html) and have (b) told Germany that investigations based on illegally obtained information are out of the question. The net result is what I alluded to in the article: the Swiss stance to privacy violations is hardening, with positive consequences for the legal framework protecting your information. In Europe, the EU Justice Article 29 Working Party is looking at improving privacy, but as long as the use of the backdoors to this law is not controlled and audited you retain IMHO the problem.

      Thirdly, get the corporate lawyer to compare privacy laws. Switzerland is the only nation which has no uncontrolled backdoors in its privacy laws. When I help corporations with client privacy, I don't need to say much on this topic - I just ask the corporate lawyer to investigate and point him or her where to look. That way, the corporation has its own independent confirmation.

      1. Silverburn

        In addition to PH's comments, there is the law of unintended consequences...

        The Swiss know they got shafted by US gov, so now, you'll be hard pressed to find any CH bank that will accept *new* US customers - there are only a few now that will, and there are restrictions and agreements you have to sign. Some have even got rid of *existing* US customers.

        They don't want to comply with the US playground bully in the future, so this is merely the Swiss way of politely exiting the playground altogether and saying "We have no US customers to disclose on, so f* off".

      2. Anonymous Coward
        Anonymous Coward

        @p.houppermans

        So, in other words, the Swiss will respect your privacy right up until the US shouts "jump!" —at which point they'll join in the global chorus of "How high?", just like every other lickspittle nation on the planet.

        So the point of this article was...?

  4. Dare to Think
    IT Angle

    If you are concerned about your intellectual property

    ....you might as well create a private cloud, apply to be a CA, include good x509 attributes, set up a well encrypted VPN, etc. It's easier than you think, gives you more control about your security architecture and in the long term - from what I have seen - is cheaper.

  5. Khaptain Silver badge

    This article is not really very detailed or factual

    Please read the following link; most notably articles D and E.

    The link is direct to the Swiss Governmental website

    http://www.admin.ch/ch/f/rs/235_1/a6.html

    Here is a translation for the non French speakers (it's a Google translation because I am too lazy) of the sub article 2 and then 2.d

    There are definitely exceptions which will allow data to be communicated to other countries outside of Switzerland

    Title : Transborder communication of data

    1 No personal data can be communicated abroad if the data subject should be seriously threatened, especially because of the absence of legislation providing adequate protection.

    2 Despite the absence of legislation providing adequate protection abroad, personal data may be communicated abroad, the following conditions only:

    a. sufficient safeguards, including contractual, can ensure adequate protection abroad;

    b. the person concerned, in this case, given his consent;

    c. the treatment is in direct relation with the conclusion or performance of a contract and the processed data concerning the other party;

    d. the communication is, in this case, is essential to the preservation of an overriding public interest or for the establishment, exercise or defense of legal claims;

    e. the communication is, in this case, necessary to protect the life or physical integrity of the person concerned;

    f. the subject has made the data accessible to everyone and she has not formally opposed to treatment;

    g. the communication takes place within a legal person or company or between legal entities or companies united under a single direction, to the extent the parties are subject to data protection rules which guarantee a level of protection adequate.

    The Swiss will not protect your information in all circumstances.......They will definitely open up the links when required...

    1. p.houppermans

      Re: This article is not really very detailed or factual

      The article would be 3x as long and no longer fit if I had to fill in all the detail :).

      The exceptions you quote only come into play *after due process*, and that is by default quite rigorous in Switzerland.

      1. Khaptain Silver badge

        Re: This article is not really very detailed or factual

        I work for an international company and we have an office in Geneva. We asked our "Swiss" lawyer to verify data security in Switzerland compared with several other European countries, most notably France, UK and Poland (most of you can probably guess who the Cloud provider was.......).

        For obvious reasons I cannot publish her response but basically it came down to the fact that our data was no safer or more insecure in any of those countries than it was in Switzerland.

        In the end we chose a company based in Switzerland but solely based on the fact that we managed to strike a cheaper deal with them than one of the major players. We heavily discussed the security side of things and we accepted the fact that even though the data was held in Switzerland it held no advantage whatsoever other than the fact that I could easily visit the data centre.

        One of the other problems with the "Cloud" providers is that their terms and conditions often include clauses whereby other succursals in other countries also have access to the servers. The hell desks/service desks can actually be found in some strange places outside of the hosting country. It's not easy for Data centers to pay onsite 24 hour staff....

        It's simple: nothing that requires true security should ever go into the cloud.

        "after due process": This does not present a major issue for large corporations or governments - in Switzerland, as in many other places, money talks...

        Can you please reason arguments as to why Switzerland is truly any safer...

        1. p.houppermans

          Re: This article is not really very detailed or factual

          You've touched on the major issue here:

          "One of the other problems with the "Cloud" providers is that their terms and conditions often include clauses whereby other succursals in other countries also have access to the servers. The hell desks/service desks can actually be found in some strange places outside of the hosting country. It's not easy for Data centers to pay onsite 24 hour staff...."

          Personally I'm uncomfortable with the term "Private Cloud" because the "private" means you should be very clear about what works where and with who, whereas the "cloud" part is too vague.

          I spent quite a lot of time with various lawyers looking at the same issue - you *can* do this if you have a 100% Swiss company and know what the complete picture looks like. There are also plenty call services in the country itself and almost all of them are multilingual as the nation itself is, so you can contain that aspect too.

          As for service access: choose a provider who hosts banks. Their admin interfaces are not allowed to be reachable from outside Switzerland. This is why, for instance, Postini had to get themselves an office in Zürich when it was filtering email for Swiss companies (with a Swiss data centre). When Google bought them this service was terminated.

          As I observed somewhere else before, the picture is a tad more complex than I can drop into a short article - it needs a strategic view. In the end it remains a risk assessment, just with more variables. You look at the law and how it is applied, the politics, national attitude in general, availability of talent and during company evaluation you also look at the other work they do, how they go about it, how staff is screened - the full picture. The technology and security elements are pretty much the more standard elements of the mix. This leaves a few providers that are capable of making it happen as described, and I suspect that number will grow.

          1. Khaptain Silver badge

            Re: This article is not really very detailed or factual

            I agree with your reply, it is a very difficult subject.

            "you *can* do this if you have a 100% Swiss company"

            Again I agree but all of the servers would have to be held within "100 % Swiss" data centers which are not so easy to find and that same provider would also have to have several locations and not "rent" space/servers from the larger providers.

            Personally I do not know of any 100% Swiss solutions, although they probably do exist. In the Geneva region I only know of IBM and Interoute, neither of which are Swiss. I don't know if Equinix is Swiss or not?

  6. ratfox
    Happy

    Switzerland does not cooperate when sources were acquired illegally

    So, suppose just for instance that a rogue bank employee went to the German government with a CD full of Germans trying to hide their money in Swiss banks. Since revealing the name of bank customers is a crime in Switzerland, Switzerland will not help with the investigation.

    This is of course a purely hypothetical example!

    1. p.houppermans

      That is my understanding of this (rather recent) change in approach, which makes sense IMHO (although I'm not a lawyer). If the Swiss would help, they themselves would start an investigation on the basis of illegally obtained information.

  7. Anonymous Coward
    Anonymous Coward

    isn't "Crypto AG" Swiss?

    I wonder if they will host an impressively secure cloud? (there's a back-story to Crypto AG, allegedly)

    Furthermore, FISAAA §1881a (Foreign Intelligence Surveillance Act Amendments Act 1881a, http://www.gpo.gov/fdsys/pkg/PLAW-110publ261/html/PLAW-110publ261.htm) includes "PROCEDURES FOR TARGETING CERTAIN PERSONS OUTSIDE THE UNITED STATES OTHER THAN UNITED STATES PERSONS". FISAAA was successfully voted on December 29th 2012 in the US Senate for extension until Dec 2017.

    1. p.houppermans

      Re: isn't "Crypto AG" Swiss?

      The Crypto AG story is probably the best known story of communication subversion by the US. In that context it is indeed worth examining US law, and the sum total of the US PATRIOT Act and FISAAA seems to suggest that when you plan to procure any secure private cloud services it requires a check that the organisation in question is free of any US connections or you have a legal problem from the start.

      This is what I tend to find with a lot of private clouds: technically from OK to very well designed, but holed under the waterline by applicable laws.

  8. Anonymous Coward
    FAIL

    au contraire

    "Companies with intelligent lawyers will eventually discover that cross-jurisdictional IT deployment offers the only route to secure storage."

    Bollocks, Bollocks and thrice I say Bollocks. Companies with intelligent lawyers will avoid The Cloud(tm) altogether. Only an idiot subjects themselves to the misery of multiple legal jurisdictions unless they have to.

    1. p.houppermans

      Re: au contraire

      Any sizeable company has to handle multiple jurisdictions. The intelligent approach is to make that work for you.

      Incidentally, there is no trademark on "The Cloud" - the US PTO decided in 2008 after a Dell trademark application for "Cloud computing" that it was a generic term, seen as merely descriptive.

      (see http://www.informationweek.com/cloud-computing/infrastructure/no-one-owns-the-cloud/229100115).

      1. Anonymous Coward
        Stop

        Re: au contraire

        'Any sizeable company has to handle multiple jurisdictions...'

        Wrong. Or at least wrong in the way you mean. The set of companies that are transnational and at the same time don't already have their own IT infrastructure in place is far smaller than you seem to think. Now if I have my own infrastructure I'm not going to be easily seduced by a carpetbagger spruiking their cloud because I don't need it and despite what you seem to think, keeping data in multiple legal jurisdictions is a damn nightmare if for no other reason than the compliance rules are often contradictory.

        So if I'm currently operating in the EU only, then I'd have to be almost criminally stupid to store my data outside the EU. Switzerland, the US, China, doesn't matter because I've immediately magnified my legal and compliance pains beyond any possible benefit. In a nutshell, you can't outsource risk.

        'Incidentally, there is no trademark on "The Cloud" ..'

        Congratulations, I've been doing that schtick for almost a year now and yours is the first case of sarcasm failure ..

        1. Anonymous Coward
          Anonymous Coward

          Re: au contraire

          Oh, I've only seen large UK law firms decamp their IT to Switzerland, clearly they don't have a clue..

          /sarcasm

          Maybe you should examine the applicable laws. EU Data Protection laws have backdoors introduced by anti-terror legislation which forego due process. If you're a company handling confidentiality, that alone is enough to worry about EU based hosting. Swiss laws don't, plus they have had their fingers burned by the US often enough to now be very strict about it. Check with any lawyer who works in more than one country - the facts are clear.

  9. JetCityOrange

    Switzerland? That's why I use Wuala!

    Yes, Dropbox is convenient and easy to use. I much prefer Wuala for two reasons: a.) files are encrypted on your machine *before* being uploaded to the cloud and b.) Wuala's servers are in the EU with their stricter privacy laws and controls. Wuala has its servers in France, Germany, and Switzerland. http://JetCityOrange.com/wuala/

  10. Anonymous Coward
    Anonymous Coward

    get a clue on US-CH Safe Harbor

    Switzerland signed roughly the same (possibly worse) Safe Harbor agreement with the US as the EU, the latest rev in 2008. There's absolutely zero oversight as to what happens to data once they enter those US "safe harbors". See Hackin9 mag's May 2011 piece on cloud jurisdiction for a blunt take. Anyway, as long as clueless organisations like the private banker's association use Google Analytics, there's enough connect-the-dots data to piss off US investigators -- say when a UBS director tries a poker bluff and lands in jail -- at that point, whether evidence is court-admissible is irrelevant. Switzerland's "secrecy" evaporated years ago; whoever still believes in it deserves to be caught.

    1. Anonymous Coward
      Anonymous Coward

      Re: get a clue on US-CH Safe Harbor

      'Switzerland's "secrecy" evaporated years ago; whoever still believes in it deserves to be caught.'

      Maybe, just maybe you should examine where you got that impression from. If you just follow the publicity you have indeed fallen for the key reason why the US went after Swiss banks: to create that impression. The US strategy here is clear: it is badmouthing Switzerland, and so conveniently taking the spotlight off the one entity which caused real harm (aka the 3rd global economic crisis): Wall Street.

      This has little to do with "evil tax evasion" and other BS (the US has plenty routes of its own): what you see is economic warfare because Wall Street has once again screwed up badly so it needs someone else to point to.

      The problem with the Swiss is that they are far too naïve - it has taken their government several years to realise what was really going on, which is why the original US blackmail for data succeeded. It took years for their stance to harden (the word "clueless" has been uttered in many places in this context). Given that Switzerland is a real democracy where people vote almost monthly on issues it is more and more evident that the show is now over for the US. Blackmail works when you have leverage, but the mass exodus of Swiss banks from the US has done one thing which hurts: their capital has left with them. Hence the warfare - the US *desperately* needs that money to leave Switzerland.
