Cheers Ireland! That sorts our Safe Harbour issues out – Dropbox Following Twitter’s lead, Dropbox will treat Africans, Asians and Australians as Europeans from June 1. The file transfer site has updated its privacy rules so that all accounts outside North America will be managed by Dropbox Ireland. This means that stricter European data protection laws will apply, rather than US rules. …
Doesn't the patriot act allow the us to order any company with a presence there to hand over any data whereever it's held? Microsoft seems to be in an ongoing battle about something like that (which isn't even a 'real' patriot act case, if I remembe correctly, because nobody would know about it if it was).
So when Safe Harbour is axed, american companies will simply start losing their customers (the ones that have their brains in gear, that is...), whether they store their data outside the us or not.
Good for Dropbox. I know of two significant cases where US companies have lost out on deals because of lack of trust that the US government wont just take the data. I'm honestly starting to think that the US government wont be satisfied until they have driven all data business offshore.
In response to the OP's question about what good it will do, it's a legal commitment from the company to protect your data so you have assurance that they're not handing it over to the US government. They COULD hand it over, but just because the US government tells them to, wont mean that they aren't breaking laws in Europe to transfer that data over. It's a pretty clear statement from a company as to what they will and wont do. It's the difference between saying "we make no promises" and "we're making a promise and it will severely damage our business if you catch us breaking it and you can probably sue us for it, too".
Worst case scenario if US government plays really hard, is to take their ball and go home (to Europe). MS would find that really painful as well as it damaging relations with the US government so for them it would be an absolute last resort that I don't know they'd ever do (though they're fighting extremely hard to keep from handing over data so credit to them). A company like Dropbox? Yes - they could relocate.
They COULD hand it over, but just because the US government tells them to, wont mean that they aren't breaking laws in Europe to transfer that data over.
Most such demands come with gagging orders. Breaking the law is easy when nobody knows it's happening.
As for data being stored in Ireland, has any assurance been given that employees in the US won't be able to access it remotely? Without that assurance the location of the server or who it's being managed by is irrelevant.
As things stand US company = US law. If safe harbour isn't acceptable then neither is using a US company for services.
>>"Most such demands come with gagging orders. Breaking the law is easy when nobody knows it's happening."
Well obviously there are no consequences to breaking the law if you don't get caught, that's not the point. The point is that they would now be breaking the law and they really don't want to do that.
>>"As for data being stored in Ireland, has any assurance been given that employees in the US won't be able to access it remotely"
Access to the data is part of the data protection laws. You don't get around them by simply saying the file the person was reading was on a server in Ireland - you're still granting access to people who shouldn't have it and transmitting it outside the agreed jurisdiction.
This is utter tosh - seriously. If the US gov approach Dropbox with a s215 order (which always comes with a gag attached) are you seriously going to tell me that the executives from Dropbox are going to refuse and go to jail instead? Don't be ridiculous.
This is a PR stunt and nothing more, it makes absolutely zero difference to the US surveillance machine being able to access that data. Furthermore, the Irish DPA can't do jack about it - they don't even have the power to issue fines/penalties.
Please go and educate yourself on the matter, it might save you the 5 minutes it took you to write that nonsense you wrote above.
Absolutely correct, in the Microsoft case the DoJ is using the Stored Communications Act because it really is that easy for the US gov to demand data from US companies. Of course s215 of the PATRIOT Act could have been used as well and will probably be the instrument used in these situations where US companies are setting up subsidiaries in Europe (Twitter, Dropbox etc.) as it comes with a gag order.
I wrote about the situation here:
http://itsecurity.co.uk/2015/03/eu-data-centers-are-not-safe-from-us-surveillance/
The problem is there is a huge amount of mis-reporting on the issues in the general press and I am still trying to figure out if that is down to a lack of fact gathering or a vested interest to support the deceptions.
Isn't this just the sort of thing that Worstall has been hammering on about? namely just because you're the bbiggest game in town now doesn't mean that people won't look elsewhere if you make unsuitable to continue to do business with a country.
Also, so much for America's much vaunted freedoms. How do they not see the damage they're doing to they're reputation?
"Also, so much for America's much vaunted freedoms. How do they not see the damage they're doing to they're reputation?"
I think they do, for some values of "they". In fact, the whole affair is shaping up as the irresistable force of money meeting the immovable object of the security hawks. (Given the difficulties of amending the US constitution to turn it into a police state, my money's on the, er, money.)
In fact, the whole affair is shaping up as the irresistable force of money meeting the immovable object of the security hawks.
As it generally does. US history is one long tussle between the public and private sectors for access to resources. As Heilbroner pointed out in 21st Century Capitalism (and it's hardly a novel observation), one advantage liberal capitalism has over centrally-planned economies is this tension between Business and State, which helps obstruct the worst excesses of both.
Of course the surveillance state is good business too, for many, just as other aspects of the Eternal War on Everything are. But as you suggest, it reaches a point of diminishing returns, and then more and more of the moneyed interests start pushing back. Add to that the normal pendulum of public opinion ("We don't know anything, but we don't like whatever's happening right now!") and we'll likely see another period of "reform" where government overreach is trimmed back a bit for a little while, and everyone nods sagely and observes that we've learned our lesson this time.
I'm in the middle of an ongoing correspondence with Dropbox about this. So far they have been unable to list a single concrete example of the specific benefits that being a customer of Dropbox Ireland will give me.
It's rather suggestive to me of the fact that they're doing it for tax purposes rather than out of the goodness of their hearts and concern for their global customers' privacy.
This article might be absolutely on the money, but it feels more like someone's fishing around for a justification after the fact.
If it had anything to do with data legislation, then the little clause about dealing with legal issues would point to a european court, instead the T&C's they give for overseas customers still point to all legal issues being dealt with in a Californian court.
The problem is that this only works if Dropbox Ireland is entirely independent off Dropbox US, and not a subsidiary because they are otherwise exposed to political and judicial leverage. Ditto if Dropbox Ireland management has US passport holders in it, and if Dropbox Ireland uses US capital.
It's not just about laws, it's also about leverage. Come to think of it, what evidence is there that storage isn't, err, "leaking"?
If Dropbox are still transferring data outside of the EU, then they are still going to be relying on SafeHarbor regardless of where the account is managed.
The only way it makes any difference is if Dropbox change the way their system works and they specify that data doesn't leave the EU.
The way I read it is that all non-US data will be hosted in the EU. If a customer is non-EU and moves data in/out of that storage there is no problem as it is their data so Safe Harbour does not apply. The problems would only come if Dropbox move it without the customer asking them to.
It's not about where your data is hosted, it's about where your legal agreement with the company is hosted.
A legal agreement hosted in Ireland will need to meet different legal requirements and will answer to different courts than a legal agreement hosted in the USofA (according to International law at least, even if the Merkins disagree)
Within that legal agreement will be the terms that cover where your data is hosted and those should be in line with the regulations in force in the country where the legal agreement is hosted.
It's not about where your data is hosted, it's about where your legal agreement with the company is hosted.
It's a bit more complex than that, because the company also has to comply with the laws where it is located, and on top of that you also have the jurisdictions of all the countries through which your data travels - a factor you usually have no control over but which could in Europe involve countries such as Sweden where the FRA law was only tuned down a bit after protest.
Dropbox irish company is a wholly owned subsidiary of Dropbox in the US as far as I can tell and as such PATRIOT and FISA still apply - US gov can force Dropbox to hand over data/give access to systems with the same secret court orders and gag orders as they could if the data was held in the US.
This is nothing but sleight of hand intended to mislead customers into thinking that their data will no longer be subject to US surveillance laws - it is wholly unethical and intentionally misleading. Personally I trust any company which uses such tactics even less than I trusted them before.
I recently wrote about the situation here:
http://itsecurity.co.uk/2015/04/is-twitter-misleading-its-users-on-data-protection/
I really wish the press would start to make this point clear in their articles - by failing to mention it they are basically complicit in the deception. It is poor reporting at the very least.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
