On its way: A Google-free, NSA-free IT infrastructure for Europe

This really wasn’t in the script. All conquering, “disruptive” Silicon Valley companies were more powerful than any nation state, we were told, and governments and nations would submit to their norms. But now the dam that Max Schrems cracked last week has burst open as European companies seek to nail down local alternatives to …

  1. Dan 55 Silver badge
    Meh

    Telecos. Oh.

    Given, say, the epic failure of telecos to address the rise of yankee imperialist running OTT services via the GSMA (see Joyn and Firefox OS as examples), I wouldn't get my hopes up just yet about them managing to coordinate IMAP, certificate, and secure DNS services between themselves.

    1. Mephistro

      Re: Telecos. Oh.

      At least they're trying!

    2. James 100

      Re: Telecos. Oh.

      The beauty of the Internet is that we don't need much coordination of that. We have secure DNS facilities, we just need to enable them ourselves. I did on my domains ages ago - TheReg, of course, is a decade behind as usual: no IPv6, no DNSSEC, no SSL: http://dnsviz.net/d/theregister.co.uk/dnssec/

      IMAP's a bit of a red herring here - it's normally used over SSL anyway, the weakness is actually in the SMTP delivery of mail between systems, where TLS is optional. That's one security facility TheReg *does* actually have enabled ... but only because they outsource their mail to Google.

      If we have decent crypto on each end, the bits in the middle don't actually matter any more. If I email theregister.co.uk, tapping the backbone or submarine cables will get GCHQ and co nothing but encrypted gibberish - they'd have to rely on something like PRISM to get the mail from inside Google itself to know what the message said.
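The hop-by-hop point made in the comment above can be checked on any delivered message, because each receiving server records in its `Received:` header whether the session ran over TLS (the RFC 3848 `with ESMTPS`/`ESMTPSA` keywords). This is an added example, not part of the original thread; the sample message, host names and function names are constructed for illustration.

```python
import re
from email import message_from_string

# "with" protocol keywords registered by RFC 3848 that mean the SMTP/LMTP
# session was wrapped in TLS (a trailing "A" means the client authenticated).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample: submission over TLS, server-to-server relay in
# cleartext (opportunistic TLS was not negotiated), internal hop over TLS.
# Received headers are prepended, so the newest hop is at the top.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
    by store.recipient.example with ESMTPS id c3;
    Wed, 14 Oct 2015 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
    by mx.recipient.example with ESMTP id b2;
    Wed, 14 Oct 2015 10:00:02 +0000
Received: from laptop.sender.example ([192.0.2.55])
    by out.sender.example with ESMTPSA id a1;
    Wed, 14 Oct 2015 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body
"""


def _clause(name, text):
    """Return the token following a Received clause keyword, or None."""
    match = re.search(r"\b%s\s+(\S+)" % name, text, re.IGNORECASE)
    return match.group(1) if match else None


def hops(raw_message):
    """List the message's hops in chronological order with a TLS flag."""
    msg = message_from_string(raw_message)
    result = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())      # unfold continuation lines
        clauses = flat.split(";", 1)[0]     # drop the trailing timestamp
        proto = (_clause("with", clauses) or "").upper()
        result.append({
            "from": _clause("from", clauses),
            "by": _clause("by", clauses),
            "with": proto or None,
            # A missing or non-TLS keyword is treated as "not protected".
            "tls": proto in TLS_KEYWORDS,
        })
    return result


def cleartext_hops(raw_message):
    """Return (from, by) pairs for hops that did not record TLS."""
    return [(h["from"], h["by"]) for h in hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in hops(SAMPLE_MESSAGE):
        state = "TLS" if hop["tls"] else "CLEARTEXT"
        print("%-9s %s -> %s (%s)" % (state, hop["from"], hop["by"], hop["with"]))
```

A `Received:` line written by a server outside your control can be forged, so only the lines added by your own infrastructure are reliable evidence of how a hop was carried.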

    3. Anonymous Coward

      Re: Telecos. Oh.

      I have worked for 15 years for Telcos.

      I just don't think they have the expertise. They have long outsourced almost everything...

      1. Gordon 10

        Re: Telecos. Oh.

        Not to mention that they were totally penetrated by the spooks shortly after the telegraph was invented.

  2. tkioz
    Holmes

    It was only a matter of time, American businesses will scream bloody murder but they only have themselves and their government to blame for ruining their reputation.

    1. kmac499

      I'm sure they will, citing all sorts of anti trust and freedom of speech guff no doubt.

        Maybe we could suggest that they could always host stuff in Europe, but then of course they might have to pay tax in Europe on profits created here..

      1. Peter2 Silver badge

        The problem is that even if Microsoft has stuff stored in Europe the US courts can demand that their Ireland Branch produces the data without due process in Europe in violation of international agreements like Safe Harbour. Given that Microsoft has a court order to do precisely this, it's not a hypothetical issue.

        US companies could even be required by the US courts not to disclose having been made subject to an order, which makes it impossible to challenge said order or even monitor for misuse, which means that no agreement an American owned company can make is worth anything.

        1. sysconfig

          "The problem is that even if Microsoft has stuff stored in Europe the US courts can demand that their Ireland Branch produces the data without due process in Europe in violation of international agreements like Safe Harbour. Given that Microsoft has a court order to do precisely this, it's not a hypothetical issue."

          They're still debating/resisting that though, or did I miss any recent news?

          If M$ Ireland are indeed forced to hand over the data to the US slurpsters, then it only goes to show that the US haven't understood the gravity of the situation yet; it would worsen the situation by quite a margin (for US companies trying to do business over here)

          1. a_yank_lurker

            I wonder how fast America's Native Criminal Class aka Congress (hat tip Mark Twain) would change the law if say Apple, MS, and few other big buys reorganized themselves as say Irish companies.

          2. Anonymous Coward

            It is still being fought and it is a fight the US government cannot afford to win since if they do, US businesses (who after all control all of the US legislation that goes through) will lose USD billions.

            Microsoft know that which is why they are fighting it tooth and nail. It has nothing to do with any previous history of data sharing.

        2. John Smith 19 Gold badge
          Unhappy

          "US companies could" "be required by the US courts not to disclose"

          Could ?

          Could ?

          Have.

          Multiple times.

          THE PATRIOT Act trumps pretty much anything.

        3. SImon Hobson Bronze badge

          > The problem is that even if Microsoft has stuff stored in Europe the US courts can demand that their Ireland Branch produces the data without due process ...

          And in this case, you need to look a bit deeper.

          AIUI, Microsoft recognised this train crash was coming along - some time in advance. They have structured things so that the datacentre in Ireland is operated by an EU based company and with access restrictions that prevent the US company staff from directly accessing the data. At least, that's how I've been reading things.

          So regardless of the outcome of the legal case, Microsoft US cannot hand over the data as they simply can't access it. The bosses there can "instruct" the management over in the EU to hand it over, but of course will get a blunt "no, that would be illegal" response. In effect, the very worst that MS US can do is start firing managers of the EU business unit - but if they try that then they'll quickly find out about "unfair dismissal" laws as well !

          So if MS lose the case, the TLA still don't get the data, but the US makes itself look even more foolish. I suppose it also means that the EU managers refusing to break the law will also have to forego ever setting foot within US jurisdiction for the rest of their lives as well since I guess the same idiot judge would probably file a warrant for contempt of court against them.

          Really, the US government, TLAs, and courts need to find a way to back down on this before it blows up big time in their face.

          It's a very different situation from a US based company directly owning/operating, and having access to a datacentre that just happens to be located in the EU.

          1. Anonymous Coward

            Yes, +1 for a good analysis.

          2. dan1980

            "Really, the US government, TLAs, and courts need to find a way to back down on this before it blows up big time in their face."

            But The US is awesome. Bowing to the EU would be admitting the US is not awesome. And that would be bad. Because they are awesome.

            1. This post has been deleted by its author

    2. Thought About IT

      With GCHQ acting as a subcontractor of the NSA, won't the Yanks get our data anyway?

      1. Anonymous Coward

        Yes

        And Microsoft has been cooperating with the NSA from time immemorial - the other guys just copied them.

        Clever move by Microsoft to suddenly raise a loud objection in a lawsuit as if up till now they had never given NSA anything prior to this. It is truly misleading.

        1. Gordon 10

          Re: Yes

          To be fair to MS it's a different agency asking for the data - one without a War On Terror mandate and less sweeping legislation supporting it, and one without a capability to have black bag jobs performed on request.

          If you were a yank (or a yank business) and the spooks rocked up at your door you would most likely comply out of fear, whereas if it were the Plod you'd tell them to f*ck right off and come back with a warrant - which is precisely what MS are doing. (for warrant read follow an existing process).

        2. Anonymous Coward

          Re: Microsoft has been cooperating

          It was interesting how their antitrust thing just disappeared.

          Then they bought Skype. Which previously had a reputation for being hard to monitor.

          Then they gave Nokia a huge bung to drop Symbian. (An OS not covered by the patriot act.)

          Obviously just a coincidence.

    3. big_D Silver badge

      With Safe Harbor and the current case against Microsoft having to hand over data from a European subsidiary to the US Justice Department, the US Government seems to be doing everything in its power to sabotage the US Internet industry, at least internationally.

    4. Anonymous Coward

      It was only a matter of time...

      See "The History of the Decline and Fall of the US Empire".

      1. hplasm
        Boffin

        Re: It was only a matter of time...

        "See "The History of the Decline and Fall of the US Empire"."

        It peaked in 1969 and has gone downhill since.

    5. a_yank_lurker

      Or shut and demand US law mirrors European privacy law

  3. Anonymous Coward

    We all seem

    To be missing that GCHQ is just as bad as the NSA when it comes to data hoarding and from the sounds of it the French want in on the game too, and they'll all share your information as required. I've also said for a while that "if you think the US Intelligence services are above using the information they acquire to bolster the nations economic position I have some magic beans I'd like to sell you"

    Isn't there a bigger question around politicians selling their ignorant populations down the river for a "little bit more security"?

    Britain has had a pretty shady history with surveillance and still does~~~

    And as if to hammer home the point http://www.theregister.co.uk/2015/10/14/wilson_doctrine_gchq_can_will_spy_politicos/

    1. Dadmin
      Paris Hilton

      Re: We all seem

      Very well said. When you read US Empire, don't forget where we learned that from, UK Empire. Sure, we're all friendly to the third-world NOW, but hey look at Putin; he's doing Empire building old school and isn't that a big enough problem yet? I guess not. Look you idiots, Ed Snowden did the right thing to expose what GCHQ/NSA already know, and the US "cloud" industry is fully culpable and capable of handling the fallout from this massive US spying. Unfortunately it's 2015 and I can't begin to tell you how enormously pathetic it is that any first-world country does not already have its own Internet infrastructure that can be decoupled from the rest of the world. You bitch about spying, just cut off the US/China/USSR/WHOEVERTHEFUCK and do biz elsewhere, like at home, until whatever ill you perceive is rectified. You act like Facebook is the only game in town. Get off that crap and talk to real people in the real world. Facebook is just a colossal waste of time, why does anyone need to be on it? Grow some local flavour and stop trying to treat the Internet as some fucking US-owned freeway. It's TCP/IP, go make some content and stop all this "safe harbour" bullshit. Any company worth its salt will be able to compete on a global scale, and abiding by local laws, or don't appear on their Internet. No one is forcing you to go to Facebook/Google/MicroSoft/Apple/etc, you made that mistake yourself. Live with it, or work around it. Unless you really are stupid, then keep sending clear text messages and leaving your stupid wifi open and that will ease your passing.

      1. Gordon 10

        Re: We all seem

        Sir - I wish I could award you both an up vote and a down vote for that magnificent rant. Total class.

    2. DanielN

      Re: We all seem

      Indeed. Every country's intelligence services do anything they think they can get away with, and act with greater impunity the farther from home. If I wanted to hide information from the NSA, I'd do it in Arlington, Virginia, right across the river from Washington, D.C.

      Let us not forget about respect for civil liberties either. The only way to be convicted of failing to spy in the U.S. involves bringing the entire affair in front of a grand jury made up of random citizens. Yes, a secret intelligence court can issue a double-hush mega-secret search warrant. But if you tell them whoops, sorry, you simply cannot find the requested information, the path to criminal conviction runs through a grand jury, followed by a second trial jury. It's a constitutional requirement. Spooky McFBI has a hard time getting convictions of brazen spies, let alone honest men who had enough of political games pretending to be national defense.

      If you want to be afraid of secret courts making their own laws, go to the authoritarian and inquisitorial courts of Europe. The judge, or a small panel of judges, decides what to investigate, how to investigate it, and whether to keep public records. Their standard operating procedures would be considered nearly an act of war in the U.S. Even the British courts are viewed with a jaundiced eye by Americans. That's a nice database your employer has, be a shame if a pedophilia ASBO were to happen to you. Do you seriously think companies like VW are honest, loyal white knights come to rescue you from the evil barbarian Americans? They will cheerfully sell you out for pocket change.

      1. tom dial Silver badge

        Re: We all seem

        (re: DanielN)

        I'm not sure I agree fully, but the points are essentially correct. Understated is the fact that although one ultimately must be tried, in open court, and either convicted or not by a jury of ordinary citizens, law enforcement agencies and prosecutors can easily cause a lot of trouble and expense even when the final verdict is "not guilty". In addition to that, prosecutors, by overcharging, often can avoid the messiness of a trial and the risk of a not guilty jury verdict and get the defendant to plead guilty to one of the lesser charges. The fact is, however, that this happens far less often in cases involving national security than on the local level with more ordinary crimes like murder, assault, robbery, theft, fraud, and drug peddling. National security, pedophilia, or pornography, the most likely to involve electronic data collection, are quite uncommon.

        Still, I suspect all these are roughly as common as here pretty much anyplace there are police and prosecutors.

  4. SuccessCase

    I doubt European telcos can do particularly well with Cloud services except via what amounts to protectionism via the courts (which in itself, in this case, isn't a bad thing). But even then I suspect they will get nowhere, because what we will see is some big effort on the part of the US cloud providers, Amazon, Google, Apple, MS Azure, Salesforce, Rackspace etc to provide secure cloud facilities in Europe who will each establish a European cloud operation subject to European law with the relevant protections the law demands (if they don't already have such or are not working on such already). Just as they have done, but for different reasons, in China. And that will be a good thing.

    On a separate note here, logically, it should be perfectly possible for a datacenter/cloud service to meet European law from anywhere in the world. The law shouldn't limit the delivery of service to a particular geography. There is, of course, the very real practical issue of verification and trust (how do you verify the NSA haven't obtained access) but that shouldn't be insurmountable. If protectionist practice is bad, logically there should be no geographic requirement.

    1. <shakes head>

      patriot act

      sorry but that does not work, as the patriot act is in effect on every US corp, they have to breach EU data laws if asked to. therefore any US corp cannot guarantee the required levels of security and privacy. they could have a separate EU company that they own all the shares of that has servers in the EU and that would work, but they would never be allowed to export that data back to the mothership.

      1. Peter 39

        Re: patriot act

        I don't think that would be sufficient. After all, isn't that exactly the situation with Microsoft? There's a separate EU company (HQ in Ireland, I would guess) and it's wholly owned by Microsoft. Yet the U.S. is trying to force disclosure of the data in the EU datacentre.

        I think that the EU company would have to be fully independent for the separation to work.

        1. Anonymous Coward

          Re: patriot act

          "trying" - not succeeding. See the other comments. This is all posturing and a battle that the US cannot afford to win. The real battle is over the currently negotiating EU/US trade agreement.

          If Microsoft lose the "battle", they will immediately lose billions of dollars of EU and other territory revenue. Many EU governments for example have heavily invested in Office 365 and Azure. This would have to be canned if the US were to force the issue.

          MS have also hedged their bets by restructuring world-wide so that they can spin off segments in a hurry if absolutely necessary.

      2. Anonymous Coward

        Re: patriot act

        It is nowhere near that simple. And as stated above, Microsoft in particular have already restructured themselves in different territories to prepare for such an issue. However, as previously stated, the US government cannot afford to win such a battle. It is all posturing. The main battle is that of the current EU/US trade negotiations.

    2. big_D Silver badge

      Deutsche Telekom has a large number of data centers and provides a wide variety of cloud services and cloud computing.

      There are also some large independent cloud providers in Europe as well.

      1. Anonymous Coward

        Deutsche Telekom's hosting isn't exactly cheap though. :(

  5. Madeye

    Patents?

    If we take at face value that European versions of existing US based services will need to be created to address the European market, where does this leave the matter of patents? Some services are only realistically created in certain ways. If a US company holds the patent on this method, how can a European company create a similar service? Does this require a re-evaluation of the patent issue or do we accept that such a service will not be available in Europe?

    1. big_D Silver badge

      Re: Patents?

      As it is mostly software, no problems, you can't patent software...

      Or the cloud companies could start selling their technology to European companies to run independent cloud services in Europe, with a no competition clause for US territories.

    2. Laura Kerr

      Re: Patents?

      A fair point, but I'd guess that if it's considered sufficiently important, the European response to the lawsuit will be that given in Arkell v Pressdram.

      1. Justin Clift

        Re: Patents?

        Yeah, the Arkell v Pressdram response would be appropriate. :)

    3. Gordon 10

      Re: Patents?

      It's worth noting that the European position on software patents whilst fubar is several orders of magnitude less fubar'd than that stinking mess in America. Therefore most of them wouldn't apply as the concepts they cover simply aren't patentable in Europe.

      The EPO states that they don't issue software patents full stop but there are a few things they have allowed that are yellow, waddle and quack.

  6. phil dude
    Paris Hilton

    accept...

    I don't trust the European governments to be any better than the US - especially when there isn't even a constitution to argue about.

    The reality is those in "power" (might be government, could be your local mobsters) will always want to be able to control the flow of information, and to know "what are the private thoughts of the troublemakers".

    Not sure if I have an opinion on this, other than use PGP/OTR etc.. where I can.

    I just wish I had a one-time CC number, so I did not have to share that!!!

    See Icon - we are all f*cked.

    P.

  7. Anonymous Coward
    Trollface

    Usual suspects, I see

    What a lot of fuss over nothing by lefties! Must have something to hide!

  8. Tom Chiverton 1

    Umm

    "Carrier grade intermediaries will host the private key,"

    All together now... man in the middle.

    Is there some issue with running SMTP and IMAP over TLS ? It's not exactly hard...

    1. Anonymous Coward

      Re: Umm

      > Is there some issue with running SMTP and IMAP over TLS ? It's not exactly hard...

      Yes. That encrypts the payload during transit, not while it's sitting on the server, waiting for a bored and unprofessional sysadmin to vi your emails, or worse.

    2. Anonymous Coward

      Re: Umm

      Who's your certificate signed by?

  9. Anonymous Coward

    Wishful thinking

    With cloud ransom-ware, privacy as a token phase and undermining of property rights all as the current standard of software sales it's about time we had something to shake things up.

    I hope that more competitors will mean greater end user choice.

  10. This post has been deleted by its author

  11. The HLM

    Good news for European startups

    It is about time European startups get more exposure and operate within a secure European framework.

    There is a reason I only trust my most confidential data to a company based in Europe and not in the US.... Not that it contains anything of interest for them, but it is my private data and I like to keep it that way. I can access it anywhere as the complete communication is encrypted.

  12. Anonymous Coward

    Well, this is a half measure. It'll get Europe off of Gmail if it works well enough, but if it does, it'll be a huge target. The security/encryption gaps WILL be exploited.

  13. A Non e-mouse Silver badge

    Business & Data

    It's not just where the data is (Stored or processed) that's the problem, it's who controls the servers. If the Microsoft/Ireland data case goes the wrong way, American companies can look to lose even more EU business.

  14. Anonymous Coward

    "The public-private keypair is generated on the server when the passphrase is entered. In theory that key cannot be trusted. Security experts will say you should never leave your key on the server. But the likelihood that the NSA sits and waits and in that nanosecond grabs it from memory is almost zero."

    No, they'll just find a way to pwn the servers themselves, perhaps use a hacked hardware chip, and just learn the points where the keys are being made, then pass it off as encrypted packets (hey, everything's encrypted; who'll notice a few more?) to the data center in Utah (through a few Tor relays, perhaps, just to disguise it).

  15. Caff

    review?

    Any chance of an article reviewing the software offered by Open Xchange?

  16. D Moss Esq

    Long and boring (I refer to my comment, of course, not the Register article)

    "Kids today", even "phone bloggers", don't pay to lobby the government. Businesses do.

    Living under surveillance causes psychiatric disorders. We know that but it has no traction with the unconverted.

    You get political traction when you lobby government, as businesses do, and with them it's not so much privacy that they need as confidentiality. The secrecy they need when they have a new product coming to market or when they're planning a takeover is generally regarded as legitimate in a way that lying to an insurance company about HIV, to take Andrew's example, is not.

    To get political traction on the downside of surveillance, may I suggest, the argument needs to move from personal privacy to commercial confidentiality.

    NSA pays £100m in secret funding for GCHQ, the Guardian told us in August 2013.

    Money.

    Money is changing hands.

    Surveillance costs money and that money has to come from somewhere.

    While the security services are surveilling all and sundry that must include businesses, not just phone bloggers. The security services must come across not just personal but commercial confidences, e.g. the takeover by Berkshire Hathaway of Heinz, please see Heinz bought by Warren Buffett's Berkshire Hathaway for $28bn: "Shares in Heinz soared nearly 20% in New York to hit the $72.50 price being offered".

    Armed with their advance knowledge, the security services could have secretly bought £100 million-worth of Heinz and tucked a £20 million profit into the budget a few days later.

    That wouldn't go down well with Berkshire Hathaway or any of the other rich-as-Croesus enterprises who spend a fortune on political lobbying. That's where to get the traction.

    And if the result is secure-ish email for businesses then individuals as well will get secure-ish email.

  17. Afernie

    This is a good start

    But there also needs to be the level of usability and feature set we see with the Google/MS offerings. Target hearts and minds, because there are plenty of users out there who will NEVER consider the privacy implications. For their own good they need to be sold on features with the privacy angle seeming to be a bonus.

  18. Tikimon
    Happy

    YESSSS!!!!

    This is exactly what's needed to MAYBE get some useful change happening.

    Until now, US business has been the beneficiary of the "steal whatever you want" regime. More data = more profit, so it's all good and screw those pesky individuals. Well, now this behavior will begin to LOSE business for them. That's the only thing that will force a change, and as an American citizen I'm thrilled to see it beginning. Because yanno wot? I don't want to be spied on and data-raped either. The rollback has to start somewhere.

    MORE EU OUTRAGE PLEASE!!!

  19. JaitcH
    WTF?

    " ... any data protection guarantee that a US company makes in Europe is worthless ..."

    Given that GCHQ would be on the 'inside' and that NSA's main EU spying office is Germany - where it accesses Russia and satellite InterNet signals - where is the protection?

    Another scene from Security Theatre.

    1. heyrick Silver badge

      Re: " ... any data protection guarantee that a US company makes in Europe is worthless ..."

      Another scene from Security Theatre. - not necessarily. If an EU company running an EU service shares data with an American spy outfit... one would imagine it would be done secretly, but if such a secret got out (and note how well the Americans managed to keep their secrets), all hell would break loose as we Europeans have a slightly different approach.

      At the end of the day it comes down to a matter of trust and the simple fact is that no American data service can be trusted. It isn't necessarily their fault, it is their government making a situation where trust and confidentiality simply cannot exist.

  20. Anonymous Coward

    Back to roots

    In the beginning, the internet was this decentralised, cooperative network, built on standards and technologies, rather than on a small bunch specific providers.

    None of the features and functionality provided by the usual suspects (Gurgle, Farcebook, Twatter) require any level of centralisation, from a technical and practical point of view (from a shareholder point of view, that's a different story). It could, and probably should, all be replaced by decentralised systems based on protocols that anyone can implement and which can cope with the actual providers being untrusted.

    On a tangentially related subject, email-wise, things have been getting a bit latter recently. With the latest releases of Enigmail set to encrypt opportunistically by default, I find that 90% of email exchanges with my regular correspondents are PGP encrypted without me even noticing, apart from occasionally typing up the passphrase.

    It felt a bit weird when I realised that my love letters were all being sent encrypted, but sod it, you can never be too careful. :-)

  21. Anonymous Coward

    “Everyone has the personal right to be naive,” he says. “That’s why I like the Hotel California metaphor. It’s a state of mind these Californians are in: it was drugs, now it’s data. Maybe young people will realise in 10 years, when they try and sign up for health insurance and find they can’t get it - maybe because they’ve been flying too much.”

    Flying high, perhaps. The Drug War is far from over.

  22. g00se
    Linux

    MUA

    In the OX mail client a traffic light indicates the relative security of the sender. Green for trusted. Gmail remains permanently lit red.

    Where do I get this colourful mail client and where do I get its source code. Because obviously it IS open source, right?

    1. This post has been deleted by its author

      1. g00se

        Re: MUA

        ?? Are you perhaps confusing OX and OS X?

    2. DryBones

      Re: MUA

      That poses an interesting question. It sounds like the lights are from a list that's maintained, not any automated security check for encryption being present, etc. I presume it'll get political pretty fast.

    3. Hans 1

      Re: MUA

      > Where do I get this colourful mail client and where do I get its source code. Because obviously it IS open source, right?

      Download

      Source

      I tried openxchange OVER a decade ago, version of the time beat Outlook 2016, feature-wise.

  23. Anonymous Coward

    Not a great start

    The OX website produced a "certificate not trusted" warning. Hmm. ...

    1. Hans 1

      Re: Not a great start

      Weird, my browser "trusts" the certificate, but complains that not all data is encrypted, still got my upvote ...

  24. Anonymous Coward

    Rubbish really

    I'll believe 'Europe', by which you mean the EU, not the countries of Europe, has some power in this game when I find no web sites using, for example, google.apis. Just a joke idea by the olde worlde Eurocrats. I know. Let's move to X25...

  25. Jess

    What about if the data is stored on servers within the EU

    that have their system update facility controlled (ultimately) by the same company you aren't allowed to store your data with?

  26. Chris Cartledge
    Meh

    EU Hosting and Control

    Hosting and control are surely the issues. M$ shows how it can be done and the other US suppliers will follow. I would be astonished if EU startups made a killing out of this, even more astonished if EU Telcos could get their act together and ecstatic if new more secure standards could become used across the EU. It would be nice to be proved wrong, though...
