13 posts • joined Tuesday 15th January 2013 18:25 GMT
Re: classic computing
I'm currently restoring my 1979 Apple II
Wow - trip down memory lane :). I built one (you could buy the bare motherboards), and it was quite a soldering job...
Set some to the Swindon Computer museum
I sent some of my Psion Organiser II kit to the Swindon Computer Museum. I know the people who dreamt up the museum idea, and that way it benefits more people, as I still have plenty of other things to collect dust with :)
I must ask them if they're interested in a pretty much new top-of-the-line Roland A3 flatbed plotter ("new" as in "printed maybe 20 A4 sheets in its life" new). This sort of tech is now only found in 3D printers, but I don't have the time for a hardware project, and retiring kit to a place where others can learn from it is IMHO much better than eBaying it...
Re: The point is?
The point is?
Marketing, and there is a LOT more coming - I predicted as much quite a while back.
As others in the comments here have already pointed out, such statements can be comfortably made without any risk of retribution even though there are a tad creative with reality - after all, they are a US company. When (not if, IMHO) they are required to cough up user data they are bound to keep it secret, so if it ever leaks they have done so, they can blame the government for forcing them to keep it quiet.
surely you are still stuffed in the UK even if the data is in Switzerland? Can they not compel you to turn over the keys,login etc....?
You're correct. The issue that is being addressed is the risk of outsourcing. If you're a bank or a law firm in the UK, your core competency is probably not in running an IT shop or keeping security up to date, so you buy in that service from somewhere else (also has a neat side effect that you can blame someone else if you get hacked).
The problem is that the combination of the Regulation of Investigative Powers Act and enhanced powers when you bandy the word "terrorist" around allow a bypass of due process when it comes to intercept, so your provider could be ordered to hand over your data without you ever finding out .. or so you'd think.
The second problem is that the rules surrounding such an investigation do not really do much for your privacy either, so even the most junior policeman fresh out of school could see really confidential data - once that data has been obtained, it's a big question if it remains protected as well as you would need it to be. This is why I said "or so you'd think" - when some of that data leaks you may not have an idea how this has happened, and with all the secrecy it will be hard to discover, less prove it was actually law enforcement who caused this to happen. Either way, you will end up shouldering the blame and liability as the "National security" meme will get very much in your way.
Last but not least, the UK also has a problem with the disposal process after an investigation has been closed down. For example, until recently, DNA taken during an arrest would remain on file in contradiction with EU law and it took a court case to change that. It is now slowly being addressed.
Your next question will be "what if the UK simply asks Switzerland for the data?" and the answer to that is the next reason why you'd want your data in Switzerland: a cross-judicial request for assistance has to fulfil the conditions of the target country. In other words, if the request does not satisfy Swiss law, it will be rejected.
BTW, it's not enough to just decamp to Switzerland and then declare yourself the defender of privacy (as I see with many Swiss email providers). There is a lot more work to do before you have closed all the backdoors. I've been through that exercise and it's hard work, but you may recall I saw this trend well before Snowden came onto the scene.
The above also indicates how I knew that not all was well with US "secure email" providers even before they started up. Having your HQ in the US makes it pretty much irrelevant where you host your data as the decision power (and thus the leverage for law enforcement) is subject to US law. The latter should also give you a hint as to (a) what a massive problem Silicon Valley is presently trying to hide from you and (b) just how little value the Safe Harbour scheme has, even if you ignore the inherent conflict of interest in a self certification scheme in the first place.
The US is now in a situation where all chickens come to roost at once, and -pardon me for butchering the expression- many feathers are flying. There was a reason why we have due process: handing powers to the state is perfectly OK if it can be checked they are used for the purpose for they were given (pretty much in the same way you don't give everyone in your company the right to sign corporate cheques). Take transparency and supervision away and it becomes a mess. The bad guys have a party, and the good guys (because they exist too) no longer have a way to prove they still follow the rules. If you do this in law it takes a LONG time to sort it out. I reckon it'll be close to a decade, and that's IMHO a conservative estimate.
Some final remarks: this is not just a UK issue. A number of EU countries have implemented anti-terror measures in ways that do not exactly inspire trust, the Swedish FRA is but one example. Also, the fact that the Swiss are careful about intercept does not mean they don't have the capability, it's just that they go about it a bit more carefully.
Re: US cloud suppliers "Foreigners are dumb and can't read."
As I have previously remarked if you don’t want your data seen by anybody else then don’t either put it on the web or in the cloud
Agree on the Web thing, less so on the Cloud, plus you're ignoring the fact that data is sometimes shared between parties, which makes the whole jurisdiction thing a heck of a lot more complex.
I honestly wasn't expected a Snowden style disclosure when I wrote the Swiss private clouds article, but it appears eerily prescient now. The Op is actually right: you need to lawyer up if you want to do it right. I spend most of my time now helping larger organisations develop global privacy strategies which MUST start with the legal picture (otherwise you're frankly wasting your time).
There are a number of ways in which you restructure an organisation to shield corporate information from uncontrolled government snooping (to call warrant free intercept by its proper name), but you must start with making sure your HQ is not in a nation which has such legalised or you're wasting your time. If you can meet that basic first requirement, then there are a number of ways in which you can make a presence in multiple jurisdictions actually work FOR you.
Only once you fixed those fundamentals can you develop global privacy policies, and then acquire or organise the required technology to implement them. Notice that I use the word "privacy" instead of "security" - policies too must address laws, rights, compliance obligations - the hard work is usually bringing some structure into what is a complex mix of aspects that had a firm stirring since the intercept disclosures.
That doesn't mean those issues didn't exist before, but the awareness thereof has now finally entered the boardroom. I see that as a positive development.
Re: au contraire
Any sizeable company has to handle multiple jurisdictions. The intelligent approach is to make that work for you.
Incidentally, there is no trademark on "The Cloud" - the US PTO decided in 2008 after a Dell trademark application for "Cloud computing" that it was a generic term, seen as merely descriptive.
Re: This article is not really very detailed or factuelle
You've touched on the major issue here:
"One of the other problems with the "Cloud" providers is that their terms and conditions often include clauses whereby other succursals in other countries also have access to the servers. The hell desks/service desks can actually be found in some strange places outside of the hosting country. It's not easy for Data centers to pay onsite 24 hour staff...."
Personally I'm uncomfortable with the term "Private Cloud" because the "private" means you should be very clear about what works where and with who, whereas the "cloud" part is too vague.
I spent quite a lot of time with various lawyers looking at the same issue - you *can* do this if you have a 100% Swiss company and know what the complete picture looks like. There are also plenty call services in the country itself and almost all of them are multilingual as the nation itself is, so you can contain that aspect too.
As for service access: choose a provider who hosts banks. Their admin interfaces are not allowed to be reachable from outside Switzerland. This is why, for instance, Postini had to get themselves an office in Zürich when it was filtering email for Swiss companies (with a Swiss data centre). When Google bought them this service was terminated.
As I observed somewhere else before, the picture is a tad more complex than I can drop into a short article - it needs a strategic view. In the end it remains a risk assessment, just with more variables. You look at the law and how it is applied, the politics, national attitude in general, availability of talent and during company evaluation you also look at the other work they do, how they go about it, how staff is screened - the full picture. The technology and security elements are pretty much the more standard elements of the mix. This leaves a few providers that are capable of making it happen as described, and I suspect that number will grow.
Re: So, who are these Swiss Cloud providers?
<i>he surely can help</i>
Sure, but it's a "piece of string" question - without knowing requirements it's hard to point you at the right people (each have their own focus). A useful trick is to see if they carry banks, because that means the providers has to conform with FINMA standards and you just enjoy the benefits of annual audits without having to do them yourself.
I was expecting this argument to come up, and there are a couple of answers to that. I'm going to keep away from the political dimensions, because that's a whole story in itself.
First of all, if you do something illegal, Switzerland is no help to you either because agreements for international collaboration are in place. Privacy is a right, but you also have an obligation to behave lawfully or the state can use its privilege to lift your privacy and check what you're up to.
Secondly, Switzerland is a democracy, and what the US did to gain that bank data was blackmail (a fishing expedition instead of normal due process). This story is long from over, because what happened broke Swiss law and not all of it has been dealt with. You can see that, for instance, with what is now happening with the collaboration with Germany where the government have (a) written out <a href="http://www.spiegel.de/international/europe/germany-and-switzerland-wrange-over-tax-offical-arrest-warrants-a-825443.html">arrest warrants for the Germans officials involved</a> and have (b) told Germany that investigations based on illegally obtained information are out of the question. The net result is what I alluded to in the article: the Swiss stance to privacy violations is hardening, with positive consequences for the legal framework protecting your information. In Europe, the EU Justice Article 29 Working party is looking at improving privacy, but as long as the use of the backdoors to this law is not controlled and audited you retain IMHO the problem.
Thirdly, get the corporate lawyer to compare privacy laws. Switzerland is the only nation which has no uncontrolled backdoors in its privacy laws. When I help corporations with client privacy, I don't need to say much on this topic - I just ask the corporate lawyer to investigate and point him or her where to look. That way, the corporation has its own independent confirmation.
Re: This article is not really very detailed or factuelle
The article would be 3x as long and no longer fit if I had to fill in all the detail :).
The exceptions you quote only come into play <i>after due process</i>, and that is by default quite rigorous in Switzerland..
That is my understanding of this (rather recent) change in approach, which makes sense IMHO (although I'm not a lawyer). If the Swiss would help, they themselves would start an investigation on the basis of illegally obtained information..
Re: isn't "Crypto AG" Swiss?
The Crypto AG story is probably the best known story of communication subversion by the US. In that context it is indeed worth examining US law, and the sum total of the US PATRIOT Act and FISAAA seems to suggest that when you plan to procure any secure private cloud services requires a check that the organisation in question is free of any US connections or you have a legal problem from the start.
This is what I tend to find with a lot of private clouds: technically from OK to very well designed, but holed under the waterline by applicable laws..