So... Anybody have a list of cool companies that don't have any business in the US?
Lack of ties with the US is becoming more and more valuable every day.
Edit: I love how the reason the judge ruled like that is because it's too much of a hassle for law enforcement. Guess security is not the only thing that gets sacrificed just because we're too lazy.
I can recommend www.wuala.com. It uses client-side encryption and the servers are in Switzerland, Germany, and France. It's a Swiss company that was bought by LaCie.
I think moving off-shore is an avoidance tactic, not a solution. I live in Jersey which is an offshore finance centre, and some local companies are already marketing 'offshore data warehousing'. These are smart people but they are absolutely no match for the US government when it comes to securing cloud data here. They cannot possibly be attracting savvy customers. Jersey already hands over banking data to the US and UK and they will have to hand over stored 'cloud' data, too.
Best practice is to eliminate third-parties from the trust chain by encrypting locally prior to syncing. This is what I do and I wish it were simpler to set up. I can keep my private key on my machine(s) and mobile devices and securely access my decrypted content, but it's not simple enough yet that I can walk my parents through the steps over the phone.
Once this gets easier the cloud providers are just 'dumb pipes' (for lack of a better term) and can be used interchangeably. It seems they are stuck between two difficult positions here - you need to trust them with your unencrypted data, and they and you need to trust the US government not to snoop too much. Neither is likely so we're back to eliminating the companies and the US government from the trust chain.
Alternatively for file syncing, peer to peer? If a company doesn't have your data in the first place, they can't give it up. It does require the user to supply their own always-on internet-connected device, but that's increasingly becoming a thing that people have (for modestly sized files, even a smartphone would do)
I really just don't...want...to...maintain another server, or even P2P setup. However, things like this ruling are piling up to the point that I may have to take another look at what it would take to get my Synology box to use their "Dropbox" functionality (Synology's dynamic IP->static IP mapping service has proven to be flakey at best, though there are other options). Either that, or that bittorrent P2P thingy.
Another problem is that Dropbox and the like have really gained traction, so that other apps use them as a synchronization store. So there's the problem of keeping, for instance, all of my 1Password stores in sync. I'm sure there's a solution, but I need to overcome inertia and go look for it.
How do you convince user to store arbitrary data? Usually, when I chose a cloud service, I want data off my computer. And I think, ISPs will not be fond of such a service. They already suffer from existing peer to peer services like Bittorrent.
This could absolutely destroy the US cloud-based services industry if this gets reaffirmed. It actually doesn't make any sense though, but it continues to chip away at global confidence in US-based companies.
The UK university where I work uses Microsoft's cloud service for email. I've always had concerns, but apparently we have a contract that states the data will only be held in certain jurisdictions (can't remember if it's just the UK, but I think so) so that we can conform with UK data protection laws. If Microsoft lose at appeal, I guess we'll be legally compelled to change email provider. Can't imagine we're the only ones either.
Note that UK data protection laws do NOT exclude the NSA from reading your email. They just restrict the data being sold to commercial third parties.
I mean I'm not saying that's necessarily a bad thing, just that you don't have the protections you think you have. The UK intelligence services will actually help the NSA collect data from UK firms in the UK, as has been extensively reported.
So keep in mind that if it's the US government, or any EU government that wants your data, it doesn't matter if it's stored in the US, UK, or anywhere in the EU or Australia or New Zealand.
Add to that that UK citizens have less rights than US citizens when it comes to government data collection. A US citizen gets a deal : if they hand over data to the NSA/government themselves, that data cannot form the basis of a criminal conviction against them (this of course means the US government will try to hack you before asking you). So if you have encrypted kiddie prn on your machine and you decrypt it when the government asks you to do so, they may get to delete it, but that's it. Of course they can investigate you further, but if you are the one giving them the key, they can't do anything in court with the decrypted data.
In the UK or anywhere in the EU you have no such right, and there are plenty of cases of people getting forced to hand over encryption keys only to have the decrypted data be used to convict them.
So really, your data is safer with the NSA than with your own government (from the perspective of how damaging it can be to you personally at least).
I've always assumed that this is how government agencies would try and interpret the situation, but I also assume that this will go all the way to the top to be properly decided.
Edit: Not to mention that other countries may disagree with this interpretation and sue the local branch of the company if they send the data outside the region. Then the issue will become a matter of international law.
You say that as if it's new. International law 101 will teach you that countries claim jurisdiction on any business that happens within their borders, which means if any of the involved parties is within their borders at the time.
In other words, your suggestion, claiming jurisdiction over business relationships between US-based US-citizens and foreign firms is no more than business as usual for the courts. This is not new, strange, or ... It's just that nobody "normal" ever sues because it is so expensive to do international cases, and so this is not all that well known outside of lawyers.
The same goes, with variations (but not much variations), for any other country. Remember how Amazon got sued and convicted for selling "Mein Kampf" to a French guy and shipped it to France ? (note: Amazon's french branch does not sell that book, for obvious reasons, that did not help them. If you do that, and the french justice system comes after you, the US court system will let them extract a fine from you (though it won't let them throw you in jail, as would happen in France)).
"After these articles, SWIFT quickly came under pressure for compromising the data privacy of its customers by letting foreign government (United States government) agencies access sensitive personal data. In September 2006, the Belgian government declared that the SWIFT dealings with USA government authorities were a breach of Belgian and European privacy laws."
Basically they were caught between a rock and a hard place and had to decide which country's laws to break.
This go so against EU law that it is a straightforward attack on any international business which includes the EU, run by a "cloud" firm. It also places such a burden on local (EU) companies using, say, DO or Linode services... which will have to switch provider like right now.
Or am I extrapolating wrongly? I certainly would like to know (yes, assuming that this thing goes up and is held as definitive, obviously).
You're not wrong. EU data is supposed to fall under safe-harbour provisions. These are what allows EU companies (which have to obey various EU and national data protection laws) to use US services which do not mandate such protections.
I've never thought there was a reason to trust these, in light of the US government's view of the rights (or lack of rights) of non-citizens. But this seems explicitly to throw them out.
Perhaps, but not very good news for US companies either way. The trust will be even smaller in them now, and they won't be able to tell non-Americans that their data is safe with them, unless their enable end-to-end encryption in most, if not all, of their services, and they provide ways to check that they aren't going around that encryption in some nefarious way (backdoors, etc).
If you're a US company doing business in a another country, you have to comply with the laws of that country, and part of that is confidentiality. If the NSA, FBI, whoever can secret warrant any data overseas on companies that operate outside their jurisdiction if the data say, was simply in a file cabinet in that country, it will be rife with abuse.
Lack of ties with the US is becoming more and more valuable every day.
Edit: I love how the reason the judge ruled like that is because it's too much of a hassle for law enforcement. Guess security is not the only thing that gets sacrificed just because we're too lazy.