French, German Leaders: Keep European Email Off US Servers
jfruh writes "In her weekly podcast, German Chancellor Angela Merkel said she'd be discussing European email security with French President Francois Hollande. Specifically, in the wake of the NSA spying revelations, the two leaders will try to keep European email off of American servers altogether to avoid snooping. This comes as Merkel's government faces criminal complaints for assisting aspects of the NSA's programs."
You COULD mandate end-to-end encryption if you were really that worried about it. That probably also wouldn't avoid snooping, but it'd make it a bit more difficult. We should probably also move away from using the browser as a mail client. But you're not really worried about snooping, are you? You're just worried about US snooping.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
The German Prism: Berlin Wants to Spy Too
French officials can monitor internet users in real time under new law
And some of the reports of "NSA spying" were in fact NSA being given phone data from European agencies.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
> This comes as Merkel's government faces criminal complaints for assisting aspects of the NSA's programs."
My favorite part of the whole thing is that they are facing criminal complaints for assisting the NSA, all while having also been spied on by the very people they assisted. Hmm a happy satisfied feeling from seeing others get what has been coming to them? I believe the Germans just might have a word for that.
"I opened my eyes, and everything went dark again"
You mean if one were to send an email from Munich to Paris, it'd cross the Atlantic and come back?
Depends... Sometimes the German Army brings it directly in person.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
If you're sending an email from anywhere to anywhere, odds are that at least one or both of you are using an email account with one of the big US-based internet companies (Google, Yahoo, Microsoft, etc.). Or you don't even bother with email and use Facebook instead.
So your message is very likely to not only cross the Atlantic, but also get stored and backed up redundantly in several datacenters including servers in the US. This has nothing to do with internet architecture, just market forces and poor consumer options.
Internet routing only begins to matter to email security if your email account is hosted privately or by a local organization - and even then, you're better off securing the email by encryption than trying to compartmentalize a network that was designed from the beginning to ignore physical locations and borders.
Traffic on the Net is routed according to the cheapest route, not the most direct or most efficient.
you're not gonna stop us from reading or listening to any of your conversations. We're the proud, the strong, and we own all of your communications :)
You mean if one were to send an email from Munich to Paris, it'd cross the Atlantic and come back?
NSA aside, that's a pretty sucky setup.
It's how the Internet works. To quote directly from the experts: A target's phone call, e-mail or chat will take the cheapest path, not the physically most direct path.
Physical distance is not as important as congestion on the routes. So it might very well be that your data takes a much longer path than what you'd think, simply because it uses the fastest way, not the shortest.
Angela Merkel's approach is pretty idiotic, and it cannot fix the problems. First of all, most emails are routed through the US either because the sender or the recipient has an American email provider (Germans love Gmail, too). Secondly, even if that is not the case, can you be sure that the NSA doesn't spy on traffic in Frankfurt? It wouldn't surprise me.
Only true end-to-end encryption can be a solution. The government in Germany is currently pushing for DE-Mail, which relies on transport encryption only. So that means that your email provider can still snoop and so can the German government, which is probably the reason why they designed it like that in the first place. End-to-end encryption would have been possible, especially since the German government is spending much money rolling out their own PKI, with keys for every citizen right on their new national ID card.
There's a presentation about DE-Mail from last December's Chaos Communication Congress, it's worth watching (video also has an audio track with English translations).
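The difference between transport encryption and end-to-end encryption raised in the comment above can be seen in a message's own `Received` headers. The following is an added example, not part of the original thread: it parses a constructed message (all hostnames and addresses are placeholders) and reports which links used TLS and which servers handled the message after TLS was terminated.

```python
import re
from email import message_from_string

# Constructed sample message; all hostnames and addresses are placeholders.
RAW = """\
Received: from mx.mail.example.com (mx.mail.example.com [203.0.113.7])
\tby imap.mail.example.com with LMTP id c3; Mon, 17 Feb 2014 10:00:03 +0000
Received: from smtp.provider.example.de (smtp.provider.example.de [198.51.100.9])
\tby mx.mail.example.com with ESMTPS id b2; Mon, 17 Feb 2014 10:00:02 +0000
Received: from laptop.local (unknown [192.0.2.44])
\tby smtp.provider.example.de with ESMTPSA id a1; Mon, 17 Feb 2014 10:00:01 +0000
From: alice@provider.example.de
To: bob@mail.example.com
Subject: test

hello
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)
# RFC 3848 "with" keywords: a trailing S (or SA) means the hop used TLS.
TLS_RE = re.compile(r"^(?:UTF8)?(?:E?SMTP|LMTP)SA?$", re.I)

def trace_hops(raw):
    """Return the relay hops in travel order (Received headers are newest-first)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            sender, receiver, proto = m.groups()
            hops.append({"from": sender, "by": receiver, "proto": proto,
                         "tls": bool(TLS_RE.match(proto))})
    return hops

def unencrypted_links(hops):
    """Links where the message crossed the wire without transport encryption."""
    return [(h["from"], h["by"]) for h in hops if not h["tls"]]

def servers_holding_plaintext(hops):
    """Every receiving server terminates TLS, so each one sees the full message
    unless the body itself was encrypted end to end (e.g. OpenPGP or S/MIME)."""
    return [h["by"] for h in hops]

if __name__ == "__main__":
    hops = trace_hops(RAW)
    for h in hops:
        print(f'{h["from"]} -> {h["by"]}  {h["proto"]}  tls={h["tls"]}')
    print("plaintext visible to:", servers_holding_plaintext(hops))
```

`Received` headers are written by the relays themselves and earlier entries can be forged, so the trace is a hint about the path rather than proof of it.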
You're looking at it at too low a level. The cheapest route to communicate between two parties is free webmail. Guess which country hosts the largest number of free webmail systems?
You are not alone. This is not normal. None of this is normal.
It's even a law in Canada that prohibits companies holding data on Canadian people from any storage/transport of these data using any IT infrastructure in the USA.
Ceci n'est pas une Signature !
It's not just that the French and German governments are going to move to doing business with non-US companies for email. There are many reports [citation needed] of governments and companies throughout the world choosing non-US cloud providers who promise not to have servers in the US. This is showing up on companies' earnings reports in reduced overseas sales.
At first I thought it was silly - all governments want to be able to get their hands on data stored in their domain, so moving from the US just changes the potential actor. Then I thought "why would you store your secrets in a place you don't control?" If you've got something very, very secret, you don't store it in a bank, you hide it somewhere on your property (and no, I do not have anything very very secret :-) ) so it makes sense for governments to store their data on their own servers. And if they're technically capable, their own government cloud (sadly, not built by the US).
-- Everything is wonderful until you know something about it.
You mean that if google has a gmail server sitting in Germany that it won't be able to access all the content on that server? What?
If some NSA/FBI/CIA goon walks into a google/yahoo/whatever office in the US and hands a secret court order for a US citizen to dig through the German server the guy is going to dig through the German server. If anything a google run German based server is actually more legally friendly to the CIA/NSA as now they can be fairly certain they aren't trolling through US-US communications.
So if the US passed a law tomorrow (that was actually obeyed) that 100% banned any interception of communications of one US citizen with another then setting up European only servers would be something the NSA would want Google to do.
If Europe is truly serious about defending their privacy they would insist upon audited servers stationed in Europe run by natural born European citizens with single nationality and no family or economic ties outside of their legal reach. Then they would need to make a ferociously punitive fine for any employees, management, or companies that violate these privacy rights with a huge portion of the fines going to any whistleblower.
Another suggestion I have is for some European company to buy blackberry and make those phones truly and uncompromisingly secure with features such as one time pads.
The latency is only about 150ms. This is simply unnoticeable for email, so major US email providers aren't going to have servers in the EU for latency reasons.
That would probably be true for classic client server email, but consumers (and by consumers I mean people who don't read Slashdot) expect their email to be a web based client. And for all of the back and forth an interactive web client is going to have with the server, 150ms could be killer.
EU Data Protection laws require a company to protect the privacy of the people it receives email from. Now the fallacy of the Safe Harbor agreement has become clear, using US providers means knowingly placing privacy in jeopardy.
Silicon Valley has a MASSIVE problem on its hands in this context: even if a US company WANTED to protect client information (and let's be honest, lots of them actually do), they are legally not in a position to do so. The biggest problem is that this is a legal issue, and that will take at least a decade to fix...
Insert
Given that GCHQ is a loyal lapdog of the NSA, you'll have to exclude ole Britannia Servers as well.
We already have nodes running inside both countries which tap the main lines.
Illegal? Of course.
Unconstitutional? Only if, as they are designed to do, they capture American emails too.
Stupid? Heck, this is America ... does that answer your question?
-- Tigger warning: This post may contain tiggers! --
Yes. This is the last one, and if this isn't true and Slashdot.org will permanently resemble a wife married for 28 years with a fifteen year old son and a twelve year old daughter so be it, I spent most of my early life without sex (ie Please tell me the browser cache is screwing with me. Please tell me that my wife wants to have sex more often ( ok that isn't going to happen, I have a 12 and 15 year old) Do we really have Slashdot.org back? Isn't that better than writing a curse word in caps? No. Please tell me this SHIT,SHIT,SHIT,FUCKING,FUCKING,FUCKING,JACKASS,JACKASS,JACKASS beta experiment is dead and buried. Excuse my French.