Europe Frightened By US 'Cloud Act', Fearing National Security Risks (straitstimes.com)
"A foreign power with possible unbridled access to Europe's data is causing alarm in the region. No, it's not China. It's the U.S.," writes Bloomberg (in an article shared by hackingbear).
"As the U.S. pushes ahead with the 'Cloud Act' it enacted about a year ago, Europe is scrambling to curb its reach." Under the act, all U.S. cloud service providers, from Microsoft and IBM to Amazon -- when ordered -- have to provide American authorities with data stored on their servers, regardless of where it's housed. With those providers controlling much of the cloud market in Europe, the act could potentially give the US the right to access information on large swaths of the region's people and companies.
The U.S. says the act is aimed at aiding investigations. But some people are drawing parallels between the legislation and the National Intelligence Law that China put in place in 2017 requiring all its organisations and citizens to assist authorities with access to information. The Chinese law, which the US says is a tool for espionage, is cited by President Donald Trump's administration as a reason to avoid doing business with companies like Huawei Technologies. "I don't mean to compare US and Chinese laws, because obviously they aren't the same, but what we see is that on both sides, Chinese and American, there is clearly a push to have extraterritorial access to data," said Ms Laure de la Raudiere, a French lawmaker who co-heads a parliamentary cyber-security and sovereignty group. "This must be a wake up call for Europe to accelerate its own, sovereign offer in the data sector."
Set up a parent shell company in Panama that owns all of the data centres, thus it is not subject to US laws and as a bonus you get to pay $0.00 taxes.
When you put your data elsewhere than on your own iron, expect it to be as good as public. Everybody has known this since the beginning of the internet. Security-conscious IT folks don't do cloud, even if it costs more.
In my opinion, the Cloud Act is just an official recognition of what's already going on.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
"Under the act, all U.S. cloud service providers, from Microsoft and IBM to Amazon -- when ordered"
;)
Guess if you have already moved on board (to the cloud) you have some thinking to do. Your data is in someone else's hands.
Just my 2 cents
Why not? SCOTUS has pretty consistently taken the 4th Amendment to not apply to non-Americans, those outside US borders, or a combination of both. Meanwhile, the 4th/5th Amendment doesn't apply to subpoenas, which are set at much lower standards. Couple this with NSLs, and you create the obvious situation where one company could exploit the Cloud Act for corporate espionage against rivals in other countries without any clear illegality to anything involved--unless there's some provision of the Cloud Act I'm not aware of. Then, of course, there's general espionage that the NSA would wish to exploit the Cloud Act for.
No matter how you look at it, the US extending its tendrils into other countries is obviously something that should scare multi-nationals. In China, they often wait for a company to come along to China, make things, then wholesale copy them. In the US, they will wait for a company to come along to the US, make things, then can use the Cloud Act to justify the legality of their copying by extracting information from the host country. In either case, both countries may decide to just take from other countries even if they never do production in their own country.
All of this is a mess. It's why Obama tried to push against the whole cyber-warfare thing. In almost all ways, I blame China for being the aggressor in this situation. I don't think the solution, though, is to fight back with equivalently inane laws. Couching them in the trope of law enforcement does nothing to placate my fears when the US government's behavior when it comes to international law enforcement varies between mediocre and atrocious depending on which part of the government is doing it. SCOTUS rulings almost always leave the full force of abuse available without any sort of repercussions.
Every fucking article on China controlling state is written like they are bad guys and we are good guys.
No, fucking morons. Our leaders are exactly the same.
I have to agree, it sounds a lot/too dang much like China. My data used to be mine.
As I look at what today says about the future, I'm profoundly grateful to be old now, having enjoyed my youth when it was still fun. I don't believe today's crop of eager, ambitious, hopeful young people have a real idea of what their future holds. The Cold War scared me a lot when I was that age, and now the Cold War looks very tame. The climate we old folks have made for them, the surveillance society that's evolving, and similar scary sh...tuff ought to scare the crap outta young people.
-Fight it, while you still can! Good luck, kids!
America has NO RIGHT doing this. It is what Russia did within the USSR and China does. Now, we are becoming no different than other dictatorial nations.
I prefer the "u" in honour as it seems to be missing these days.
We have issues with sharing data, taxation, laws, patents, etc. This needs to be re-done, and hopefully without Trump/Pence as American president. We really need leadership; the West's leadership is currently controlled by Putin.
I prefer the "u" in honour as it seems to be missing these days.
Hardly news, and this has been "news" in the computer world since the beginning.
This is not a new concern. People have been renting out hardware since long before Amazon was invented; computer time has been rented out for a long time. Back in the 1960s and 1970s many mid-sized banks were hesitant to adopt computers not because they didn't trust or couldn't afford the machines, but because they didn't trust the companies who owned the machines or the governments where the computers were located. IBM, with locations around the globe, was the biggest and generally considered most trustworthy, but (looking up history online) you could rent computer access from Honeywell, Sperry Rand, Siemens, EMI, Olivetti, and others. Noting their location, that could mean you were subject to US laws, or UK laws, or Germany or France or Italy or wherever the computing center was located.
I recall discussions a decade ago asking how much we valued hosting our own data, if we were willing to sacrifice the security of controlling it versus the convenience of letting Google Docs control access to all our documents. There are companies who trust every bit of their digital data to Amazon or Google or other companies. They figure that the cost savings is a benefit, and they don't care about (or don't realize) the security implications.
There are companies that decide that maintaining control is important. For them, even if it would be cheaper or easier to lease out hardware remotely the value of maintaining control is greater than any cost savings.
//TODO: Think of witty sig statement
...is that companies, organisations, & individuals outside the US can't do business with US data farm companies if they value their privacy, R&D secrets, & IP. Add this to the revelations outed by Edward Snowden & it's a wonder that anyone in their right mind would want to get entangled in that mess.
Isn't this in combination with the GDPR just going to make it plain illegal for European data controllers to put their data on US owned servers?
Oh, I totally agree.
I understood correctly, this will only apply to brown people and ones with big noses, right?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
... we need some way of obfuscating data with secrets that are not stored on the cloud provider ... we could call it ENCRYPTION.
Say it ain't so!!!
So, just make it impossible for even the vendor to read the (unencrypted) data. The most the vendor could do is hand over encrypted data, leaving authorities to try to decrypt it without the key. Or try to force the owner to give up the key.
One such new offering is IBM Hyper Protect DBaaS:
Hyper Protect DBaaS: the evolution of cloud databases
Getting started with IBM Cloud Hyper Protect DBaaS
BTW, this doesn't run on Intel hardware. It runs on IBM Z hardware, on dedicated cores per instance, which should minimize the potential for Spectre-type attacks.
IBM is rolling this out aggressively. How aggressively?
For now, they are handing out well-provisioned Postgres (8G memory, 80G data) and MongoDB (8G memory, 40G data) experimental instances for free.
Only reason I am not taking them up on this is that I know we won't be able to afford the price once it is not free. I'll stick with our 1G memory Databases for PostgreSQL instance for our little educational app.
Hyper Protect DBaaS (pricing)
Not an IBM shill. Just happy to not be drinking the AWS kool aid.
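The approach the comment above describes (encrypt on the client, keep the key off the provider, so a compelled disclosure of the bucket yields only ciphertext) as an added example; this is not code from the original thread, from IBM, or from any cloud provider. It uses AES-256-GCM from Go's standard library and binds the object name as associated data, so a blob that is handed over, moved or renamed does not decrypt. The in-memory `providerStore` map standing in for the provider's object store, the sample record, and the names `sealRecord`, `openRecord`, `uploadEncrypted` and `providerCanRead` are all this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// providerStore stands in for the cloud provider's object storage (constructed
// for this example). It only ever receives sealed blobs; the key stays on the
// client, so the most the provider can hand to anyone is ciphertext.
type providerStore map[string][]byte

// newClientKey generates a 256-bit AES key on the client. In production this
// would come from an on-premises KMS or HSM rather than being generated ad hoc.
func newClientKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealRecord encrypts plaintext with AES-256-GCM under the client-held key.
// The object name is authenticated as associated data so that a blob copied
// under another name fails to open. Layout: nonce(12) || ciphertext || tag(16).
func sealRecord(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving one self-describing blob.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// openRecord reverses sealRecord. A wrong key, a flipped bit, a truncated blob
// or a mismatched object name all return an error instead of garbage plaintext.
func openRecord(key []byte, objectName string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// uploadEncrypted is the client-side step: seal first, then give the provider
// only the sealed blob.
func uploadEncrypted(store providerStore, key []byte, name string, data []byte) error {
	blob, err := sealRecord(key, name, data)
	if err != nil {
		return err
	}
	store[name] = blob
	return nil
}

// providerCanRead reports whether the stored object exposes the plaintext in
// the clear, i.e. what a disclosure order against the provider would reveal.
func providerCanRead(store providerStore, name string, plaintext []byte) bool {
	return bytes.Contains(store[name], plaintext)
}

func main() {
	store := providerStore{}
	key, err := newClientKey()
	if err != nil {
		panic(err)
	}
	const name = "campaign/donors.csv"
	// Constructed sample record; the kind of data the thread is worried about.
	plaintext := []byte("donor,amount\nA. Example,500 EUR\n")
	if err := uploadEncrypted(store, key, name, plaintext); err != nil {
		panic(err)
	}
	fmt.Println("provider holds:", hex.EncodeToString(store[name]))
	fmt.Println("provider can read plaintext:", providerCanRead(store, name, plaintext))
	if _, err := openRecord(key, "moved/donors.csv", store[name]); err != nil {
		fmt.Println("decrypt under another object name:", err)
	}
	back, err := openRecord(key, name, store[name])
	if err != nil {
		panic(err)
	}
	fmt.Printf("client decrypts: %q\n", back)
}
```

The caveat the later comments raise still applies: this protects data at rest with the provider, not data the provider must process in the clear (a managed database that indexes and queries your rows has to see them), and the key itself becomes the thing an authority will try to compel from the owner.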
They're not a threat. They're competition.
The flip side of this is that if you're European and can evade being identified locally, you can use American hosts to protect your speech since federal law protects American hosts from being taken to court for speech that is legal under the first amendment.
In a previous life, pretending to be a big-data person, we could use US-based Google BigTables only because
- the most sensitive information had to be published in a political-contributors report later, and
- the personal (personally identifying) information was only kept there for the duration of the election campaign.
Otherwise, we would have had to store it in Canada on equipment we owned.
davecb@spamcop.net
In a word, no. There could be some concerns in some cases, but generally not an issue.
The Cloud Act relates to what a warrant or subpoena may reach, and doesn't change anything - it just affirms existing law, stating explicitly what had been implicit.
It says that the pre-existing power of US courts to order US companies to turn over data material to a case cannot be thwarted by the US company stashing the bits on disks which are physically overseas. That was already a bit of a "duh, no shit" to anyone who has studied law, but Congress saw fit to state it explicitly.
GDPR doesn't say you can't comply with a subpoena or warrant. It explicitly says you can comply. So no problem, there, no conflict between Cloud Act and GDPR, generally.
The one wrinkle is that GDPR says when you send data to another country, one of two things needs to be in place
A mutual legal assistance agreement
Or
The other country has approved privacy law
The US has both. A new data privacy safe harbor agreement with the US was approved by the EU in 2016, after the previous one was found lacking. We also have a Mutual Legal Assistance Agreement (MLAA).
There could be cases, however, in which a subpoena is issued which doesn't comply with the MLAA. Then one could argue complying with that particular subpoena could violate GDPR. Except we ALSO have the 2016 safe harbor agreement, so the MLAA isn't actually necessary anyway.
So in rare cases you could argue that there might be a conflict, but you'd probably lose that argument.
OK, OK, here it is. I know the answer.
All Europe has to do is to pass a law, claiming extra-jurisdictional access to data, any time they want it. No let me finish! It gets better. And the GDPR claims that no one else can do that (or something, I might be making that up, but seriously no one understands the GDPR. The first rule of GDPR is that no one talks intelligibly about the GDPR).
So, here's the ideal setup. China claims extra-jurisdictional access to data but no one else can do that. So do Russia, the US, the EU, and let's throw Brazil in there for shits and giggles too.
The result is a set of mutually incompatible, conflicting, incomprehensible and non-resolvable claims over access and authority, with internal contradictions so bad that it's best to just mumble something about 'might makes right' and look downcast!
It's perfect!
TFA reminds us of the 2013 DoJ / Microsoft Ireland case: Now, the US is claiming "It's not illegal when the president does it" and entire countries don't have the guts to enforce their sovereign laws on US corporations.
Make Europe great again! Yeah!
Trump and Putin are in a love triangle with China compared to you and all your China hate.
The US has no jurisdiction in Europe, so it doesn't matter what overreaching laws they pass.
The EU wanted EU nation data kept in the EU for "privacy" and law enforcement on speech, laws on who can publish.
No going to a low cost and much better US site to sell back into the EU.
The USA said that was a new trade barrier put up by the EU to keep out low cost US cloud products and services that should be able to have equal and fair access to EU markets.
That a US company should be able to bid equally for any EU nation/gov/mil project from the USA as a secure US cloud service.
That the US cloud product in the USA could meet any EU privacy, law enforcement and encryption regulations.
The USA was ready to support the EU over access and privacy. But it was not going to allow the EU to block US brands from the EU again.
The US products, being cheaper and of better quality, offered advanced services people in the EU wanted.
Productive and more advanced US brands started winning contracts in EU nations on price and quality.
Freedom and quality from the USA won over EU prices, EU tax rates and EU political control.
EU nations then attempted to use more "privacy" laws to stop the flow of wealth out of the EU nations and into the USA.
That local hosting in the EU could further try and stop low cost US services from offering better global peering prices.
To try to attract jobs to EU nations by offering EU-wide "privacy" away from US cloud products?
The US does not want to see the EU become a place to hide wealth again and for banned groups to set up under the cover of EU "privacy" laws.
Consumers in EU nations should have the freedom to select from US cloud products. Like they did with US computer hardware in the 1980's.
No having to buy a French desktop computer that is years behind advanced US computers. The freedom to buy a much better OS and hardware from a computer company in the USA. The freedom of ranking many different US computer designs rather than having to accept a French gov computer.
To network with the US networks and enjoy freedom of speech.
Not having to stay on a French only national network using a French gov approved desktop computer.
The EU is using "privacy" to go back to its 1970's idea of national computer networks and national server designs keeping out much better quality US products and services.
New trade barriers by the EU years later to keep out better US cloud products.
Domestic spying is now "Benign Information Gathering"
What's stopping the EU from taking the position that they have similar access to users data stored on American servers? Google/Facebook provide services to Europeans, Europe has the right to access their data to support 'investigations'.
First of all, I don't see any definitions of the extent of the US law. Does it only apply to the data of US persons in support of a US investigation? Then I don't see a problem with granting the EU the same sorts of access to EU persons for the same reasons. Nowhere is it stated that the US wants to go on fishing expeditions through non US persons data. But if this is the case, then I don't see where European officials shouldn't have the same rights.
Have gnu, will travel.
But there is a huge difference between China and the USA govts.
In China, when you disagree with the govt, you and your family disappear, cannot travel, don't get a lawyer and often aren't seen for a yr. If you appeal, you get re-sentenced to death.
In the USA, you get a lawyer, can usually fight back, appeal any decision.
A few quick reminders:
Xi is
* a dictator for life
* sends millions of Chinese to "re-education camps"
* no freedom of speech
* no freedom of travel
* China uses tanks against their own people.
* Religious re-education cities with 1M+ people.
* smartphones **must** have govt tracking software
* Your social network posts are tracked by the govt and rated. A poor rating can block rights and travel.
* don't recognize international waters as ruled by world-wide govts
* Currency manipulation
* intellectual property stealer / Hacker of companies and govts world-wide
* Highly selective enforcement for any laws; usually against foreign companies and Chinese companies that cause large number of deaths
* Tibet takeover
* Tiananmen Square; they admit to killing over 1,022 civilians. Other estimates are over 10,000 deaths.
* Check your server logs, most attacks are probably from Chinese IP ranges.
* Their elections are fixed - only approved party members can be on the ballot. So, would you like Bernie or Clinton or Gore or Dukakis?
Like any of those are even a different choice from the others. Well, freakin' terrible vs really, really, bad is a choice, I suppose.
* Police in China behave like thugs. Ok, sometimes that happens in the USA too.
* Taiwan, cough.
Don't forget what China is and how they behave.
---
Cisco and Motorola caught Huawei stealing their intellectual property.
https://www.wsj.com/articles/S...
Huawei Admits Copying Code From Cisco in Router Software
https://www.reuters.com/articl...
---
Motorola sues Huawei for trade secret theft
Huawei physically stole parts in 2014 from a testing robot during a visit to T-Mobile. The robot was used to ensure buttons on phones would last.
---
https://www.nytimes.com/2016/1...
China hacked more than 245 companies and agencies, including US Navy and NASA.
Ref: https://arstechnica.com/tech-p...
This happened while The US/China economic espionage pact was in-force beginning in 2016.
The USA isn't perfect, but it isn't China. Not by a long shot. If you refuse to decrypt data at the US border, they keep the data and you can sue to have it returned. Canada, UK, Australia, France, Thailand, and 50 other countries would demand you unlock it at the border without any reasonable cause. It is illegal to refuse, a crime.
That law is a prime example of a slippery slope. The USA controls a lot of Internet resources, and making far-reaching laws gives other countries a precedent to do exactly the same, and now we just have clouds that don't pass territorial lines. Granted, the spying was most likely happening anyway, since nobody can trust their own country, let alone each other's countries, anymore. At least, though, we didn't have a law saying we're going to f'n spy on you no matter where your data is.
That the CEO of the company will be liable and be arrested if any of the citizens' data is handed over to a foreign entity without permission. Let the cat and mouse begin....
One way to look at this from a European viewpoint is that this new awareness of data access on warrant (who really believes it takes a warrant?) means EU companies may demand privacy from US prying eyes and thus fund the needed development of their own cloud services outside the reach of the US. This would also give US companies the same ability to hide their data in the cloud from those same prying eyes.
I still put shit on AWS because the billing is less than $1 so they just waive it and I encrypt my files anyway.
If the NSA wants to waste time decrypting my files then they will deserve the blame when they miss an actual threat.
numbnuts
This sums up [the external perception of] American attitudes in a nutshell.
It's the same with environmental protection, concepts of community benefit and dozens of other examples.
In a word - selfishness.
"I don't want the government/UN/international bodies... limiting what I want to do -- I don't care how my actions affect those around me- so long as I'm OK. Don't limit screwing over my neighbours/colleagues/friends/the planet/local environment if that would cost me a single cent."
Europe has grown up with centuries of such petty-minded fiefdoms and the consequent wars. They've learnt gradually (and are still learning - apart from the lying nutters who precipitated Brexit) that supporting each other is a net gain for all and not a personal cost. Americans seem to project any dilution of self-centred approaches as full-on communism.
Having my personal details harvested by China or the US? not much to choose - but at least China is open about it and doesn't ride a wave of hypocrisy, trying to project itself as a beacon of liberty and the good guys.
Looks like the cloud has been formally busted. It was always a bust. It was realistically a bust from the start, considering how the US has been known to use their intelligence agencies for industrial espionage against their "allies" since basically forever.
How anyone knowing that ever thought "the cloud" in its current incarnation was a good idea is anyone's guess, even if the usual suspects in the form of naivety and ignorance do come to mind, but this should put paid to that. That said, I doubt the cloud is going away, but finally perhaps people will begin to understand the importance of being able to trust the entity hosting their cloud.
Most likely the outcome will be more entities moving away from vulnerable companies like Microsoft, IBM, Oracle and Amazon, and moving more towards self- or joint-venture hosted open source systems.
Trust is the most important currency of them all, and the international business scene and the US government went bankrupt a long time ago in that regard. Too bad people seem to have forgotten until now.
Hey smart guy, did you miss that little caveat about "if you can evade being identified locally?"
UK law enforcement has no legal standing in the US on this issue. That means that if you are in the UK and want to host edgy commentary all you have to do is find a host in the US that you like. If UK police send a subpoena, the American host is going to laugh hysterically and respond "stop wasting our time, limey pig."
I'm going to guess that when you saw the term "safe harbor" you thought of the safe harbor provisions of the DMCA, or some other law you are familiar with. Many laws have safe harbor provisions - including GDPR.
GDPR Article 47 states that companies outside the EEA that adopt "binding corporate rules" for data protection are exempt from GDPR Article 45, if their adoption is "approved by a competent supervisory authority".
Such "binding corporate rules" were first laid down in the EU-US Safe Harbour Principles (2000-2015), which were later renamed (with minor changes) as the EU-US Privacy Shield Framework (2016).
All of this increases the compute cost, the processing required to locally encrypt/decrypt, and as others have pointed out running this on your own metal instead of the cloud is much cheaper. No wonder companies like amazon and MS are successful with these services. What a scam.
Nor do you know what security by obscurity means and why it's rubbish.
All your screed there is bullshit. Why do you think cameras are recording in Malls? Stealing still happens, but the POSSIBILITY of getting caught puts people off and the number of attempts to actually stop reduce. Same with open source code: many are put off because if they DO get caught, they not only lose the access, they also get known as a black hat.
Meanwhile closed source can pretend there isn't a problem, and can even refuse to look for problems so that they can plausibly deny any culpability when the problem arises.
Protecting the US economy does however imply not fucking over America's IT industry, which the inane data access laws are likely to do.
Australian companies are already losing business or migrating key operations to other countries because the Australian government enacted idiotic laws. Spanish media screamed when the government enacted the idiotic laws they asked for because they lost so much business.
Governments are struggling to understand that technology makes it easy to avoid damaging laws.
There are already servers out there running everything inside HSMs, so problem solved.
For example these guys https://privatemachines.com/enforcer/ have something that seems to do exactly that.
Now if clouds would be allowed to deploy these is another story ...
It was ended in 2015, then re-done in 2016.
It's possible something happened in the last few weeks that I'm unaware of.
Or is America just that weak to have let it happen?
Wasn't that similar to the patriot act? Didn't you support that? And brag about how you helped the people make it?
The US is concerned about Huawei - not because China maybe will have access to the network - but rather that Huawei equipment will prevent the US from having unfettered access.
Good for European cloud companies, they now have a good selling point.