Slashdot Mirror


Europe Frightened By US 'Cloud Act', Fearing National Security Risks (straitstimes.com)

"A foreign power with possible unbridled access to Europe's data is causing alarm in the region. No, it's not China. It's the U.S.," writes Bloomberg (in an article shared by hackingbear).

"As the U.S. pushes ahead with the 'Cloud Act' it enacted about a year ago, Europe is scrambling to curb its reach." Under the act, all U.S. cloud service providers, from Microsoft and IBM to Amazon -- when ordered -- have to provide American authorities with data stored on their servers, regardless of where it's housed. With those providers controlling much of the cloud market in Europe, the act could potentially give the US the right to access information on large swaths of the region's people and companies.

The U.S. says the act is aimed at aiding investigations. But some people are drawing parallels between the legislation and the National Intelligence Law that China put in place in 2017 requiring all its organisations and citizens to assist authorities with access to information. The Chinese law, which the US says is a tool for espionage, is cited by President Donald Trump's administration as a reason to avoid doing business with companies like Huawei Technologies. "I don't mean to compare US and Chinese laws, because obviously they aren't the same, but what we see is that on both sides, Chinese and American, there is clearly a push to have extraterritorial access to data," said Ms Laure de la Raudiere, a French lawmaker who co-heads a parliamentary cyber-security and sovereignty group. "This must be a wake up call for Europe to accelerate its own, sovereign offer in the data sector."

10 of 182 comments

  1. But China! by Anonymous Coward · · Score: 2, Insightful

    Every fucking article on China controlling state is written like they are bad guys and we are good guys.

    No, fucking morons. Our leaders are exactly the same.

  2. Please restrict us by WindBourne · · Score: 4, Insightful

    America has NO RIGHT doing this. It was what Russia did within USSR and China does. Now, we are becoming no different than other dictatorial nations.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  3. What they're saying... by Anonymous Coward · · Score: 3, Insightful

    ...is that companies, organisations, & individuals outside the US can't do business with US data farm companies if they value their privacy, R&D secrets, & IP. Add this to the revelations outed by Edward Snowden & it's a wonder that anyone in their right mind would want to get entangled in that mess.

  4. Interaction with GDPR by stevelinton · · Score: 5, Insightful

    Isn't this in combination with the GDPR just going to make it plain illegal for European data controllers to put their data on US owned servers?

    1. Re:Interaction with GDPR by Cederic · · Score: 4, Insightful

      Europe forces its laws on every company in the world

      Ah, that old canard.

      No, GDPR is not forced onto every company in the world.

      Companies wanting to operate or provide services in the EU must comply with EU law. What the mothering fuck is wrong with that?

  5. So, make it impossible to read the data by jtara · · Score: 5, Insightful

    So, just make it impossible for even the vendor to read the (unencrypted) data. The most the vendor could do is hand over encrypted data, leaving authorities to try to decrypt it without the key. Or try to force the owner to give up the key.

    One such new offering is IBM Hyper Protect DBAAS:

    Hyper Protect DBaaS: the evolution of cloud databases

    Getting started with IBM Cloud Hyper Protect DBaaS

    IBM® hosts your databases in a highly available and secure environment:

    The underlying technologies prevent IBM or a third party from being able to access your data.
    The IBM Secure Service Container technology protects the system via a tamper-proof environment. Access to the system is restricted and is only enabled through well-defined RESTful APIs.

    Data is encrypted at rest and in flight.
    The system hardware, the system configuration, and the database setup ensure high availability.

    BTW, this doesn't run on Intel hardware. It runs on IBM Z hardware, on dedicated cores per instance, which should minimize the potential for Spectre-type attacks.

    IBM is rolling this out aggressively. How aggressively?

    For now, they are handing out well-provisioned Postgres (8G memory, 80G data) and MongoDB (8G memory, 40G data) experimental instances for free.
    Only reason I am not taking them up on this is that I know we won't be able to afford the price, once it is not free. I'll stick with our 1G memory Databases for PostgreSQL instance for our little educational app.

    Hyper Protect DBaaS (pricing)

    Not an IBM shill. Just happy to not be drinking the AWS kool aid.

  6. Re:Well duh by rtb61 · · Score: 1, Insightful

    You entirely fail to take into account information people put up about other people. Take Gmail: whose mail is it, the sender's or the receiver's? By law both, and when Google invades that privacy they are engaged in a criminal act if they did not get the permission of the receiver when it is not non-gmail address.

    So the US is trying to write superlative laws, laws that supersede other countries' laws and if you disagree, what regime change, military invasion, first strike nuclear strike. Yep, the US has an entirely corrupt and crap global reputation. Liars, cheats and thieves is the US establishment.

    It will trigger a host of anti-US laws, any US corporation that obeys this law without a regional warrant would get prosecuted and to make sure the penalty stuck, local executives prosecuted and handed out custodial sentences, US has established precedent for arresting and prosecuting people for political purposes, they are stuck with it now.

    It's like the hate is bad already, go ahead, make the haters day because this will be ruthlessly attacked at all levels outside of the USA (Union of Shitty Arseholes, well, at least your government, dags on a sheep butt the majority of them with the American people as that poor suffering sheep).

    --
    Chaos - everything, everywhere, everywhen
  7. Re:Well duh by dryeo · · Score: 3, Insightful

    While Linux is obviously superior to Windows etc, most people can't review all the code, including user land. Look at OpenSSL and even bash having vulnerabilities for years.
    It's also really hard to guard against someone sneaking in and putting a key logger in your keyboard.

    --
    https://en.wikipedia.org/wiki/Inverted_totalitarianism
  8. Re: As they should be! by Teun · · Score: 3, Insightful

    You are very wrong.
    This is data belonging to the company and when a national government legally orders the company (not the ISP or storage provider!) to hand over the data to a court it is immaterial where the data is stored.
    The problem here is the US believes it can access data belonging to others without going through the owners, just because it is stored on US operated servers, even in other jurisdictions.
    Yesterday I heard German police depts. are storing their body cam footage on Amazon and now questions have been asked in the German parliament for exactly this reason/fear, US lack of legislation allows all kinds of people access without proper legal oversight.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  9. Re:Well duh by hairyfeet · · Score: 1, Insightful

    Sadly the entire "Linux code is vetted" meme is nothing but a giant case of the is-ought problem because you assume the code OUGHT to have been vetted but you have absolutely no proof that the complete codebase IS vetted.

    Look at the Bash bug that was there for years, go to US-CERT and see how many serious vulnerabilities exist even right now. We know for a fact that in the past bad actors have tried to get into places where they can inject nasty code... do you know FOR SURE that the person/s controlling the code for say the default music player on your distro is trustworthy? When was the last time the code for all the little boring bits and bobs required to make a Linux distro been actually audited? My bet is if you look at the code repo for those boring bits nobody thinks about are being seen and handled ONLY by the actual devs of that bit... are you 100% sure none of them are bad actors?

    Sure having access to the code CAN help if someone finds out there is a bug or bad actor...after the fact, but assuming that just because the code is out there someone is spending the hundreds to thousands of hours on their own time to check every single bit with all the changes being constantly done to the huge amount of code? Yeah I have a bridge you might be interested in.

    --
    ACs don't waste your time replying, your posts are never seen by me.