Europe Frightened By US 'Cloud Act', Fearing National Security Risks

"A foreign power with possible unbridled access to Europe's data is causing alarm in the region. No, it's not China. It's the U.S.," writes Bloomberg (in an article shared by hackingbear).

"As the U.S. pushes ahead with the 'Cloud Act' it enacted about a year ago, Europe is scrambling to curb its reach." Under the act, all U.S. cloud service providers, from Microsoft and IBM to Amazon -- when ordered -- have to provide American authorities with data stored on their servers, regardless of where it's housed. With those providers controlling much of the cloud market in Europe, the act could potentially give the US the right to access information on large swaths of the region's people and companies.

The U.S. says the act is aimed at aiding investigations. But some people are drawing parallels between the legislation and the National Intelligence Law that China put in place in 2017 requiring all its organisations and citizens to assist authorities with access to information. The Chinese law, which the US says is a tool for espionage, is cited by President Donald Trump's administration as a reason to avoid doing business with companies like Huawei Technologies. "I don't mean to compare US and Chinese laws, because obviously they aren't the same, but what we see is that on both sides, Chinese and American, there is clearly a push to have extraterritorial access to data," said Ms Laure de la Raudiere, a French lawmaker who co-heads a parliamentary cyber-security and sovereignty group. "This must be a wake up call for Europe to accelerate its own, sovereign offer in the data sector."

Well duh

[Rosco+P.+Coltrane]

When you put your data elsewhere than on your own iron, expect it to be as good as public. Everybody has known this since the beginning of the internet. Security-conscious IT folks don't do cloud, even if it costs more.

In my opinion, the Cloud Act is just an official recognition of what's already going on.

Re:Well duh

[BitterOak]

Security-conscious IT folks don't do cloud, even if it costs more.

In my opinion, the Cloud Act is just an official recognition of what's already going on.

Great, so you can choose not to put your organization's data in the cloud. I hope your doctor, banker, and the various other people you do business with feel the same way you do.

Re:Well duh

[AC-x]

Who owns your data center? Who owns your internet backbone?

Re:Well duh

[AHuxley]

Then the USA could not offer its cloud services from the USA into EU nations.
Its a new EU trade barrier to keep out better US services.
Forcing people in the EU to have to buy EU nation computer services over much better quality US cloud services.

Re:Well duh

[Tough+Love]

It's not actually worse than storing your data on a Windows computer, or an Apple, or Android. Basically, Linux and its ilk where the software stack is top to bottom visible to you is the _only_ way you can expect to keep your privacy and even that requires constant vigilance. Or to put it another way, if you have allowed yourself to be anally raped by Microsoft all these years then what is the point of getting upset just because your cloud provider decided to join the party?

If you have absolute control of your client, which is pretty much the default with Linux on a white box PC (short of your hardware actually being backdoored, awfully hard to hide from prying Linux eyes) then you can encrypt your cloud data and be pretty confident that nobody is getting into it. But your metadata will still be visible and you may attract attention from those who automatically regard you as a criminal because you believe that privacy is a right. It hasn't gotten quite that bad in functional democracies yet, although not for want of trying.

Re:Well duh

[rtb61]

You entirely fail to take into account information people put up about other people. Take Gmail, whose mail is it the senders or the receivers, by law both and when Google invades that privacy they are engaged in a criminal act if they did not get the permission of the receiver when it is not non-gmail address.

So the US is trying to write superlative laws, laws that supersede other countries laws and if you disagree, what regime change, military invasion, first strike nuclear strike. Yep, the US has an entirely corrupt and crap global reputation. Liars, cheats and thieves is the US establishment.

It will trigger a host of anti-US laws, any US corporation that obeys this law without a regional warrant would get prosecuted and to make sure the penalty stuck, local executives prosecuted and handed out custodial sentences, US has established precedent for arresting and prosecuting people for political purposes, they are stuck with it now.

It's like the hate is bad already, go ahead, make the haters day because this will be ruthlessly attacked at all levels outside of the USA (Union of Shitty Arseholes, well, at least your government, dags on a sheep butt the majority of them with the American people as that poor suffering sheep).

Re:Well duh

[dryeo]

While Linux is obviously superiour to Windows etc, most people can't review all the code, including user land. Look at OpenSSL and even bash having vulnerabilities for years.
It's also really hard to guard against someone sneaking in and putting a key logger in your keyboard.

Re:Well duh

[Tough+Love]

While Linux is obviously superiour to Windows etc, most people can't review all the code, including user land.

Obviously, you don't have to. But you must be able to. You must also belong to a community that takes such things seriously.

Re:Well duh

[Teun]

For a measure of 'better'. Over here in Europe we have standards regarding privacy and ownership of data.

Re:Well duh

[SuricouRaven]

A matter of effort. Yes, a government agency could send agents to pick the locks on your door and sneak a bug into your computer while you are out, or target your specific equipment for remote hacking - but that's going to take a lot of time, manpower and expense. Are you worth it?

Re:Well duh

[Lonewolf666]

It is an IMHO inevitable consequence of US law colliding with EU law.
The US say "when ordered, you have to give us the data of your customers worldwide". The EU says "you may not give that data away against our regulations" (especially to foreign countries).

I don't think it is meant as a trade barrier, at least not primarily. And if it is, I have very little sympathy for a country that threatens EU companies with sanctions about a project (North Stream 2) where the US is not even directly involved. And threatens to declare car import from Europe a threat to national security.

Re:Well duh

[Lennie]

My guess is these same security conscious IT folks also store a great deal of their wealth in bank accounts.

Which actually has the same problem (except for deposit insurance, you hope).

Re:Well duh

[hairyfeet]

Sadly the entire "Linux code is vetted" meme is nothing but a giant case of the is ought problem because you assume the code OUGHT to have been vetted but you have absolutely no proof that the complete codebase IS vetted.

Look at the Bash bug that was there for years,go to US-CERT and see how many serious vulnerabilities exist even right now. we know for a fact that in the past bad actors have tried to get into places where they can inject nasty code...do you know FOR SURE that the person/s controlling the code for say the default music player on your distro is trustworthy? When was the last time the code for all the little boring bits and bobs required to make a Linux distro been actually audited? My bet is if you look at the code repo for those boring bits nobody thinks about are being seen and handled ONLY by the actual devs of that bit...are you 100% sure none of them are bad actors?

Sure having access to the code CAN help if someone finds out there is a bug or bad actor...after the fact, but assuming that just because the code is out there someone is spending the hundreds to thousands of hours on their own time to check every single bit with all the changes being constantly done to the huge amount of code? Yeah I have a bridge you might be interested in.

Re:Well duh

[thegarbz]

Security-conscious IT folks don't do cloud, even if it costs more.

That's not remotely true. The decision to go to cloud needs to be based on the capabilities of your own organisation vs the capabilities of an organisation specialising in security.

How many times have you heard of the likes of Amazon, Google or Microsoft having their whole treasure trove of data hacked vs say the countless companies who were responsible for their own security?

Security isn't an on or off thing. It's a sliding scale with many variables.

Re:Well duh

[Kjella]

Well in this case we're talking about people who come with a court-approved warrant. As long as we're in a single jurisdiction it's only a question whether the police officers will knock on you company's door or the company next door running your servers, unless you work for the mafia or something you're just going to hand it over. And keeping it in-house doesn't actually solve the problem. It doesn't even have to involve client data.

There's two issues here:
1) Jurisdiction shopping, that despite operating in one jurisdiction you send your data to another country with more favorable laws and courts.
2) Jurisdiction leakage, that your data is unwittingly and unwillingly brought under the jurisdiction of other legal systems.

Now it's not exactly news that countries have different laws, that's one of many reasons you have legal subsidiaries. Say you're McDonald's, if you want to operate a restaurant here in Norway you have to comply with local taxes and regulations and permits and whatnot so you create McDonald's Norway, in the US you create McDonald's US and so on for each country with a simple holding company on top. So far, so good.

But now imagine if they fear some kind of price fixing investigation and say hey Norway got better privacy laws than us, let's just move the company email servers and all other non-essential data there to be operated by our Norwegian subsidiary. US courts come with a warrant, you shrug and like we have no data try the Norwegian courts. This is bad. But then you try to fix it by saying subsidiaries are puppets to a parent company, if you can instruct them then you must. That solves one problem but creates a new one.

Let's say that to reduce long term sick leave we have a program to help people get back to work, lots of gory detail on what condition you have, how it limits your working ability, what the company has done to try to accommodate you and we say this isn't just company data we're going to give it special protection and access restrictions. But then the marching orders come from the top, hand over all your data. Do you comply? If US companies can instruct their subsidiaries to comply with US law, well then Chinese companies can instruct their subsidiaries to comply with Chinese law.

The US, as usual, wants the rules to only apply in one direction. They want US courts to be able to go in and grab data from other jurisdictions, while they'll get very angry if China uses their companies as hired thugs in the same way. And they justify their hypocrisy by saying we're the good guys, it's okay when we do it. It's not okay, start respecting that these businesses operate in other countries and that here our laws take precedence and stop trying to act like world police.

Re:Well duh

I'm French, what's a backbone?

Re:Well duh

[Tough+Love]

Can you audit the source code of Windows? No? Then you are the FUD.

Re:Well duh

[zaphirplane]

how does that work for a french company's US subsidiary receiving a court order for their data? I mean even with your own datacenter if you have business in the US you are have to comply

Re:Well duh

[RespekMyAthorati]

il est "le backbone".

As they should be!

[oldgraybeard]

"Under the act, all U.S. cloud service providers, from Microsoft and IBM to Amazon -- when ordered"
Guess if you have already move on board(to the cloud) you have some thinking to do. Your data is in someone elses hands.

Just my 2 cents ;)

Re:As they should be!

[currently_awake]

I think EU data protection laws forbid this. Meaning every single American cloud server company just got banned from the entire EU.

Re: As they should be!

Sorry... I couldn't catch my breath from laughing SOOOOO hard.

I trust American courts about as much I as trust my dog when seated in front of a steak. While I don't think they will eat it... I'm rarely surprised when there is nothing but a bone left over after 30 seconds.

Re:As they should be!

[Tough+Love]

That would make a whole pile of business sense, never mind the ethical issues.

Re: As they should be!

[Tough+Love]

Want to investigate Company X, its CEO or any of its employees? Sorry, all pertinent e-mails and documents are stored on servers in [some other country] and we don't have to give them to you.

I see your point! The problem is, even if we can always get your data, then what about your thoughts? We need access to those too, and it shouldn't matter where you live.

Re:As they should be!

Correct. All your eggs in another persons basket. And if the other persons storage farm is not helpful, all the comms over the transatlantic cable may also be bugged/recorded.

The EU should levy a 30% non-EU privacy compliant IT TAX on all IT services and facilities yesterday. Not that Boeing would get to read Airbus emails etc - nahhhh.

Re: As they should be!

[Teun]

You a very wrong
This is data belonging to the company and when a national government legally orders the company (not the ISP or storage provider!) to hand over the data to a court it is immaterial where the data is stored.
The problem here is the US believes it can access data belonging to others without going through the owners, just because it is stored on US operated servers, even in other jurisdictions.
Yesterday I heard German police depts. are storing their body cam footage on Amazon and now questions have been asked in the German parliament for exactly this reason/fear, US lack of legislation allows all kinds of people access without proper legal oversight.

Re: As they should be!

[Teun]

Then sue Company X, not secretly or not secretly go after the storage and mail provider.
When you (the court) has a good case foreign governments and jurisdictions will cooperate.

Re:As they should be!

[Teun]

Please differentiate between the company (under investigation) and the provider of services.

Re:As they should be!

[SuricouRaven]

It does put them in an awkward situation, where they may be forced to choose between obeying EU law and obeying US law. Though I imagine they could play enough games with shells and subsiduaries to be able to argue in court that their US and EU cloud divisions are completely separate and confined to their own areas.

Re: As they should be!

[Tough+Love]

Whoosh.

Re:As they should be!

[Type44Q]

you have some thinking to do.

Me thinks you ask too much...

Re:As they should be!

[thegarbz]

Your data is in someone elses hands.

The question is, are your own hands safer?

Re:As they should be!

[AmiMoJo]

What would be the legal consequences? US employees could ask, EU employees could refuse... As long as they set it up so that US employees are locked out it seems like it won't work.

But China!

Every fucking article on China controlling state is written like they are bad guys and we are good guys.

No, fucking morons. Our leaders are exactly the same.

Re:But China!

false. china's "drain the swamp" policy resulted in heads being rolled of both corrupt local politicians, high ranking party members and more than a few millionaires. they also have an affordable health care system and when they set out to oversee their industries, they nationalized whole companies and factories that dared to routinely violate regulations. additionally when some factory closes down they make damn sure people don't end up without jobs. even if they have to subsidize the whole sector (steel) they'll figure something out.

overall, both the us and china are corrupt and oppressive oligarchies run by the 1%. but china is still acting to improve the welfare and the overall quality of life of all its people. by comparison, the us has wasted all its capital on class warfare in the last 100 years.

Re:But China!

[Cmdln+Daco]

Read Maos Lil' Red book; then the USA Constitution & Bill of Rights.

What does that even mean? You are saying that China's legal system is run according to 'Quotations from Chairman Mao' as compiled in 1966?

Or just ignorant anti-Communist red-baiting?

Re:But China!

[srmalloy]

Particularly when the summary at the top cites China's National Intelligence Law and its intent -- do you think the Chinese government is going to permit, say, Huawei to say "That data's in the server farm at our datacenter in South Carolina; we don't have to give it to you" when they are 'requested' to provide it? The "Cloud Act" is precisely the same thing, only spelled out explicitly to minimize having the lawyers spin out legal machinations over the precise meaning of the grammar of the law for months or years.

Re:But China!

[AHuxley]

In the USA you have the freedom of speech.
To say Taiwan is the real China.
To talk about the 1989 Tiananmen Square protests.
To enjoy a cartoon bear.
Read and comment on books like 1984, Animal farm.
To mention term limits.
To enjoy a movie and review the movie. To make a movie. To comment on a movie. To comment on the politics of a movie.
Enjoy many different types of publications from Japan, South Korea, Taiwan.
No getting reported to a Communist gov after speech and for speech.

Thats what sets the freedom in the USA apart from the total control of any Communist government.

The good guys let people publish and stay free after publication.
The bad guys have list of words, books, terms, cartoons, history to remove.

EU nations have their own laws on art, culture, history, politics, cartoons, protests making the US cloud products much better for publication globally.

Re:But China!

[h33t+l4x0r]

The good guys also let corporations bribe politicians as part of "free speech".

Re:But China!

[Blue+Stone]

>Our leaders are exactly the same.

This is the same bullshit as during the 2015 election: Trump and Hilary are the same.

Nope. They're not. The Chinese, who torture and murder their citizens and put them in correctional camps are not the same as the leaders here.

Our leaders might be shiity and corrupt and fail to live up to our expectations, but just a cursory glance at the way the Chinese state treats its citizens shows such claims of equivalence to be grossly ignorant and utterly false.

Re: But China!

[astrofurter]

He's most likely never read any Mao. Probably hasn't read the US Constitution either.

I bet that guy thinks Adam Smith's magnum opus is about capitalism & free markets, too.

Re: But China!

[astrofurter]

Yet our gulag is noticeably larger than China's. Something doesn't add up here...

Re:But China!

[Alypius]

To make a movie.

Unless you get in the way of Progressives and their beloved narrative.

Re:But China!

[AHuxley]

Still free to make a sci fi movie, enjoy a superstitious film.

Re:But China!

[thegarbz]

Yeah your leaders are much nicer simply droning them out of existence without trial. But that's only for citizens. If you're truly unlucky to witness the hospitality of the USA you may find yourself in a Cuban enclave instead.

Happy I'm NOT "millennial"

I have to agree, it sounds a lot/too dang much like China. My data used to be mine.
  As I look at what today says about the future, I'm profoundly grateful to be old now, having enjoyed my youth when it was still fun. I don't believe today's crop of eager, ambitious, hopeful young people have a real idea of what their future holds. The Cold War scared me a lot when I was that age, and now the Cold War looks very tame. The climate we old folks have made for them, the surveillance society that's evolving, and similar scary sh...tuff ought to scare the crap outta young people.
    -Fight it, while you still can! Good luck, kids!

Re:Happy I'm NOT "millennial"

[Rosco+P.+Coltrane]

That's the power of hindsight my friend. We know what is (or may be) in store for the new generations because we've lived more than then.

But look at the bright side: like you said, the younger generation stay hopeful. They walk blindly into their bleak future, because they don't have a past to compare it to. But at least they don't fret over it like we do.

Please restrict us

[WindBourne]

America has NO RIGHT doing this. It was what Russia did within USSR and CHina does. Now, we are becoming no different than other dictatorial nations.

Re:Please restrict us

[Tablizer]

I hope Europe tells the USA to shove that law where the Eagle doesn't shine.

Re:Please restrict us

[WindBourne]

I agree with you. This is wrong. I'm hoping that they block this. The west is supposed to work together, not fight each other like this. What Trump/GOP are doing is just plain wrong.

Re:Please restrict us

[Corbets]

One hopes they will, anyway,

But the reality is that the rest of the world bent over for the US with extraterritorial laws like FATCA, so I’m uncertain how much resistance they’ll really put up here. Perhaps, since it’s their own citizens this time...

Yes, if you don't own it, someone else does.

[Frobnicator]

Hardly news, and this has been "news" in the computer world since the beginning.

This is not a new concern. People have been renting out hardware long before Amazon was invented, computer time has been rented out . Back in the 1960s and 1970s many mid-sized banks were hesitant to avoid computers not because they didn't trust or couldn't afford the machines, but because they didn't trust the companies who owned the machines or the governments where the computers were located. IBM with locations around the globe was the biggest and generally considered most trustworthy, but (looking up history online) you could rent computer access from Honeywell, Sperry Rand, Siemens, EMI, Olivetti, and others. Noting their location, that could mean you were subject to US laws, or UK laws, or Germany or France or Italy or wherever the computing center was located.

I recall discussions a decade ago asking how much we valued hosting our own data, if we were willing to sacrifice the security of controlling it versus the convenience of letting Google Docs control access to all our documents. There are companies who trust every bit of their digital data to Amazon or Google or other companies. They figure that the cost savings is a benefit, and they don't care about (or don't realize) the security implications.

There are companies that decide that maintaining control is important. For them, even if it would be cheaper or easier to lease out hardware remotely the value of maintaining control is greater than any cost savings.

Re:Yes, if you don't own it, someone else does.

[Corbets]

There are companies who trust every bit of their digital data to Amazon or Google or other companies. They figure that the cost savings is a benefit, and they don't care about (or don't realize) the security implications.

I think it’s an overly-broad brush to paint those companies with to say they don’t care or realize the implications.

Remember that security, like all of business, is a risk. The risk must be balanced against the benefits, and in some cases security will be (perceived) as being less valuable than the benefits. It’s a fair analysis... as long as they’ve done the analysis.

Re:Yes, if you don't own it, someone else does.

[thegarbz]

They figure that the cost savings is a benefit, and they don't care about (or don't realize) the security implications.

Quite the opposite. Security implications are the core part of any decision to go to cloud. The security implications usually weigh up the risk of handing data to a third party vs our own capabilities to keep it secure.

Azure, AWS, etc host a shitton of confidential information from some of the biggest companies in the world. You'd think with that kind of a target we'd be hearing daily about breaches. Instead we get an endless string of breaches from companies that have failed to secure their own servers, or attempted to roll their own cloud infrastructure.

Think of it this way. Do you go to the doctor. Do you literally put your life in someone else's hand? Or do you build up your own medical lab so you can diagnose and treat yourself whenever you need? I mean we're not talking about something as handwavey as security here, we're talking about your life!

You'll also find that not only do companies not entrust ALL their data to the cloud, but the cloud providers give you tools to automate the process. For example (from where I work) Azure Information Protection client is configured on all our machines to force us to classify all documents. If I were to write a document, when I go to save it gives me the classification options. Should I tick "secret" or "sensitive" the document would automatically refuse synchronisation on OneDrive, it would automatically refuse to be handled by our exchange server if it were not encrypted, I would be unable to upload it to Sharepoint etc etc etc.

Managing and tightening down on secret information is an option provided by cloud providers to enable more control of security. These benefits and customisation need to be weighed up against the ability to roll this out yourself.

Re:Yes, if you don't own it, someone else does.

[Cederic]

Azure, AWS, etc host a shitton of confidential information from some of the biggest companies in the world. You'd think with that kind of a target we'd be hearing daily about breaches. Instead we get an endless string of breaches from companies that have failed to secure their own servers, or attempted to roll their own cloud infrastructure.

There are weekly fucking stories about data on AWS being illicitly accessed. It's fucking commonplace.

The reason you don't hear about cloud services being hacked is because the responsibility and thus blame is always dropped on the end user organisation.

The cloud is not secure, quite apart from shitty us laws.

Re:Yes, if you don't own it, someone else does.

[thegarbz]

There are weekly fucking stories about data on AWS being illicitly accessed. It's fucking commonplace.

There are weakly stories of AWS being access due to companies (who you are saying are the ones who should be in charge of security) setting up their AWS systems insecurely.

The cloud is as secure as your organisation makes it. There have not been any reports of massive breaches, only individual breaches from insecurely setup systems which are setup by the very people who would also be in charge of security at your organisation.

There's a common idiot in your security equation. The question is, if you get rid of that idiot what's more secure, the cloud or your personal system.

Re:Yes, if you don't own it, someone else does.

[Cederic]

The cloud is as secure as your organisation makes it.

what's more secure, the cloud or your personal system

Oddly enough, neither. Apply appropriate security controls or you're in trouble either way.

What they're saying...

...is that companies, organisations, & individuals outside the US can't do business with US data farm companies if they value their privacy, R&D secrets, & IP. Add this to the revelations outed by Edward Snowden & it's a wonder that anyone in their right mind would want to get entangled in that mess.

Re:What they're saying...

[sjames]

I'm not a lawyer, but I wonder if it's possible for a European company to use an American cloud provider at all without breaking European data privacy laws now?

Re:What they're saying...

[sjames]

The U.S. government is not the government in the EU.

Interaction with GDPR

[stevelinton]

Isn't this in combination with the GDPR just going to make it plain illegal for European data controllers to put their data on US owned servers?

Re:Interaction with GDPR

[CanadianMacFan]

The problem is that it isn't just US owned servers. The US authorities also believe that any servers owned by the subsidiaries of US companies are also fair game. Microsoft recently tried to fight having data stored in Ireland, owned by Microsoft Ireland, being included in a search in the US.

So this act will include servers in Europe owned by European companies that have to follow the GDPR just because they have an American parent company. The companies are going to do some creative working in order to break up the ownership link to foreign subsidiaries while still maintaining the value they have in order to prevent the stocks from tanking. They can't just create a parent for all of the companies because the parent needs to be outside of US jurisdiction. But they all have expensive and creative accountants and lawyers so they will figure something out.

Re:Interaction with GDPR

[Lonewolf666]

Your company could get around it, of course, by running its own server farms and not using the cloud providers, but then you would be at the mercy of whatever jurisdiction you're domiciled in.

You are that anyway - the country where your company resides has a lot more means of putting the pressure on than just confiscating your data. The "Cloud Act" makes you additionally vulnerable to the US if you use US cloud providers.

Re:Interaction with GDPR

[Cederic]

Europe forces its laws on every company in the world

Ah, that old canard.

No, GDPR is not forced onto every company in the world.

Companies wanting to operate or provide services in the EU must comply with EU law. What the mothering fuck is wrong with that?

Or...

... we need some way of obfuscating data with secrets that are not stored on the cloud provider ... we could call it ENCRYPTION.

US Government Foreign Policy Hypocritical???

Say it ain't so!!!

So, make it impossible to read the data

[jtara]

So, just make it impossible for even the vendor to read the (unencrypted) data. The most the vendor could do is hand over encrypted data, leaving authorities to try to decrypt it without the key. Or try to force the owner to give up the key.

One such new offering is IBM Hyper Protect DBAAS:

Hyper Protect DBaaS: the evolution of cloud databases

Getting started with IBM Cloud Hyper Protect DBaaS

IBM® hosts your databases in a highly available and secure environment:

The underlying technologies prevent IBM or a third party from being able to access your data.
The IBM Secure Service Container technology protects the system via a tamper-proof environment. Access to the system is restricted and is only enabled through well-defined RESTful APIs.

Data is encrypted at rest and in flight.
The system hardware, the system configuration, and the database setup ensure high availability.

BTW, this doesn't run on Intel hardware. It runs on IBM Z hardware, on dedicated cores per instance, which should minimize the potential for Spectre-type attacks.

IBM is rolling this out aggressively. How aggressively?

For now, they are handing out well-provisioned Postgres (8G memory, 80G data) and MongoDB (8G memory, 40G data) experimental instances for free.
Only reason I am not taking them up on this is that I know we won't be able to afford the price, once it is not free. I'll stick with out 1G memory Databases for PostgreSql instance for our little educational app.

Hyper Protect DBaaS (pricing)

Not an IBM shill. Just happy to not be drinking the AWS kool aid.

Re:The west needs to get our act together

Yeah, I'm sure if Putin was never in the picture, all the Democrat and Republican politicians would just be double super good.
Damn you Putin!

American law is a double edged sword for them

[MikeRT]

The flip side of this is that if you're European and can evade being identified locally, you can use American hosts to protect your speech since federal law protects American hosts from being taken to court for speech that is legal under the first amendment.

Re:American law is a double edged sword for them

[currently_awake]

Host the data in America, host the encryption keys in the EU?

Re:American law is a double edged sword for them

[Highdude702]

Go walk up to a cop in Germany and tell him the Holocaust was a hoax. See how far your European free speech gets you. Or did you mean regulated as in can only say certain approved things?

Own, as opposed to commercial

[davecb]

In a previous life, pretending to be a bog-data person, we could use US-based Google BigTables only because
- the most sensitive information had to be published in a political-contributors report later, and
- the personal (personally identifying) information was only kept there for the duration of the election campaign.

Otherwise, we would have had to store it in Canada on equipment we owned.

Re:Own, as opposed to commercial

[davecb]

s/bog/big/

Hmmn, that may have been a Freudian slip, based on my opinion of the big data of the day ...

Re:Own, as opposed to commercial

[Aighearach]

Bogs are great data stores, look how long bog cheese keeps its flavor!

Re:Own, as opposed to commercial

[Jane+Q.+Public]

You were foolish to use Google BigTables EVER.

We know for a fact that:

1) Google has NEVER been honest about the data it extracts or keeps.

2) It is quite possible they were truthful about information stored in BigTables, but dollars to doughnuts the TOS never mentioned the data being stored elsewhere, outside of BigTables.

Re:Own, as opposed to commercial

[Jane+Q.+Public]

Oops... (2) isn't a known "fact".

But I wouldn't be surprised at all if it were a fact.

Re:Own, as opposed to commercial

[K.+S.+Kyosuke]

Bog data storage for bioinformatics

Re:No wonder Trump hates China so much

[WindBourne]

Nope. He does not hate China. He is just using them hoping to take attention away from his treason.
HOWEVER, he was doing the right thing with CHina. We will see what happens down the road. I suspect that his deal with China will be a joke and a half, and fix nothing.

Re: The west needs to get our act together

This Putin guy must be some superhero. He singlehandedly took over the west while sitting on a failed second-world impoverished country's chair.

No, because they need a warrant / subpoena

[raymorris]

In a word, no. There could be some concerns in some cases, but generally not an issue.

The Cloud Act relates to what a warrant or subpeona may reach, and doesn't change anything - it just affirms what existing law, stating explicitly what had been implicit.

It says that the pre-existing power of US courts to order US companies to turn over data material to a case cannot be thwarted by the US company stashing the bits on disks which are physically overseas. That was already a bit of a "duh, no shit" to anyone who has studied law, but Congress saw fit to state it explicitly.

GDPR doesn't say you can't comply with a subpoena or warrant. It explicitly says you can comply. So no problem, there, no conflict between Cloud Act and GDPR, generally.

The one wrinkle is that GDPR says when you send data to another country, one of two things needs to be in place

A mutual legal assistance agreement
Or
The other country has approved privacy law

The US has both. A new data privacy safe harbor agreement with the US was approved by the EU in 2016, after the previous one was found lacking. We also have a Mutual Legal Assistance Agreement (MLAA).

There could be cases, however, in which a subpoena is issued which doesn't comply with the MLAA. Then one could argue complying with that particular subpeona could violate GDPR. Except we ALSO have the 2016 safe harbor agreement, so the MLAA isn't actually necessary anyway.

So in rare cases you could argue that there might be a conflict, but you'd probably lose that argument.

Turnabout is fair play

[PPH]

What's stopping the EU from taking the position that they have similar access to users data stored on American servers? Google/Facebook provide services to Europeans, Europe has the right to access their data to support 'investigations'.

First of all, I don't see any definitions of the extent of the US law. Does it only apply to the data of US persons in support of a US investigation? Then I don't see a problem with granting the EU the same sorts of access to EU persons for the same reasons. Nowhere is it stated that the US wants to go on fishing expeditions through non US persons data. But if this is the case, then I don't see where European officials shouldn't have the same rights.

Current leadership in the USA is an issue

But there is a huge difference between China and the USA govts.
In China, when you disagree with the govt, you and your family disappear, cannot travel, don't get a lawyer and often aren't seen for a yr. If you appeal, you get re-sentenced to death.
In the USA, you get a lawyer, can usually fight back, appeal any decision.

A few quick reminders:
Xi is
* a dictator for life
* sends millions of Chinese to "re-education camps"
* no freedom of speech
* no freedom of travel
* China uses tanks against their own people.
* Religious re-education cities with 1M+ people.
* smartphones **must** have govt tracking software
* Your social network posts are tracked by the govt and rated. A poor rating can block rights and travel.
* don't recognize international waters as ruled by world-wide govts
* Currency manipulation
* intellectual property stealer / Hacker of companies and govts world-wide
* Highly selective enforcement for any laws; usually against foreign companies and Chinese companies that cause large number of deaths
* Tibet takeover
* Tienanmen Square; they admit to killing over 1,022 civilians. Other estimates are over 10,000 deaths.
* Check your server logs, most attacks are probably from Chinese IP ranges.
* Their elections are fixed - only approved party members can be on the ballot. So, would you like Bernie or Clinton or Gore or Dukakis?
Like any of those are even a different choice from the others. Well, freakin' terrible vs really, really, bad is a choice, I suppose.
* Police in China behave like thugs. Ok, sometimes that happens in the USA too.
* Taiwan, cough.

Don't forget what China is and how they behave.
---
Cisco and Motorola caught Huawei stealing their intellectual property.
https://www.wsj.com/articles/S...

        Huawei Admits Copying Code From Cisco in Router Software
https://www.reuters.com/articl...
---
        Motorola sues Huawei for trade secret theft
Huawei physically stole parts in 2014 from a testing robot during a
visit to T-Mobile. The robot was used to ensure buttons on phones would last.
---
https://www.nytimes.com/2016/1...
China hacked more than 245 companies and agencies, including US Navy and NASA.
Ref: https://arstechnica.com/tech-p...

This happened while The US/China economic espionage pact was in-force beginning in 2016.

The USA isn't perfect, but it isn't China. Not by a long shot. If you refuse to decrypt data at the US border, they keep the data and you can sue to have it returned. Canada, UK, Australia, France, Thailand, and 50 other countries would demand you unlock it at the border without any reasonable cause. It is illegal to refuse, a crime.

Re:I don't mean to compare US and Chinese laws

[phantomfive]

DuPont is American, founded in Delaware.

Cloud act needs repealed

[jwymanm]

That law is a prime example of slippery slope. The USA controls a lot of Internet resources and to make reaching laws gives other countries precedence to do exactly the same and now we just have clouds that don't pass territorial lines. Granted the spying was most likely happening anyway since nobody can trust their own country let alone each others countries anymore. At least though we didn't have a law saying we're going to f'n spy on you no matter where your data is.

Re: The west needs to get our act together

Trump is just that weak.

Re:USA has no jurisdiction in Europe

[Pinky's+Brain]

They can punish multinationals for not complying though.

Playing chicken requires some balls and a lack of care for the consequences to win, the EU has no balls and the US is ruled by someone who doesn't give a shit about consequences. So in a game of chicken the US always wins.

When push comes to shove the EU will not impose liabilities on multinationals for complying with the Cloud act, but the US prosecutors would for not complying. The multinationals know this, so EU law is irrelevant and the Cloud act reigns supreme.

Re:USA has no jurisdiction in Europe

When push comes to shove the EU will not impose liabilities on multinationals for complying with the Cloud act

In before "OMG, EU is just fining US companies to get free money!"

Also, the solution is going to be that "Microsoft Cloud US" and "Microsoft Cloud EU" are two completely different companies that has nothing to do with each other more than both having the same owner.
One will comply with US rules and one will comply with EU rules.

There will also be a "Microsoft Cloud CH" where you for some reason can't have files named Winnie.

Re:There's a Way Out

[Lonewolf666]

In effect, that would mean that cloud services are only allowed to work with data from their own country. Or businesses would have to keep stuff on their own servers, as they did for, oh, 30 years or so before the data services in question became common?

Way to miss the point, AC

[MikeRT]

This is not true. UK legal precedent is that a UK court can prosecute speech even when abroad if the UK is a primary audience.

Hey smart guy, did you miss that little caveat about "if you can evade being identified locally?"

UK law enforcement has no legal standing in the US on this issue. That means that if you are in the UK and want to host edgy commentary all you have to do is find a host in the US that you like. If UK police send a subpoena, the American host is going to laugh hysterically and respond "stop wasting our time, limey pig."

Not DMCA safe harbor. It's a legal term

[raymorris]

I'm going to guess that when you saw the term "safe harbor" you thought of the safe harbor provisions of the DMCA, or some other law you are familiar with. Many laws have safe harbor provisions - including GDPR.

GDPR Article 47 states that companies outside the EEA that adopt "binding corporate rules" for data protection are exempt from GDPR Article 45, if their adoption is "approved by a competent supervisory authority".

Such "binding corporate rules" was first laid down in the EU-US Safe Harbour Principles (2000-2015), which was later renamed (with minor changes) as the EU-US Privacy Shield Framework (2016).

So you don;t know what is ought problem is

Nor do you know what security by obscurity means and why it's rubbish.

All your screed there is bullshit. Why do you think cameras are recording in Malls? Stealing still happens, but the POSSIBILITY of getting caught puts people off and the number of attempts to actually stop reduce. Same with open source code: many are put off because if they DO get caught, they not only lose the access, they also get known as a black hat.

Meanwhile closed source can pretend there isn't a problem, and can even refuse to look for problems so that they can plausibly deny any culpability when the problem arises.

Re:A sensible requirement for sure

[Cederic]

Protecting the US economy does however imply not fucking over America's IT industry, which the inane data access laws are likely to do.

Australian companies are already losing business or migrating key operations to other countries because the Australian government enacted idiotic laws. Spanish media screamed when the government enacted the idiotic laws they asked for because they lost so much business.

Governments are struggling to understand that technology makes it easy to avoid damaging laws.

In 2015, reworked in 2016

[raymorris]

It was ended in 2015, then re-done in 2016.
It's possible something happened in the last few weeks that I'm unaware of.