The German laws on that are interesting, and I don’t think Google’s Cloud can ever comply with them – because you may not give any foreign third party access to personally identifiable data, or move it to a country with lower data privacy laws, hosting it in a Google-provided system would be quite problematic.
Although the laws are a pain (including for me, even if you just host an IRC bouncer for a bunch of people they become quite interesting), I wouldn’t trade them away for anything, because they help ensure that all spying that happens can be democratically regulated by those who are spied upon.
>I really don't understand why countries are so persistent about storing data in their country
It is about having some rights. So say if you are from the USA then Google or NSA should follow the laws, but if say I am a politician from some other country the Google and NSA employees can just read my emails and then blackmail me (or grab my PayPal code and grab my money) because US laws only protect US citizens, terms of service are not laws and we know that we can't attribute morality to Google, Apple or NSA.
> Other countries have their equivalents of the NSA, but as far as I know none of them have a law preventing companies from announcing that their respective agency has grabbed a user's data.
It's hard to know exactly what the US law is too because it's classified. I would not trust that any country is safe from snooping--always assume it will happen.
> Or would that still violate GDPR as Google as an American company can still be coerced to give access to data stored on their servers outside the US?
Yes, because of the CLOUD Act. If GA would create a deployable agent that processes user data on your server before sending it in aggregate/anonymously to central GA, that would make it usable.
> Part of the issue is that data is transmitted outside the EU - but that seems easily fixable.
Not quite, since the CLOUD Act [0] was put in effect.
This is the gist of the problem:
The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.
And this is under "International reactions":
The European Data Protection Supervisor (EDPS) viewed the CLOUD Act as a law in possible conflict with the GDPR. The German Commissioner for Data Protection has warned against the use of US based Amazon Web Services for storing sensitive data for the Federal Police.
> The US government has a policy that is substantially similar in many respect
Not at all. The US legal tools that let the government demand data substantially limit what can be demanded. There is currently nothing in US law that prevents you from protecting your own systems. You might get an NSL, but you can fight it.
No doubt the US government collects a lot of data covertly, but you can fight that too. I'm not a big fan of giant US tech companies, but (based on well-placed friends I trust) I believe Google and others sincerely fight covert collection, and they're pretty competent.
I think a good choice for a private conversation would be a browser peer-to-peer WebRTC conversation on one of many hosts such as https://talky.io/ (for example). Good end-to-end encryption, perfect forward secrecy, open-source clients running on your platform of choice, many possible Web hosts which are unlikely to have been all backdoored by the government (and you can set up your own easily if you want). Obviously if you have been specifically targeted by a state-level agency, your client is probably already hacked and none of that matters, but those attacks are expensive and it seems unlikely that covers more than a small fraction of people.
It is counterproductive to take the position that all countries are similarly bad and there's nothing we can do about it.
And yet this was/is one of the justifications for implementing this.
They're not doing it in the EU because (a) there are decent privacy laws, and (b) IP addresses are (IIRC) considered personal information and so Cloudflare DoH would be responsible for keeping a whole bunch of data safe. They may not want that responsibility.
This seems to (currently) be US-only because of the sucky US privacy laws.
> Any potentially-sensitive data would presumably be stored outside the US's borders in that case, in a country with laws sympathetic to the company's interests. I just don't see a good argument to be made for allowing a company chartered under US law to behave this way.
Well, currently then they need to search a country that would not cooperate. Currently if some bad guy would store sensitive/illegal or whatever data in Germany and the US would come and ask for it, the German law enforcement would check if the request (would meet all requirements in the German law for data search, etc) is valid and if it would, they would hand over the data. That's how it should happen and how it actually happens to some extent.
> Google is 1000 times more transparent company than ByteDance. It is OK to use US services for non-US countries.
Are we talking about freedom of speech? I 100% agree.
Otherwise, I don't think Google is a good example. There are actually many bad cases among US and EU companies. Just consider a few blow ups that we had with Google (e.g. Street View), Cisco (the issue with NSA), RSA (also the story about NSA), Facebook scandals, Crypto AG, Gemalto SIM cards, etc.
Are they less evil or more transparent? I don't think so. It's the system that's more transparent in the West, not companies. So when something leaks it's more likely that we are informed and it will blow up.
If you want to link everything to national security, then obviously domestic services are right choices. But, I'm still against banning and blocking other services. It's just against how I like the world to look like. It also sets a bad standard for other countries to inherit it. You don't want to disconnect the world more than it's now. History shows that it has bad consequences no matter where you are standing.
I think the right move would be setting good data protection laws (e.g. GDPR), and educating people about data privacy and help them to understand all the risks that are involved.
> People will need to realize that they will need to be welcoming to either everyone or noone, everything else is just bigotry.
AFAICT, Germany hasn't accused the NSA of doing anything illegal after the Snowden revelations. Should Germany be welcoming to the NSA in your opinion, lest Germany be accused of bigotry?
If the answer is that it is a separate issue because the NSA is a government agency of a nation-state and not a citizen, then I think good faith requires that you grant FUGoogle an edge case to your argument as well. After all, the argument they are putting forward is that Google is a powerful organization that surveils, censors, and avoids paying taxes. (Also, they make the argument that Google can't legally say no to participating in U.S. wide-net surveillance programs.)
Argue the substance, of which there is much, but please don't branch off into, "They came for Google and I said nothing." It's low effort.
> Definitely, I'm on the lookout for any kind of service that operates in a country with transparent law enforcement and accountability.
Being European, I'm looking for services which operate in my home country. I prefer to be spied on where I'm a citizen, because the US clearly only protects the privacy of its own citizens, and because it is illusory that intelligence services be transparent.
However, there is no such thing as a European company running cloud services for email, rss, file storage and social network: Not even talking about dismissing American-funded start-ups, all the supposedly European services are run under a .com website, and this extension puts them under American trade and penal laws - We've had this example of a UK piracy website run by a UK citizen be tried in the US, where the defendant knew no one, for the domain was in .com.
Note that I would trust a cloud service registered in my home country and in .se, because they have proper forms of government.
Who's up to start such a company? I'd give them big money to keep my records home.
>So Germans will find lots of loopholes to be covered, such as not using a German hosting first, and not stating their Web/Gopher/Gemini site as a commercial service, with no data collecting at all.
Again, this is criminal.
Again, I am aware that there are numerous technical means to circumvent this, yet all of these are criminal.
> Do you know what it is like to live in a jurisdiction where you are actually liable for what happens to the data of your users?
No offense but it's this same reason that U.S. companies would be pilloried if they hosted all their users' private data on a cloud service hosted in Russia or China.
Even without an entity like the NSA an organization in the EU could not simply assume that any other nation obeys their data privacy rules without a strong bilateral agreement dictating just that.
That's not a consequence of the "recent scandal" as even now the scandal hasn't revealed anything with regard to non-U.S. networks that wasn't already known: the NSA intercepts communications abroad when they can, just as they've done since 1949.
The NSA stories have certainly brought it to prominence but anyone hosting their users' private data on Amazon's US-EAST before this, without a guarantee that the U.S. would obey European data privacy laws at the Virginia data center, was guilty of negligence at best, since no such agreement has ever been made to my knowledge.
What the NSA stories have helped to illustrate is that there is an essential disconnect between applying nation-level laws to global-level networks that needs to be rectified one way or another.
> Data hosted in Germany won't be accessible to Microsoft US nor the US government.
How do we know? Is Microsoft planning to release the source code?
> If the German government can access that data so what? Do you really expect to escape from that?
Yes.
I agree with your general point that this is a step forward, but I am also wary that people will perceive this as solving the massive problems we have with securing ourselves from pervasive surveillance.
Keep in mind this is basically just a promise from Microsoft that they'll keep your data in your country, so it's only as good as Microsoft's willingness and ability to keep that promise. If you trust it, it's a step forward, but Microsoft is far from being worthy of that trust, so it's a very small step forward, so small it's barely worth talking about.
Can you explain what you mean by this? If the data is owned by Google, then the US government can compel them to turn it over; full stop. The fact that it lives in another country and never enters into the US is irrelevant; the US government can just say "give us this data, or we will do things that will cause you serious financial/legal harm".
> What is stopping them to force you to give access to your cloud providers though?
The fact that a) the cloud provider is in a different jurisdiction b) many countries have very broad "anti-hacking" laws that they'd be breaking. It's not by any means a "naturally safe" way of working, but under the current hodgepodge of laws it has some benefits.
> I know that my ISP works with the German government to help them censor me accessing certain websites by blocking DNS.
Citation on o2/Telekom/etc blocking domains?
> I also know that they collaborate with lawyers going after individual p2p users.
Kind of hard not to do if you're legally obliged. But not per se a privacy violation and not a matter of snooping on content.
> And I know it has a history of serving advertisements on domains that don't resolve (something I opted out of years ago).
Ok but again not really a major privacy leak, just stupid/bad/user-hostile practice.
> I also know DNS traffic data is routinely shared between different nation states and that this practice has little or no oversight.
And who is the main party spying on/in Germany? The Snowden leaks tell us the NSA, with active but idiotically unaware cooperation by the BND. So you're giving data directly to a US cloud provider instead.
> Does anyone else remember when housing data in US servers was considered less private than alternatives?
Right now much of Europe considers storing data in the US to be less private than hosting it locally. The US is certainly not in the same category as Russia or China, but it's not great either.
> but I sort of agree with the US government that it's crazy to give that much of (mostly) your youth's attention to an adversary.
In a way Europe has been doing that for many years. The US does not have any privacy protection of foreigners, the NSA is only not supposed to capture data on US citizens.
Only now are we seeing Google Analytics banned in many European countries. But it's a very small step.