Getting out of the cloud…
blog.koehntopp.infoDear HN, please scale down the panic.
>President Trump’s Executive Order calls for federal agencies in the U.S. to ensure that their privacy notices make clear that Privacy Act protections extend only to citizens and permanent residents of the U.S. Importantly, Article 14 of the Order explicitly states that the federal agencies must do so in a manner that is “consistent with applicable law.” In the context of EU-U.S. data transfers for law enforcement purposes, the Judicial Redress Act constitutes applicable law, and thus President Trump’s Executive Order, as written, should not impact the Judicial Redress Act’s extension of the Privacy Act’s protections to citizens of the EU. As a result, absent further action from the U.S. government, we do not expect this Executive Order to impact the legal viability of the Privacy Shield Framework.
https://www.huntonprivacyblog.com/2017/01/28/privacy-shield-...
Here is a good summary from Techcrunch. TLDR: the EO shouldn't invalidate Privacy Shield protections, but the whole framework is flawed and does not guarantee privacy of EU citizens. The relevant parts:
> The spokeswoman has now sent us a statement in which the EC asserts that Privacy Shield “does not rely on the protections under the U.S. Privacy Act”.
> Critics of Privacy Shield –– including the lawyer who brought the original challenge against Safe Harbor — have consistently argued the arrangement contains the same fundamental flaws as its invalidated predecessor, given ongoing U.S. government agency surveillance programs accessing European citizens’ data.
https://techcrunch.com/2017/01/26/trump-order-strips-privacy...
Yes, seriously. Trump's orders only apply to the federal government. State and local governments, along with private companies, still have full discretion when it comes to their privacy policies and other actions.
Starting to think the Trump presidency will be great for Europe, by making it politically unfeasible for European politicians to continue pretending the US is a good ally, leader of the free world, champion of liberal values, etc...
The US fifth column voluntarily leaving the EU will surely expedite the process.
By any objective standard, the last 70 years were the best ever for Europe, and the world as a whole. There are certainly differences of opinion and interests between Europe and the US, but they are far from negating the overlaps. The ideas that the US has propagated are fundamentally sound, and any US hypocrisy may undermine the effort to spread them, but not the value they offer.
If you are an average citizen anywhere in Europe, throwing the dice in either the time or spatial dimensions is a losing proposition: there is almost no time nor place of higher prosperity, lower physical danger, better chances regardless of class/gender/race/etc, higher life expectancy, more vibrant cultural life, more freedom to explore your interest/kinks/obsessions etc. And the shift of the US under Trump is a throw of the dice in the best case. In reality, it is unlikely that a new world order build by an orange buffoon could in any way rival the current one, which was build by people who had the foresight and moral compass to invest trillions into a continent, and even the very country that had just plunged the world into the darkest crevice of history.
I'm not saying that all is well, just that we are, historically, closer to the best than the worst, or even to average. But any assertion that the system was fundamentally broken is obviously not supported by the outcomes it produced, and the way to optimise a system running at it's historical best involves carefully planned tuning, not destroying it with a sledgehammer and asking a reality TV character to build a new one.
> If you are an average citizen anywhere in Europe, throwing the dice in either the time or spatial dimensions is a losing proposition: there is almost no time nor place of higher prosperity, lower physical danger, better chances regardless of class/gender/race/etc, higher life expectancy, more vibrant cultural life, more freedom to explore your interest/kinks/obsessions etc.
Exactly. And at the risk of sounding entitled, privileged or whatever, I like it this way. I would like this to stay. The changes happening in US (and similar ones starting to happen in Europe) threaten this.
And sure, it's not fair to everyone all the time. But it's like some people these days think that if they can just blow everything up, things will be better for them, that it'll improve their relative well-being. It won't. Destabilizing things isn't beneficial for anyone.
Not at all. There is many a lost generation in European countries.
Best for the entire group on average != best for some subset of that group. But it seems to me that some people believe they'll be happier if they pull the world back to year 1940.
Exactly we are at a peek. Like a bubble in stock. It is about to pop.
> Starting to think the Trump presidency will be great for Europe
I'm in Europe and I'm getting seriously worried the US will start the Third World War within coming months...
Why? What warmongering have you seen? What has been done thus far that wasn't broadcasted in the campaign? Where in the campaign was there indication that he'd want to start a war?
I'm not saying it's impossible that trump could be offensive enough to cause an attack on the US which then results in offensive US action - but I've seen nothing to indicate he'll go looking to do so as a matter of policy.
Hyperbole is everywhere at the moment and whilst it makes for pithy comment it detracts from realistic concerns about the outcomes of his policy decisions. By giving people easy excuses to ignore "anti trump" comments (because they're a mixture of valid concerns and silliness) you grant him more freedom.
He is probably less likely to actively pursue conflict with Russia than his alternative, and he's reaffirmed support for NATO (which was no doubt part of the package traded for a non critical stance by the UK PM).
I haven't seen any warmongering. But what was broadcasted in the campaign I honestly rejected as too ridiculous to be true, and a case of media exaggerating about a candidate they don't like.
But now it turns out that what was broadcasted in the campaign is in fact what the current President means to do, and this is scary. From what I remember from my history lessons, it smells too much of how Hitler started his rule, and I don't recall him saying he wants to invade the rest of Europe either. That only came up after he was entrenched in power and stepped up the internal purges.
Assuming this doesn't happen, there's also a second scenario I fear - the US will say "fuck you Europe" and utterly withdraw, and Russia will get expansionist ideas.
Either way, I don't feel that what's going on leads to a safe and stable life here in Europe. (And that's beside the fact that the same sentiments that led to Trump's victory is also clearly visible in many parts of Europe; with nationalist tendencies on the rise, EU breakup and/or a war in Europe aren't beyond possibility).
Call me paranoid, but I am afraid. Not in a hypothetical way, I actually stress over it and it impares my day-to-day life.
> Assuming this doesn't happen, there's also a second scenario I fear - the US will say "fuck you Europe" and utterly withdraw, and Russia will get expansionist ideas.
This has been one of Trump's points for quite a while now. The USA will no longer subsidize the security of other states, unless there is some method of repayment.
> unless there is some method of repayment
Maybe I'm naïve, but I thought a stable, prosperous market on the continent dominated by US products makes it worth it for the US.
> dominated by US products
I'm in the US and most of the product I use were not manufactured here.
Globalism is better for countries sucking on the US's teet but it is bleeding the US dry. The US can't compete against other countries that have no environmental or wage regulations.
Its like every other country feels entitled to the US's resources or something.
> Assuming this doesn't happen, there's also a second scenario I fear - the US will say "fuck you Europe" and utterly withdraw, and Russia will get expansionist ideas.
Perhaps Europe should form a military of it's own for protection then?
Snarkiness aside, the nerve of people scolding the US like it's a foolish child while living under the umbrella of its "discount" military protection is a little galling.
The problem with this line of reasoning is that it has been, and is until very recently this very 'umbrella' that the US wishes to spread around the world, as she sees it as advantageous.
Post WW2, both the German and Japanese military were greatly limited, or outright abolished.
The numerous bases of the US around the globe in any country and climate imaginable are not only selfless bastions of people in need - they serve very concrete functions, namely protecting trade routes and political stability in systems that are beneficial to the economy of the US.
Indeed they are, but they are also extremely beneficial to much of the rest of the world, who repays this debt with insults.
> Where in the campaign was there indication that he'd want to start a war?
Just as my 2 cents, Mr. Trump definitely stated several times that he wants to re-thinkthe whole NATO, UN and the international security system in general.
I can easily imagine him making the same bold and unprofessional moves as everywhere else. And if that happens, it will definitely open up some new possibilities for international conflict.
He also said he wants to be friendly to Russia and take US troops the hell out of the Mid-West.
But well, promising is easy, and he is not the first to promise those exact things.
I think you mean Middle East? The Midwest of the US has not been invaded by American troops. :)
Well, tell that to the native Americans :)
Touche! The first people have a beef you are correct.
Ops. Where did English get East and West from anyway that it became so different from latin languages?
From PIE via Proto-Germanic:
http://www.etymonline.com/index.php?term=east http://www.etymonline.com/index.php?term=west
Fascinating link, thank you! I know what I will be wasting away the day doing now.
No kidding, "oeste" in Portuguese comes from the same word as in English, but I still mix them up. That's shameful.
Thanks a lot for those links.
Starting wars has historically been a popular and effective tool for consolidating power within the country. So even if Trump doesn't care much about any particular conflict he might start a war anyway if he feels that his power is threatened.
I commented about this yesterday. It's the third time in a row that the US people elected the person that wasn't supported by the Pentagon. That's a welcome change, even if he is a total asshole.
https://www.google.com/transparencyreport/userdatarequests/c... https://govtrequests.facebook.com/country/United%20States/20...
~60,000 google user accounts(not just email, but all your web browsing data) were handed over to the government in 2016. And this was under the Obama administration.
Those aren't requests to hand over all a user's data to the government. Half of those are subpoenas, and half of the remaining are search warrants. You're probably thinking of NSLs, which you can find ranges for https://www.google.com/transparencyreport/userdatarequests/U..., but those don't contain content. Also, it's unclear why you're talking about the number of Americans when the executive order is a change in the handling of foreigners' data.
FISA Content requests: July to December 2015 21000–21499. Note - FISA requests includes all personal information, NSL does not. And sure - this particular order is about foreigners' data, but they might require citizens' data in future. Also is data privacy only a US citizen's right? Googlers claimed to have strong views when non-citizen googlers were being treated unfairly on immigration. But no statement when non-citizens' privacy is being snatched away.
FISA is for non-Americans' data, and you were talking about Americans previously.
You can't write an executive order that says you can get access to something you previously needed a warrant for without a warrant.
> You can't write an executive order that says you can get access to something you previously needed a warrant for without a warrant.
Well, you can. If the US AG thinks it's illegal, you can fire her. If it's argued in court, you've got a floating SCOTUS appointment ready to make.
(The distinction between "can they do that?" and "can they legally do that?" is normally pedantic but at a time when CBP are reported to be ignoring court orders ( http://nypost.com/2017/01/29/customs-agents-ignore-judge-enf... ), this is becoming increasingly important)
Seems it does include US citizens.
Per "https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveilla... : "and "agents of foreign powers" (which may include American citizens and permanent residents suspected of espionage or terrorism)."
You can look at the definition here: https://www.law.cornell.edu/uscode/text/50/1801. Suspicion of espionage or terrorism isn't enough to be considered an agent of a foreign power. A US citizen must be known to have aided a foreign power in espionage or sabotage and done so knowingly.
sure - that was not the intention. Fixed. I care deeply about user data privacy and how we have traded privacy(and user experience) for free software. Maybe recent events will change the trade-offs.
In fairness, this has been a long time coming - legal-aware geeks have been warning us since 2001 about the infamous PATRIOT Act. SafeHaven and PrivacyShield were both disingenuous attempts at persuading people that "actually we don't really mean that for you, friends". In a way, I'm glad the hypocrisy is over.
This might actually help the European market.
It's things like these that push me so hard in the direction of decentralized cloud applications. Centralized institutions should not be able to see your data, and foreign powers should not be able to command them to drop your data (or otherwise hold it hostage).
But what if I specifically want to store my own personal data in a different country? I want privacy from my government, not from foreign ones!
I'm the case of Sia at least you will have the ability to whitelist and/or blacklist hosts on the network. Which makes it really easy to control which countries do or don't end up with your data.
Can you provide some recommendations?
Full disclosure, I am the founder of Sia, which of course is my favorite and I do believe is far ahead of all the other platforms at this time. https://sia.tech
There is also Storj, MaidSafe, Filecoin, Swarm, and sort-of-but-not-quite IPFS.
Storj and Sia are the front runners for private data like family photos, computer backups, etc. I don't really consider Storj to be decentralized here though.
Swarm I know less about, but I believe their focus is more on file sharing. IPFS is closer to a replacement for http and BitTorrent (both), great for high-demand files or files that are being explicitly hosted on a web server but not so much private data. I think they plan to upgrade this with Filecoin.
MaidSafe is 10 years old and still in alpha. They have huge ambitions but I think too huge, they don't seem capable of publishing things.
Can any one please explain in layman terms what this means a bit more clearly?
I think I understood the part where the US no longer a good place to store data, and that there are no proper privacy laws protecting foreign citizens' data that is stored on US soil. So basically, if you still want to have a proper privacy policy, GTFO your data to non-US servers ASAP.
Anything else? Something I've gotten wrong?
EU law requires certain protections for data classed as "personal data" and "sensitive personal data". It especially requires that "Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data".
There was an agreement, "safe harbour", with the US, but Trump has issued an EO that contradicts it: https://www.lawfareblog.com/us-eu-privacy-shield-maybe-yes-m...
If that agreement is terminated, then it's no longer legal to transfer personal data from the EU to the US. This affects rather a lot of companies.
https://en.wikipedia.org/wiki/Data_Protection_Act_1998#Defin...
To add to that: Safe Harbor had already been ruled inadequate in 2015 by the European Court of Justice, in light of the Snowden revelations. A new agreement (Privacy Shield) had been drafted and signed in 2016, even though it was considered equally inadequate by everyone except the European Commission.
There's also the chance that USDoJ vs. Microsoft will land in USDoJ's favour. If so, then if your cloud provider is US-based (e.g. Amazon), then your data can be procured by the US government with a NSL or similar secret court mechanisms without you even being notified. I don't think that people frequenting HN need to have it explained to them why this is bad for US-based cloud providers. Amazon needs to segregate Frankfurt, fast.
Ireland's in the EU too (eu-west-1)
Will US companies really be able to segregate like you suggest? That sounds too easy...
I know of more than one company that has essentially duplicated all of their infrastructure from the US to the EU so they can store EU data in the EU.
For the tech industry, this is gonna be harder to navigate than the upcoming regulations on visas and h1bs. I don't even want to think about all the refactoring and rearchitecting to provide data segregation on multi-region. What a mess.
It's hilarious that Obama expanded the powers, scope, and capabilities of domestic spying more than any previous administration, but people thought he was a good dude and gave him a pass. Now Trump is in office less than a week and all of a sudden people are hair-on-fire worried about keeping their data on the same servers that have been essentially pwnd by the feds for years. Spoiler alert: nothing's changed except your level of interest in the issue.
Can anyone recommend a European alternative for Amazon AWS?
If all you need is Compute, DNS and/or S3 then exoscale.ch is worth a look. I dare say they are the best cloud service Switzerland currently has to offer. cloudscale.ch is a competitor but they are a very young company.
If you want a straight AWS "cloud" replacement, there aren't many options. OVH and LeaseWeb are the most likely candidates but don't come close to the breadth of offerings.
There's a very large and competitive market for dedicated servers and colocation though and depending on your load, it might be worth a look at switching to dedicated or leased infrastructure.
Owning the hardware is the only way to truly control your destiny as far as I'm concerned.
Profitbricks. cloudscale.ch. If you want to go self-hosted, talk to fuzzy-logic.org.
Indeed, these providers offer "virtual servers" as well, but if look beyond that they play an entirely different game than AWS.
The only relevant competitors to AWS are Google and maybe MS Azure. Both also US companies.
No one else is anywhere near the level of scale and expertise AWS has.
I would add Digital Ocean as a lower tier, they seem to have provisioning plugins for everything I use (mostly Vagrant) but I roll my own DNS and load balancing. Still US-based unfortunately.
One could always get a bit closer API-wise and go with a self-hosted Openstack cloud. It's a bit more involved than many folks care for, but if 'API-CRUDable VMs, networks, object storage, images' and similar are the goal, the market's pretty thin.
I've heard good things about Hetzner: https://www.hetzner.de/us/hosting/
You get the benefits of strong German privacy laws, on top of the EU's data protection directive[1].
heh, Hetzner literally asked for a scan of my passport when I wanted to get a VPS.
They require some form of government-issued ID so I provided them with a driving licence. I figured it wasn't a bad trade-off for a decent service. Germany seems to value data privacy much more than my own (Irish) government).
In the Netherlands, when businesses ask for such a thing, you are allowed to black out many non-required parts of the scan (this includes the photo), as well as paste a large watermark over the image. The watermark would contain the date and state the purpose of the scanned ID, to prevent re-use for anything else, if it were to be misplaced somehow.
I'm not sure how that works in Germany but I would sooner send a too-much-redacted scan and have them refuse and ask to see more of it, than send an actual complete scan of my ID to anyone but the government that issued it.
Not that governments are so good at not accidentally misplacing data. But it reduces the surface, at least.
Depends on what your requirements are but there are a number of Openstack Public Clouds - try http://www.datacentred.co.uk/
Aren't the data centers technically owned by Amazon Ireland for compliance (cough tax) reasons? Amazon clearly state that data never moves out of the region.
As long as Amazon has a US presence, it, and the data is hosts, is within legal reach of US judges and government.
This isn't yet decided. Microsoft and the DoJ are still arguing about this in the court system, which so far has ruled that the US government cannot compel Microsoft to release data it holds in Ireland. It's currently waiting for the DoJ to decide whether to take it to the Supreme Court: http://www.politico.com/blogs/under-the-radar/2017/01/micros...
Even if the DoJ did make it law, it would surely conflict with law that the Irish domiciled entity is subject to.
Penalties for the US-based domestic entity to compel compliance of the off-shore entity would fall onto the domestic entity. The off-shore entity ALSO has to comply with whatever local regulatory regime they fall under.
Unlinking the two companies completely might satisfy what you appear to be angling for, but it would be, in essence, a potential competitor to Amazon at that point.
That sounds very dangerous. What would happen if Amazon simply had a 99% share, but 1% was held by another purely Irish company. Amazon might elect the board and the subsidiary might 'lease' intellectual property and capital from the parent company, but I don't see how you could argue it is subject to US law in any way.
Not as far as I know.
Microsoft have gone as far with Azure in Germany to sign an agreement where T-Systems own the data and the systems and Microsoft are simply a contractor supplying a service to them.
http://news.microsoft.com/europe/2016/09/21/microsoft-azure-...
I have a good experience with cloudsigma.ch (but that only replaces the EC2 part, so it depends on what you need).
Depends on your requirements, but I dare to say there is none.
ovh.com
Don't want to sound like I sound, but this might be the end of the Internet as we know it.
more like the internet will finally be fixed. There is no reason gmail cannot encrypt my email and remove pii data, except that it will eat into advertising revenues. Its easy for companies like Google to take a stand on an easy thing like the government making it a bit harder to get visas, but when it comes to saying no to government requests for your email - they happily comply.
The number one benefit that Gmail touted when it launched was searchable email. That will break.
You're perfectly free to use E2E encryption on Gmail, and they are even trying to make it easy for you, though that project is evidently not as well staffed as the advertising org.
search-ability is not a constraint for encryption. Eq see https://people.eecs.berkeley.edu/~dawnsong/papers/se.pdf
Performant search is. Gmail wouldn't work with O(n) search times.
The inverted index could simply be built/live on client side. The cloud is then just a backup data storage. Encrypted email is downloaded, unencrypted and indexed on your laptop/phone etc.
To be clear, you're proposing that users download their entire email storage to their phones and browsers before they can search or spam filter their email? And you think that this would be a compelling product for the average email user? I'm having a hard time figuring out if you're trolling.
Isn't this how pretty much any mail client does it? Thunderbird does a decent job at spam filtering my mail. You know, I can even search folders in Outlook! Saying that scanning your 1M mails with 1kb each requires the use of a cloud service seems a bit over the top.
And how long does that search take? How long does it take to download that mail to a new device? How long would that have been on 2006 Internet? I've never said that it's impossible. I've only said that it takes away the main advantage claimed at launch — fast, working search.
Sure - might not be easy for email. It does work for imessages (no server storage, typical size 1-5GB, stored + indexed on client side). So once phones start having 50GB+ storage(wait my iphone already does :p), its not so far fetched to think of having a 20GB inbox stored+indexed on the phone - of course you don't need to store the attachments etc.
Anyways, my point was not to suggest a full solution but to say that companies are not incentivized to solve this problem.
> its not so far fetched to think of having a 20GB inbox stored+indexed on the phone
Yes it is. Besides just syncing the data there are a huge number of other performance hits.
> of course you don't need to store the attachments etc.
Why not? Do you want to a) drop support for searching through attachments (like pdfs) or b) not encrypt those?
> companies are not incentivized to solve this problem.
There has been huge improvements in the last few years in this space (take Signal as an example). But major email providers are not incentivized because most users don't care, UX and performance suffer, email is inherently an unsafe (even if you put PGP on top [1]) and because they would not be able to make as much ad revenue (worse targeting).
Yes, people are proposing that people download their email. How is that controversial? That's how email works. It's not like emails are large.
A huge number of emails plus attachments are large in size. It is that controversial because it is hard to make it perform on a mobile device over a crappy 3g connection.
Emails are text, and text compresses extremely well. Attachments are literally always unnecessary.
> Attachments are literally always unnecessary.
Why? Are you dropping support to search through them?
To be fair, mobile clients WOULDN'T download the entire email catalog for local search. It gets up to X days locally and the rest will be searched online. But you are right though, you really can't build the index remotely of you want end-to-end encryption.
You don't need to store the data locally, you can just store indexes and filters. Keep them up to date in an online fashion and the cost is a fraction of the storage space required, and some extra CPU time spend locally.
It's easier to move our own company's apps, I feel. What's harder is all the SaaS products that we use most of which are in the US :/ I have to look more closely into selfhosting solutions.
“A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.” ― Winston S. Churchill