Norwegian backup provider promises NSA-free data storage using Norwegian laws
jottacloud.com
As a Norwegian, let me just say:
Yeah, right.
1. The Norwegian security services have a long history of violating Norwegian law (and when, for example, extensive illegal politically motivated surveillance of mostly left wing politicians was uncovered in the 90's they then had the gall to place an MP and member of the committee investigating them under surveillance while he was working on the report about their illegal surveillance), and have always been extremely cosy with the US.
2. Most bandwidth to Norway goes via Sweden. Sweden is not a safe country to pass data through if you want to avoid surveillance. See the FRA law: http://en.wikipedia.org/wiki/FRA_law ; unless they guarantee that they get their bandwidth via alternative means, this is a risk. Sure, you can encrypt the data, but if you trust that this is sufficient, then hosting your backups in the US should not be a problem either. If you think Sweden's neutrality means a shit in this case, consider that Sweden has admitted to having been complicit with renditions of political asylum seekers to the CIA in direct violation of Swedish laws, so clearly they do not worry about cooperating with US intelligence agencies. To hand your data over to the NSA would not even require them to break any laws, and they've already demonstrated they don't have the moral backbone to stand up to far worse requests.
3. Norway is subject to the EU data retention regulations, and otherwise likes to bend over backwards to comply with EU directives despite not being an EU member (we're a member of the EEA, which means we get all the directives, but don't have a say - how anyone thought that was a better alternative is beyond me). In fact, Norway is "best in class" when it comes to implementing EU directives - ahead of most EU countries... This doesn't impact this to a great extent, except it means all your communications with this company will be subject to retention laws, and if you consider it important enough to avoid the reach of the NSA for your hopefully encrypted backup data, this is worth keeping in mind too.
In other words: If you encrypt your communications and backup files well enough that you believe it is safe from the NSA in Norway, they'll likely be just as safe from the NSA in the US.
Well, what you say is not correct. First of all the Data Retention Directive has to be valid for you. I work for the Norwegian email provider Runbox and the EU Data Retention Directive is not applicable for us. It is only valid for carriers that own their own infrastructure down to the data center, called "communication providers". We even have it confirmed by both Kripos (FBI-ish) and Post- og Teletilsynet (Norwegian Post and Telecommunication Authority). We have tried to explain a bit why here: http://www.runbox.com/why-runbox/email-privacy-offshore-emai...
And you don't believe your data passes through a "communications provider"?
By the argumentation on your page, almost none of the electronic data targeted by the data retention directive would in fact be retained if the directive is not also applied to data that merely transit a provider's network, given that the vast majority of e-mail addresses in use today are not hosted by "communications providers". If that is indeed an actual loophole, it will be closed quickly if/when everyone realizes that they're not getting the data they expect.
This is in any case a minor point, as in terms of dealing with backup data, it's the two first points of my message that are by far the most serious. And I don't think they're that serious, in that I don't really believe there are any suitable alternatives that are safe enough that you can prevent surveillance based on location, so you'll depend on the crypto, and the combination of the two makes the location of the data rather moot.
It does, but they don't offer email or phone services. So they are also exempt. We use Blix: https://www.blix.com/
What you call a loophole, was no secret in the hearings about the new law. The government wanted this implemented mainly for the phone providers. They understood that foreign email providers like Gmail and Hotmail that most use in Norway, could not be under the law in any practical way, so they restricted who this is applicable to.
I read your website and tried your service for a few days this past April. I cancelled immediately after you emailed both my web hosting and support account credentials. In plain text. That is egregious.
I mention this only to point out that without proper security procedures your data privacy policy is irrelevant. Not one-way hashing and salting passwords negates everything else you do.
I'm happy to try again some day but you really have to have airtight security at a minimum to appeal to privacy-conscious users. Password reset is one of the first things we test for any new service.
If you're worried about the NSA or other nation-states then I wouldn't stop with hashing+salting. You need to be using something like scrypt/bcrypt/PBKDF2. cperciva has a paper about scrypt, bcrypt is at least widely known for this use case, and PBKDF2 is even a "certified" way to do that.
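To make the two complaints in this exchange concrete (credentials e-mailed in plain text, and salted hashing versus a deliberately slow KDF), here is an added example that is not code from the thread or from any provider named in it. It stores only an scrypt verifier per account and handles password reset with a single-use, expiring token whose hash is all the server keeps; the cost parameters, token lifetime and the `AccountStore` class are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed settings for this example (not from the thread).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1   # about 16 MiB of memory per guess
RESET_TTL_SECONDS = 15 * 60


def hash_password(password: str) -> str:
    """Return 'scrypt$N$r$p$salt$hash'. The password itself is never stored,
    so there is nothing the service could later e-mail back to the user."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(hash_hex)
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:          # malformed or tampered record
        return False
    return hmac.compare_digest(digest, expected)


class AccountStore:
    """Hypothetical in-memory account database for the example."""

    def __init__(self):
        self.password_records = {}   # user -> scrypt record
        self.reset_tokens = {}       # sha256(token) -> (user, expires_at)

    def register(self, user: str, password: str) -> None:
        self.password_records[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self.password_records.get(user)
        return record is not None and verify_password(password, record)

    def start_reset(self, user: str, now: float = None):
        """Return the token to send to the user, or None for unknown users.
        Only the token's hash is stored, so a database leak yields no usable link."""
        if user not in self.password_records:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (user, now + RESET_TTL_SECONDS)
        return token

    def finish_reset(self, token: str, new_password: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)     # pop makes the token single-use
        if entry is None:
            return False
        user, expires_at = entry
        if now > expires_at:
            return False
        self.register(user, new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "constructed-sample-password")
    tok = store.start_reset("alice")
    print(store.finish_reset(tok, "new-sample-password"), store.login("alice", "new-sample-password"))
```
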
Both your web hosting and support account credentials are encrypted. I see your point about not sending them to you when you set up the services, but you have to understand that we do offer services for a wide range of people. Some really want a copy of their login in their email that they have locally.
But I take your point about this and we will try to make that optional. It is optional when you set up email sub-accounts for the administrator.
This sounds strange, as far as I understand it:
http://www.lovdata.no/ltavd1/filer/sf-20130514-0484.html#1-2 http://www.lovdata.no/ltavd1/filer/sf-20130514-0484.html#2-6
together state that if you provide email services, you are required to store metadata (which is what the Data Retention Directive is all about).
On a side note, if the secret services cooperate to do massive ingress/egress storage of data on the network level (say for 6 months) -- having easily parsable meta-data would help turn that massive data dump into useful information (assuming index and organization around ip/date or something similar).
As for being safe from NSA outside of the US (even with an ally) -- that makes no sense. While it is against Norwegian law to hack into Norwegian businesses - the NSA isn't subject to Norwegian laws, they're subject to US law. The secret services are explicitly set up to perform illegal actions in foreign territories (which is why the NSA story is about spying on Americans, rather than on spying in general).
If you are a layman, it does. But this quote is very restrictive in the interpretation by Post og Teletilsynet: "Tilbyder av elektronisk kommunikasjonsnett som anvendes til offentlig elektronisk kommunikasjonstjeneste og tilbyder av offentlig elektronisk kommunikasjonstjeneste er lagringspliktig."
What we don't do is offer "Tilbyder av elektronisk kommunikasjonsnett". That means we are outside. Then the rest is not relevant.
We have been in the courts about this and both Kripos (they wanted information) and the judge found that we are outside the scope of this.
Ok, it wasn't entirely clear to me that you'd been in court over this after the law was enacted. That certainly is good news.
Does indeed sound like the directive is tailor made to make ingress/egress snooping on data useful. The kind of snooping we saw with NSA's "secret rooms". Such illegal wire tapping would fit very well with meta data stored at the ISP level -- and could also explain why anyone not at that level is not required to store meta data (it would be redundant).
Is there a jurisdiction on the planet where data is safe from domestic wiretapping [1] (i.e. international espionage notwithstanding)?
Serious question.
1. Clarification: I mean warrantless wiretapping.
No. Job #1 for a national government is national security, and governments inherently have the power to intrude upon privately operated companies.
I think that in the long run, the U.S. is still a good place to keep data.
U.S. citizens have an instinctual distrust of government that Europeans often mock, but in this case I think is an advantage.
In addition the U.S. has some of the strongest protections for freedom of expression in the world, which means that everyone can learn and argue openly about intel programs and other sub-topics of freedom vs. security.
> Job #1 for a national government is national security, and governments inherently have the power to intrude upon privately operated companies.
I would say that job #1 of a government is establishing and enforcing domestic property rights (to allow an economy to function); and job #2 is building public-good infrastructure like roads.
"National security" is job #1 of an organism interested in its own survival--but there's no reason a government needs to be such a thing; the only reason I can see for it is the precedent set by monarchies, where each current king wants the government to persist in its current form so that they themselves will stay in control of it. A government could run a country perfectly capably while leaving itself undefended from being "eaten" by a foreign government (or populist coup) at any time.
National Security is intrinsically about enforcing domestic property rights. It covers issues like terrorism but also foreign hostilities. Don't be a doof and pretend that National Security doesn't at least start with the interests of the citizens in mind. Seems like it gets awfully lost in the woods, but you can't pretend that if people just had the right ideals things would be fine.
Yes, that's what I too think right now in June 2013, although I am a European. But... How about in the future, considering the progress towards a surveillance state which began around after 9/11 and Patriot Act? (And some say it began even earlier, but was greatly accelerated by Patriot Act)
The progress seems to be to give up individual liberties and freedoms in the name of War on Terror. Because the changes are incremental, people don't quite realize the progress until it is too late. By then, they consider it a status quo and youngsters don't even know what they are missing. It's the so-called boiling frog analogy.
Except that even in the U.S. it has literally been much worse, even before computers. We have always had an ebb-and-flow with civil liberties.
First we enslaved the blacks, then we started making them free. Then we made a slave control law to forcibly rendition captured slaves back to their masters in the slave states. Then we fought and died and FREED THE SLAVES!.... except that we didn't, as it turns out. Reconstruction was a high-water mark, then Jim Crow and the KKK came.
Hell, we didn't even start off from a great place. Go read about the Alien and Sedition Acts when you get a chance.
And likewise with privacy rights. We didn't start off with those either. As long as the government didn't have to search you or your property to find something, it was fair game. But then we added controls for postal mail. Then telephones, and eventually cell phones, beepers, and more. We also had the Supreme Court essentially create "reasonable expectation of privacy" out of whole cloth (which I don't blame them for, but goes to show how we didn't start off with Jefferson's dream government just to beat back all the attackers over time).
Of course in between there were COINTELPRO, FBI watchlists, HUAC & McCarthy's red scare, J. Edgar Hoover (which even MULTICS referenced, IIRC), ECPA, CALEA, attempts at the Clipper chip, munitions controls on crypto, etc. etc.
So it hasn't all been consistent progress but it also hasn't all been consistent withdrawal. So while I respect and greatly admire those who fight for increased privacy because they think it's the right thing to do, I can only assume those who characterize civil liberties in the U.S. as something that has simply been slowly eroded over time have not studied as much U.S. history as they should have.
It seems like it would be hard to find a jurisdiction where data is immune to the government breaking their own laws.
It seems like we need an independent project Loon but with servers attached to the balloons!
The US and Canada are actually some of the better places for a privacy-protecting provider, as long as you want to use strong cryptography. CALEA in the US is the main impediment to making a system where the operator intentionally can't disclose information, and that can be solved (for now) by not being a CALEA-covered provider (essentially, PSTN or VOIP interconnected with PSTN, or some kind of broadband physical access layer).
Not a jurisdiction, but your data is pretty safe from warrantless wiretapping in a Tor .onion server.
Why the downvote?
Thank you for taking the time to describe this. I'd been, naively, hoping -- yet to research -- that Norway might be somewhat better than Sweden.
I'm coming to the impression that none of the Scandinavian countries may be particularly friendly to data privacy advocates.
How did you come to that conclusion?
+1
If you want to have data storage that's secure from the NSA then you are going to need to do client side encryption. Moving your data to a company/country that promises not to access it isn't going to cut it.
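As an added illustration of what "client-side encryption" means in this thread (not code from any product mentioned here), the sketch below derives a key from a passphrase with scrypt and seals the data with AES-256-GCM before it leaves the machine, so the storage provider only ever holds ciphertext. It assumes the third-party `cryptography` package; the `CSE1` blob layout and the function names are constructed for the example.

```python
import hashlib
import secrets

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"CSE1"                               # constructed format tag
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 16
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1    # assumed cost parameters


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    # The passphrase never leaves the client; only the random salt is stored.
    return hashlib.scrypt(passphrase.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def encrypt_for_upload(passphrase: str, plaintext: bytes, remote_name: str) -> bytes:
    """Return MAGIC || salt || nonce || ciphertext+tag, ready to hand to any host.

    A fresh salt gives every blob its own key, so a random 96-bit nonce is safe.
    The remote name is bound as associated data: the host can see it (it is
    metadata), but cannot swap one stored object for another unnoticed.
    """
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    key = _derive_key(passphrase, salt)
    sealed = AESGCM(key).encrypt(nonce, plaintext, MAGIC + remote_name.encode())
    return MAGIC + salt + nonce + sealed


def decrypt_after_download(passphrase: str, blob: bytes, remote_name: str) -> bytes:
    """Verify and decrypt; raises InvalidTag on a wrong key or any modification."""
    header = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < header + TAG_LEN or blob[:len(MAGIC)] != MAGIC:
        raise ValueError("not a CSE1 blob")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:header]
    key = _derive_key(passphrase, salt)
    return AESGCM(key).decrypt(nonce, blob[header:], MAGIC + remote_name.encode())


def can_decrypt(passphrase: str, blob: bytes, remote_name: str) -> bool:
    """Convenience wrapper: True only if the blob authenticates under this key and name."""
    try:
        decrypt_after_download(passphrase, blob, remote_name)
        return True
    except (InvalidTag, ValueError):
        return False


if __name__ == "__main__":
    # Constructed sample data standing in for a backup archive.
    data = b"constructed sample backup contents"
    blob = encrypt_for_upload("constructed passphrase", data, "backup/0001")
    print(len(blob), can_decrypt("constructed passphrase", blob, "backup/0001"))
```

The host still learns object names, sizes and access times, which is the metadata-versus-content distinction other comments on this page draw.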
Encryption won't help you, since a judge will simply throw you in jail for contempt until you cough up the key or give them a copy of the decrypted data. Honestly, in this hostile government environment, if you have something worth protecting you need to have a "dead man switch" on your data. Unless you take an action every few days (which you can't if in jail) then your data gets deleted.
I may be misreading this, but I think there's a big difference between "being readily accessible to the NSA" and "taking a judge to make it available."
If, through whatever means, they become interested enough in your data, they can just go judge shopping until they find one that decides that NSA suspicion is enough to issue a search warrant.
True enough, but that scales very poorly, while their current approach demonstrably scales rather well.
In a game of picking one's battles, that seems like an easy win; I'll worry about contempt charges and rubber hoses some other day.
Agreed.
A provider can give you all the assurances in the world, but the real assurance is using your own encryption with your own best practice and controlling the data store as it exists on the provider's filesystem.
This is why it's important to give users a raw, open filesystem that they can manipulate any way they see fit, and not a fancy, highly abstracted backing store with a pretty GUI on the front.
Without a substantive commitment to open standards and open platforms, this is just a PR move.
I have to agree. The user needs control over their encryption.
Taking advantage of Norway's laws is fine, until the day that those laws go sour on you.
Don't you need a combination of encryption AND no law forcing you to reveal the key?
If so, then the law essentially forces you to give your files up and no server location will protect you.
For any person who is not being forced into giving their keys up, encrypting their own files must be safer than hoping a cloud provider won't freely hand them over to the US government.
This is especially true for non-US citizens, who seem to have no protection at all. Even the earlier whistle-blowers don't consider us anything but open season: http://www.usatoday.com/story/news/politics/2013/06/16/snowd...
Fine. If you're foreign, encrypt your files and store them anywhere you like. If you're a US citizen, do the same and know that the government only has them when they force you to hand the keys over.
(Barring them being able to hack them some other way, e.g. simply grabbing your keys off your machine.)
The law that might force you to reveal the key depends on where you are, not where your hoster is.
Good luck, I have terabytes of random data. I can always provide you OTP key, and create what ever content I want you to see. (Malleable encryption)
Stay away from the UK - here a judge can throw you in jail for failure to provide keys, even if there's no evidence you still have the keys, and said judge would pretty much be guaranteed to believe that you did not hand over the correct keys if the result is garbage.
http://www.theregister.co.uk/2008/10/14/ripa_self_incriminat...
A couple of people have been convicted of refusing to hand over their encryption key.
It's worth noting that this is a separate offence, so there's a determinate prison sentence. You can't be held in contempt of court for refusing to hand it over.
If you claim the encryption was done using a One Time Pad, you can pick any result you want, generate the corresponding key, and hand that over.
Unfortunately, the OTP is always as large as the encrypted data. So strictly speaking, this is not really "encrypted data + password" but more of a "split data into two random-looking parts". In particular, this is nothing you can keep in your head or print on paper.
You'd have to keep it on a separate storage medium. And if you have to hand out the one medium, what's preventing them from getting your second medium? And if you are able to keep that second medium secret and safe, why don't you store the whole unencrypted data on it in the first place?
Either way: OTPs are really cool, but I don't think they have any relevance here.
I think this might be slight hyperbole but can you link to some cases/incidents for support?
Cheers.
It's not actually that common, but there have been at least 3 people prosecuted:
That's in line with what I expected, thanks. Specifically to read:
"Of the 15 individuals served, 11 did not comply with the notices. Of the 11, seven were charged and two convicted."
Whilst they may have been incarcerated since the report, at the least it would seem that there is some evidence based procedure to determine "guilt" in terms of whether you are able to produce the key or not.
Or the law of the country you are extradited to.
The slippery slope in all of this is the application of the law.
Sure, if the government was going after someone like Steve Muller (http://www.wired.com/threatlevel/2008/04/gsm-researcher/) you'd want him to be able to keep his stuff from prying eyes.
What about a Saudi National accused of plotting terror attacks in NYC? Would you want the same laws applied to him? Or would you want to be able to force someone like this to de-crypt their files in order to stop an attack?
I really don't know what the right answer is, but sometimes laws intended to keep us safe, also give shelter to bad guys.
>I really don't know what the right answer is, but sometimes laws intended to keep us safe, also give shelter to bad guys.
Americans inherently know this. We were brought up with the idea that freedom isn't free and that the price of liberty is eternal vigilance. Just because it is more convenient to violate the civil liberties of all to catch a few bad actors doesn't mean it is what our country is all about.
Europeans often find that sentiment ridiculous. But that is just the cost of privacy and liberty - one that our forefathers were welcome to pay.
Good suggestion, I've been using Amazon Glacier with the CloudBerry backup software which supports client-side AES encryption (http://www.cloudberrylab.com/amazon-glacier-backup-software....) and couldn't ask for more. Of course you will have to trust CloudBerry not to put a backdoor in their Software, but it seems there are no OSS alternatives right now that work as easily.
Duplicity (http://duplicity.nongnu.org/) and its nice frontend Déjà Dup (https://launchpad.net/deja-dup). Client-side encryption, multiple backends.
tarsnap
From their website, it seems that tarsnap can't be counted as OSS: "The Tarsnap client code is built around the open source libarchive archive handling library. While the Tarsnap code is not distributed under an open source license..."
Here's the source code: https://www.tarsnap.com/download.html
This is the license:
Unless specified otherwise in individual files, the contents of this package is covered by the following copyright, license, and disclaimer:
Copyright 2006, 2007, 2008, 2009, 2010, 2011 Colin Percival All rights reserved.
Redistribution and use in source and binary forms, without modification, is permitted for the sole purpose of using the "tarsnap" backup service provided by Colin Percival.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
My reading of that is that you aren't allowed to redistribute any modifications or use it for anything other than accessing the tarsnap service.
So not really open source software in any sense that I understand.
[NB My comment is not intended as a criticism of tarsnap or Colin's licensing policy - he wrote it so, in my book, he can license it any way he wants.]
> Redistribution and use...without modification, is permitted for the sole purpose of using the "tarsnap" service.
(emphasis mine) This sounds like there are no restrictions on distributing modified source / binaries.
Quite the opposite: No permission is given to distribute modified versions, so you're not allowed to do it.
It's open source, all right. Free Software is the term you are looking for.
Free to distribute is one of the fundamental defining things about open source [1]. Let's not water it down to the point of meaninglessness like words like `open' currently are.
The Tarsnap client code isn't Open Source, but the source code is available, which means it can be audited.
s1kx's caveat ("Of course you will have to trust CloudBerry not to put a backdoor in their Software") therefore doesn't apply (as strongly, anyway) to Tarsnap.
While I mostly agree I also think that having some legal/jurisdictional protection is a good thing. If nothing else for the case where there turns out to be an exploitable weakness in the client side encryption you are using.
> If you want to have data storage that's secure from the NSA then you are going to need to do client side encryption
Better not use an encryption with ties to the US government then ;)
Yes. If you want your data to be secure, secure it yourself.
Which goes back to the old saying: If you want something done right, do it yourself.
According to the FAQ they are encrypted client side
http://www.jottacloud.com/faq/
"Yes, all datatraffic between your computer and Jottacloud is encrypted with 256 bits AES high grade encryption, which makes it virtually impossible for unauthorized persons to use the information being sent."
That is just referring to SSL.
SSL keeps your data (relatively) safe from Sweden, though.
And Denmark, too, as my traceroutes seem to show.
I believe this refers to HTTPS.
"In Norway, privacy stands firm like the mighty mountains of Jotunheimen.".
Let's not flatter ourselves too much: http://no.wikipedia.org/wiki/Datalagringsdirektivet (in Norwegian, http://translate.google.com/translate?sl=auto&tl=en&js=n&pre...), or the less detailed http://en.wikipedia.org/wiki/Data_Retention_Directive
I don't think DLD/DRD is conflicting with the statements given in the post, as DLD only concerns itself with metadata (and yes, that can be harmful), and the article talks about the actual data. Both are important, but different, topics.
I was more objecting to the very marketing-y-and-not-very-truthy quote.
That said, digging a bit more into Jottacloud does not make me any more likely to use the service, for anything I would be concerned to store at, say, Dropbox:
Their FAQ is (intentionally?) vague. How do they encrypt stuff?
"all datatraffic between your computer and Jottacloud is encrypted with 256 bits AES high grade encryption, which makes it virtually impossible for unauthorized persons to use the information being sent.".
And then:
"If you log into www.jottacloud.com it’s possible to download, view pictures and share files with friends and colleagues"
Right, so they would have the keys anyway.
Well, after reading Snowden's comments about what is available (everything) - it would seem that DLD goes hand in hand with storing all traffic for a limited time -- you would need help searching that to actually recover something.
> DLD goes hand in hand with storing all traffic for a limited time
Nope? From the linked translated wikipedia page:
> Data that reveals the content of the communication must not be stored
I meant - if you already, illegally store everything - that everything is problematic to search, and to store permanently. If you also, legally, through DLD store metadata, then that makes your illegally collected data more useful.
They provide an English version here: http://www.jottacloud.com/its-your-stuff-guaranteed/
As mentioned in a comment on the post, the EU Data Retention Directive does not apply to cloud storage providers. Not yet at least.
This is nice. But I think that the long term solution needs to be based on something that does not depend on the ability of your host to protect your data. The US is strong enough to pressure (almost?) any country to jump through hoops for them (we have seen leaks about their pressure on Sweden [1] or Spain) so just being out of their jurisdiction is not enough.
1. http://falkvinge.net/2013/01/06/banana-republic-justice-behi...
I agree 100%. Your country or company isn't going to make a difference when the people maintaining it are threatened or bribed by a force that can and does leverage power outside their jurisdiction. Honestly, the problem has to be addressed at the source, not with bandaids applied by the hopeful or naive.
From the article "U.S. law enforcement could use the USA PATRIOT Act on a U.S.-based organisation, like Microsoft, Google, Dropbox or Amazon, for example, to force its local subsidiary companies across the world into handing over user data to U.S. authorities."
Exactly how? By my understanding a company in EU operates under EU law and US parent company is only stock owner. Stock owner can not by my understanding force the company to do anything if the company does not want. Let's assume that US company does not want to force daughter company, how can NSA make them?
EDIT: I'm fully aware that by harassment or blackmail anything can be done, no question here. What I meant to inquire, out of curiosity, is, is there a legal way to _force_. I know that parent company can control and fire board etc, but can they be forced to do so. Or more broadly, can some US agency take full control of US company and run it like they please. Can f.e. NSA if they really-really want to raise McDonalds burgerflippers salary by twofold? Does Patriot Act or something allow that?
Your understanding is false. A sole stockholder (for example, the parent of an independent subsidiary), always has control, even if not by specific direction.
They can, after all, fire the entire board, and elect a new one that will direct the company to do what they want.
Not to mention in most cases, parent companies do in fact, maintain control over subsidiaries (IE they are not independent subsidiaries), and thus can directly control activities.
The way company law is set up in Norway, you can't as a board member do anything else than what is best for the company you are board member in. Doing something different would mean you could be held responsible. They could fire the board, but the next board has the same rules to go by.
"What is best" is of course, a matter of opinion. I'm not sure this is as concrete as you seem to think this is, though I'll admit I'm not familiar with the details of Norwegian law, what you say is true of most countries in terms of duties.
> Let's assume that US company does not want to force daughter company, how can NSA make them?
How can you still ask that question right now? Have you missed the whole Wikileaks scandal? All it took was one phone call for Amazon to take down their website. They didn't even need a court order or something.
I don't know what the laws are exactly, but in practice, and thanks to post-9/11 culture in law enforcement agencies, they can do whatever they want as long as they wave "national security" in front of them.
> US parent company is only stock owner
That is rarely the case. In most arrangements, foreign subsidiaries are still under direct control of the main company - do you really think "Google US" doesn't have a say in how "Google Ireland" operates?
There are tons of accountancy rules dealing exclusively with partially-owned-fully-controlled foreign companies, but when it comes to the Patriot Act, as long as there is even a shred of control from an American company, then all data held by the controlled company is subject to US laws, regardless of actual location. This is far from an expansive interpretation of the Act, tbh; it's just one of the many that have been tested in court.
Microsoft have already admitted this with respect to Office 365.
http://www.zdnet.com/blog/igeneration/microsoft-admits-patri...
As long as they have a presence in the US, it's in their best interest to act according to US laws. I don't think saying "while we have many US customers, we are technically positioned in Ireland" is going to cut it.
Privacy laws in Europe are a bit of a mess (there being >1 country involved), and possibly stricter than the companies want to deal with.
So the information they're storing is, at least nominally, stored on computers owned by the American branches.
This might become a major trend in the EU if hosting/storage providers play their cards right. Sure the low prices, performance and flexibility of US providers are very tempting but surrendering your data to US intelligence agencies and god knows who else might no longer be a viable option, especially for government agencies and major corporations that might be targets of industrial espionage.
It is already a trend, but until last week it was the realm of huge companies, bureaucrats, weapon manufacturers and other security-industry types. Now there's potential for going mainstream.
This said, I wouldn't trust a French provider or an Italian provider with anything too sensitive: their police forces have a history of being incredibly heavy-handed when dealing with data. I remember one occasion in mid-00's when the Italian police investigating G8 riots (or something like that) raided a data centre, took home all disks they could find, cloned them all, then went through them with a fine comb, all because one mailing list hosted on one of those servers might have been tangentially related to whatever they were investigating. I'd be surprised if things were much better in other European countries, to be honest, but I guess Norway is one of the best bets (with UK/Ireland being among the worst, of course).
The whole computer security business couldn't have paid billions for the sort of free advertising they got this week...
The link should be updated to point to their own English version
I thought that the NSA surveillance was at least partially illegal. Laws (Norwegian or US) don't stop TLAs doing what they want.
Also in a related note I find the following fairly unconvincing:
"We will not hand over user data to authorities unless a warrant issued by the Norwegian court of law is presented"
Warrants are in my view more about providing a paper trail than actually preventing abuse.
Ultimately I think the only protection against surveillance is well-employed cryptography. Especially if the law offers some protection for encryption keys and/or passwords.
I'm moving away from Dropbox today. Thanks for this jensen2k.
If you crypt, Dropbox is fine. People need to use encryption. Every popular computer language has encryption routines, scroll through the source code until you find something accessible, twiddle something to personalize it while keeping it functional, perhaps convince yourself it will remain secure, etc, of course be cautious about that. Or simply, there's double encryption, fold it again. Know big 100 meg, gigabyte file size encryption, becomes vulnerable. Wikipedia is the best general crypto introduction I've seen.
The main selling point of Dropbox is cross-platform support for umpteen platforms, so you'd need to find an encryption tool that will work on all platforms; say bye to iOS...
Check out boxcryptor, works in the OS's that you probably care about.
I'm not hiding state secrets or anything! For me it's the principle. I want to move away from hosting things in American servers.
'Twiddle something'?
Don't mess with publicly-vetted crypto code - you're far more likely to introduce a weakness. Instead, just follow the documentation and use it correctly.
Any recommendations and best practices to encrypt data?
For me though, no Linux support :(
I run Linux into Dropbox. It's tedious having to manually select/enter files without the dragging the others get. There's language Dropbox API modules that automate this too.
Dropbox has an official Linux client. I think the poster was complaining about the fact that there is no Jottacloud client for Linux. Which for me too is a show-stopper.
In that regard Owncloud[1] looks like a better option, but that again lacks mobile clients.
Owncloud does have mobile clients. I'm using the Android version and it works fine.
And suddenly I'm very interested again. Thanks for nudging me in the right direction.
"Vi vil ikke overlevere brukerdata til myndighetene om vi ikke mottar en kjennelse fra norsk rettsvesen"
meaning
"We will not hand over user data to the government if we do not receive a ruling from the Norwegian judicial system"
which is pretty much the same thing as the Patriot Act in the US...
But as far as PRISM goes - that's a whole other matter!
Well, for better or worse, you cannot really escape that. To the best of my knowledge, most (Western) countries have the concept of court orders/warrants or equivalents.
If you are in EU, Norway is pretty much transparent from a legislative pov. For example: http://www.autistici.org/ai/crackdown-2010/
United States Government:
- We are serious about creating jobs and supporting great American companies.
- Makes the most lucrative young companies in the US unusable in the name of spying on their own citizens.
What in the actual fuck?
Encrypt all you like. It boils down to this: Will a government make you prove a negative, and if you don't, will it lock you up?
If you have encrypted files, there must have been or still be a key to decrypt it. You will be asked for the key. You will either give them the key, say no, or say you don't have it. The first two are no good, so all you have is the denial that you have the key. If government can't find the key, you will be asked to hand it over.
And that's the crux.
What then does the government do? All it can then do is make it an offence to withhold a key. How do they prove you have the key, if they themselves can't find it? You then have to prove the impossible, that you do not have the key, a negative. Which, even if you are telling the complete god's truth, you can never, ever, prove.
So, having an encrypted file that you cannot or will not decrypt on demand is or will become a criminal offence. All encryption does, in the eyes of government, is act as evidence of guilt. The suspect has an encrypted file, we can verify its contents, she won't give us the key, therefore she has "something to hide", and therefore must be guilty.
I can well imagine encrypted files being stored like athletes blood samples, waiting to be tested or decrypted by future methods.
We cannot win unless we accept some risk and stop expecting our governments to do everything to stop the bad people. If a bomb goes off in Whatevercity, we must not be angry if it happened because the NSA were NOT collecting mass data, or something similar. We must make it clear to government that we are prepared to trade the risk of being blown up for our privacy and freedom, and that if that freedom contributed to the attack, we MUST accept that, and not suddenly switch and blame government. And the NSA, and the likes, must be allowed to say, "look we could have acted, here is the evidence, but we had to respect freedom and privacy", and not be lambasted for it. We have to reply, "OK, fair enough, we understand and accept that." Equally, of course, we need to know they did everything else legally and morally possible.
Question is, are we as a people able to do that? Or do we expect zero risk lives?
And all that is assuming there is zero risk from the powers government wants. Such laws and thinking create a whole new avenue of risk.
Which is why I for one am quite prepared to say to government, cool it down, back off, set some limits, respect those limits, and if you fail because of that, I both accept it and forgive you, because I want to be free.
BTW, one of the few countries I have been to is Norway. Beautiful, stunning country and fantastic people. If I wanted to or had to leave the UK, it would be one of the first places I would consider. I'd love Norway to be the savior of privacy and freedom, but I sadly can't see it.
> You will either give them the key, say no, or say you don't have it.
There's a 4th option: give them a key that decrypts innocuous material.
I think the thing this is supposed to be analogous to is carrying around an encrypted drive with your stuff on it. As in just trying to deal with the problems of not physically holding onto the drive (that is if there is client side encryption).
Basically what this would prevent would be data collection if you were caught in a web of general surveillance. I agree that if you're in a situation where a government is making a case against you you're fucked. But that requires specific targeting of you.
The US has a great deal of influence in the west, especially NATO members. They will readily comply to avoid complications. No country wants to find itself on the US "terrorist" list.
The memory stick under my pillow is pretty NSA proof too. Well unless someone in combat gear rocks up at my house...then all bets are off.
Spideroak...
What is the best country that you know of to store data safely in?
In the developed world? Your own. Hopefully then the data doesn't come in contact with any other jurisdiction with different laws and there are far fewer hops between you and the place data is stored, thus limiting the chances that it is intercepted along the way. However, there is the issue that if you store data with a local company, they may be forced to comply with the local law enforcement while a foreign company may or may not comply.
NSA.no!
erm, isn't this assbackwards?
intelligence agencies, aka spies, exist to spy. that's their entire purpose. now there are some laws to protect their own citizens, at least in the US.
once it's a foreign entity, it's fair game. zero fucks about legality given - see any info ever about clandestine services. so if you store your data in a non-US entity, you're more likely to be monitored.
do you think STUXNET was LEGAL?
the NSA, CIA, MI6, BND, KGB, Mossad all ignore the laws of the countries they are acting in. or what do you think a spy is?