NSA Helped Destroy Trust In US Internet Firms, But Would Going Overseas Be Any Better?
from the unfortunately-not dept
The NSA has created a real mess for the tech industry these days. As has been detailed repeatedly, and showing a complete lack of concern for basic privacy, the NSA has basically destroyed trust in US internet companies not just for Americans but everyone outside of the US as well. We're already hearing stories of foreign companies demanding contracts with internet firms that say data must be kept outside the US. And there are worries about a splintering internet. Even Eric Schmidt has said that Google explored the option of moving its servers out of the US, if it would protect them more from the NSA. But the company eventually chose otherwise, and the more you think about it, the more you realize that the really messed up thing in all of this is that even with all of the revelations, it's still probably safer to keep the data inside the US than out of it.
First off, when the data is within the US, there are at least some restrictions on what the NSA/FBI can access. There are quite reasonable complaints about just how insanely broad Section 215 of the PATRIOT Act and Section 702 of the FISA Amendments Act are... but, at least those laws do include some restrictions and oversight (even if we all agree it's not nearly enough). However, once things are outside of the US, it's basically "fair game" to the NSA. The NSA has interpreted Executive Order 12333 to mean that it's "open season" on all information not in the US. As ridiculous as it sounds, that actually means that there are somewhat greater restrictions on information inside the US than outside. Those stories about the NSA hacking into the links between Google and Yahoo data centers? Those were only done on offshore data centers outside of the US, under the auspices of EO 12333.
Meanwhile, for local intelligence operations, they rarely even have the same kind of restrictions that the NSA has -- meaning that offshore data may be even more at risk of being spied on by whatever local intelligence agencies are in that country.
It's a complete mess for the entire tech industry -- but if you were running a tech company and wanted to best protect that data from the NSA, there's at least a strong argument that the best move is to stay in the US, even after all of these revelations. And, honestly, that's even more of a reason why the US tech industry needs to be fighting strongly for much greater reform and oversight concerning NSA (and FBI) activities inside the US. The protections are way too low, but at least there are some protections.
I recognize that some are going to disagree with this entirely, as many have completely written the US off because of these revelations. But, there's a simple question to ask: if that's the case, do you really feel safer with your data somewhere else, where there are no rules at all about what the NSA can do with it?
Filed Under: privacy, surveillance, tech, trust
Reader Comments
Too bad...
[ link to this | view in thread ]
You see, the question actually is: are there countries where the Governments can't issue secret court orders or executive orders (national security letters?) with gagging effects to hijack your business from the inside? If there are, is it enough to prevent the NSA or whoever from tapping directly into the fibers? Since we know the answer is no, can the data be protected, encrypted, so even with that direct tap they can't meddle with the data?
We also know there are issues at the very structural level introduced on purpose by the NSA so while you do have a point I think the focus you gave wasn't spot on. Regardless of internal safeguards they seemingly don't mean shit to the Govt so it's better to be outside where you can't be forced to self-hijack. Now, is there such country?
[ link to this | view in thread ]
Focusing on the wrong problem
If a government agency wants to tap communications, whether it's in the US or elsewhere, they should have the same restrictions, the same need to get a court order for that specific communications tap, have to follow the same minimization procedures to avoid as much as possible scooping up data not related to that specific investigation.
The fact that the NSA appears to believe otherwise shouldn't mean they get a pass because the data being tapped is foreign (Probably... well, with at least 51% certainty...), they need to be reined in and told that no, if they want to tap any communications it requires following the same stringent rules they'd have to follow if they wanted to tap the communications of a domestic target (of course, that would require those rules to be enforced first I suppose).
[ link to this | view in thread ]
Easy question. Answer is NO: all gov'ts and all corporations are intent on stealing your privacy.
REPENT! TEH END OF TEH INTERNETS IS NIGH!
"There I Fixed It will not be publishing new content after this Friday, January 24th. Starting Saturday the 25th, all of the site's content will be reset entirely randomly each day."
http://cheezburger.com/8013372160
"In order to focus our efforts on the sites you all enjoy the most, we will no longer be updating Picture is Unrelated with new content."
http://cheezburger.com/8014043904
So much for teh free internets! NOT a sustainable model even for a few silly user-generated images!
Continuing to see trend next day: Not even 1.4m users can save 4Chan founder Chris Poole's startup If Moot can't turn a quid from an app, what chance do you have?
http://www.theregister.co.uk/2014/01/22/not_even_14m_users_can_save_4chan_chris_pooles_founders_startup/
Actually, knew was the end of civilization when "Twin Peaks" arrived. Stupidest character ever: the Log Lady.
http://cheezburger.com/8013280512
When you think surveillance or spying or snooping or censoring or pushing propaganda (by a globalist mega-corporation), think Google!
05:10:41[g-101-5]
[ link to this | view in thread ]
Move to avoid the NSLs.
Also, encrypt all communications between your data centers and with customers using forward secure encryption like ECDHE. Now the NSA must actually hack your servers, which they'll succeed in doing, but..
Install clever monitoring tools so that you've good odds of catching them in the act. If you succeed, then you publicize their hack attempt and the exploit.
If they face a PR disaster and lose an exploit by hacking your system, then they'll think twice before doing it again.
[ link to this | view in thread ]
It's the courts, not the tech.
The NSA itself is not the problem to be avoided for your hypothetical. It's safe to assume that the technical capabilities of the NSA are the same everywhere. It's also fairly safe to assume that the "limitations" imposed on the NSA with regards to US citizens are about as effective as a cheese grater at holding water.
Given that you face the same technical challenges anywhere in the globe, being outside of the US is a huge, huge benefit in that you have less to fear from NSL's and court orders. Those are the tools that the government uses to bypass what technology it cannot.
[ link to this | view in thread ]
Your own country
If I put my data in a server in my own country, it is subject to one set of laws: the laws of my own country.
The NSA can't force my server provider to compromise my data and forbid them to tell me, because the USA gag order laws do not apply here. They are forced to use illegal methods, and my server provider has incentives to not cooperate with the NSA, since they could be arrested if they cooperate, while in the USA people have incentive to cooperate with the NSA, since they could be arrested if they do not cooperate.
Clearly, putting my data in the same jurisdiction as myself makes a lot of sense.
Frankly, the only reason people lease servers in the USA is that hosting in the USA is very cheap, while local hosting is quite expensive. Amazon does not count, they have a local datacenter but they are owned by a USA company so they can be forced to obey USA laws.
[ link to this | view in thread ]
This article seems very shillish.
[ link to this | view in thread ]
Yes, it would be better
Here's a hint: NSA doesn't have infinite budget. And USA doesn't have infinite political influence. So, while US can pressure national government to do things, it's not a matter of piece of paper sent by mail.
In some high-profile cases, sure, CIA can cooperate with national agencies. But, fishing expeditions like NSA is running - no way.
Moreover, most of western-style democracies don't have NSL-like laws, so service providers can't be issued gag orders "just because". They will need to go to courts, run regular bureaucracy, and so on.
So, to answer the question - yes, it would be definitely better.
[ link to this | view in thread ]
Why overthrow the US Government?
1. The elections are rigged. Any reasonably intelligent person already has tried my experiment: Look up the minor party candidates in Your area, and vote for a few of them. Then, check the election results on the web site for Your state's Secretary of State. Your precinct will show 0 votes for the candidate You voted for, at least 1/3 of the time.
2. The US Government has openly declared war on its own people. "The War on Terror." "The War on Drugs." "The War on Guns." "The War on Poverty." There are many more. Honest to God, man...they have declared war on You a dozen times over, and You are too cowardly to reciprocate?!?!
3. The US Government admits its illegitimacy. In the preamble to the Bill of Rights, it says any government that violated the BOR is not a legitimate government. Yet, the USA has violated that sacred charter.
4. The US Government has murdered 55 million unborn babies, and that's just inside its own borders. That ignores what is happening in Iraq, where the USA set up abortion mills / death camps before bothering to feed the people they conquered.
5. I could go on, but I have a meeting.
God Damn the USA!
[ link to this | view in thread ]
Missing a Point
You say this as if that's the only consideration: whether the NSA can crack the tech (legally and technologically).
One also has to consider information laundering, the likelihood of being caught up in an investigation (local, state and federal), whether the company you are using makes things *easy* for the NSA (and by extension criminals), whether the company is fighting for your rights, whether you want to send a message to a U.S. company that just rolled over for the government, etc. etc.
All things being equal, I would rather (and I did) move my data to a company in a foreign jurisdiction that gives me more of (no one expects all!) the protections and assurance I can reasonably seek. I moved the accounts for my business from MS Skydrive (and before that Google Drive and before that Dropbox) exactly because I want MS, Google and other U.S. tech companies to suffer for not looking out for their customer.
They only listen to money, and the only way to get corporate America (and by extension their bought and sold political puppets) to listen is the power of the purse.
[ link to this | view in thread ]
Re: Easy question. Answer is NO: all gov'ts and all corporations are intent on stealing your privacy.
2. number of 4chan users has nothing to do with app users, so bringing that up is a bit pointless. There was never real cross-promotion because it was more or less unrelated to 4chan and his other works. Poole's own writing on the subject lays bare that the venture-backed business was just not quick to profit and it is shutting down instead of hunting for more VC money. That's the great thing about a free system! Sometimes people succeed, sometimes not.
3. And thanks for that opinion.. which has nothing to do with anything ever.
Stop acting foolish, or at least stop broadcasting it.
[ link to this | view in thread ]
In the US they can come in with no warrant, no proof no nothing and get data from any company, encrypted or not. They siphon data from their own fiber optic cables, considering most of the world's activity flows through the US, if you look at the internet globally the US is the main HUB of activity, so that is where they are actually going to focus most. I don't want my data in there.
[ link to this | view in thread ]
If lavabit were hosted in a foreign country it would not have been forced to close by the US government.
[ link to this | view in thread ]
There are rules if you are American. If you're not, America never gave you any rights to begin with.
[ link to this | view in thread ]
Have you thought this through?
What you are saying here is that the NSA is running a successful international terrorist organization spreading fear to people outside of the U.S.A. and blackmailing them to not rely on local infrastructure because they'll blow it up.
So you are recommending supporting terrorism by moving business to the U.S.A. and thus funneling further money to the terrorists threatening the viability of the internet.
Even if they are your terrorists, successful in getting your money for financing their deeds, should you be supporting them? Should you tell others to buckle under their threats and machinations?
[ link to this | view in thread ]
As for 3rd party service providers As a US citizen, I'd probably go with an overseas email provider. At least then I know they're immune to warrant-less National Security Letters.
That 3rd party email provider would most likely need to be using free and open-source software, with client-side encryption. I'm willing to let them store my encrypted data on their servers, but the client-side software performing the encryption process needs to be FOSS.
Let's face it. There's a much higher chance that a citizen's own government will take an interest in them, than there is a foreign government taking an interest in the native citizen of a foreign country.
So FOSS solved the storage problem, by client-side encrypting the data. The 3rd party service provider (email), in a foreign country solved the warrant-less National Security Letters problem.
As for the political and legislative problems, such as "mandatory" metadata logging (seizure) problems. Along with many other problems. I apologize, but I'm not that much of a wide-eyed optimist, to dream about any of those problems getting solved any time soon.
[ link to this | view in thread ]
Re: Move to avoid the NSLs.
You don't think other countries have the equivalent of NSLs, with even fewer legal protections?
[ link to this | view in thread ]
Re: It's the courts, not the tech.
Do you really? I think the evidence shows that you do not.
Given that you face the same technical challenges anywhere in the globe, being outside of the US is a huge, huge benefit in that you have less to fear from NSL's and court orders.
But significantly more to fear from local law enforcement, whose protections are often much LESS than the NSLs that we have in the US.
[ link to this | view in thread ]
Re: It's the courts, not the tech.
and the constraints on the NSA within the US are actually slightly weaker than those outside it.
Outside the US if they don't get caught they can do what they like. Inside the US if they don't get caught they can do what they like.
Outside of the US if they get caught they are immediately exposed and forced to stop.
Inside the US if they get caught they can use their considerable influence on the judicial system and the political system to keep it covered up - until someone like Snowden blows the gaff.
[ link to this | view in thread ]
Re:
That's not actually true. They will push boundaries and often (we believe) go too far, but there is no indication that institutionally they flat out ignore laws.
At least in other countries, they can't be ordered to do what the NSA wants, and they can protect the users properly.
Nearly every other country has their own version of the NSA, with much fewer protections for privacy.
This article seems very shillish.
Shillish for *who* for fuck's sake?
Seriously. Not everything you disagree with is "shillish".
[ link to this | view in thread ]
Re:
And you don't think pretty much every other country doesn't allow its own intelligence/law enforcement forces to do the same thing?
They siphon data from their own fiber optic cables, considering most of the world's activity flows through the US, if you look at the internet globally the US is the main HUB of activity, so that is where they are actually going to focus most. I don't want my data in there.
Actually the indication is they have taps on pretty much all of the world's fiber optic cables. So there's no increased benefit for being somewhere else.
[ link to this | view in thread ]
Re: Have you thought this through?
Not quite. But I did note that this was a problem.
So you are recommending supporting terrorism by moving business to the U.S.A. and thus funneling further money to the terrorists threatening the viability of the internet.
I didn't say that at all. I merely pointed out that it's not clear if anywhere else is safer.
Even if they are your terrorists, successful in getting your money for financing their deeds, should you be supporting them? Should you tell others to buckle under their threats and machinations?
Are you dense? I didn't say that this was something everyone should do. I pointed out the basic REALITY that things might not be any safer anywhere else, and noted that was a problem.
[ link to this | view in thread ]
Re:
wrong. generally, native citizens have privacy protections against their own government. so, how do they circumvent it? let another government do the snooping and then exchange data.
see the relationship between NSA (USA) and GCHQ (UK). and don't try to tell me that those are isolated cases, I'm not buying that.
[ link to this | view in thread ]
Re:
Uh, what? Just because abortion is legal doesn't mean the US Government "murdered babies."
Last I checked, we had no forced abortions in this country, and each one was the choice of the mother.
[ link to this | view in thread ]
The best protection
However, the best solution is to just stop keeping any of your data on third party servers in the first place. Don't use the cloud, don't store your email on the server (unless you run your own server), etc.
This is what I do. If you're hardcore, you can even run your own private cloud so that you can get the convenience of the cloud without the risks.
[ link to this | view in thread ]
Re: Re: Re: Move to avoid the NSLs.
mike is assuming those 'legal protections' and strictures have any meaning any longer, i believe there is a valid argument in saying they don't: its all window dressing...
after all, the ONLY reason we KNOW (not 'strongly suspect to the point of near certainty', as many of us have for DECADES), is because someone TOLD us (and provided backup documentation); NOT as if the spooks told us, or were EVER going to tell us...
AND, GIVEN the unknown -if not unknowable- nature of these activities, i have ZERO 'trust' in these scumbags to follow the 'law', which -as documented by thousands of articles here and elsewhere- has little/no meaning any longer: 'law' is what the powerful inflict upon us, nothing more, nothing less...
further, it is disingenuous to say 'well, everyone does it...' bullshit, not only does 'everyone' NOT do it, they don't have the resources to do it on the massive, pervasive scale as unka sam (and a handful of other nations)...
further still, 'everyone' does NOT have their own personal splitter room at the chokepoints of international telephone/data lines...
and furtherest out of all, EVEN IF they did have such technical capabilities, they are NOT the 900 pound gorilla we are to get away with it TOTALLY UNSCATHED...
[ link to this | view in thread ]
Re: Re: It's the courts, not the tech.
But security is always about doing the best possible thing, not simply discarding options because they are imperfect.
It's kind of a question of which is worse: the enemy you know, or the enemy you don't know? What we know of the NSA and the US government is that it is an *extremely* serious enemy.
The NSA has far more technical resources than any other country I can think of. And the US government's ability to strongarm its citizens into doing bad things in the US is among the highest I can imagine, right up there with China and North Korea. We've all seen it and to pretend otherwise is foolish.
Given that, I'd expect anyone interested in privacy to try and get as much physical (and corporate) distance from the US. It might not be perfect, but hosting here is just fucking stupid.
[ link to this | view in thread ]
Re:
(except for the 55 million 'babies' thing: does a person own their own body or not ? if they do, then fuck off if i want to excise MY blob of MY protoplasm from MY body... and, no, it is NOT a 'person' until it gulps its first breath, but realistically, not until they are 18/21...)
make no mistake, even though we may disagree vehemently on the above factoid and its implications, we must ALL band together to defeat our common foe: the USG...
[ link to this | view in thread ]
Mike: "So there's no increased benefit for being somewhere else."
One of those statements has a hedge while the other doesn't.
You can't say there is NO benefit if you're not certain, and it seems like you keep dismissing all the legitimate reasons people point to for moving data out of the U.S.
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
So, if you're not encrypting your datastream, then your data is just as susceptible to being slurped by the NSA overseas as domestically. If you are encrypting your data, then the data will still be slurped either way, but the NSA will have equal difficulty being able to read it.
I'm not sure I see a substantive difference.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
I think this is where most of the contentiousness in these posts is coming from. Different threat models require different responses. What needs to be met to fit your definition of secure? What protocols are you using? These are all questions that need to be answered before anyone can say which country your data would be most secure in.
Going forward, as more and more companies use encryption, I think it's a better bet to use foreign hosting because countries are less likely to force or coerce companies within their borders to install taps or weaken encryption.
[ link to this | view in thread ]
So really what is your point? Does not matter where you are, you will get spied on, EVERYONE is spied on, but only the people who want to hide things, or get upset that their pizza order might be noted really care..
we live in an era of 'big data', look at Google, facebook, banks, money trading, and spying, law enforcement, very good doco on 'big data' going around too, would pay to pirate it and watch it, try to keep up with technology, TD is falling behind..
[ link to this | view in thread ]
Re: Re:
so why have you been saying 'BUT THE CONSTITUTION', and 'ILLEGAL' searches and so on, now you are saying this is no evidence of this, apart from 'pushing the boundaries', and I would think in terms of copyright, you would agree you too 'push the boundaries'.
So you drive 50miles per hour, you are pushing the boundaries of speeding laws, but are you BREAKING A LAW ?? or are you doing ANYTHING WRONG? NO..
So by your admission what the NSA does is legal, and pushing the bounds of the law is just as legal.
On TD if you disagree with the TD line of arguing you are a troll or a shill.
[ link to this | view in thread ]
Re:
so running away will overthrow the Government ? Yea right, good plan, off you go.
and replace that Government with what? something that provides you with even less protection than you get now ?
I know you hate your Government really bad, we get that. But trying to use the NSA and a fight against terrorists is not such a smart way to do it.
[ link to this | view in thread ]
Re:
yes, he can, he does it all the time, makes statements of certainty with absolutely no evidence to confirm his statements.
It's called "spin", then he will call you 'dense' or an idiot if you point this out to him.
With TD it does not pay to look too closely at the 'facts' presented, it's far more informative to look at the overall attitude. TD wants to put out ITS message, not THE MESSAGE.
[ link to this | view in thread ]
Moved already
The first is that overseas those countries would not be subject to NSLs or even subpoenas under the Patriot Act. I chose Switzerland and eliminated all my state-side online and off-site data contracts (but for a FAX service) within 60 days of learning of the NSA's spying. It was simple and cheap.
The second is that I responded to the NSA's excesses in much the same way that I responded to the excesses of the major U.S. banks. I moved my money then to punish the banks. I moved my data and online services to punish the telcoms and IT companies in the U.S.
Neither deserves my business. And, I'd feel like I were a serf or, worse yet, someone's b*tch if I didn't fight back.
[ link to this | view in thread ]
Re: Anonymous Coward
Nope. I've nothing to hide. I care deeply.
If for only the reason that I'm an adult, an accomplished citizen, an honorably discharged Vietnam era Marine infantry officer, a Ph.D., a scientist, a businessman and a doting father and I don't need supervision or looking after.
It's offensive to me that someone thinks so little of who I am and what I am to think that they have the right to pry into my private or business affairs at will.
And, it makes me feel less free.
LF
[ link to this | view in thread ]
Those things would have to be re-created from scratch with no US influence whatsoever to truly be safe.
That is, if the government of whatever country they're in can be trusted.
[ link to this | view in thread ]
Re: Re:
...Baby steps, that's the way; boil that frog slowly.
[ link to this | view in thread ]
Difficult but not Unassailable
Snowden said, "If they went in they'll get in."
Longfisher says, as long as I receive a subpoena or a particularized NSA I would gladly cooperate and turnover what the government needed.
The part I get upset about is the fishing expeditions.
To extend the fishing analogy, my moving my data and services overseas is not too different from a landowner becoming frustrated with the trespassing on his lake even though he posted no trespassing signs so he erects a high wire fence.
It's not impossible to still trespass and fish the farmer's lake, but it's a lot harder and those who would breach a wire fence just to pull in a bass have to be highly motivated.
I think the NSA will leave my foreign-hosted data alone because I'm making it harder for them to fish it. They can much more easily just ask me for it and show particularized reasons for me turning it over to them.
After all, I have nothing to hide.
LF
[ link to this | view in thread ]
Trust in other Countries
That's just too many positives to ignore.
Longfisher
[ link to this | view in thread ]
Nothing's Perfect
There are multiple "points of entry" for the NSA. They can hack, use NSLs, make "requests" to ISPs, service companies, the telco's. They can make these orders secret. They can't do this as easily with overseas services.
If the equipment goes from Taiwan or China to Switzerland, they can't walk into the warehouse at midnight with a court order and insert tapping hardware. They can't hack into the equipment except by subterfuge. They can't demand the private keys from the ISP.
You might argue (others have) that the local security service would do so. For some countries, yes. But consider - very few countries are that cozy with the NSA. UK, Canada, Australia, maybe. Switzerland? Who knows. Those other countries don't have the hard-on or budget to do a tenth of what the NSA is doing. If you are selling nuclear secrets, distributing kiddie porn, or financing al Qaeda and the USA can persuade the local gendarmerie of that, maybe they'll dig into your business. But for tax evasion, or because your father's name matches one of ten million on the no-fly list, or just wholesale hoovering of data, they won't do it - and odds are they won't sanction the USA doing it either.
A lot of data is collected because much of the internet backbone goes through the USA. To the extent current revelations encourage alternate high-level pathways, through routes the NSA does not have its claws into, then that will also be a benefit.
The worst effect is that software and hardware "made in the USA" will now be suspect. We saw this with a recent French satellite contract for the middle east. The buyer dropped it, in favour of a Russian choice, to avoid the prying eyes of the NSA. Yeah, the Russians can pull the same tricks. When the world prefers the Russians rather than the USA know their business, what does that say?
The difference is the USA is the 800-lb gorilla. Not only do they collect data, they can persuade other nations to do things (sanctions) that the Russians can't. They have by threats made most foreign banks either report US customers' accounts, for example, or the banks prefer to simply dump US customers - it's easier not to have US customers than to try to undo a misunderstanding and business-crippling sanctions after the fact.
[ link to this | view in thread ]