Today, the first thing we have to check when sourcing some SaaS solution is where the data is stored and whether the company has a US department (I work in a Norwegian bank).
So far, if the data is stored physically in the EU and we get a list of names with access to said data, we have been able to use the service. However, if the DoJ wins this case we can never use a US-based SaaS-type company again, regardless of where the data is stored.
Is this on the agenda at all? I think a ruling like that would be most harmful for the US IT industry.
That actually might not be a bad thing. Because of the network effects and economies of scale, by being first the US companies such as Google, Microsoft, and Amazon have sucked up all the oxygen in terms of large competitors from other countries. The only exception is China, where the government has actively intervened to keep out foreign tech companies and has thus given Baidu, Alibaba, Tencent, etc. time and a market to grow.
I think the global Internet is coming to an end. Look at Facebook. Basically, if you are not the US, your citizens are giving a vast treasure trove of intelligence concerning who is connected to whom and what is important to them to a company which is currently either sharing that information with the US Government, or else can easily be compelled to share it.
Across the world, many countries' governments are worried about the power and influence of these multinational tech companies. In the past in the US, they used to be able to count on the Right to somewhat protect them. For example, the election of George W Bush probably saved Microsoft from breakup. Now, I think a lot of the Right also views these tech companies with suspicion. I think we are going to see more and more government action, for example going after them for antitrust and monopoly abuses.
Are EU regulations on this issue substantially different?
I ask because every time this topic comes up, a comment will inevitably be made saying how you should keep data in the EU and this will be the death of the US IT industry. However, what I've never seen is any actual evidence that these court cases would proceed differently in an EU country (and note that Microsoft actually seems to be winning their similar case as far as I know).
As an example, suppose France had a Google equivalent (Le Google) with servers all over the world. The French government issued a search warrant for an email account, and Le Google refused to hand over the contents of that email account because the data was (or could be) on a server located in the United States. Under French or EU law, is this a valid reason to reject a warrant (and does it matter if the account belongs to a French citizen or not)?
Your entity has a presence where the warrant is served. Your entity where the warrant is served can get at the data. You probably will be forced to comply.
If you genuinely want to avoid this issue, your foreign entity needs to be distinct and independent. That way Le Google could say "Serve the warrant. We have no ability to comply. What do you expect us to do?"
Of course, this means that you don't get the nice benefits of putting ALL your data into one gigantic maw to be chewed up by the machine.
Right, except the specific claim here as I understand it is that companies should be able to refuse to comply with warrants if the responsive data is stored in another country even if the company can access said data and that the lack of ability to do so exists in the US but not in the EU.
"Lack of ability" will have to be demonstrated politically as well as technically.
If Google doesn't want to be subject to US laws, then the data and servers in question have to be under the control of an entity not under US jurisdiction. And that includes financially and politically as well as technically.
This really isn't that hard. Google can either set things up so that Google US really, truly cannot affect anything in Le Google--and that includes management decisions--of course, Google does not want independent Googlets as those companies will start to compete with the mothership (or they can't function because they lose the economy of scale). Or Google can set it up so that NOBODY including Google, Le Google, etc. can get at the data because it is encrypted--of course, Google doesn't want this as then they cannot mine your stuff for advertising.
Why do you think Microsoft just announced all the SGX support stuff for Azure? They want email to be really, truly encrypted such that even Microsoft can't get at it, so that they can keep selling Office 365 without getting embroiled in this.
We have many factions in the US, some more short-sighted or zealous than others. There certainly are citizens of the US who feel that unquestioning compliance with authority is paramount above all other concerns, including long-term economic effects.
Luckily US companies are much more nimble than their government. Most major companies have European branches and subsidiaries specifically for the purposes of ensuring international compliance and skirting around such legislative issues. We certainly poured a huge amount of engineering effort to make sure we had data centers that were EU compliant and completely bifurcated from our US datacenters.
You would have to show that the EU entity is not under the control of the US entity before the court. I don't see how you could get there without a fully separate entity that is not owned by the same parent company. Not to say it's not doable, AmaGooSoft are certainly capable of pulling it off, but you've got to be pretty convinced you're leaving a LOT of money on the table by not doing so.
I predict EU firms will get over it unless there are regulatory reasons they can't. Any EU company with a US presence is already vulnerable to DoJ lawsuits and can be directly compelled.
Just to demonstrate the kind of hell we have to go through (today) when we look at cloud services for storing personal data.
This is the recommended checklist from the Data Protection Authority in Norway when looking at new cloud sources. By default we can't use anything outside the EEA, however there have been some agreements with e.g. the US (safe harbour). This ruling will effectively eliminate the safe harbour agreements the EU/EEA has with the US.
This isn't climate science, we could see the economic effect immediately. That is simple enough for most people to draw a connection. I think the problem is more that some people want to hurt the US IT industry for political gain.
I disagree on how 'soon' the effect can be 'seen.' Any adverse effects would be rhetoric'd away by those in power at the moment. Their supporters would not 'see' (or if they did, acknowledge) any bad effects, and those in power would likely find another scapegoat. It's only after they are out that their supporters might (but no guarantees..) understand what happened. There will always be folks who can see through the bullshit, I wasn't referring to those good people in my original comment.
I work in a less strict environment, education on call management & insurance claims, in a more US-friendly country, Canada, & we too are required to host through Canadian hosting companies. This is in response to the Patriot Act.
I don't understand how it can possibly be the case that google doesn't have to produce data under a valid court order because, well, they don't feel like it. If the data is in google's possession -- which it is -- then google needs to produce it. I understand this is not necessarily great for google's businesses abroad... but it remains ludicrous for a US corp to tell a US court to piss off.
>but it remains ludicrous for a US corp to tell a US court to piss off.
Assume I build a storage box business with headquarters in the US. After a few years of good business I decide to expand and open a subsidiary in Ireland with a local CEO in charge. I now get an order from a US court saying I need to hand over the contents of box #371 that's sitting in Ireland. I consult my lawyers in Ireland who tell me handing over those contents will be a breach of Irish law and very likely to be prosecuted. As the US based CEO do you think I should go to jail or I should send my Irish CEO to jail?
Tech company backend systems aren't independently owned/operated/engineered silos like a storage company's subsidiaries.
Any notion of data having a geographic home, unless specifically created to address a regulatory requirement, is a performance optimization. In any realistic architecture, there are a million exceptions to "this Irish user's data is stored in Ireland": offsite backups, cross-datacenter requests within backend systems, offline analytical stores, queries, derived tables, etc. The same engineers who build and operate code for the US would build and operate code for Ireland, and in fact the developer platforms would be designed to hide differences between datacenters as much as possible.
If an Irish citizen logs into GMail in the US, they're not going to hit a frontend proxy in Ireland. Their data is going to be processed, and at least cached, by Google servers in the US.
Data having a geographical location is an incoherent concept in the context of the architectures of modern multinational tech companies. That much is obvious from simply reading their engineering blogs and whitepapers.
It would be a coherent legal standard (and one I favor) to say that an EU citizen's data is subject to EU protections regardless of where it's stored. It would also be coherent (and the one we unfortunately seem headed for) to say that anything an American employee can get over any remote access tool, he's required to hand over in response to a valid court order.
But pretending that data has a location is a weird hack, nowhere near as clear cut as your analogy suggests. Can you imagine, arguing in the courtroom over which member of a trans-continental Paxos group was master at the time a warrant was processed?
I know the case was a massive simplification on the technical side, that was on purpose. It wasn't a simplification on the jurisdiction side though. Google does have a subsidiary in Ireland and so handing over the EU data does put you in that conundrum as you definitely are subject to Irish law when dealing with the data of Irish users. That you decided to architect your systems so that data is not geographically separate is your own problem.
To my understanding, neither US nor EU law give a crap about the data's geography. And rightly so, because data doesn't have geography. EU privacy laws apply to all EU citizens, and US warrants apply to all US persons capable of facilitating them.
The exception for US-owned databases in European datacenters was a bizarre, short-lived loophole created by case law which maps poorly onto the realities of the situations.
I'd say it's the companies which have twisted themselves into knots to take advantage of this loophole, and expected that to be an enduring investment, which are having a problem.
> To my understanding, neither US nor EU law give a crap about the data's geography
How do you think search warrants and national espionage programs are carried out? ... That's where the law comes in: data is just "property". The law gives many craps about property :)
> I'd say it's the companies which have twisted themselves into knots to take advantage of this loophole, and expected that to be an enduring investment, which are having a problem.
The business conundrum is whether to cede massive, growing, markets to regional players or to try and straddle multiple legal regimes. That straddling means trying to reconcile different legal requirements, and that's what we're seeing: saying no to party A to respect the demands of party B.
Far from a problem, this is a consequence of expansion and profitability. Far from a "pretzel" this is par for the course for multinationals, and a key area of legal precedent for the current IT behemoths (read: impacts billions in revenue).
There are other corporate solutions to this issue, they're just much less profitable than today's approach from MS, Google, and others.
> To my understanding, neither US nor EU law give a crap about the data's geography ... [search warrants... are carried out] based on the citizenship of the targets.
Executing a legal search warrant involves using legally binding power on a legal entity within a specific jurisdiction. If property or entity is outside that jurisdiction then the laws do not apply. US and EU law give very, very, much a crap about their jurisdictions, and where property is (ie where data is located).
Whether US jurisdiction applies to data held by US companies outside the US has so far depended on which court you ask, and appears to be leaning towards "yes."
Certainly the citizenship of the entity holding the data matters, and from the GDPR's perspective, the citizenship of the data subject matters, but the "location" of the data itself has (maybe) mattered for about 2 years, and may not anymore after this works its way through the system.
In that case how do you propose US-based companies operate in Europe? If it's not possible to follow EU privacy laws because US courts can compel you to break them, should Google/Facebook/Microsoft just leave the EU market?
What other choice do they have? With the "data lives in Europe" loophole ending, then yeah, the US will have to suffer the economic consequences of its failure to come to an agreement with the EU.
1. An AWS Ireland instance bought by a EU member: here the storage box analogy should apply fully. The data is indeed geographically located and being operated within that geography. US courts need to accept that they need to go through the local authorities to get a warrant for that data just like they would for any physical good.
2. A worldwide distributed database like the Facebook graph: here the analogy breaks down completely and the US courts are taking advantage of that to access anything they like. I'm sure their tune would change if suddenly the Chinese authorities forced the local Facebook subsidiary to hand over all the data of US citizens. For this the solution will need to be an international arbitration for data access. If the database is not geographically bound then the mechanism to ensure its privacy will have to be international as well.
I think the Microsoft case was of type 1 and so new laws should not be needed. Cases of type 2 will be much harder and it may very well mean that Facebook becomes de facto illegal in Europe.
> In any realistic architecture, there are are a million exceptions to "this Irish user's data is stored in Ireland": offsite backups, cross-datacenter requests within backend systems, offline analytical stores, queries, derived tables, etc. ... Data having a geographical location is an incoherent concept in the context of the architectures of modern multinational tech companies. That much is obvious from simply reading their engineering blogs and whitepapers.
Italicized for emphasis, because that's the part where one discussion attempts to diverge into two.
It's true what you're saying, in exactly that one context: from the point of view of a multinational cloud provider there's a lot of different ingredients coming together to make "a" stew.
For what the OP was discussing though: what you're saying is completely wrong.
From the context of the Irish Government who is protecting sensitive personal data on Irish citizens and deciding how it, the Irish Government, and their related services should handle data, there is only one legally defensible position as of today: full control of the legal entities handling the data. The EU has very little legal sway outside the EU, there is no baked-in legal reciprocity, and your suggestion for data handling laws falls woefully short of the real world issues (like... hate speech legislation, abortion politics, etc).
You're thinking about GMail. The legislation is looking at something like the entirety of the Irish health services and handling sensitive individual research data. From that context the idea of having no data governance and relying on inadequate legal agreements directly contradicts expert opinion and legal requirements.
Personal Identification Numbers do a lot to streamline public services, they also change the relative sensitivity of data at rest. Therefore the EU has decided that putting such data in an environment where something like Paxos would be relevant is a complete no-go. Data has a location until it is copied multiple places. The EU has decided they don't want any of those places to be outside their jurisdiction for the good of their citizens.
>there is only one legally defensible position as of today: full control of the legal entities handling the data
Absolutely! The GDPR does this, and it's perfectly coherent, in that it applies to all EU citizens' data, regardless of where the data is stored or processed.
What's incoherent is the (former) US policy that data held by American companies is immune to search if and only if it's located outside the US.
>Data has a location until it is copied multiple places
Data are copied hundreds to thousands of times as they transit any network. Further, if data at rest are only stored in one place, the company storing it is dangerously irresponsible. HIPAA actually mandates backup and disaster recovery capabilities. The illegal thing would be having too few copies, or an architecture with a single point of failure.
>The legislation is looking at something like the entirety Irish health services and handling sensitive individual research data
Surely something this sensitive should not rely on the "one weird trick" that US companies are (sometimes? maybe?) not required to comply with court orders for data that they claim lives on EU soil.
I do not think this is an accurate analogy, specifically I do not think an Irish CEO would be violating the law, but in any case, most jurisdictions do not care if you have placed yourself between a rock and a hard place legally and will operate as if no other jurisdictions exist; the main question is usually "can the US entity do what is being demanded"
The EU is not most jurisdictions and has put pretty hard rules in place. What you are saying is that you think that it is OK for a lowly judge to force all companies that deal in personal data to choose to either operate in the EU or in the USA.
That is clearly not an optimal situation and will clearly have to be resolved, either by one side changing their rules or by a common agreement that voids GDPR for American courts.
This is not an optimal solution, which would be a negotiated agreement between the US and EU on how to reconcile the laws, but saying that doing what the court demands would put you in a hard spot of your own making isn't really a defense.
On the off chance an agreement is reached with the EU I fully expect that they will allow law enforcement access from both jurisdictions; None of the EU laws restrain law enforcement in this regard.
You can try and denigrate the judge all you want, but they have the authority to make these demands, and your only recourse is the supreme court or congress. Laws are a cost of doing business in the US.
So x0x0... Google China (which is a Chinese company) should hand over your data to the Chinese if they ask.. right?
I bet the Russians would like to take a look too. And India, South Africa, Israel, Turkey, ... (Google has a company that operates in each of these, and many others)
Reality allows more complicated trade-offs than we'll let no-one look at any data/we'll let everyone look at as much data as they want.
Law enforcement agencies are generally (though not always) interested in domestic matters, so there isn't usually any real conflict here; China primarily wants data on their own citizens; some people take issue with a US company being complicit in Chinese surveillance, but this should not bring US citizens interests being affected by Chinese requests.
In practice, it's really not an all or nothing proposition, companies do decide how to respond on a case by case basis, sometimes even pulling out of countries, e.g. Google from China.
> Reality allows more complicated trade-offs than we'll let no-one look at any data/we'll let everyone look at as much data as they want.
We're talking about legal precedent for a country to force a multinational to carry out acts in other countries because of their local laws...
If Google can be compelled by the US to violate EU law, the EU can force Google to violate US law. Reality may allow for nuance and shades of grey, but the ability of a legal system to force compliance regardless of local law is a binary proposition.
> ...companies do decide how to respond on a case by case basis, sometimes even pulling out of countries, e.g. Google from China.
If a company is legally compelled to do something, it is legally compelled.
From an investment point of view it is irrelevant that Google might cut some business in China if it were compelled to provide my trade secrets to the Chinese government. It is essential to risk management that my trade secrets never reside somewhere where that legal compulsion might arise with no recourse, due process, or knowledge of the transgression.
This is not about companies who host, this is about citizens and companies who have things hosted.
The government's arguments are awful. And I would like to point out that their efforts started when Obama was in office, so the awfulness cuts across party lines.
> The government, meanwhile, accused Google of fashioning a system that kept consumer data stored on various servers across the globe—just so it could defy court orders.
GGG? (Good Guy Google) ? For all the hate that Google gets on HN, it should also get some kudos for trying to protect the users' data.
Google, good or evil, has a massive long-running interest in not allowing nations to subvert each others laws.
Taken cynically: protecting user data may be entirely incidental to securing megabillions in hosting and services over the next few decades in privacy aware countries and with authoritarian regimes.
Still: doing the right thing for the wrong reason ain't the worst ;)
Engineering-wise, data dup and replication is worldwide for guaranteed access times, availability and DR. This particular legal advantage is a bonus of good design :)
Point of order: the accusation is not that Google duplicated and replicated data, some of which is outside the country.
Google is being accused of intentionally obfuscating their control of the data explicitly to avoid court-orders (and not technical reasons and common engineering approaches).
... what you're talking about should result in a logical amalgamation: data here AND data there. Google is being accused of going out of their way to create artificial barriers to the legal system by only having data "NOT here".
Why can't anybody work on some kind of blockchained database software? I wonder if it would be doable... The Silicon Valley TV show had this. I've also thought about it, but I'm not sure it would be fast enough and redundancy could be tweaked... so only for backing up data...
I don't know, but storing data in a cloud which resides in user computers sounds like the perfect solution to those kinds of legal issues. The whole feature is having data that cannot be suppressed or accessed by a private party.
There was a desire for globalization, people to people connection and one world fantasy that a whole generation was brought up on that early tech companies leveraged.
But a lot of this is coming from the post 60-70 generation and events have completely discredited the idea of globalism.
Nation states, politics and parochialism are as alive and kicking as ever, and far from uniting people our companies are just a way to exercise unilateral power and further national interests.
No country can afford to be dependent on others for food, it's always used against them. It's the same for technology, both software and hardware, and this will lead to a more divided, splintered world and limit US opportunities but also increase local opportunities.
Until globalism is a social and political reality based on mutual respect and humanity and not exploitation and capitalism this can't change.
Just wondering, is it possible to design software where the data is visible to the software but not to a human (the programmer)? I could see a system where the private key is generated and stored in RAM and all the data is encrypted, but the first update or power event would destroy the data. Just a thought experiment.
Two approaches: "trustzone"-style systems where the data is inaccessible to everything but the secure processor, or homomorphic encryption.
But on the first, software updates present a problem. You can make the system only accept signed updates, but then the programmer can just replace the program with "please print all your secure data". Variants of this technique have been used to break all sorts of things, from arcade machines to payment cards. So if you want the data not to be visible to the programmer, you can never update the software.
Homomorphic encryption theoretically hides the data from the program, but is extremely inefficient and I'm not aware of any widely deployed use.
There was mention of the idea of data being (or not being) accessible to someone while in the US. It seems like it would be possible to design the system so no one in the US has "admin access" to the data in question. VPNs and firewalls restrict access to the data such that only someone physically in the EU can access it. An end-user with the account password could access their email or whatever through normal means from anywhere, but that would be it.
Not sure if this is possible, considering you can always make the argument that the employees in the EU with access are subordinate at least to the US-residing CEO, who could order them to fetch and send the data.
No, there is always a programmer, a sysadmin or an operator who is in control of a program. Software cannot deploy and maintain itself.
It's possible to completely cut access to a system, for example if you lose the only SSH key. It would continue to run and service users, but it is inoperable from an operational point of view.
In this article, the government directly accuses Google of deliberately storing data overseas, so that they don't have to comply with certain court orders.
How is it a crime to store data internationally?
Am I a criminal for storing my photos on a Russian VPS?
Does this enrage you?
Also absolutely insane that one ruling in one Fed District Court is non-binding to the other Courts.
What is the point of having the Supreme Court if courts which are nominally peers of one another are bound by each other's decisions? By having multiple cases with slight variations of the facts involved, the Supreme Court gets multiple data points upon which to base their decision which is then binding for the whole country.
From the article, and I'm no expert: they referred to that other court as a "sister court". My take on that was that those courts reside on the same legal 'tier' so neither one really dictates for the other, SCOTUS is the point of final arbitration.
You aren't a criminal for storing photos on a Russian VPS but you might be a criminal if you store data related to your money laundering activities on that same server. If the government can meet a reasonable standard for a warrant and prove that there is likely evidence on that server, should they be unable to secure access? What if that data were related to an imminent attack?
I'm in favor of protecting data privacy and hope that the courts side with Google/Microsoft, but I don't think that the arguments are as crazy as you describe them. From the government's standpoint, tech companies are enabling criminals' efforts to circumvent the law and endanger citizens.
Offline laws are struggling to keep pace with the internets, nothing new.
> If the government ... access? What if that data were related to an imminent attack?
We can always play the game of upping the consequences but it's always the case that people are willing to throw out the rule of law when there's enough danger and I think that's the standard we should hold.
If there's an imminent attack I think the argument should be that the danger is so great that the police/military must be given an exception to the law, not constantly expanding their power just in case.
When "the rule of law" can be changed at whim by one side to the detriment of the citizens, without recourse by the citizens to fix those changes, then "the rule of law" is a farce and has already been thrown out.
Too often, the group who is currently in charge of a government gets a free pass to play havoc with both constitutional interpretations and general reasonableness of the societal rules and laws simply because they are the government. They are not held to any standard of responsibility for the changes they force upon the citizens.
How often do we find that governments create more and more law and regulation solely for the benefit of that government and its "backers"? These laws and regulations end up being to the detriment of the citizens, those for whom, ostensibly, that regulation and law is supposed to protect and benefit.
I should make note that irrespective of any imminent threat, law enforcement and military should always be held to the highest possible standard and never given any exception in following the law, that is the path to them never following the law and becoming a "law" unto themselves.
Which is fine, but my hope is that by giving the police and military a method to deal with 'national security' threats by seeking exceptions on a case-by-case basis, generally applicable law can be reined in, unburdened from dealing with exceptional cases, and add a bit of additional transparency because people would start paying attention when it's invoked.
> never given any exception in following the law
But my point is that in your world the law needs to explicitly handle exceptional cases and remain consistent which I think leads to an unnecessary expansion of power. For example I think there is a strong case that when faced with a credible bomb threat that the police should be able to compel suspects to unlock their phones. But outside of literal states of emergency I would be very uncomfortable with police having that power and I think asking the court to effectively instate temporary martial law to acquire powers like this would actually reduce their power most of the time.
* It means we can write laws without having to worry about exceptional cases that can be used as loopholes.
* It's an incredibly high bar to meet. I think the courts would rightfully be reluctant to grant these powers.
* There would be little chance of these powers setting a precedent, since by definition they're suspensions of the law.
* It would be an incredibly loud signal that would be obvious to anyone and everyone if it was being abused.
The problem is that this exists already and doesn't work. The fundamental problem is that "suspect" is based on assumption of guilt first and not on assumption of "innocence" first.
We already have enough evidence that the "haystacks" are far too big. Law enforcement should require very highly trained individuals that have extremely high standards of protecting the citizenry without requiring exceptions to obeying the law. Yet, what we see is LEOs of all description who are self-entitled, above the law and are only concerned about what they want; they kill, they steal, they destroy, with the courts (in many cases) just giving them a free pass.
Society at large doesn't trust them, and these non-trusted groups are not interested (on the whole) in changing to gain that trust back. So, until they change there is no logical reason for giving them any leeway.
In terms of your exceptional cases, there are laws already on the books that handle this. There is no need for additional specialised law to cover these cases.
The problem of "crime prevention" is that this is not an add-on feature. "Crime prevention" is a fundamental feature of a society that is responsible. Yes, there will be instances of a crime happening and you need to deal with this after the event with the appropriate action. Unfortunately, in today's society, many things that are "crimes" only because a section of society think they should be are treated as more serious than things that are really crimes. So copying a film is more punishable than taking a life. Go on from there.
If the data are stored in a Russian VPS, you ask the Russian authorities to get them for you.
Asking Google to get them is akin to asking a hacker to hack foreign servers. Would you like the reverse? A Russian company delivering data from US-based servers just because a Russian court asked for them?
If I understand the 5th amendment correctly, and its caselaw, you would be OK storing evidence of your own crimes overseas, but evidence relating to other people you could be compelled to turn over.
Nice attempt at a PR stunt. "Google resists handing over 22 mail accounts" when in truth they hand over ALL of your email and surf data to the NSA, for later abuse (willingly or not).