Everyone is talking KMS which is nice but I don't think that is the biggest selling point. Being able to say in which region your email is stored is huge for customers who don't want their data shipped all over the world.
"Another notable feature of WorkMail is that users can specify what Amazon region their e-mail is stored in. Customers can choose a specific, relatively close data center to reduce latency in retrieving e-mail or for compliance purposes—such as European privacy regulations. The feature means that users won’t get the benefit of failover to another data center in the event of an outage, but Amazon may offer mirroring services later."
That is a big differentiator for many companies right there.
> or for compliance purposes—such as European privacy regulations
That sounds nice, but Amazon is still a US company, and the US government seems pretty staunch in their view that US law trumps country-of-residence law.
I can understand why you would say that after the big fight with Microsoft. What if Amazon makes it so the only employees with keys to be able to decrypt data in that region, live in that region. I think that could be the failsafe right there to where even if the government says "hand over the data", Amazon says "we can't and the only people that can are Citizens of xyz and we can't compel them to break the law of their home country".
I'm not saying that is what they are doing but it would be a very interesting strategy.
You can bet there will be some bs charges like obstruction of justice or whatever and it might even fly depending on how much of an asshole the judge is...
What if the company was Enron 2.0 and was keeping their tax records and other incriminating emails on a server in another country that was under the control of an American company? Should the US justice system just accept it is outside of their control, or pursue the American company to turn over material in their control for the case?
That would depend on the law about "where should an American company store its emails". If they are not allowed to store stuff abroad, then you can throw the book at them regardless of whether you get those emails or not.
Like for tax evasion vs tax avoidance, law enforcement cannot complain that individuals and companies use rules to their advantage, they just have to make smarter rules.
That's two different points through from a company perspective. The first is whether you're compliant with well-defined local regulations for the jurisdictions you are within, as well as any industry specific regulations you're under (think Finance). For example, the specific regulations for employee email are substantially different in the UK, Germany and USA.
The point you're making is whether 'state actors' can get into your documents or email. It's a different order of magnitude issue. First, as a company you're going to comply with whatever the law is in the jurisdiction. Second, if you're being attacked by a state actor then you've got major issues. And for many businesses even considering protecting against that wouldn't make sense from a cost vs risk perspective.
IANAL, but these regulations and organization requirements in my experience haven't cared about this. A common requirement is physical location of servers / the data on them which this satisfies.
Amazon and other tech companies can design systems where the keys are held entirely by the end-users. How far is the US willing and able to go to get at that data?
How? If I send an e-mail via Amazon's service, they must at minimum have the standard e-mail headers in order to process it. In which case, it's no different than PGP-encrypted e-mail, available with almost any e-mail provider. This also provides Amazon (and whoever subpoenas Amazon) with significant meta-data on my communications, even if they don't have my actual text.
In order to make e-mail into a system where two people can communicate in a secure fashion, where no data is stored on or passes through a remote system unencrypted, you would have to re-implement e-mail. And of course there goes interoperability.
"extradite" as in to wrench out a server rack, bundle it into a helicopter in a blaze of sparks, and fly the server to the US in a helicopter under the depth of night? Unlikely.
Require US companies to follow US law and regulations, across global legal entities, even when the local law of locally incorporated entities is incompatible with US law, absolutely yes, that is required.
> Require US companies to follow US law and regulations, across global legal entities, even when the local law of locally incorporated entities is incompatible with US law, absolutely yes, that is required.
Then why the hell would anyone build a company in the US?
And where US law has limitations, they have the Five Eyes coalition to do the work for them. "We didn't spy on them. Someone else gave us the info!" ... in an automated fashion, 3ms after "someone eles" did the dirty work.
http://arstechnica.com/information-technology/2015/01/amazon...
"Another notable feature of WorkMail is that users can specify what Amazon region their e-mail is stored in. Customers can choose a specific, relatively close data center to reduce latency in retrieving e-mail or for compliance purposes—such as European privacy regulations. The feature means that users won’t get the benefit of failover to another data center in the event of an outage, but Amazon may offer mirroring services later."
That is a big differentiator for many companies right there.