
That hasn't been my experience, I don't know where you're getting your facts from. But I'm involved with two very big German companies and I've heard of many others that are banning US-based services and it's not enough for those services to have servers in the EU. There is no such thing as AWS or Azure, their usage would be unthinkable. Everything happens on their own infrastructure and installing Skype on your computer for example can get you fired. The reason is quite simply fear of industrial espionage and the Snowden leaks made things a lot worse.


From actually doing security and compliance (ISO, PCI, FCA) related work within the EU, as for getting fired for installing Skype, you can get fired for installing any unauthorized software in a company with a strict computer use and computer security policy.

I use Skype to communicate with German clients including in the banking sector like ING-DiBa, so anecdotal evidence aside not every company has some aversion to US companies, not to mention that Amazon is pretty much handing out free AWS credits in every large accelerator in Europe (if you want anecdotal German examples then Deutsche Bank's innovation hub in Berlin) including fin-tech and health care specific accelerators and the participants are eating them up (and if you want bigger companies then AWS's case studies have quite a few big German clients https://aws.amazon.com/de/solutions/case-studies/all/ including Siemens health care solutions and Software AG, and Nuremberg's Airport, so 2 regulated industries, and the 2nd largest German software house). With the exception of 1 startup in the current Barclay's accelerator run in London every company in IIRC is running on AWS because of that, heck some companies in the MSFT accelerator across the hall are using AWS even tho Azure is pretty much complimentary.

Big companies always are slow in adapting new technologies but it doesn't mean that there is some generic no cloud or non US policy in it, yes if you are handling data protected under local and EU data directives you need assurances but if you can achieve those or flex them enough to maintain compliance you will be able to use them.

Yes if you are a giant org that has its own data centers and 100% control over all of its assets you won't be jumping on the cloud bandwagon and you are more likely to deploy a "private cloud" in house which is just a fancy word to say that you will have more modern resource management and deployment infrastructure, and sure the likes of Rackspace are still considerably more popular in Europe (as they are in the US) than AWS as far as managed services go mostly because they've existed for much longer and they still offer traditional types of managed infrastructure / data center as well as cloud-ish products.

You are also way way overestimating the impact of the Snowden leaks on the industry.


When avoiding US Services it's not about the whole company. At least 4 DAX companies' research departments I know about enforce GPG Crypted mail transport since Snowden. Everything else bounces. The same companies asked us to exclude the US and the UK out of sensible data routes. I know that's not gonna do it, and there's a lot more to do but... I know that you know why I can't go into further details.


Research departments have always had different operational procedures, 4-5 years ago I did a project for a company called Interhyp (financial services mostly finance management loans and mortgages) in the building across them there was a Siemens facility which had cell jammers that leaked through the street if you were too close well tough luck.

Different departments and subsidiaries will operate according to different procedures based on the specific threats and requirements, this happens even in already highly regulated and restricted fields for example Lockheed Martin's Skunk Works and Boeing's Phantom Works operate on a completely different level than their civilian and even military BAU aerospace departments when it comes to operational security and secrecy.

Not every company, and not every department can and has to operate using the same ruleset, departments that are relatively sensitive or can afford to work under stringent rules may do so, departments that can't or don't really need to won't, life isn't binary there's more than 2 ways to skin a cat ;)


Cell jammers? Shit these are illegal no matter where you want them...


Depends where and for what use, some company in the US got hit in the rear because of that, but if you are working in the defense industry you might get exempted, heck in South Africa there was a scandal this year when they jammed the signal inside the parliament even tho it was illegal. http://www.news24.com/SouthAfrica/Politics/Reports-of-a-cell...


Are you allowed to use Mac, Windows, iOS or Android?

It's long bugged me (pun not intended) that our OS's will betray us if the US government wants them to.


At least with Android you can view and compile/install from source right? I thought that was one of the main benefits of using open source for security; that you can both verify the source is secure and also that you can be sure the source you're viewing is being used.

I suppose you also need to trust the build system and compilers though.


How many companies would (not to mention could) you think buy OEM phones and build their own Android OS from scratch including device specific and baseband drivers? I would bet that it's 0 even government agencies opt-out to certify existing devices.

If you work in a place that is too sensitive to accept phones there is a much simpler way to go around it and it's that you aren't allowed to bring in phones into the facility in such cases you usually leave them in a locker at reception.

Other policies might only prevent phones from being used in places that deal with sensitive information such as labs and R&D departments or meetings which touch sensitive matters.

I've worked at a facility that while allowing phones it didn't allow phones with cameras so around 2009 I still have an old Nokia phone which while had a camera initially it was easily removable, if you didn't have a phone without a camera then you could simply do a follow me to your roaming extension before shutting it off.

I don't think that any company that sees phone tapping as an actual realistic threat would filter phones based on their manufacturer let alone the OS, they might issue their own phones which are connected to the company's MDM or require BYOD devices to be pre-screened but saying Android no, iOS yes or vice versa unless it has to do with specifics like MDM compatibility wouldn't be a realistic scenario.


> How many companies would (not to mention could) you think buy OEM phones and build their own Android OS from scratch including device specific and baseband drivers? I would bet that it's 0 even government agencies opt-out to certify existing devices.

Well, I certainly expect Amazon to be able to do so. Google actually has left them no other choice in the long term than to re-implement everything because a shitload of stuff has been moved into Google Play Services.



