What I don't really get here, is how is storing data in a cloud service any different, from the legal perspective, from a safety deposit box at a bank or a storage locker in a public storage location?
The paradigm seems very similar - I go to a service provider, pay them money to give me certain amount of private space, put my stuff there, lock it with a key and go on my merry way. When I want to get my stuff out, I go to the location, unlock, get the stuff, re-lock and go.
US laws seem to have very strong protection against someone going and taking my stuff from there. Even if the bank or the storage place go bankrupt, I'm fairly sure no one is legally entitled to go through the stuff that is being stored.
Further, if one of the bank's or storage place customers happens to store something illegal, law enforcement typically needs a warrant to seize it. However, in no way are they entitled to take or destroy property of others, not relating to the warrant.
The ONLY meaningful difference seems to be that they can't easily just access the "storage box" associated with the warrant, and servers are much more portable, so they feel entitled to just take the entire thing. I guess that if your bank had no way of opening the lockbox, law enforcement might feel entitled to take the entire vault...
It's important to see that there isn't just one legal perspective. The law tends to be incredibly malleable, so in many areas (especially newly developing areas of law) you'll see actors espousing theories based on what they want you to see. Think of it like a Rubin vase (http://en.wikipedia.org/wiki/Rubin_vase).
Here, it's not surprising that the government wants to take a position that gives them greater power to snoop around in files you store in the cloud.
It's perfectly reasonable to look at your data in the cloud like a safety deposit box. But alas, government tends to follow a path that gives them greater control and not less. This is just another instance of that tendency.
Because with most websites when you agree to the terms and conditions you also agree to hand over all rights to that content to the service provider.
That means that the US government only needs the approval of the service provider (via warrant or subpoena) or no approval when they sieze that provider.
Most websites function as content distributors, so for them to be able to serve your content to anyone who asks for it, you need to give them the legal right to do so.
The difference from the storage locker or safe deposit box example above is that for those services, you hold the key. You are not putting your stuff in those places so that any passerby can rummage through it.
Websites/services that provide more limited distribution services, e.g. dropbox, or anything where you need to grant permission to individuals, are a bit closer but still not really the same as the safe deposit box example. You should be sure that the rights you are granting by agreeing to the terms of service are more limited.
For cloud storage where you really want to limit access to the content to yourself only, you need to be sure that not even the provider can access it. I.e. encrypt it before it leaves your machine.
Good point. There are services that specifically provide for encryption and import, requiring a private key that only the user of the info has. Of course, the encryption can be cracked with time.
However, my main concern is not so with no one reading the data, but with data being taken and not returned.
nikcub raises an important issue - one must consider the contract between the end customer and the service provider. The analysis doesn't end here though.
There is a lot of additional complexity -- not only are there other contracts in play (e.g. contract between Megaupload and Carpathia and any other contract between Goodwin and any other 3rd party impacting the data), but also the issue of whether and how the court will enforce those agreement.
The government's ability to access the data changes depending on how these agreements are interpreted/enforced.
If you want to get really pedantic, there is also the question of whether the court is appropriately exercising jurisdiction and therefore has the authority to make and enforce such a ruling.
> Because with most websites when you agree to the terms and conditions you also agree to hand over all rights to that content to the service provider.
Rarely true anymore. Most sites that accept user-generated content explicitly state that the users retain ownership rights, but grant the site operators a broad license to republish that content.
But that doesn't matter because the government does not need anyone's approval if they have a warrant or subpoena. Compliance is not optional and supersedes IP protections.
The US government has taken upon itself the power to go thru safety deposit boxes at any time, for any reason, in recent years. They say it's necessary to "fight terrorism" and "money laundering" (which is a "crime" whose definition is so flexible that you can get a conviction of anyone for it.)
Don't confuse what the constitution says with what the current "legal perspective" is. Under the constitution, most of the government is illegal.
Since the US Federal government doesn't follow the law, there's pretty much no limit to what they can do.
Hell, in the megaupload case they violated the laws of New Zealand and the USA, and still are not giving people the illegally seized data back.
They say it's necessary to "fight terrorism" and "money laundering"
I'm not familiar with this. Do you have links to where this is said, or articles about this abuse? I searched a bit and came up with some similar things that were debunked (http://www.snopes.com/politics/business/safedeposit.asp) but nothing about this specifically. Thanks!
Except judges are so easily swayed by sealed evidence about national security. And national security has been arbitrarily stretched to encompass all manner of things. They'll definitely try and make a case about terrorism and drug cartels affecting national security.
Court rulings can violate the law. Wickard v Filburn is a perfect example. Everyone can read Article 1 Section 8 and know that personal property does not fall under "interstate commerce." That doesn't stop the Supreme Court from ruling that way.
In the same vein, we've now reached a point where the Supreme Court's decisions are increasingly (if not all) unconstitutional.
The problem is that there's no 3rd party to settle a dispute with the government. If you and the government have a disagreement, the government decides who's right.
If the Supreme Court ruled the sky was red, the sky would still be blue.
This resonates well: I just finished a first proto install of a local personal cloud with a Raspberry and a USB drive. I've always been reluctant to putting my files in a 3rd party cloud except for backup. I have pics of my kid and feel I have the duty to ensure these will still exist in 30 years, and in 30 years most likely none of Amazon or Apple or Google or Dropbox services will be the same as they are now, if they are not simply discontinued.
I live and work in China, and often advoces the same lines to my colleagues, most of whom are trusting Apple with all their files. They don't see the danger, but even if you leave politics aside, moral values and taboos change much faster than we think. For instance, the "loli" thing in China is not taken as seriously (litote) as it is in the West, and many pics/drawings that would send you to jail in US are deemed most innocent here. But in 20 years it can be different.
The electronical devices I buy are my property, I have root access. I can change the software running them.
My files belong to me and no-one else. I am responsible of them, if some are lost it is my fault.
Yes, it was some kind of ironical use. But in fact the remote storage and services we call "cloud" is not more revolutionary than the same thing done locally.
With all those new tablets we move around in our houses and outside[1] we certainly need a central repository of things like our music and pictures, and Google and Amazon et al. know it well enough[2], but I do not agree to trust them with my important stuff, and some recent bad experiences show that data sent to the "cloud" is not your anymore, except if you run this "cloud" on your server.
Well, if you get three-five small machines, put CouchBase on them, and maybe even install the CBFS (couchbase filesystem) project, do you not have a private cloud? Replication, failover, etc.
You certainly have a private cluster.
While "cloud" is associated with living in some datacenter somewhere, it is not a precise technical term, and there's a lot of marketing towards businesses to "build an enterprise cloud" (where it's a private cluster in a datacenter or building owned by the business.)
You seem to imply that there's a minimum latency between your personal machine and the "cloud" machines for the cloud term to apply. Or just that the servers have to be owned by someone else?
I think the real meaning (or intended) for "cloud" is a cluster, or set of services that are designed to run on clusters....a collection of machines that provide services, as opposed to the specific meaning of "cluster" which is a set of machines providing a specific service.
>You seem to imply that there's a minimum latency between your personal machine and the "cloud" machines for the cloud term to apply.
not latency, abstraction. If i'm building a server out of parts and wiring it up in my closet, that's a server. If somebody else wires up a server in their closet and rents it out to me, that's a cloud. The cloud means not having to think about things like hard drives failing, and keeping hot spares of servers. So yes, that often means failover clusters but the real point of cloud is that it doesn't matter whether it's a cluster or not - the physical architecture is somebody else's problem.
> If somebody else wires up a server in their closet and rents it out to me, that's a cloud. The cloud means not having to think about things like hard drives failing, and keeping hot spares of servers.
I'd say a VPS could nominally be called part of a cloud, but most serious deployments, pre-cloud, were some sort of colo arrangement where if a hardware part died you had to either drive up to the DC and go swap out for a new one, or else call up the DC staff and ask them nicely to fix it for you. Your hosting wasn't a black box.
I'm confused (and perhaps younger than you). It went like this: servers under desk -> colo -> vps/cloud/everything as a service? There wasn't a huge dedicated hosting market between colo and cloud?
> I have pics of my kid and feel I have the duty to ensure these will still exist in 30 years, and in 30 years most likely none of Amazon or Apple or Google or Dropbox services will be the same as they are now, if they are not simply discontinued.
I never got why people mistrusting the cloud implied the cloud should not be used. Surely a local server AND a cloud server would be the best solution? It's been drilled into my head that everything will fail eventually, so you should base your technology across many different services that are unlikely to fail simultaneously.
I think that misses the point, people with perfectly legal uses for mega upload services had their data hosed when mega uploads was shut down. How is Dropbox immune to this (it may be that it is, I have no idea). If someone else stores all your data, you are entirely in their hands.
The main difference between Dropbox and any "web only" hosting solution is that Dropbox replicates the file on all your machines that are sync'd with Dropbox. So the file is both in your hands and replicated in the 'cloud'.
So unless the government pulls their server just as you upload your encrypted file, and somehow your HDD simultaneously fail immediately after upload, Dropbox does not have the same vulnerability as Mega/Rapid/etc-Uploader if you're uploading encrypted files.
There is a caveat though, you are not just uploading, but syncing your local file as well. The governement having your Dropbox file deleted will delete your local file on sync, and you'll be SOL if you didn't keep other backups.
No, if the government pulls the Dropbox servers (my original stated scenario), your client will not be able to communicate with Dropbox servers, ergo your files will stay intact.
If you mean to say that the government will maliciously delete all files WHILE keeping Dropbox servers online. that is a possible scenario, but extremely unlikely as to not even be worth pondering (i.e. there is no benefit to the government to do that).
Though I must also add: Dropbox is a synchronization service, not a backup service. And even if Dropbox was a backup service, you should have multiple redundant copies of critical files. Don't put all your eggs in one basket and all that.
Ahh, good point, exactly (and wow and having no hint of sarcasm as that is blindingly obvious now). Dropbox has this behaviour by default, yes. MacBook Air owners with piddling hard discs (me) may use it as a cloud only store by messing around in prefs, and then forget that it ever worked any other way. I know this misses the main attraction of Dropbox, but one day Ill have a decent disc and will restore it to its former glory.
Of course, US Govt is not the biggest of our problems. Others include:
- Rogue (or just bored) employees of web companies accessing customer data for fun or profit. (Happens much more often than you think, also in govt agencies.)
- Internet criminals breaking into cloud accounts and stealing data.
- Companies using their knowledge of their customers against those customers in disputes and legal challenges.
- Companies trying to extract the most financial value from customer data by selling it to questionable outfits.
- Foreign intelligence services and outright criminal organizations getting access (through 'hacking', bribery or threats) to any information hosted by any web service and many government institutions.
[I mean, for Christ sakes, if a news publication (NoTW and other tabloids) can buy some very private data of celebrities from UK police, how hard would it be for an organization with bigger resources and no fear of legal retribution to access any electronically stored data - especially by companies?]
* * *
And yet the trend in our merry startup world is to put everything in the cloud. Try asking any web company for a self-hosted version of their service.
For instance, can I get a Evernote server software to roll my own Evernote server? (Compiled and obfuscated, encapsulated in a VM appliance, I don't care.) Even if I was willing to pay for it like for any other software? No. Actually, Phil Libin was asked about it on the Triangulation show on TWiT. His answer? (paraphrasing) "Well, um.. It would be hard, um... The real question is: how do we make you trust us." Well, if that's your answer, you've already lost me. I mean, go ahead, keep my recipes and random silly photos. But if you expect me to trust you with my private documents or my schedule or anything of any IP value from my work, then you have a much bigger problem than communicating.
And so does your company, dear HN reader.
(Well, unless you're doing something frivolous, of course. If you're into the next FartingApp™ or photo-sharing-with-a-twist website, then I guess you're safe, for the most part.)
I would counter that in fact the US Government is the biggest of the problems. All of those other actors fall under the law and are much more likely to be punished for their actions whereas the US Govt doesn't have to obey any laws and constantly finds ways around the existing protections, National Security Letters as just one example.
Iceland and Switzerland are possibilities. As is panama.
Right now, the US has managed to violate he privacy laws of almost every country- famously Switzerland bank secrecy is no more.
But the decade of bullying other countries in the name of "terrorism" is not making a lot of friends, and as the power structures in the world shift, eventually someone will get the balls to stand up to the USA.
Panama might be that country, because China is heavily invested in the expansion of the panama canal. The canal is a massive proportion of the countries economy, and much of the economy that isn't the canal is indirectly boosted by the canal.
With China as a strategic partner, they may be willing to stand up to the USA. Not now, not yet, but in 5 to 10 years.
Europe and the US are both in the middle of massive financial crosses, which will likely result in the destruction of both currencies, and a significant amount of damage to asia as well... but as a result, confiscatory tax policies will go into effect and capital flight from these regions will accelerate. The diminished demand will hurt asia and south america, but increasingly businesses will relocate to those regions.
I seriously doubt that China will stand up as defender of privacy, seeing the track record with their own country. It is inimical to the interests of any large state actor to allow actual, real privacy since that could harbor elements trying overthrow that very same state.
From the Government filing:
"Any ownership interest by Mr. Goodwin in that data would be limited by at least two separate agreements: (1) the contract between Carpathia and Megaupload regarding Megaupload’s use of Carpathia servers; and, more specifically, (2) the written agreement between Megaupload and Mr. Goodwin regarding use of Megaupload’s service. Those contracts not only bind Mr. Goodwin’s use of Megaupload’s service and Carpathia’s servers, they also likely limit any property interest he may have in the data stored on Carpathia’s property. Thus, the Court should limit the breadth of the initial hearing to whether Mr. Goodwin has a prima facie case, i.e. whether he retains any ownership interest in copies of files which he uploaded pursuant to agreements which may have severely limited any ownership rights."
https://www.eff.org/sites/default/files/filenode/Govt_41(g)_...
Isn't that like saying that if you put your car on somebody else's property, he now owns the car? My analogy may not be perfect, but I'm sure there are much better analogies out there that make what the Government is suggesting illogical.
I think their argument is that you no longer maintain control of the object.
If you share a house with someone, and leave your drug paraphernalia in the common area, if your housemate invites the police in and they see it there they can use it in court and leverage that to search your room.
I disagree with their argument, but they are suggesting that the cloud provider is your housemate and you gave up control when you uploaded it to their common area.
I continue to be disappointed the US doesn't have data protection laws (in the style of the EU), because that addresses precisely this issue: you own your data.
Furthermore, I continue to be irritated that non-EU companies don't comply with these laws while still offering their services in the EU. You can't have it both ways. The physical location of the server or the legal entity behind it shouldn't matter: if you want to offer your services to a country, you should have to abide by local laws.
It's issues like this that really emphasise just how young the Internet is, in that the law still hasn't caught up. I find it sad that a lot of these issues are being resolved "accidentally" (i.e. when it comes up in court and laws that predate the digital world are used to set bad or misguided precedents) rather than proactively, by trying to make new laws that take the nature of the Internet into account. Surely that's what the EFF should be campaigning for. Why not require, by law, all cloud providers to offer an API to let users access, modify or delete any and all of their data?
This scheme is not infallible. Although signing the declaration makes it impossible for a third party to produce arbitrary declarations, it does not prevent them from using force to coerce rsync.net to produce false declarations. The news clip in the signed message serves to demonstrate that that update could not have been created prior to that date. It shows that a series of these updates were not created in advance and posted on this page.
The US has more fundamental protections for your data than the EU does. The US has it written into the highest law of the land, wheras the EU just has some promises.
The reality is this: In neither jurisdiction are you safe, because in both jurisdictions the government will sieze or snoop on data at will. Sometimes it will do it publically with warrants (Which are generally fraudulent in the US and used to sieze things that are not covered by the warrent also.) Or they will simply pass some law "to fight terrorism" or "tax evasion" or "money laundering" or "child pornography" that exempts them from having to comply with the other laws.
It doesn't matter. You cannot trust government because government is evil. It's like expecting a fox to guard the henhouse. It's silly if you think about it.
Imagine if the government had private data in the cloud and somebody accessed it. Do you think that person would be able to say in court, "The government doesn't own its cloud data, so I accessed it."?
Well, as much as I think their position on this is complete bullshit and a slap in the face of freedom, they aren't committing crime to get at it, they are either asking nicely or have some form of warrant. Presumably, one would be committing a crime to get at theirs.
But it could be argued if the entity "asking nicely" is the government, then that counts as coercion. While not technically illegal, it could be an abuse of power.
Handing out data after requests is not an abuse of power, that's a failure of the data storage facility to do a bare minimum attempt to protect their users' rights. I say this because the actual abuse of power is secret Patriot Act warrants. When the government wants data, they don't use some sort of Mafia-style coercion, they just make it illegal to not give them the data.
You are conflating different things in a way that does not make sense to me.
Is the RIAA claiming that the songs distributed by their constituent organizations are somehow private? No. They are claiming that they have the right to determine what happens to the bits after they have sold them on to another party. The arguments are over the extent of those rights of long term control.
The right to privacy of unsold, unpublished bits held by a third party under contract is what is being discussed here. The question is whether by storing your property in the safekeeping of a third party, do you lose your right of privacy?
It's a complex question. Among other facets, we need to consider what people think of as "private" -- because, ultimately, law ought to match up with the general opinion of the community it serves.
Privacy protection of the citizens and intellectual property protection have preciously little to do with each other. Storing your data in the cloud should come with automatic extension of the rights that you'd normally have to data stored on your own devices. Anything less will be a disaster, not just for the citizens but also for all those that earn a living building cloud services. A ruling like this has enormous implications that extend far beyond the piracy debate.
The RIAA doesn't have any bits worth protecting in the same way that people's private information warrants protection.
So artist 'x' is a citizen and their privacy (and hence their private data) warrants protection just as much as any other citizens privacy. Whether or not the data they produce and release into mainstream culture (which is in the end an affair between citizens) warrants economic protection is an entirely different matter.
That is an erroneous comparison. Regarding our own bits, it is the right to access information that we store on devices that we own or rent. Regarding "RIAA's bits" it is our right to copy information that was made publicly available. Regardless of political opinions, the contradiction that I think you are suggesting does not exist.
There is no hypocrisy: those people would continue thinking that if they put "their" bits in the public, they would also be free. That has nothing to do with the government being able to interfere with your private relationship with a cloud service. Here, since you brought up physical items perhaps I can make it clearer:
I have a manuscript for a new book which I keep in a safe at home. I may believe that once a book is "out in the wild", anyone should be allowed to copy it. However, that does not mean I think it is OK for the government to have the right to open up my security box at a bank and read the manuscript if I choose to use "cloud safes" (AKA banks) instead of my own personal safe at home. The problem here is not really the reading of the book, but interfering with my agreement with the bank that only I should be allowed into the safe, regardless of what may or may not be in there.
Not shared anywhere. Something I upload to Dropbox is private data. Something I upload to youtube is public data. If a piece of media is being sold, 99.9% chance it's not private.
Now, about being 'stolen'. The argument about bits being free is that you can copy them anywhere. I think you can see how deleting from someone else's server is not the same thing.
The government is not causing problems by copying the drives, they are causing problems by confiscating them.
The argument is usually not that "bits can't be stolen" but that "copying is not theft". If people broke into RIAA's servers and removed their data, I think most pirates would agree that it's comparable to theft.
The "tech community" doesn't have a single opinion. Proof: you're part of the tech community.
Personally, I don't believe the government is stealing anything. They're violating people's privacy, which is a different thing and does not require the data to be property.
Love it. The idea that musicians and moviemakers and their sponsors have property rights to their output is so alien to HN that it's perceived as a troll.
Content publishers in the recorded music business are the biggest abusers of content creators, with crooked contracts and phony bookkeeping. They hardly represent the rights of creators.
I don't think anyone is worries about the government copying the evidence drives. There are two issues here. First the government is (edit: in some cases, not necessarily megaupload) inspecting the files without a warrant. Second, the government is taking away user access to primary/key copies of a lot of data. Neither of those apply to copyright infringement, where someone that legally obtained ownership to a copy starts abusing that access.
Yes, clearly the only reason someone would want to continue accessing files they uploaded to a cloud service is to re-affirm their "property rights" to the data. Nobody would possibly use this service to collaborate with other people, or make legally allowed backups of music or movies they already have the physical media for. No sir-ee.
Is there anything currently in the "let me access my files from anywhere" (aka Dropbox) space that supports private key encryption while maintaining some level of convenience?
I'm happy to give up some features (collaboration, web access) for the peace of mind that comes from random governments not being able to read my data whenever they like...
There's a technical problem with this. Dropbox syncs between multiple clients. That means multiple clients can change a file. IF the files are encrypted and the service doesn't have the key, there's little the service can do about a file that's (effectively) simultaneously changed on two machines, that then try to sync.
You could zip up your files, encrypt them as strongly as you want and then upload them to some server somewhere at any time (Say you get a hosting account) and then nobody else but you has access to your password, and presumably that would be a solution you seek-- but maybe not the same level of convenience.
I think the convenience (depending on what you want) is intrinsic to the lack of security.
I don't understand what technical problem you are referring to. Dropbox doesn't marge files. If two computers change it at the same time you get two different files and you have to manually fix it. The only thing dropbox needs unencrypted is the set of files you make public.
I'm not sure exactly what technical problem you're alluding to, but it is possible, albeit very difficult to perform computations on encrypted files without the key.
My opinion is that if you put anything sensitive into the cloud without encrypting it, you are not doing it right. If you don't want the government reading whatever it is, why on Earth would you trust the cloud providers?
Data security and data ownership are not the same thing. In many of these user's cases, it's not about the Government reading their data. It's about getting their data back. It is property that the Government has stolen, that the individuals can no longer use or access.
The average HNer might be smart enough to know that they should encrypt their data before uploading it, but does the average U.S. citizen know it? Many of them aren't even aware that they're uploading any data at all, let alone encrypt it.
Cloud computing has become so seamless that it's difficult even for experienced users to tell when their data is being sent somewhere else unless they pay attention all the time. For example, Office 2013 is very keen to save all your documents to SkyDrive.
Key management is beyond the average user of the internet.
Maybe it'll improve if we start putting encryption keys in physical charms that you can hang on your real-life key-chain; then again, there is no locksmith, so maybe not.
Meta-point - I much prefer links to original content e.g. the EFF statement over links to the Slashdot (or other link aggregator/discussion forum) discussion thread.
For me, personally this isn't much of a problem, since I've got exactly no data at all hosted on cloud services. All the data I want to use on the go, as well as from home, I host on my own server. Therefore the data is, as far as I know, my property.
However, anybody running a business on customer data might want to think about the implications of this. The real question is where to put the servers. The EU isn't much better about this than the US (since they've spent most of the last few years with their heads up in America's bottom anyway).
"Copyright is a legal concept, enacted by most governments, giving the creator of an original work exclusive rights to it." - Source http://en.wikipedia.org/wiki/Copyright
One might argue that my words in a document are not property, however they are often refereed to as intellectual property (refers to creations of the mind for which exclusive rights are recognized in law). They are mine and I hold the exclusive rights to them. I want them back. What right does a government have to take them from me?
The term is "unreasonable search and seizure" and it is not considered unreasonable to search documents that someone voluntarily gave to a third party (e.g. a cloud hosting provider) with that third party's consent.
I think it depends on the legal agreements between the parties. Many hosting and service contracts make an effort to preserve an expectation of privacy.
It should be quite the contrary. The government(that represents the public) data should be open, like in a stream, where anybody can see what's "flowing", gov emails should be shouted to the stream. Then the public or some algorithm should analyse the stream to maximize global happiness, resources, prosperity.
The article is talking about private data, e.g., your company's strategic documents that get backed up to a cloud service, that the government now wants to say is not owned by the company because it is on the cloud. What access rights should look like with regards to government produced data is an entirely different topic... though perhaps not entirely unrelated, if cloud data does become government data.
Nice !!! So all the fimls are free as noone owns the data. That means that films on the cloud, have no ownner, and no responsable. So if I host a film in a server in amazon, I can also say that I am not the owner.
Or that, by agreeing to license their films for distribution to Netflix, every film company involved has agreed that they no longer retain ownership of those very files anymore?
Hear me now, believe me later: If you keep your customer data on your servers, it behooves you to host your servers outside the USA.
If you do this now, while you're a startup, you'll have a lot less hassle in the future when you're losing customers because of jurisdictional problems.
Right now, people are only barely aware of the growing surveillance state in the USA. They're all aware of it, of course, but they think that only terrorists have to worry. In the last couple years, increasingly the government has gone after regular people, like hip hop blog authors, and people using megaupload to avoid emails file size limits.
I'm sure for many of you, you don't care cause you're hosting cat pictures or whatnot. But if you've got customer confidential data, especially financial data, it would be a good idea to find a jurisdiction that still respects privacy.
I'm not a lawyer and this isn't legal advice, but my casual explorations indicate that Iceland might be a good jurisdiction.
Correction: Host your users data outside of the country they reside in. The EU is just as bad about this as the US is - An unnamed EU nation ruled that all user data stored on servers in their jurisdiction and pertaining to users in their jurisdiction was subject to police investigation without warrant, subpoena, or the hosting provider to inform the users that their data had, or could be, accessed in this way.
My company still runs a datacenter within that country - but we assure that no users that reside there also have their data stored there. Making it cross-jurisdictional, even a little bit - the user data is still in the EU - does wonders for privacy.
I wish that the courts would rule cell phones and hosted services an extension of the human mind (and thus protected under the fifth), but I doubt I will ever see this. Too many people fail to see how vulnerable they are.
Could you please tell us which EU country is that? Or at least tell me if it is the UK or the Netherlands? We have some servers in those countries and the last thing we want is them to be searched (they store extremely personal information about our users).
I don't think it's the UK; they wouldn't be that open it. Minor details of random government bodies (or police departments) people able to demand data from ISPs without a court order are usually hidden away in some "think about the children" act.
There are various bodies (perhaps fewer now than maybe 5 years ago, though) that have the power just to demand data from an ISP without a court order.
And yet they keep saying Europeans have nothing to worry about and they shouldn't fear the Patriot Act if they keep their data on the servers of US companies. Yeah, right.
So are they claiming it applies to servers owned by US companies or servers that are located in the US? For example as a European I'm hosted with Linode at their datacenter in London. Not that it really matters, apparently they are able to change the rules any time it suits them.
US Govt can force a US-based company to handover customer data from an overseas data center.
So no, you're not safe in London.
[In fact, due to close cooperation of intelligence services of the five Anglo-Saxon countries (Five Eyes), you're not safe in any of them if you want to do anything that challenges the interests that US law enforcement and intelligence protect. That includes any activity that would unsettle current intellectual property and copyright regimes, strong political activism, completely free speech, etc. If you're a web startup, that of course applies to your users too.]
Note to hastur: it looks like your snarky one-liners got your account auto-banned, so now nobody can read your comments that are actually interesting.
How much karma do I need to be able to read dead comments? Hellban is a pain, valuable comments keep getting lost every day. I don't think this keeps trolls away, this is definitely broken.
The UK is one of the few countries with a more active surveillance state than the USA. Hell, they have cameras everywhere there. (Don't teach 1984 in schools anymore?)
The US government generally considers anything on US soil, owned by anybody, to be their purview... but in the Megaupload case they siezed servers and data in new zealand, along with the USA.
Please, if you are British or live here, you know there are not cameras "everywhere". If you are not British and don't live here, please know that "they have cameras everywhere" is a lie.
The paradigm seems very similar - I go to a service provider, pay them money to give me certain amount of private space, put my stuff there, lock it with a key and go on my merry way. When I want to get my stuff out, I go to the location, unlock, get the stuff, re-lock and go.
US laws seem to have very strong protection against someone going and taking my stuff from there. Even if the bank or the storage place go bankrupt, I'm fairly sure no one is legally entitled to go through the stuff that is being stored.
Further, if one of the bank's or storage place customers happens to store something illegal, law enforcement typically needs a warrant to seize it. However, in no way are they entitled to take or destroy property of others, not relating to the warrant.
The ONLY meaningful difference seems to be that they can't easily just access the "storage box" associated with the warrant, and servers are much more portable, so they feel entitled to just take the entire thing. I guess that if your bank had no way of opening the lockbox, law enforcement might feel entitled to take the entire vault...