Is your data more private on foreign servers?

Is your data more private on foreign servers?

Summary: Companies outside the US are marketing their Internet services as more private, out of reach of the US government.

TOPICS: Security

Everyone knows about the scandal of NSA bulk data collection and surveillance of Americans and non-Americans. There are many reasonable ways to respond to it. Or you can be irrational.

One irrational suggestion, for Americans anyway, is to move your computing off-shore.

The Wall Street Journal on Friday reported on the boom in business for non-US computing resources. This morning on Twitter, F-Secure was pitching their new younited service, which centralizes access to your various cloud services. It's interesting just on these merits, but the pitch was focused on the fact that the data is stored in Finland, not in George Orwell's United States of America. 

The service is not live yet, but is accepting requests for early access. Here's some more on younited:

My Twitter exchange with the F-Secure guys triggered a burst of Finnish national pride (although I wonder whether Sean Sullivan is a native Finn). The pointed me to Finland's strong data privacy laws and noted that "Finnish police (not government) needs a court order or formal criminal investigation to request user data".

I'm still trying to find out what "(not government)" means, but for US police, Feds, state or local, a court order is required too. In fact, a formal investigation isn't enough. We all know now that there are giant holes in these protections, the main one being that metadata, like the fact that your computers connected to their computers at a particular date and time, is not protected. I'm not sure how outrageous this is, but it's not a new law; it long-predates the Bush administration.

I've followed F-Secure's Mikko Hypponen on Twitter for many years. Mikko has over 50,000 followers; in the world of security he's a rock star, and for good reason. He has a great talent for explaining technical security issues, and his understanding is at the bleeding edge. But I have the distinct impression, with respect to the data security issue here, he's mainly offended by the fact that, under US law, the US government is free to surveil non-US citizens living outside of the US, like him, to their heart's content.

Before you make any decisions, sit down, have a drink, get calm and open yourself up to some perspective. Is it rational for the average American to expend any effort to protect themselves against government surveillance?

We know from recent disclosures that Microsoft does not disclose data to law enforcement willy-nilly, and they reject many requests. We don't know the numbers of disclosures they make in response to National Security Letters and other secret, Federal requests, but the fact that Microsoft and several other companies are litigating for the right to disclose aggregate data tells me that the numbers are low.

Whether the numbers are low or not doesn't make a difference for whether the surveillance is just. Even one person in the US has Fourth Amendment rights, and whether any of the surveillance disclosed by Edward Snowden is illegal or unjust is a fair matter for debate. Surely at least some of the practices he disclosed are unjustifiable.

But none of that means that it's reasonable for you to worry about government surveillance, at least of the type that can be avoided by storing your data on foreign servers. I know I'm trying out younited because it sounds like an interesting service, but I don't care where my data resides.

Who does need to keep their data outside the reach of authorities? Principally people who have something to hide. Anyone and everyone has the *right* to do so, but a principle is not the same thing as an actual need.

So let's get principled: We believe the US government to be malevolent and desirous of our private correspondence, so let's store it elsewhere. Can you think of a better way to call attention to yourself? And what reason do you have to trust the government of Finland or any other government?

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Government Snooping

    The NSA scandal is not about the laws but that semi-rogue and rogue government agencies have been snooping on users for sometime. The problem is which government can you trust and whether using an offshore facility changes the legal situation.

    My opinion is all cloud based services to some degree are vulnerable to snooping by others like the NSA.
    • At least...

      if you use a "local" cloud provider, you are safe from prosecution if the rouge agency pulls the information...
  • What about your data in transit?

    Isn't there a basic technical issue here? If you're in the US, how does your data get to Finland to be stored there, and how do you get it back when you need it? Over the Internet, obviously. If the NSA is after you, what's to stop them from intercepting that traffic? For that matter, if your data is already in Finland when the NSA starts violating your consitutional rights, what's to stop them from intercepting your logon credentials the next time you open a communication link with the vendor in Finland?
    • data in transit

      Using SSL properly should address that problem, but that would be the same on either side of the border.
      Larry Seltzer
      • SSL is probably not secure

        Some reports say that the NSA has broken SSL, while others say that they hack into servers (domestic or foreign) to steal encryption keys. However they do it, the documents released by Snowden 3 or 4 weeks ago indicate that SSL doesn't stop them when they are trying to get specific information. Apparently they don't crack or bypass SSL for their routine, blanket data trolling that supposedly isn't unconstitutional searching without a warrant because it isn't "searching."
        • SSL and TLS 1.0

          SSL 1 and 2 have been cracked (publicly) for a while. TLS 1.0 as well. But we have SSL 3 and TLS 1.1 and 1.2 - but not all browsers support them (Firefox only introduced support for TLS 1.1 in August and hasn't said when they will support 1.2) and not all servers support them either.

          If the browser and server support TLS 1.2 and use long keys (2048 bit or more), you should be safe, at the moment...

          Oh and make sure they are using a proper PRNC, not the NSA sponsored one.
  • Offshore data

    If my data is in Finland and I am here, and Finland snoops on it, do I care? I am not there, so there is little they can do if they find something. Same the other way: if I am in Spain, and my data is in the USA, when the USA snoops on it, what are the chances that they will care enough to try to extradite me?

    If we assume that they all snoop, the added complexity of international investigations and extradition may be enough to tip it to off shore for everyone.
    • Drone your arse

      they can still drone you, if they feel you are a big enough threat. :-P

      The problem is, if you are in Spain and the Spanish authorities can prove that "you" have given the NSA your data (i.e. by using a cloud service with a USA office, who handed over your data) without first getting written permission, then they can prosecute you.

      It is fairly far fetched, but it is a risk, especially for a business.
  • Who does need to keep their data outside the reach of authorities?

    Outside the reach of US Authorities in particular, any non-US citizen who stores personally identifiable information in the cloud (E.g. contact information, emails, calendar information etc.) and doesn't want to be prosecuted for breaking the law.

    In Europe, we are not allowed to hand over personally identifiable information to third parties outside the EU without first getting written permission from each identifiable person. But the US based cloud services (or any cloud service with a branch office or a server in the US) are forced to hand that data over without getting the relevant permissions. That leaves the owner of the data (the user) open to prosecution in Europe.

    This is the sort of person this is aimed at.

    At the moment, with Google, Apple and Microsoft clouds powering smartphone syncing, the non-USA user has to ask themselves, do they want to be safe from prosecution, or do they want to take the risk of having their contact information easily to hand and risk prosecution. It is either that or you set up your own private cloud.

    There are plenty of cloud providers outside the USA, but they aren't as well known as the big 3.