The lunacy of trying to avoid NSA spying by moving e-mail and cloud out of the US

Summary: Some people are so much in a panic about the NSA spying on them that they're going to move their e-mail and cloud services out of the US entirely to "safer" foreign companies.


The Information Technology and Innovation Foundation recently claimed that thanks to the National Security Agency (NSA) spying programs, US cloud providers would lose at least 10 percent of their foreign market, $21.5 billion, to European or Asian competitors. Others are considering abandoning American Internet companies and e-mail providers in favor of European providers.


But if I were the NSA, I could only say, "Yes! Please move out of the US so we don't need to deal with the Foreign Intelligence Surveillance Court (FISC)!"

Why would the NSA want you to move your data to cloud and e-mail providers in other countries?

Because, in the United States, the NSA and friends need to jump through the FISC hoops to listen in to your e-mail, cloud data transfers, phone calls, whatever. If you're doing any of the above to someone or some site outside of the US, any of your communications are pretty much fair game.

Now, you can certainly argue that the "no such agency" is doing way too much domestic spying anyway. Or, that the entire domestic eavesdropping thing has been vastly overblown. Or, you can believe that FISC is little more than a rubber stamp. And, last but not least, that way too many people like Edward Snowden have way too much access to the data the NSA does collect.

But, here's the important part, outside of the US, the NSA doesn't need to worry about the FISC. Sure the European Union (EU) has strong data protection laws. So what?

The NSA has to follow a different set of laws for tracking data outside the US: the Foreign Intelligence Surveillance Act (FISA) as amended by the 2001 Patriot Act. In the latest update to the Patriot Act, H.R. 6304, the American Civil Liberties Union (ACLU) found that the revised bill allowed the NSA to "conduct mass, untargeted surveillance of all communications coming into and out of the United States, without any individualized review, and without any finding of wrongdoing."

Starting to get the picture now? 

Let's step back for a moment. What is the NSA's job? Since Harry Truman set it up back in 1952, the NSA's job has been to monitor foreign communications, whether electronic intelligence (ELINT) or signals intelligence (SIGINT). Update it to 2013 and the NSA's job is still tracking foreign communications. These can be either from one country to another, say Russia to China, or from someone in the US to another country.

It's always been this way. The NSA is a foreign intelligence agency. This is what they do for a living. Always have, always will.

There is nothing really new in what Snowden revealed to anyone who'd bothered to read the books of James Bamford. Bamford spelled all this out starting with his first book in 1983, The Puzzle Palace. The NSA is doing exactly what its mission has always been.

So, if you think for one second that moving your data out of the US, or keeping it out of the US will somehow make your information safer, think again. By doing so you actually make it more likely that the NSA will have access to it.

  • it's easy

    If you are a European company, you are better served by a European-based cloud service, because

    They are all the same
    You might even get support in your own language
    You will be better on taxes, VAT etc.
    You will be subject to European laws and will face no regulatory surprises
    The NSA will still try to spy on you. Big deal. They do it already. But that will cost them way more, which in turn will weaken the US economy and benefit yours.
    Your next door company will get your money and there is a better chance those people will buy something from you than, say, Amazon or Microsoft.

    So why not just do it?
    • Why shucks,

      why stop with Amazon and Microsoft?? There's a whole slew of companies that are based in the US...does Apple ring a bell? It should, they send your e-funds to your bank account. What about Google? Hmmm...nVidia, Qualcomm? Seems they supply parts for your beloved.
      I'm sure there's more, but you get my point.
      We're all in this together, it's a worldwide web remember.
      • Weird argument...

        The issue is the NSA monitoring your communications - the chip makers aren't involved in that (as far as we know). So the only really relevant participants would be Microsoft (Azure), Amazon (AWS) and maybe Google.
        The Werewolf!
      • Nothing to do with American companies...

        the problem is data protection law.

        In Europe, personally identifiable data must be stored within the EU (tax relevant data generally can't be stored outside the country of origin).

        So, for a start, the US cloud providers are forcing you to break the law, if they mirror the data in a non-European data center, but there is usually a blind eye turned to that part of the equation, because the cloud came after the law.

        BUT, because of the Patriot Act, anybody in Europe who stores data in a cloud that has a point of presence in the USA, whether that be servers, headquarters or just a branch office, the cloud provider can be forced to hand over your data in contravention of the laws that the owner of the data is subject to.

        In theory, a Microsoft or Google must get WRITTEN permission from each named person in the data they are handing over, before they are allowed to hand it over. As the Patriot Act/FISC orders state that they cannot tell anyone that they are handing the data over, they are breaking the law at the source, because the destination is forcing them to.

        The problem is, the cloud provider with a US presence isn't liable for this breach of data protection law, YOU ARE! That means, Google et al hand over YOUR data and you get sued / put on trial in Europe because you "allowed" the data to be given to a third party outside Europe without gaining the proper authorisation (allowed = you stored it in a cloud you knew had operations in the USA).

        If the NSA want the data in Europe, they have to go through the European courts and get a valid court order to collect the data, in which case you are covered, or they have to illegally hack into the computer center, in which case you are covered and they are liable to prosecution, expulsion or trade sanctions against the USA if they are discovered.
    • And the European security agencies aren't tracking anything??

      Please, you really think the European agencies don't do exactly what the NSA does? Such foolishness.

      Just because you may be in Europe doesn't mean you are secure from your government or the NSA for that matter. I suspect that the European agencies are spying in the United States right now, and the NSA is spying globally. Why do you think none of the governments are getting all that upset? All the back room deals between governments, or better yet, just ignoring each other so they can claim, "WE DIDN'T KNOW!"

      Such a fool.
      • And?

        Maybe they are, but they have to follow legal procedure within the EU (i.e. they cannot spy on their own citizens in most countries). Under EU law, the personal data cannot be given to a third party outside the EU without getting the written permission from each affected person (e.g. every contact in your address book).

        Inside the EU, they have to get a valid court order, or they have to hack into the servers, in which case they are open to prosecution under various laws, such as RIPA, if they are caught.

        But the data owner won't be liable to prosecution for "giving" the data to a 3rd party outside the EU (E.g. the US Government).
  • Avoiding the NSA

    It is easy enough to set up your own email server, cloud, and encrypt your communications forcing the NSA to work to get your information. You could also know when they did.
  • GovComm5556t

    LOL, you people will believe anything!
    Per our CIC:
    “We don’t have a domestic spying program. What we do have are some mechanisms where we can track a phone number or an e-mail address that we know is connected to some sort of terrorist threat.”
    There is NO spying on any of you good people!
    • Right. And Benghazi was the result

      of a YouTube video.
  • think for another minute

    Sure, the NSA will monitor all the traffic to European clouds. Since this traffic is usually encrypted, there is not that much information they could get out of it. Now, they could either ask the European legislative for assistance (who would never allow spying on such a vast scale) - or simply plant a trojan on your computer to access the data.
    Still far more secure and more hassle for the NSA than just logging into Google or Microsoft and simply accessing the data.
    • who would never allow spying on such a vast scale

      Want to bet on the vastness of spying in Europe?
      • Sure....

        Any agency caught doing that will have their posterior handed to them, at the latest on the level of the ECHR. In Germany, the Constitutional Court has already repeatedly asked the domestic intelligence agencies what they were smoking and has forced the government to get into a conflict with the EU on telecommunication provider data retention legislation.

        You might not like it, but the US is worldwide #3 in industrial espionage and IP theft.
    • NSA

      The NSA, according to Snowden, now have the ability to decrypt most internet communications.
  • The benefits of being located outside the US

    Outside the US their ability to keep data private is directly related to their ability to keep data private.

    I believe the data can also be encrypted by the end users. So they can set up a process where they are unable to decode information even if they wanted to.

    If I was a business outside the US it would be a requirement going forward. I think long-term this will hurt US businesses.
    Richard Garrick
  • Or... you could think it through rather than thinking linearly...

    If I provide a web service that's PKI encrypted... and I provide an SDK, so you can build desktop and mobile apps that support the encryption - then the NSA is pretty much screwed (unless they've broken PKI, which is possible, of course, but unlikely).

    Then moving the servers off US soil actually works. The NSA *can* get a US company to decrypt or provide keys for these streams - but they can't if the servers and the company providing them are offshore.
    The Werewolf!
    • How do you know that some European government isn't also involved?

      You don't. These are governments, large parts of the European system are former Soviet bloc. Do you really think those entities don't have capabilities to "spy" on their citizens?
      • Huh? Check your map - and history book, while you're at it.

        "These are governments, large parts of the European system are former Soviet bloc."

        Nonsense. There are SOME former Soviet bloc states, but to call them "large parts" is showing your geography is off.

        "Do you really think those entities don't have capabilities to "spy" on their citizens?"

        You ever actually seen the "capabilities" of these nations? The spying on their own citizens relied largely on one half of the population snitching out the other half - the rest was short distance surveillance. Not to mention that the capabilities of the Soviet bloc are by now >20 years old. You're trying to tap the internet by intercepting carrier pigeons.

        Incidentally, by now pretty much all of these nations have joined the European Convention on Human Rights, giving their citizens legal recourse should it indeed come out that their state spied on them - and legal recourse that is independent of their individual government.
    • Encryption

      Encryption can't help you much any more, the NSA can now decrypt most web communications according to Snowden.
  • You forget "principle"

    Why would I like to get my e-mail off USA servers? principle. Perhaps you're right, Steve, my data is never safe anywhere, and the NSA will get whatever data they want if they really want it. That doesn't mean that it's not worth doing, for a few reasons...

    1.) If the NSA goes to Google/Microsoft/Amazon and says "pretty please, and I'll return the favor by ensuring the IRS won't make a mess of your ledgers for the next few years", then my data won't be involved. Sure, the NSA can certainly get targeted information if they desired, but the point is getting past that first wave of bulk data transfer and being principally opposed to data being part of the proverbial station wagon full of backup tapes.

    2.) As it seems, international politics make due process an inherent part of the deal. If the NSA went to Germany and said "we want the inboxes of all U.S. based account holders...because...terrorists and stuff...", Germany would likely tell them to go pound sand. If the NSA wanted my specific e-mail for a specific crime and they have reason to believe that my particular inbox may hold the key to it...then they may still get a hold of my data, after having performed some amount of research beforehand.

    3.) If US-based e-mail providers notice a dip in subscriptions, and by extension revenue, it's unlikely that there will continue to be a dearth of lobbying dollars in my favor.

    4.) If someone's router only supported WEP, would you say that WEP is so horridly cracked that it's not worth using? Of course not. WEP expresses intent, whereby connections aren't simply a matter of opportunity, but being targeted.

  • To everyone that thinks moving out of the United States is a panacea

    1. The NSA spies globally, so if you have something they want, they'll find a way to get it.

    2. European governments taught the USA everything they know about spying. The USA wasn't the best at it for a long time and I suspect certain governments in the Pacific Rim and Europe are still light years ahead of the NSA.

    3. Every government spies on its citizens. If you have something they want, they'll find a way to get it.

    4. Encryption sounds wonderful on paper, but the NSA, if they want your info bad enough, probably developed many ways around your encryption. If it can be written by humans, humans can break it. Remember a little German device called the Enigma? Broken by the first real computer. Yes the NSA and about every other government in the world has access to super computers now capable of breaking most encryptions.

    If breaking the encryption isn't an option or just isn't worth it, the algorithm used to create the encryption may be the target. All that open source stuff is just that, OPEN! Nothing is perfect.

    In other words, if the NSA wants your stuff, they'll find a way to get it. Then again no one here has much to worry about, including Steven. Somehow I doubt anyone here has anything the NSA wants. They want important stuff, not Steven's drivel.