28 comments

[ 4.2 ms ] story [ 74.0 ms ] thread
That is why I totally support the proposed regulation by Central Bank of India (RBI) to mandate STORAGE of all financial transaction of Indian customers within India ONLY [1]. VISA & MASTERCARD are pushing for "At least one local copy is enough to comply law enforcement requests." NO. If they find India to be a nonviable business opportunity to them with latest Indian regulations, there are plenty local players full capable and compliant.

As long as market is OPEN to all, there is no harm introducing "Financial data on local servers only" regulations.

[1]https://economictimes.indiatimes.com/small-biz/startups/news...

Maybe a small improvement, but in 2018 changing the physical location of data does not of course keep it safe.
As Microsoft could not guarantee the storage of data stays in India, they'd be ineligible to do such business in India if Indian regulations are kept abreast that no US corporation can possibly guarantee such data remains within the country due to US govt.
It's not about ensuring safety, it's about ensuring jurisdiction.
AFAIK, Canada does this. It's not unheard-of.
Ok, and what would prevent Microsoft from granting access to the NSA and then NSA transferring the data with or "without" the consent from Microsoft? In the worse/best case scenario Microsoft could let itself "hacked" by NSA.
That's a large improvement over the status quo because it turns what is currently above the table behavior by the NSA (or whoever) to behavior they have to conceal and Microsoft (or whoever) has an incentive to close security holes because they don't know if it's the NSA or someone else who might be using them.
It's not clear that data location matters when courts are determining whether they have jurisdiction.
The problem is that the only solution is that every single government brings their whole IT stacks in land, which naturally does not scale.
For US companies, I guess they can't legally scale.
What makes you think it doesn't scale?
Each country needs to have hardware, programming languages, OS development, business applications done 100% in-house, because back doors can exist at any level.

Then all businesses are forbidden to use foreign software due to possible back doors.

India is big enough to do that easily.

Other countries with sane laws can also group together to scale.

Think banking secrecy, but for cloud data.

The full stack from the hardware layer, FABs, all the way up to business applications?

Yes, it is possible, easily is not a word I would use though.

Interesting that the second quote says "content located outside the United States", not "content pertaining to customers located outside the united states".

They can just keep a copy in both places, allowing them to simultaneously "have zero requests for content outside the US" and "share data of India bank customers".

If you believe that cloud providers just copy your data willy-nilly from place to place, you've obviously never dealt with the cloud before. They go to great pains to earn trust by making sure that your data only lives where you put it. You haven't read any of their documentation, you haven't looked into the independent, third-party audits that verify that their documentation is true. You know what region you put your data in, and the cloud provider doesn't surrepititiously copy places without your knowledge. If your approach to risk management is that cloud providers will do the opposite of what they write in documentation and that the third party auditors are lying or not actually seeing what really happens, you'll never be able to use any equipment that you don't personally manage. You'd never be able to use a managed data centre or a so-called "private cloud" either, because all these providers could just tell you one thing and do another.

Then there's the simple fact that it doesn't scale to copy everybody's data to the US. When you're as big as one of these major cloud providers, that's just simply not possible.

Many people don’t realize that much of the data privacy legislation coming out of Europe is about national security, not privacy. The legislation focuses on data retention and data transfer policies with a core objective of ensuring that data for its citizens are held by local companies and to discourage foreign companies from collecting too much data on its citizens.
The local companies have to abide by the same rules as the foreign companies.
Yes but there are restrictions on holding data of citizens within servers hosted in another country. And there is a trend to segment users into systems hosted within that country designed to adhere to their requirements. The end goal is data on their citizens are more easily obtainable by local government.
Renting some servers in Europe is not that a big problem. What prevents foreign companies from using AWS-EU region and then foreign governments (i.e. US) from accessing it?

>> The end goal is data on their citizens are more easily obtainable by local government.

I think this is a sensible requirement, don't you think? What makes the U.S. gov more eligible than the local gov to access their citizens data? It's not only a national security issue, it's a local police issue as well(i.e. finding criminals based on their digital fingerprints).

The current situation is quite ridiculous if you think about it. You can't have global services without a global "police". As we don't have a global police(yet) local gov try to make these global companies to store data locally.

It is a sensible requirement but it will require a major shift in how companies think about what data it collect and what will the storage retention policies.

Siginicant data collected on individuals across the world via social media are held with US companies that must follow the processes put in place to provide Law Enforcement with data regardless of the citizenship of the person, when someone commits a crime in one jurisdiction, that local law enforcement has the right to collect from the business, data needed to support their case.

The problem is when Bob from country X commits a crime "social media business" may have relevant information on, how cooperative will the US company be in helping country X? Especially if country x is politically unpopular at the moment.

Require local subsidiaries follow data protection and retention that adheres to local law. Everything gets much easier.

Another issue, "social media business" has a tone of information on citizens of country X, now the citizens of country X are vulnerable to manipulation which could disrupt the stability of country X. What do they do?

this is deeply worring, its something I feared.

Right now when I do risk analysis, I consider any american service, whether they have servers in Europe or not as high risk. We are currently moving our elasticSearch to cloud and one requirment we have focused on is nulling out the personal data before it even enters the AWS network.

Read more carefully before you worry. You're not reading facts and making sober decisions. You're reading a headline that isn't supported by the article it is attached to. You have to go read up on facts and understand the cloud before you can make sweeping judgements like this. You know very little about how the cloud works, so you worry a bit. That's prudent. But the way to cure ignorance is not to avoid the subject. The way to cure ignorance is to read.
Sometimes I wonder why most people of my country are so apathetic towards these privacy related news and often debate on stupid issues of who said what.

If this would have happened to a developed country, I am guess it would have been a huge uproar by now.

How many governments cannot subpoena information from companies under their jurisdiction? I guess I don't see the US as being an outlier. If you are storing data in another country, it's subject to that country's legal process.
> “No government has direct access to any of our users’ data,” said an unidentified company spokesperson.

"...unidentified company spokesperson."

If this was a true statement, why wouldn't anyone at Microsoft be willing to hang their name on it?

The Scroll article itself has no named author. If this article was true, why wouldn't the author put their name to it? The answer to that is because this is just a rip-off of a different article written by a different author, who did put their name to it. Microsoft has issued a formal clarification on this particular article. https://news.microsoft.com/en-in/setting-the-record-straight...
This is an idiotic article. Read carefully before you decide what you think.

1. Scroll anonymously reposted a poorly-written article from DNA. (First link in first sentence)

2. Look at the facts quoted in the article. "Banks know that Microsoft MIGHT be sharing". (emphasis mine) What does the title say? It doesn't say what the banks say. Banks know that it COULD happen under some circumstances. The article title omits any sense of uncertainty and says it definitely already has happened. Those are different.

3. The article quotes a number of 3,036 requests for "Indian customers in the US" which means NOT PEOPLE IN INDIA. And certainly not customers of RBI in India (which the article would have you believe). Indian nationals living in the US have a different expectation with respect to US law enforcement.

4. Microsoft has issued a strong and clear rebuttal.https://news.microsoft.com/en-in/setting-the-record-straight...

This was wild conjecture, un-sourced anonymous writing, and it was poorly fact-checked. It looks like the author saw a single document that they didn't understand. Then they wrote a bunch of conspiracy theory bogey-man nonsense that has nothing to do with the document they saw.