290 comments

[ 3.0 ms ] story [ 219 ms ] thread
No.

Because most people don't care about privacy that much. See TSA scanners, foursquare, hell GMail scans your data everytime you read mails, Facebook doesn't even pretend there is a privacy. Damn, first thing any Apple computer do is taking your picture, getting your details and sending it all to Cupertino, before you even load the OS. Android tries to track all your phones under one account you have to add before starting up.

People don't really care about privacy. (Disclaimer: I am no better.)

There will be some anti NSA rallies, sure. Photos of those rallies will be geotagged with EXIF data and posted on tumblr, facebook and twitter from iphones and androids.

So true. The real danger here is that it's now easier for foreign governments to justify censoring the web, to "protect us against US invasion of privacy" or something.
I certainly wouldn't mind if PSA[1] got cut off of the rest of internet.

[1]: Police State of America

I don't care about privacy for my personal (not corporate) information from Google. The worst they can do is disconnect me, and I can always leave them.

I do care about that an organisation with the power to legally kill or imprison me without trial, with the world's strongest military and a penchant for punishing anyone who embarasses them has all of my data, including who I associate with, what I say and whereever I go. In fact not just my data, the data of their political opponents and the journalists that keep the system honest.

If not Obama, someone at the head of the table is going to abuse this information one day.

> The worst they can do is disconnect me, and I can always leave them.

No, the worst thing that Google,[1] can do is share that information with credit card companies, HR departments, health insurance companies, etc, who do have the power to ruin your life and are much more likely to do it than the government.

What happens when the advertising money hits the wall and can't support revenue growth sufficient to keep the Wall Street analysts happy? At some point some MBA is going to figure out that HR departments would love to be notified about e.g. their employees joining say a cancer support page. It sounds inconceivable today, but I bet people who started using credit cards in the 1960's and 1970's never expected that one day the various credit organizations would band together and sell your information to literally everyone, so that you could be denied a job because of your credit history.

I think it's important to keep some perspective, and I feel like people on HN aren't doing that here when they direct all their blame to the government over this issue and hold Google, Facebook, etc, who created this surveillance apparatus, blameless. Corporate America is much more likely to screw you over than the government. They have a profit motive to do so, and can get away with screwing you over on a mass scale in a way the government cannot. I don't know a single person who has been screwed over by the government. I do know people who have been screwed over by credit ratings agencies, having job offers revoked because they struggled financially in college.

Maybe it's not inevitable or even very likely that Google and Facebook will sell your information to the highest bidder. But it's a failure of imagination not to pretend that it isn't possible, and if we're going to engage in slippery slope reasoning with respect to the NSA, let's be intellectually honest and admit that we've built a vast surveillance apparatus in both the public and the private sector, and there are numerous entities within both sectors who have the ability and perhaps the motive to use that information to hurt you.

[1] Or Facebook or whatever. It doesn't matter. One day these companies will become mature and will be headed by some MBA who has never written a line of code...

>I think it's important to keep some perspective, and I feel like people on HN aren't doing that here when they direct all their blame to the government over this issue and hold Google, Facebook, etc, who created this surveillance apparatus, blameless.

Yes. The only reason the NSA/etc/all has this data is that people (probably a lot like you, dear reader) built these popular systems that make their money from tracking users. Worse still, they will always beat out a paid service because of friction and network effects.

We didn't just stand by and watch the creation of this situation, we actively participated.

Collusion among private corporations is scary, but it's not as scary as totalitarianism, mass imprisonment, and genocide. The precedents set for what governments end up doing once they get their hands on this level of social control are very bleak.
The amount you should reasonably be worried about something happening is the probability of the event multiplied by how bad that event would be. Government gone totally off the rails would be much worse, of course, but corporations going off the rails is much more likely.

How many liberal democracies can you point to that have gone the way of totalitarianism, mass imprisonment, and genocide? I don't see a lot of examples around. Yet I can look around and see tons of examples of corporations doing evil things with your information (health insurance companies dropping coverage when you get sick, credit card companies sharing credit history for any purpose other than setting interest rates, etc).

I think things you can see examples of every day are generally much more worthy of your worry. Or at the very least, it's not rational to be so worried about government surveillance while giving a free pass to the companies creating a surveillance apparatus that can be abused by corporations.

> How many liberal democracies can you point to that have gone the way of totalitarianism, mass imprisonment, and genocide?

How many 200 year old liberal democracies can you point to? There's no historical data to look at. This history of the United States itself is an indicator that democracy is self-defeating. Compare the amount of classical liberalism in 1800 and 2000. Whether that can continue past the middle and into full-blown totalitarianism is untested.

> It's not rational to be so worried about government surveillance while giving a free pass to the companies creating a surveillance apparatus that can be abused by corporations.

It's also not rational to give the government a free pass. Don't think that companies can collude with each other. The government can also collude with companies, as PRISM indicates that they have been doing.

> Compare the amount of classical liberalism in 1800 and 2000. Whether that can continue past the middle and into full-blown totalitarianism is untested.

You mean in 1800 when the Alien and Sedition Acts were in force and the government didn't even have to come up with some pretense and prosecuted and convicted people directly for what they said in the press? I don't think the U.S. circa 2000 suffers for that comparison! If you want to talk about which is a more free society, the U.S. in 1800 or the U.S. in 2000, you also can't leave women and blacks (combined more than 50% of the population!) out of the equation...

It's ahistorical to pretend that the U.S. has only gotten less free over time. Vis-a-vis "classical liberalism" the government claimed the power to regulate all interstate commerce in 1824--the only difference today is that you can't even buy a candy bar at a vending machine without engaging in an interstate commercial transaction. If you live today the way the vast majority of the population lived in 1800 (on a farm growing food for your own consumption and sewing your own clothes, etc), you'd probably find that government doesn't reach your activities appreciably more today than it did 200 years ago.

It's also ahistorical to pretend that our rights are universally weaker than they were in 1800. Remember, at that time, the Bill of Rights did not apply to the states. The liberal Supreme Courts of the 1960's and 1970's dramatically strengthened due process rights and habeas rights relative to what they were before. First Amendment rights are dramatically stronger than they were in 1800 (the "obscenity" exception to the 1st amendment has been whittled down to pretty much just child porn).

Now, I won't say the U.S. is the freest its ever been. When you take into account the experience of all Americans (not just rich white males), the freest the U.S. has ever been was probably the mid 1990's. But, it's been worse before. It was worse under the Alien and Sedition Acts. It was worse under Lincoln who governed under borderline martial law. It was worse under McCarthy. From an economic rights point of view--the country was far more regulated in 1935-1970 (vast swaths of the economy, everything from transportation to telecommunication, was deregulated from 1970-1990).

The idea that the trajectory of the U.S. has inexorably been in the direction of less freedom is nothing more than looking at the past with rose-colored glasses. It's not a perspective rooted in historical truth.

"How many liberal democracies can you point to that have gone the way of totalitarianism, mass imprisonment, and genocide?"

How many 'liberal democracies' have built international surveillance dragnets? How many have secret prisons all over the world? How many spend more militarily than the rest of the world combined? I wouldn't say the US is exactly your run of the mill democracy these days.

> If not Obama, someone at the head of the table is going to abuse this information one day.

I'd worry less about someone at the head of the table -- who has a lot of visibility and responsibility -- and more about the legion of prosecutors and officers (plus their friends they owe favors to) who all have incentives to catch bad guys... whether they're actually bad, or just barely find themselves on the wrong side of an interpretation of some statute, or just fit the profile.

And of course, the occasional less duty-oriented reasons for making your life difficult.

My personal experience with reselling Google Apps here in Australia is quite different, privacy of data is almost always the first or second question they ask. I also rejoiced at AWS coming to Sydney, but having servers physically located in Australia does nothing to protect data by law from the US Govt.
No, because only those who were on the fence were swayed either way. As of right now, the Poll on how the HN community will respond ( https://news.ycombinator.com/item?id=5846564 ) is at :

  No, I'm ok with it								66 
  
  I'd like to do something but it's too difficult to avoid using cloud services	195 
  
  I'm going to try to use services from non-US companies hosted outside the US	99 
  
  I'm only going to use services that allow client side encryption.		37
  
  I'm going to host all my own services. 					47 
  
  I'm not changing anything because I already assumed all of my data was being 
  monitored anyway.                                                             151
A quick glance at what the rest of the public is thinking is quite illuminating as well.

http://www.csmonitor.com/USA/DC-Decoder/2013/0609/How-do-Ame...

Summary: People think in terms of "Privacy is a bit like oil. It's getting pricey, but I still like my SUV."

If anything, it may give a much needed boost to an existing sector of internet industry, privacy and security. I see several companies springing up (some already have) that delivery end-to-end encrypted communication and storage over different media (of course, there would be plenty of Snake Oil as well).

The real frontier of communication is the transmission of anonymized and encrypted data with services bought and paid for anonymously as well with no repercussions for the service providers.

I doubt it will have much of an impact, but I'd be reluctant to make a prediction about international growth based on an HN survey and a CS Monitor article that references American polling data.
Fair enough.

My gut feeling is about the same on impact of international growth. On one hand it may have been a blessing in disguise. The Internet is supposed to be global in the first place, but we have massive over-representation in pretty much every aspect of its commercial operation.

The same services outside U.S. jurisdiction and influence are suddenly more alluring.

"Privacy is a bit like oil. It's getting pricey, but I still like my SUV."

You do know that outside of the US, there are lots of people who don't drive SUVs because of the price of oil?

Not having being born in the U.S. and still having family in several countries, Yes, I do.

The implication is that U.S. Internet Industry is somehow "destroyed" as a result of this is hyperbole. If anything, all it did was give hope to those outside the U.S. that there's still a viable market for the same cloud services (sans FISA leash) even in smaller scales.

Yeah, but there are also lots of people who would drive SUVs, but SUVs are impractical. Roads that are hundreds or thousands of years old tend to be very narrow.
The danger is that foreign governments will recognize that the US is using gmail to spy on them. They may ban the use of gmail or other cloud providers within their national boundaries.
I don't think most governments will go that far for casual usage, however I do see more restrictions on confidential, "official business" communication and storage through these (which, I hope is already the case).

Think of how much disruption would be caused if Hotmail, for instance, was forbidden in addition to Gmail. Many of the early adopters of the web in these countries flocked to the most popular platforms (in addition to their ISP email of course). Having to print new business cards would hardly be the only inconvenience.

There are levels, but the danger is that some person with sensitive information may communicate the information using an insecure service. For instance someone might remark that the military appears to be building a large underground structure near their farm, the US could then use this information to locate a newly build ICBM silo.

The levels of action that a nation could take to protect itself are:

1. They could train people who have access to sensitive information not to use any US service. This is what the US has done asking some members of the intelligence community to not use Skype and other services due to worries about its insecurity. This is probably common training for handling sensitive information in most nations.

2. They could filter such services at government offices, schools and sensitive sites. For instance no company can get defense contracts unless they have a policy that prevents their employees from using gmail. This is probably the most likely additional action that will taken and it will hurt US business.

3. They could filter such services at the national level. China (1 billion people) already does this, I wouldn't be surprised if Russia started. It's unlikely to happen on a global scale but each country that bans another US service hurts the economy.

We saw this happen with US crypto export controls, the market spoke and companies began switching to non-US software.

Additionally there is a very real possibility of backlash against US companies. It makes them uncool and political hot potatoes, who wants to use a phone made by some pet of the NSA.
"If anything, it may give a much needed boost to an existing sector of internet industry, privacy and security. I see several companies springing up (some already have) that delivery end-to-end encrypted communication and storage over different media (of course, there would be plenty of Snake Oil as well)."

I think it's worth pointing out that this sector growing as a result of this will mean that those 195 people who responded "I'd like to do something but it's too difficult to avoid using cloud services" will find it easier and easier to make the switch.

Couple that opinion in the tech community with consumer protection laws that may technically forbid a business from storing customer data on these services and you do have a drive for foreign business to move away from US services.

When your talking about a principle such as a right to privacy that's not something that will disappear from society quicker than the time it takes for businesses competing on this principle can be set up.

From the article you linked to:

"With the latest revelations just days – in some cases, hours – old, it’s too soon to know for sure."

I think it's still too early and I'd wait until all the facts are out. I can't speak for how people in other countries are feeling, but I can say this...

As an American startup founder, I'd be very worried about what my international customers would think if they knew I was working secretly with the U.S. government, publicly denying it, subsequently being caught in my own misleading statements, and allowing the government access to all of their data after I told them it was private. As a customer, I'm happy if you can use that data to serve better ads that are relevant to me. But I would be very angry if it was being served to a foreign government which wants to profile me a certain way, potentially to justify killing or detaining me.

True. We know so far that they've limited the original PRISM scope to major infrastructure providers and social media. This is obvious since that would cast the widest net.

As a startup founder, if your operation does get popular enough to catch the eye of the NSA, realistically there's absolutely nothing you can do to fight it. That's how far ingrained the instruments of our own deconstruction are. And they're buried in plain sight in U.S. law. I don't see that changing overnight with a few amendments or acts introduced here and there. It would take an overhaul of the very principles of government we've taken for granted (and quite possibly never really existed).

The fact that we're aware of this aspect of hopelessness will, in the end, be far more damaging to the U.S. economy than any foreign entities being aware of it.

After all, why would American founders found and base anything on U.S. territory if they cannot do it freely and on their own terms? They'd rather found a startup in Hong Kong.

I wonder if Dropbox are caught up in this too?
No I don't think Obama did anything.
How's that hole in the sand? Seeing anything good down there?
Given that civil liberties were such a big part of his 2008 campaign, the best case scenario you describe is still a bit of a problem. I'm actually pretty angry at him right now. I donated a lot to his campaign in 2008 based on his focus on civil liberties, and he has only escalated everything I disliked about Bush. (And yes, I realize he made some questionable votes in the Senate before the 2008 election. I told myself it was what he had to do to get elected. By the 2012 election I had wised up and voted third party.)
A core principle of politics is that you're responsible for everything that happens on your watch. If you don't believe that, go listen to the past 40 years of broadcasted debates, and count the number of things that the opponent didn't personally do but was called to account for.
I swear, it's like nobody ever read the USA PATRIOT act, even though its been law for 12 years. Obama's fault? For what, following the laws that Congress passed?
I don't think it will have that big an impact.

The thing is that the grassroots organizers in other countries who care most about government spying tend to live in countries with much more meddling than that which the US government has demonstrated through PRISM. So compared to a locally-run service, keeping data in the US cloud is likely still much safer. I don't see Google handing over an activist's email logs to the Turkish government, whereas an email service based in Turkey could be strongarmed into it.

A legitimate, non-rhetorical question: does an activist in Turkey care whether the US government reads his/her emails, as long as they don't share them with Turkey?

I don't see why this is the most downvoted option. It does seem on point that the piece doesn't have any hard polling data about worldwide reactions to the recent NSA revelations, and the stuff about alternative services mostly refer to Chinese competitors, who are large players locally, but not worldwide. Hence, you'd think Betteridge's law was applicable. No?
I never noticed till someone pointed the law out on HN this year. IMHO the trailing question mark is almost always lazy writing.
That is brilliant.

I still think headlines with question marks are cowardly writing. Be bold! Take a stand! Come right out and say Betteridge's law is bullshit.

I kinda get the socratic effect the author is going for, but i still think it's a cheap trick. I didn't ask that question, the author did.

It's odd, I hear people saying, "no big deal, nothing will change." But then I wonder, if you're saying it's no big deal, are you an American or not?

The point of this pst is that foreign business will be affected, AFAICT, Europeans have always held the Internet to a stricter standard than Americans and have passed stricter laws around everything from what data can be retained to the behaviour of tracking cookies.

If you've posted a "no big deal" comment, can you please go back and tell us whether you are an American or not.

On consumers I would not expect much change to any other non-us service that keeps you invested and locked-in. There simply are no alternatives, some european services are currently shutting down.

Even Schneier is stating that if you aren't connected with us social media, you simply stop to exist for certain groups of people. That rule applies to nearly every european user too.

I think its a big deal. I'm not American. I don't think things will change - at first.

The leading US internet companies are all built on a foundation of trust. Undermining that trust counterbalances the convenience of their services and over time new competitors without these trust problems are only a click away.

It's odd, I hear people saying, "no big deal, nothing will change." But then I wonder, if you're saying it's no big deal, are you an American or not?"

There is a fear of having guns taken, but there is an even greater fear of using them against the regime.

I think it will change things; I'm an American. Having your customers trust is important for business---now data stored offshore has just become a feature.
I'm an American, and I think things will change - for the worse. I'd like to think that if morality or the Constitution didn't stop this shit, at least bidness would.

But I think what will really happen is that the administration, and the bureaucrats, and the security "services" in general will double down, be much more secretive about what they do, be much better at what they do (grants coming soon to a computer science department near you), be much more aggressive to prosecute and intimidate whistle blowers, and put more layers on the stonewall of denial.

The government has become self aware.

Your last line is a really interesting one. Most governments probably are to some extent self aware, insofar as there's an executive branch. But I think the self awareness you are referring to is a kind of secretive adaption of sorts, where the response is not aligned necessary with the public interest, but with the interest of those in power (to stay in power).
Exactly.
I dont think its the kind of thing that affects things commercially in a visible or predictable way. One of my first impression is that its humbling. Web companies are the ones that brag the msot about "building a better world" and this time there was collaboration to make it worse. I think the best or biggest change that could happen is better Whistleblower laws and protection (or high level of exposure to produce more).
It's not just about what people think. It's also whether they think hosting stuff on US servers is even legal.

I can imagine the Pirate Party suing some EU groups (governments, companies, whatever) because they are using US providers, and the US is not safe enough to conform with EU privacy law. And there's money on the line too, lots of EU companies will want the contracts that are going to US ones. And keeping jobs onshore is always popular with the masses.

Europeans tend to have higher standards for protecting the privacy of the personal data of their citizens from access and use by private corporations.

But what the U.S. NSA is doing is sifting data for connections to foreigners who are suspected of being terrorists. I would be shocked if Euro intelligence agencies are not doing the same thing.

"Everybody's doing it!" isn't really a good excuse once you turn about 12 years old.
I'm not making an excuse. If the theory is that folks will pull out of U.S.-based cloud services, then the question is, where would they go instead?

The U.S. data-mining program has been revealed. I would not assume the lack of revelations from other nations is definitive proof that those nations aren't doing similar things. In the absence of data it is very easy to make convenient assumptions.

True.

The old rules still apply. If you can't afford someone else to know something, you have to encrypt it in motion and at rest.

>But what the U.S. NSA is doing is sifting data for connections to foreigners who are suspected of being terrorists.

Demonstrably false. All of the terrorist laws are mostly used for drug enforcement and the like. They get nearly no terrorist usage because there are nearly no terrorists.

At least Sweden is openly telling that FRA is allowed to legally monitor all international network traffic.
The point of this pst is that foreign business will be affected, AFAICT, Europeans have always held the Internet to a stricter standard than Americans and have passed stricter laws around everything from what data can be retained to the behaviour of tracking cookies.

I run businesses in the UK that deal with personal data and sometimes use US companies to do so.

There is a specific provision intended to fix the problem of exporting personal data outside the EEA to be processed in the US, which would otherwise be prohibited because US laws are inadequate in this area: the US Department of Commerce operates a Safe Harbor scheme, recognised by the European authorities, which US businesses can participate in to demonstrate that they handle data with sufficient care to satisfy European standards.

The problem is that if the US government is going to permit itself to access data contrary to the claimed protections anyway, then the Safe Harbor scheme is demonstrably unfit for purpose, and any legal shield it provides to European businesses that want to use US-based services to process personal data is in doubt.

This problem is hardly a new discovery, but until recently, the issue was being dealt with quietly, with European officials making occasional mutterings about being in contact with the US government to resolve the conflict here. As of the past week, I'm not sure that's going to carry much weight any more.

This leaves a paradoxical position for any business wanting to operate legally in both the US and Europe. It's not clear whether the huge players like Google or Facebook could avoid the problem by changing their corporate structures, if doing so means that a parent organisation in the US would not be required to disclose personal data held and processed only in Europe by a separate European legal entity under European data protection law. In practice, this might be worse news for US businesses that aren't yet big enough to play the corporate structures lottery, and for those European companies who benefit from services provided by such companies and might have to make other plans. Obviously quite a few smaller Internet services well known on HN would fall into that category.

If you'd asked me a year ago how the paradox would be resolved, I would probably have cynically suggested that the EU authorities would ask how high when the US authorities told them to jump, as they have done previously with things like travel and banking data. But now that this has become a major public issue that people are actually talking about, any attempt to do that seems likely to turn out very badly for European authorities whose popularity is already at an all-time low. I suspect far more Europeans resent the constant privacy intrusions and security theatre of modern life than many across the Atlantic may realise, probably because the consequences of excessive state surveillance are still within living memory in many European countries, and because all around the Med we've been watching timely reminders playing out over the past 2-3 years.

I'm Brazilian and in the corporate and government space there is considerable resistance to hosting systems and data outside our jurisdiction. What I don't think people have fully realized yet is that American companies are subject to the Patriot Act wherever the operate, so even data stored in Brazil might be exported by them to USA authorities without the customers being notified. I ask myself, how far does this extend? Not only to online services, but even to mainframes and storage systems? Application software? Operating systems?
The biggest problem with this article is that the only competitors the author can find who might supplant the US ones are located in China. Don't see US tech hegemony fading anytime soon, Prism or no Prism.
The author is guilty of thinking that the president is King, as if the entire federal government and all three branches weren't behind these things for that past 7 years.
The headline "Has the US Government's History of Acting Against its own Stated Values in the Protection of Civil Liberties and Privacy" is not nearly punchy enough to attract the desired clicks though.

The window ain't just 7 years, it stretches a lot further back than that.

Nothing will change.

If you think that those involved were not prepared for the eventually of a leak, you'd be very naive. The fact that all of these companies have been sitting on boilerplate denial statements speaks volumes. Contingency plans have been put in place for this eventuality and the people making these plans are experts at dealing with these situations.

My guess is that the gameplan for the US government will be to stay silent and wait for general apathy to sink back in. Tomorrow is WWDC and, with the latest Apple news, the tech community rally will likely fall to 2-3 page in a week or so and then disappear altogether. Once that happens, the difficulty moving to alternate services (as per the other HN poll) will shadow everything, and the company bottom lines will be unaffected.

Add to that, if you believe that the US government and institutions are the only ones doing this, that would be even more naive. The Mossad, SIS, CSIS, KGB etc. are likely implementing very similar policies and procedures, if not directly involved with PRISM (or whatever it is actually called) and the outsourcing companies providing it. The likelihood of finding other territorial based services with capability, scale in an area not under surveillance is probably close to impossible.

The Arab Spring was a wake-up call to all governments/multi-nationals that these tools are power in the hands of the general public and steps were taken to mitigate and reduce this effectiveness.

It's depressing. I wish it were otherwise. I wish the companies involved actually had the ability to push back or outright deny involvement in these types of actions, but I suspect their hands were tied.

Silicon Valley is entrenched. We like to think that it is still our playground but we should know better. My only hope is that this time we learn and that brighter people than I figure out what we can do about it.

> The fact that all of these companies have been sitting on boilerplate denial statements speaks volumes.

Can you show your work on this? How would we know this?

A bunch of people compared ~9 of the companies' statements in a past thread. They are all identical in structure, form, and style, with only minor differences like differing adjectives and emphases. They all also beat the exact same terminology to death. Namely, "direct access".
You don't care. I don't care. The EU companies which are running systems on US-based SAS platforms care.
That's an assumption. The fact remains, the ability to move to other countries is a fallacy in that the rest are looking at or are implementing very similar strategies.
Tomorrow is WWDC and, with the latest Apple news, the tech community rally will likely fall to 2-3 page in a week or so and then disappear altogether.

Perhaps use that to gain more attention. Picket the WWDC.

One biggie that the author left out of the piece:

The US Gov continues to insist that they are not monitoring the data of US citizens because that would be unconstitutional without warrants. But that's a tacit admission that they are openly monitoring the data of non-US citizens. I think this is one of the most important revelations of this leak, the US Gov has made it clear that if you are a non US citizen using a web service based in the US your data is definitely under observation.

As an Australian, that's what I found most interesting as well about all the commentary going on. From the perspective of the NSA it seems my data is fair game under any and all circumstances.

Well fuck that. Google, Amazon, et al. - I'm out

Good luck. I don't see other countries innovating at even half the rate of the U.S. with tech stuff. Leaving the umbrella will be like turning out the lights. It gets boring and cold in the dark after a while.
That's possibly because of a few advantages that US companies had due to quicker exposure to leading edge technology. However, when privacy becomes a unique selling point that US corporations can no longer provide - suddenly the competition will see a reason to appear.

I'm on the lookout for reasonably good Google apps alternatives, if they don't exist right now - this is a time that a solid market just got created. I'm sure someone out there will be interested in making it happen!

Agreed. I see this as being a catalyst for the creation of greater competition to the US internet incumbents. There will likely not be an immediate impact for Google et al. but there will be much longer term consequences I think.
That might change... and not only for reasons related to privacy.

I live in EU and I remember that about two or three years ago every geek's wet dream was to get to Silicon Valley and build a startup. But that seems to be changing. I don't have any research to back it up - it's just some anecdotal evidence but many people now seem to consider alternatives like London or Chile... mostly because they are afraid of software patents and want to stay out of US jurisdiction.

These things are difficult to asses but there is a tipping point somewhere - once critical mass is achieved innovation can quickly move somewhere else. Fear of American government can help make it happen and I am sure that competitors are going to love playing that card.

same thing here, a friend recently refused work, because he would have to physically go to USA (he loves seeing the world) - money was waaaay above EU.
(comment deleted)
I don't expect non-Americans to be all that familiar with my country, and vice versa.

But think about it. The NSA has been around since 1952. They now have N billions of dollars of black budget. The relevant Congressional oversight committees are prohibited from talking about what they learn. They are (supposedly) constitutionally prohibited from spying on Americans. If they aren't (or say the aren't) spying on Americans, then they're spying on y'all.

Some of it, plus the rest of it, equals all of it. We're some of it. Venn says y'all are the rest of it.

Well obviously many governments have spies. There's even a genre of entertainment constructed around spies. And generally in the spy narrative the spy is after guys from the other country, not his own.

The revelation here is that if you are a non-American your data that you store via a company based in the US is available to the US government with virtually (maybe even literally?) no protections. And this isn't tin foil paranoia, the US Government just told you that in public discourse.

> And this isn't tin foil paranoia, the US Government just told you that in public discourse.

You know, if you had said that about anything else, it'd be a transparency win.

They'll be doing something like the old Echelon trick.

US spy agencies can't spy on Americans, so they spy on Australians, Canadians and Britons. In return, Australians spy on Americans, Britons on Canadians etc etc. Then they swap intelligence and get to claim that "we didn't spy, it was given to us by our allies who are under no such regulations".

There's still a major limit there. The issue of the Verizon and PRISM systems is that they probably involve the possibility at least of legal authority over the vendors. Court orders or possibilities of court orders....

If the NSA is spying on Australians clandestinely, then they don't have that authority and they are limited to what they can scavange. It would be far better if we were to a point where no courts would coerce cooperation of this sort, and the system you are describing is better than what we have. The problem is when the NSA gets a court to forcibly deputize an American business to spy on Australians, and that's a very, very different problem.

I'm not entirely sure why you think a non-us citizen using a web service in the non-us is not similarly targeted?

Either by other intelligence agencies, or even more likely, that the NSA shares these abilities with other friendly foreign governments (UK, NZ, AUS, etc) in order to ensure their tacit approval.

Even in the world of intelligence, diplomacy matters. Secrecy only counts for so much. You can't keep the fact that you have a huge listening post in NZ secret, huge dishes don't look like they belong in cow pastures. Same with fiber optic cable. It's not like they can splice them without someone noticing. Instead, the way you accomplish this is by providing NZ what it wants while still retaining plausible deniability if things go south for them ("We had no idea the horrible NSA had secretly placed all this stuff here. We're completely outraged!")

I'm not sure how common this is on this site, but I happen to be an HN reader the vast majority of whose friends in the US and across the world don't know or follow technology/security stuff.

Out of my 600-odd 'friends' on Facebook, one (1) is posting stuff about the NSA allegations. The other 599, are posting pictures of cats, music videos, snaps from vacation, reflections about life, et cetera. I myself am extremely reticent about posting on Facebook due to the recent revelations.

As a result, I am afraid Edward Snowdon's fears might come to pass, atleast in the short run. Not enough people care. They crave the short-term dopamine bursts that result from people liking their posts, or pictures, or videos. Getting them to set that aside and care about the fact that the Government might potentially have access to it all is a very, very hard task.

In order to do this, you have to get people to switch en masse to new, secure social protocols. In short, you have to build a Facebook alternative, an client-side encrypted webmail service, or a document sharing site that JustWorks, is secure, and doesn't require any terminal commands to access / run. Otherwise the majority of the population is going to use products from Microsoft, Facebook, and Google. You can use your encrypted webmail and identi.ca, but very few people outside the "tech-aware" world will communicate with you.

I really concur and like to add there are now one or two generations of young adults and their kids out there, who have never even considered privacy (as in non-exhibitionism).
I'm Canadian. I'll be locking down my communications as best I can: email (GPG), instant messaging, chat, etc. I'd like to see my American neighbours do the same and hold their politicians feet the fire over this.

I feel like I should boycott the US companies on the list, at least to some degree. I have made the switch to DuckDuckGo and Mozilla. A Blackberry, as opposed to Android, will be my next smartphone. As a developer I'll be dropping my iOS support in the coming weeks. I haven't used a Microsoft product, including Skype, in a long time (exclusively Linux). I will likely phase out Google Drive and Gmail as well.

Not sure how many of my compatriots will follow suit or if that will have an impact financially.

There are lots of recommendations out there now to lock-down your browser, e.g. adblock/https/etc, if you haven't already. If this becomes mainstream then advertisers like Google may take a hit.

I'll be emailing my member of parliament (MP) to make sure we keep tabs on this in Canada, and keep our privacy laws intact.

How do you plan on telling everyone you communicate with, "I'm sorry, this channel is unencrypted, this conversation cannot continue."

Why aren't companies scrambling to provide a plug-in encryption product? Forget Google's default https, I want easy end user encryption.

Same here.

Ill be looking to expedite my move off of gmail, yahoo, rackspace etc. It's a shame , but it has to be done.

I'm doing some active research into sending an effective letter my my MP as well as I would like to have it as much weight as possible.

> I'll be emailing my member of parliament (MP) to make sure we keep tabs on this in Canada, and keep our privacy laws intact.

openmedia.org seems to have done a good job campaigning against the Online Spying Bill.

(comment deleted)
(comment deleted)
(comment deleted)
I think most people with some technical savvy have already concluded that everything on the Internet is potentially subject to surveillance, both government and corporate. You can mitigate the impact on your privacy to some extent by going offline or using crypto but not totally. People need to choose what to share, when and with whom. The people who are loudly shouting on social media about the evils of government interception are still shouting on social media where everything they have ever said or done is able to be mined and analysed. Nothing really has changed except perhaps the perceptions of the naive.
This is a huge deal. I live in Australia and I have been running businesses on the cloud for the last 3 years or so. I have rarely heard the issue of the PATRIOT Act raised and in spite of there being laws banning the transfer of personal data outside Australia, most people are quite lax about the issue and take the view that the risks are too small to be counted.

Those days are most certainly over. This stuff will affect companies like AWS and Rackspace the most, given that they are competing for contracts with companies who are seriously concerned about who can get at their data. I imagine nobody will flaunt the laws in Australia regarding international data transfers in future, and that countries where no such laws exist will enact some very quickly.

Any cloud based software company in the US which holds large amounts of data that could in any way be deemed to be sensitive is going to have a much harder time pitching to clients overseas who will increasingly opt for a decent local alternative over a foreign one should the option exist. The only thing that American companies can hope for otherwise is that there is no foreign alternative.

The world is not going to come to an end but for a lot of people, their jobs are about to get much harder and the government should be worried about this.

I'm, also in Australia.

NB: It's a real struggle to not make this sound paranoid.

Just at an individual level, I'm questioning whether it's wise to store my data in a US service that won't afford me the same protection as US citizens.

I've already started reducing my reliance on Google, and I barely use facebook, but things like Amazon and Linode are much harder for me to quickly divorce myself from.

If you're willing to pay a bit more, there are companies like Ninefold

But then again, that is just talk. I still use AWS and Linode religiously. The prices are really hard to beat

> I'm questioning whether it's wise to store my data in a US service

It definitely isn't, and I'm wondering why this issue wasn't on top of your mind before that?

Unfortunately, Oz is one of our spying partners, so your ASIO is probably just annoyed that the NSA can't keep its house in order.
> in spite of there being laws banning the transfer of personal data outside Australia, most people are quite lax about the issue and take the view that the risks are too small to be counted.

I can tell you from working in the finance industry in Australia and APEA, larger companies/banks take this very seriously due to compliance obligations with regulators (APRA, MAS, HKMA, etc).

Agreed.

I am surprised that Amazon, Rackspace et. al. aren't coming out and letting their customers know where they stand in all of this.

Pleading the fifth apparently...
As Facebook, Google, and Yahoo! have demonstrated so far, a company can only make itself look worse by making any statement.

Any denial will be rejected as dissembling or sophistry and admissions of complicity would be suicidal.

Australia isn't exactly a safe haven. There are only a handful of pipes in and out of the country, each of them probably well within the deep packet inspection capability of serious spy gear. I'd be amazed if one of the AFP, ACC, ASIS, ASIO or DSD didn't have their own rooms in selected Telstra and Optus facilities.

And not to mention that Conroy wants to do something like what the NSA are supposedly doing; he's just going to outsource it to the ISPs.

I've seen an AFP server in a certain government datacentre. Its security was a square of black and yellow tape and the assurance that I would be detained without charge under anti-terrorism legislation if I crossed the tape to take a closer look.

But as an Australian citizen we have our courts and public opinion to try and fight for us. Not to mention the people doing the snooping have far less incentive to pass commercial information along to a competitor.
I'm not sure I follow you.

Americans are, theoretically, in a much stronger position vs NSA snooping. US law is meant to make it illegal for their spy agencies to look inwards and the US Constitution has its famous "search and seizure" clause which can, if you find the right judge, have some formidable teeth.

As Australian citizens we have no such protections and we have no standing in US courts to get any restitution. We're fair game.

Further, as Australians, while we enjoy some protection from our own outward-looking agency (ASIS), the inward-looking agency (ASIO) can and does investigate Australian citizens with a broad range of powers, including powers to intercept telecommunications. Their powers compound of investigation with the Australian Federal Police's powers of arrest, sometimes without cause or notice.

In theory, ASIO requires the Attorney-General to grant warrants to exercise most of its powers. Statistics on the warrants haven't been published, so we have no idea if they're granted begrudgingly or rubberstamped. My guess is going to be the latter -- which Minister wants to the one who was "soft on communism/terrorism"?

In the same way that Americans are in a stronger position vs NSA snooping Australians are in a stronger position vs our own snooping.
As I noted elsewhere in the thread, Echelon taught us that the agencies can circumvent these protections by agreeing to spy on each other's citizens and then forward the intelligence.
The idea that would be just as subject to surveillance using Australian hosted servers is pure speculation and not supported by the so far leaked information on PRISM.
Great, as an American, now I have to worry about Australians snooping on me, too.
I think the issue for foreign governments is closer to countries not wanting other countries to have easy reach into their data. For them it's not a civil liberties issue, it's a security issue.
Australian here. Government departments are slowly starting to catch on to this sort of thing.

One application I work on stores data from DEEWR and FaHCSIA and this year they've "cracked down" on that data going overseas.

The application's data (and the bits we get back from the government) has always been stored in Australia on our hardware. My understanding is that some of our competitors using AWS and Rackspace had to work hard to quickly get their stuff hosted locally (or are in the process of bringing it back here).

You can get an idea of what DEEWR expects providers using cloud services to adhere to from here: http://foi.deewr.gov.au/documents/policy-use-cloud-hosted-so...

My latest startup is Efficito (a Limited Company, registered in the UK). The web site is http://www.efficito.com and our servers are all in Europe. We have built the service up with a very careful eye for security (why we are going hosted cloud first, and multi-tenant is still in the works).

You have just given me what I think is a very good possibility regarding a marketing message, namely that we are not subject to NSA orders, and that we take security extraordinarily seriously. We are still looking into whole disk encryption for virtual instances, but key management is a non-trivial problem there to get right. For those who want it I can be pretty sure we'd be happy to work with you to find a way of making the system meet your needs. (Of course given a few customers, we could work with a server in Australia too.)

But I also think it goes beyond shipping the data overseas. Suppose you do business with an American company that has servers in Australia (for the record we are registered in the UK, not the US), and they get a FISA warrant? Of course they will send the info over. So you can't only look at where the business's servers are but also where what legal authorities they are obviously subject to.

You have just given me what I think is a very good possibility regarding a marketing message, namely that we are not subject to NSA orders, and that we take security extraordinarily seriously.

You certainly won't be the first with that idea. I've now lost count of how many blog posts, tweets, forum posts and so on I've seen in the past week that essentially say, "Is the next big selling point for European service companies that we're not subject to US laws?"

The UK has quite a strong military sector with their own secret agencies and a strong relationship with America.

Could that make them capable of similar monitoring? Does the UK have stronger information privacy laws that the US doesn't?

The laws are build on different principles making them somewhat different. However, one of the things that we pay a lot of attention to is security resilience. The question is, "what has to be compromised before your data is compromised? and is there a way to detect it?" The storage is still something we are working on but you can believe it is a design goal.

The EU has very different approaches again to privacy law. I don't know you can compare them. They tend to be more lax with collection and stronger with use.

However, we can also help you install the software (open source, reviewed by developers all over the world) on your premises if you would prefer. So our best shot is only for those who really want to cloud host.

If you're outside of the US, then yes you are not subject to NSA orders. But your data will still be accessed by the NSA, as the NSA won't require an order to read what you've got.
The point is they cannot get a court to compel you to hand it over. Yes, they can take what they can get.
And my point is that what they can get without a court order is more than they can get with one.
But the return on investment is likely to be far less. If it is harder, more resources have to be spent, then they will be more selective if just because it would be prohibitive to bug every system across the world, at least at present.
>But the return on investment is likely to be far less.

I am not so sure about that. The internet... well, many of the wide-open holes have been closed... BGP hijacking isn't as trivial as it was in '08[1], mostly because filtering has been implemented in some places, but it's still something that could be done by someone of, say, my resources. It's trivial to anyone with real resources.

And there are all sorts of other possible attacks. Hell, even ignoring the (probably easy, for one of the three letter agencies) possibility of putting a backdoor in the firmware shipping on popular routers, well, most ISPs end up using ancient router firmware revisions on their routers[2]

Yeah; read over that BGP hijacking attack; it sounds way easier than setting up a collector at every ISP. (You'd still need local collectors to not add too much latency, but a single (/very/ well connected) collector could cover a reasonable region)

[1]http://www.defcon.org/images/defcon-16/dc16-presentations/de...

[2]Cisco charges an arm and a leg for firmware upgrades... they give you some of the really old stuff? but usually the choice is used $BIGNAME hardware without firmware updates, or you roll-your own quagga. (at the 10G/sec traffic level my upstreams can push, quagga/vyatta work just fine... that's what I use.)

Metadata cannot be protected as well as the actual content can. One of the keys of good security is to ask what has to be compromised for your data to be compromised, though. If you have SSL-protected connections, BCG hijacking alone isn't going to reveal your communications but BCG hijacking along with a fake certificate issued by a trusted CA under court order or merely voluntarily) would allow a MITM attack.

The thing is, if you have your own CA, and expect certs from both sides from the same CA, then it is very hard for an MITM attack of this sort to be orchestrated because you can say, "Something isn't right here." So that leaves attacks against the cyphers involved or against the endpoints.

One service we offer is an ability to use an SSL cert issued by the customer, as well as appropriate VPN options to connect to the system at all. Between these, in general I would expect that MITM approaches can be protected against in high security configurations. But that still leaves cyphers and endpoints.

So the first thing we need is a better PKI which can more robustly handle fraudulent certificates. This is something I have written about a bit. (see my blog, http://ledgersmbdev.blogspot.com for more.) But we also need a lot more.

BTW, we build everything on the basis of compartmentalized security with the idea that compromising customer data will require working through quite a bit of depth, particularly in relatively high security configurations. It wouldn't protect against a court order, but it should protect against a lot of other things.

Could the NSA hack us? I am sure they could. Could we make it difficult enough that they would be much better going through legal channels (maybe making deals with local law enforcement or the like)? That's what I am shooting for. It is probably the best one really can shoot for.

>Could we make it difficult enough that they would be much better going through legal channels (maybe making deals with local law enforcement or the like)? That's what I am shooting for. It is probably the best one really can shoot for.

Yeah; my point was just that getting to that point (where it's easier for them to go through legal channels) is harder than it looks. It's certainly not the default state.

> Yeah; my point was just that getting to that point (where it's easier for them to go through legal channels) is harder than it looks. It's certainly not the default state.

As we went through our initial design, and started talking to others, it became quite clear that the being industry standard when it came to security is not something that either myself nor my business partner were comfortable with. We opted to start looking at everything very carefully and review eachothers' works regarding security, suggesting improvement, etc.

It's one of the reasons we decided to go hosted cloud first and only later multi-tenant.

>It's one of the reasons we decided to go hosted cloud first and only later multi-tenant.

So by 'hosted cloud' you mean 'every user gets their own VM?' I mean, you could mean that you use on-demand dedicated servers, but most people mean virtual instances when they say "cloud" (I hate that word "cloud" - it's so vague)

(personally, i still think of multiple VMs on one physical box as multi-tenant. But managing a VPS per user? thousands of times easier than managing a user-account per user and just having a bunch of users on the same box. In my opinion, more secure, too.)

How are you managing images? I mean, that's the thing you've gotta watch for, a backdoor in the install image.

One thing I've noticed about my customers is that they almost all prefer to use my image than to do a net-install. (I give my xen users a paravirtualized boot loader, so they can load the distro install kernel and go from there.) the interesting thing is that my dedicated customers are far more likely to do their own install (I provide only... a very rudamentary PXE menu.)

Or, maybe that's just my perception because I only notice what OS they are running when they ask for help... whereas on the dedicated servers, I've recently had to move a bunch of them, which required me to look at consoles. So I guess there could be a bunch of arch users or something like that who just don't ask for help.

It does seem like having your own physical hardware would make... a big difference, security-wise.

We can do either but our default is vm's, just because for smaller businesses that is a lot more practical. Customers typically do not have root access to their VM's unless they supply their own keys/x509 certs so we can take ours off. If we are managing the box we have, for example, stored root passwords (rarely needed and only two people have access) encrypted in PostgreSQL (which means we do not log when we are not debugging and we do not allow history to be stored since manual keys must be entered when retrieving this info).

> How are you managing images? I mean, that's the thing you've gotta watch for, a backdoor in the install image.

It's not the only thing you have to watch out for. If someone can compromise the host they should be able to compromise all vm's given a little time. We do have some automated ways of checking for changes though. In general the physical hosts are much less exposed but cannot guarantee that more generally. We are always discussing ways to tighten security (I am considering setting up a rediculously tight selinux policy on the physical hosts).

> It does seem like having your own physical hardware would make... a big difference, security-wise.

The big difference is actually where the hardware is located. The big difference is really having your own physical hardware on your own premises on your own intranet vs using someone else's physical hardware in their datacenter, with their intranet. In general though if you have someone else's hardware on your intranet you can better control it than if you have your hardware somewhere else.

Again, I don't understand why you think that it's harder for the NSA to hack / bribe / trick their way into data than it is to have to obtain court orders and convince everyone to work with them.
The cannot get a US court to compel you to hand it over.

How likely do you think it is that any of the UK agencies that have powers to request interception under RIPA will refuse a "please scratch your back, and we'll scratch your back later" request from the NSA if the NSA actually cares about your data enough to try to get someone to compel you to hand it over?

And RIPA does provide basis for compelling you to hand over keys or face prison.

Being in the UK may protect us against NSA just taking whatever they feel like whenever they feel like it for no reason at all, but I very much doubt it does much good for anyone that actually ends up in the NSA's crosshairs.

"Suppose you do business with an American company that has servers in Australia (for the record we are registered in the UK, not the US), and they get a FISA warrant? Of course they will send the info over"

There's a way out. Those server offshore must be handled by subsidiary. Then the parent company in US does not have the data and they can not also command subsidiary to handle it over.

The big US companies have made it clear that they will give out data held by subsidiaries, even if this is illegal eg under European law.
That means the best option is not to use wholely owned subsidiaries and instead have a partnership with the parent owning a large plurality but non-controlling interest (say 10 partners from various countries, with the parent owning 49.9% of the subsidiary). You can set the agenda, more or less run things how you want, but anything you try to do as shareholder can be vetoed by the other 9 acting in unison.
The UK is not exactly an ideal location to make a fuss about this from, given that the Regulation of Investigative Powers Act (2000) gives extensive rights to the government to demand covert surveillance, which includes requirements of confidentiality over interception warrants to the extent that they in some circumstances can not even be revealed in court.

On top of that Part III of RIPA makes it an offense to fail to disclose your encryption keys to the government in certain circumstances, and the court does not need to actually prove that you have the keys in order to sentence you for failure to produce them.

Before anyone else gets this idea, I'd encourage you to look at your organizations' resident country laws before thinking & acting on this.

Companies based in the UK, for example, can not make the claim found above ( http://m.washingtonpost.com/investigations/us-intelligence-m...).

I'm not a lawyer, but you could lose all credibility if you act on that and get it wrong.

There are technological solutions to address this for US firms. Encryption on the client side, before data is sent to the cloud, would work. I would suspect (hope) that browser makers will quickly introduce features that make sending and receiving end-to-end encrypted communications (email etc.) a thoughtless process - since that is the only way to get people to use it.

Even better, perhaps someone will write software that sits on top of the network stack and automatically negotiates secure communications regardless of the origin client software. Maybe some sort of public key registry might come into play.

I think it will impact B2B e.g. big/sensitive projects will be much less inclined to use Skype.
I live in the UK and for me this is a big deal. While this issue was always in the back of my mind, I never had concrete proof that this was happening.

Now that my fears have been answered, I shall think twice before buying any cloud space on US companies servers. I will be speaking to my colleagues on the effects this will on our existing data and how will this effect the trust with our customers.

I think this is a huge deal.

I don't think he's capable of destroying it, but he's certainly set things back quite a ways. We've known about domestic internet spying for quite some time, but its definately gotten bigger and badder under the current administration.

I hope people finally will stop with the "oh but nobody is looking at my stuff" attitude, because now they know BigBrother(tm) is watching.

IMO it should be a much bigger deal for totally commodity services (IMAP/SMTP, file storage, etc.) vs. "unique" services (it's not like you could run your own Facebook server in Iceland...)
There are local social networks, to give an example from Russia: vk.com, odnoklassniki.ru, etc. And these are more popular than Facebook.
Social networks aren't commodities, especially once your set of friends are on them.
You're right, what I meant with my comment was that for may countries Facebook is not the only social network. Many people are active in multiple networks and some of these social networks have no ties to the US, hence if users outside of the US decide to move away from Facebook it won't be that hard to do.
Another data point, I have used a ton of cloud services from US companies in the past with an attitude of not really being comfortable with it based on a belief that something like what was discovered was probably happening but it was just too damned convenient and easy to ignore.

I still made efforts to secure what mattered, like truecrypt containers on dropbox et al, but at the end of the day I just shouldn't have played the game at all. Lending economic support to this kind of behaviour is not acceptable.

I'm conflicted about this because I'm convinced that generally speaking, Dropbox and Google and various other companies that have no other choice than to behave in this way are otherwise really worth supporting.

I am as we speak setting up dedicated hosting with encrypted storage and obfuscated service paths to migrate all my existing services onto something I can reliably control, starting with gmail and dropbox.

I really should have just done this a long time ago, but it becoming abundantly clear that my suspicions were completely justified pushed me over the edge.

No, this sort of thing has been going on long before Obama. If anything he will just be the one that got unlucky enough to be in charge when people found out some of the details.
Nothing new at all, history just repeating itself. Everything mentioned in this article was already assumed by people. I did laugh when they aid we don't do domestic spying. I think they don't know in US how many people in the world are living outside the all mighty US. Maybe it's just bad geography and limited national political thinking.
The good news is, if we make this a big deal and companies start to feel the pressure, we'll have millions of lobbying dollars on our side.
Is it true that Google does not protect the rights of non-US users from having their emails read and copied by the NSA?

If that is the case, then why would any foreigner ever use Gmail, Yahoo mail, Hotmail, etc?

I am an American and I just want to point out that my latest startup (http://www.efficito.com) is a Limited UK company, and my co-founder is from the Netherlands. It would certainly be to my advantage if things change. We offer cloud-based ERP, and you might be interested to know our main hosting server is currently in the Czech Republic. We are also paranoid about security (all access is encrtpted, and we are looking at encrypted storage for virtual machines, and much more).

I would love for things to change. I really would. What I worry though is about attention span of even decision makers on the business side, and what the alternatives are. The ideal situation would be a bunch of smaller private social networks able to interop (the Diaspora model) but it isn't clear there is a financial way to make this work.

So I hope it changes. I really do. I just am somewhat pessimistic :-P

I'm a UK citizen with a startup http://microco.sm that has gone to some lengths to avoid US domains, companies and laws.

All of our domains are EU based, the company is UK based, and whilst we've used Linode for blog and basic site-hosting and will use Cloudflare for CDN, we are putting nothing on the server of a US company that could be a risk to privacy.

All of our data we are keeping within the EU which we feel holds much better standards and has stricter laws on data protection, and for user-generated content we feel that the EU E-commerce Act is better than the DMCA and risk created by the copyright lobby in the US.

Ultimately what this means is that for our core data and API, European companies with no US parent or holding company will win our hosting business.

We will still use US companies, but in a way that is little more than transport and performance increases for US-based users. But even then, we are not requiring real identity and we are implementing SSL everywhere and are happy if users use VPNs or Tor to connect.

Why all the fuss? I believe that through a persons' interests one can determine political affiliation. So I believe that to allow people to organise themselves freely around their hobbies and pastimes, that we must consider this and protect them from any entities that might use that information against the individuals. Further I believe that when people of shared interest come together that they are likely to organise to protect and preserve that interest, and this means that interest groups galvanise ad-hoc lobby groups and activists.

I also hope it changes, but I'm going to act as if I believe it will get worse on all fronts.

What I'm saying is that I foresee a hybrid approach in which company data officers will help guide all identifiable data and transactions to EU or local sovereign cloud companies, and that only data that is not personally identifiable, containing company secrets or in the form of aggregated data will be stored on US-linked cloud companies.

This seems to be the best approach and respects EU data protection laws, consumer expectations and rights, and still offers the company flexibility on choosing based on price/performance.

you'll be putting all your traffic through cloudflare?

if they do your SSL termination that makes all your careful US-avoidance completely redundant.

additionally, if you include some JS hosted on cloudflare, then that's susceptible to being tapped by the US intelligence agencies too.

No, I'll be putting some of my traffic through Cloudflare as we use several domain names, and each for a specific purpose.
also if they want to intercept a few of your high profile users, the fact you're using SSL really isn't going to stop them, when they can issue valid certs for your domain without asking you.

short of SSL pinning being widely deployed: you're powerless to stop them, and while it's an admirable goal, it's ultimately disingenuous to suggest that you can safeguard your user's privacy.

I'm not suggesting that I can safeguard user privacy, but doing something is better than doing nothing, and certainly I can do what I am able to. Ultimately the user is far more likely to give up their privacy by posting identifiable information online, and through graph analysis revealing their associates too.

What I can do though is: Leave the core data in Europe, not store anything that I do not need to offer the service (and I don't need your real identity), educate users and encourage the use of Tor and VPNs, implement what measures I can do protect users (SSL).

What does this have to do with Obama? Genuine question, the article doesn't say. I thought this was a consequence of the Patriot Act.