24 comments

[ 13.4 ms ] story [ 1054 ms ] thread
Brief synopsis: an Italian-based startup with some of its technology infrastructure hosted with US companies was the subject of massive fraud in Italy due to its recent decision to accept (only) Bitcoins. Completely misunderstanding how the law works, they assumed that a US company would comply with an Italian court order because of an EU directive. Their solution? Move to Iceland, a member of the European Economic Area.

EU and US law doesn't work the way they think it does. For starters, FISC isn't relevant law here. But more importantly--simply relocating their servers to Iceland does nothing for them since the company physically remains in Italy.

They (Clipperz) remain subject to Italian laws, meaning that they are still subject to Italian subpoenas and discovery requests. Civil law countries like Italy don't have the same evidentiary protections that the US has. Italian prosecutors can simply use their refusal to provide access to those servers against them in court. (The same is generally true in the US for civil, i.e., tort, cases but not for criminal cases.)

However, since their servers are no longer hosted in the US or the EU, they're no longer protected by US or EU laws! So congratulations, Clipperz! You've accomplished the double whammy of not improving your legal situation at home while simultaneously increasing the threat to your servers! Now the NSA, British Intelligence, and various other US and EU government agencies can legally hack your servers, and the data they recover can legally be used in any US or EU court even without a warrant and despite the illegal means by which the data was obtained. Congratulations!

Here's a suggestion guys: next time, consult a lawyer. You clearly need one.

They already mention Lavabit. How were they protected by US law exactly?
Evidence must be acquired by legal means to be usable in US courts. This means that data acquired by the NSA can't be used in court by the government in a prosecutorial setting unless the prosecution can establish how the evidence was acquired. If they can't, the evidence is tainted, as it all evidence discovered through the tainted evidence, and can't be used in court.

While prosecutors frequently try to argue parallel construction (they would have discovered the evidence anyways through other means), judges rarely accept this argument unless the prosecution can show that such other means were already underway and yielding evidence that would have led to the tainted evidence. (This is rare, because at this point in the proceedings, the investigating agency has usually moved on to investigating other cases. The law doesn't move as fast as it does on Law & Order or CSI.)

Also...Lavabit isn't relevant. That idiot thought he came up with some brilliant "hack" of the legal system based on a bizarre misunderstanding of the law and it bit him in the ass. Even a first year law student could have told him that scheme wouldn't have worked. If he had wanted to make a subpoena-proof system which would have prevented him from actually providing decrypted customer data, he should have designed such a system. Instead, he built a system that let him decrypt customer data...while also decrypting the data for every other customer.

Sorry to disagree with you, but I think that Iceland is a good place to host if you want data protection. Being inside the USA does nothing to stop the NSA from sweeping up all your data: didn't they break into Google and Yahoo private property to plant equipment to intercept private fiber communications (on private Property! no warrant!).

I expect some small tax jurisdictions (i.e., countries) to try to get more IT business by disassociating with the USA and EU. More power to them.

>Being inside the USA does nothing to stop the NSA from sweeping up all your data: didn't they break into Google and Yahoo private property

They might not have broken in, but that doesn't mean they can't, just that they had an easier way to do it.

I doubt Germany and Brazil gave the NSA permission to eavesdrop on them, but they did it anyway. Make no mistake, simply not having anything in the US is no protection if you are hiding from the NSA.

But none of that matters (there is more to security than pretending to hid from the NSA), the GP appears to be correct and they moved to Iceland to deal with Italian law, while living and being based in Italy. They seriously need a lawyer.

> Sorry to disagree with you, but I think that Iceland is a good place to host if you want data protection

You've missed the point: they are not incorporated in Iceland. They are incorporated in Italy. Move their servers does them no good, and doesn't do anything to reduce their exposure.

An analogy: a company can move all its money offshore to reduce its tax liability, but only if at the same time it sets up a offshore limited liability subsidiary to handle that. Just moving all your money one day to the Cayman Islands without any of the legal and corporate work associated with it doesn't reduce your tax bill.

Similarly, it doesn't matter if Clipperz servers are hosted in Iceland unless said servers are owned and managed by a Clipperz subsidiary based in Iceland and not subject to Italian law. It sounds like they think they've figured out a clever wheeze, but they haven't at all:

> Clipperz was born as an Italian company subject to Italian laws and so it will remain. We are not planning to move people or assets out of Italy, we just moved the tech infrastructure to a place where our fundamental rights enjoy better protection.

Moving the tech whilst keeping the entire company in Italy and subject to Italian laws doesn't give their fundamental rights any better protection.

You seem to be missing their point; they were worried that previously, there was a possibility of their servers etc. being seized for investigation (a la Megaupload) based on these dodgy wire transfers. They believe that in Iceland there is less chance of this happening.

In other words, they believe Icelandic authorities will be more likely to tell the Italian authorities where to go than would the US authorities. This doesn't seem unreasonable.

Their worry is about servers being confiscated. They believe there's less chance of this happening in Iceland than with a US provider obeying EU-US safeharbor treaties. Of course their own exposure as a company and as individuals remain the same (under Italian law), but they believe the physical threat to servers has diminished - should they get arrested, they could "eat their ssh keys" and authorities could not just stop the service.

I'm pretty sure they do have a lawyer already (ever tried to do business in Italy? You'll need a lot of lawyers). I do hope these attacks are from "usual" bad agents (i.e. organised crime, people interested in laundering BTC), rather than some dirty-trick Italian agency, but who knows, the country is crazy atm...

(comment deleted)
(comment deleted)
They certainly did not "break into Google and Yahoo private property to plant equipment to intercept private fiber communications" you'd expect people on HN to at least be literate.

GCHQ with the assistance of telcos and probably level 3 intercepted the data transferred between global datacenters and the legal justification was that those datacenters are located outside the US.

> However, since their servers are no longer hosted in the US or the EU, they're no longer protected by US or EU laws! So congratulations, Clipperz! You've accomplished the double whammy of not improving your legal situation at home while simultaneously increasing the threat to your servers! Now the NSA, British Intelligence, and various other US and EU government agencies can legally hack your servers, and the data they recover can legally be used in any US or EU court even without a warrant and despite the illegal means by which the data was obtained. Congratulations!

AFAIK the NSA can and will legally capture and analyze data in US-based servers and networks if the data relates to non US citizens. Admittedly, keeping American users' data in the US could keep the NSA from analyzing it, but they're still allowed (or so they claim) to capture all data in US soil.

> was the subject of massive fraud in Italy due to its recent decision to accept (only) Bitcoins

Can you elaborate please? What's the fraud angle?

They discuss it briefly, that after they announced the switch to Bitcoin-only payments, they suddenly became the target of various bank deposit frauds. The gist of it is that people were claiming that unauthorized withdrawals were made from their accounts to Clipperz' bank account. These persons were able to show "proof" of the outbound transactions, though apparently the corresponding inbound transactions had not actually (yet?) shown up in Clipperz accounts. Presumably, under Italian law Clipperz would have been required to reimburse them for these unauthorized transactions (assuming that such transactions actually took place).

As they are based in Italy, it is likely that Clipperz was the target of organized crime.

Thanks for that explanation. So the fraud is unrelated to Bitcoin, I take it.
With this headline and then reading the content I feel like this was more of a marketing exercise than a legal one.
"However, since their servers are no longer hosted in the US or the EU, they're no longer protected by US or EU laws! So congratulations, Clipperz!"

If you read the post, it seems pretty clear that they wanted to not be subject to EU laws either:

> Joyent, our previous hosting provider, has a safe harbor agreement in place with EU authorities which can intervene on Clipperz servers as if they were physically located in the EU. Or Joyent could be forced by a FISC order to hand over data, keys or fiddle with our code. Or US authorities can just cancel Clipperz from DNS registries or simply seize its TLD (read this Wired article).

Someone obviously obtained their bank account wiring details. Why don't they switch accounts and/or banks? Leaving the U.S. won't seem to affect their situation.
Yeah, my thoughts exactly. It looks like the problem and solution don't exactly agree -- if your problem is someone having access to wire details for your bank account who should not, the solution should be fixing that compromise ASAP. Sure, moving your servers could help fix another problem, but it doesn't solve THIS one.
This smells fishy. Why would this matter since they supposedly know nothing about who stores what? Is their zero-knowledge service not ZK? Are they logging IPs?
When dealing with bitcoin, be prepared to have big bankers and powerful countries as enemies..

They will use all dirty tatics available.. these are the guys ruling the world right now.. and bitcoin is a threat to their power..

The hope is that some of them will see bitcoin as a oportunity, or that the new emerging ruler class (the technology geeks) will create the new clash of the titans..

The NSA scandal already started the fire.. lets see what happens in the next chapters :)

https://www.clipperz.com/pricing/financial_statement/

"Fiat currencies" = Italian autocorrect?

The whole thing sounds crazy -- I wonder if it's a competitor trying to sink them. Or an even crazier twist would be a competitor trying to sink them while simultaneously leveraging their open code base...