That's what he's talking about. Does the quote have a different meaning than the literal one? Because otherwise I'm not sure I understand what you are trying to convey with it.
Thanks, interesting. (Although I can't help but mention: having had a bunch of classes teaching you how to properly distribute information and knowledge using a screen and powerpoint-style slides, this one sure looks like a total abomination to me - and looks can be deceiving unfortunately, they really don't add to the credibility here)
And exactly no information on how Microsoft cooperated or caved. For all you know, the slide might just be indicating the NSA implemented Microsoft-specific parsers before others. Or that they tapped MS fibre or datacenters.
How does it work for companies that are separately incorporated in another country?
For example: I had a argument with someone from Goldman Sachs Switzerland. They are claiming that their data is out of reach from the US dept. of justice because they are a separate entity incorporated in Switzerland. I have also heard that as an argument from a datacenter provider (Equinix).
Don't profits from these Swiss corporation still somehow make it to the parent company?
What does the parent company do when served with an NSL for data located in the Swiss company?
BTW the funniest thing about Goldman Sachs Switzerland is that they do not accept US customers as they are considered 'toxic'.
The Swiss banks which have been getting in trouble and paying billions in fines have been doing so because they were conducting business in America with Americans in order to break American laws.
If Microsoft or any company does foreign business and that specific business stays out of America, the American justice system has no business at all trying to reach it's fingers into it except by established treaty and/or cooperation with foreign governments.
BTW the funniest thing about Goldman Sachs Switzerland is that they do not accept US customers as they are considered 'toxic'.
Practically no Swiss bank accepts US customers at this time. This can be quite a hardship for US citizens living in Switzerland. But they deem the risk just too high and rather forgo the business.
To clarify what your Goldman friend meant.
Swiss banks are obliged to keep customer identifiable data ring fenced and within the country. That is, it can't even be processed offshore. It has nothing to do how the entity is setup legally.
For example (I work for a Swiss bank). I can easily remote access my desktop from home, or, if I have my laptop and token with me, from any other location in Switzerland.
There is no way to access the systems from outside Switzerland.
Singapore, btw, has comparable laws and also ring fences data for use only in Singapore.
First of all, the role of that executive would require a business need to access the data at all. Banks are really big on compartmentalization and the most important principle is that a bank employee can only see, let alone modify, data as far as it's required to do his or her job. This also applies to top executives.
It's unlikely that an US top executive has a valid business reason to see Swiss data when visiting the country. If such a reason exists he can surely see it, but it's probably illegal to take the data out of the country in any form. (I'm guessing here, but Swiss criminal law is quite finicky on the issue of bank secrecy).
If the top executive tries to asshole his way into the data (as in: "hand over the data, or you're fired") any halfway smart employee would immediately inform compliance, where a whole cacophony of alarm bells would go off.
As for IT professionals. Sure, a lot of foreign IT professionals work for Swiss Banks. But the need to access actual customer data is very, very rare. If the need exists, they can surely see it, but only from within the country's borders.
> For example (I work for a Swiss bank). I can easily remote access my desktop from home, or, if I have my laptop and token with me, from any other location in Switzerland.
There is no way to access the systems from outside Switzerland.
Can you remote access your home desktop from outside Switzerland? :)
While I understand and accept the technical possibilities where this could be worked around, it actually misses the intent of the law.
If someone where to be caught doing that, she/he would not be able to say it was technically possible so it's OK. It's technically possible but legally forbidden. So the message is: do it at your own peril.
Reality and law don't always agree but when these things go to court, law has the upper-hand :)
US customers are "toxic" to many banks internationally, not just the Swiss, because the IRS claims authority to access a lot of data for the prevention of tax evasion that either makes US customers wildly inconvenient, or that is actually illegal for the banks to disclose to anyone but their own authorities (if that).
I don't think so :), we're not that important. So far only 3 comments have been seriously downvoted -- one of them presented seemingly unfounded information, the other one was simply unfunny trolling that should not be on HN, the third one was mostly off-topic.
Because of - to some extent understandable - reasons MS hate is still quite strong among this community but destroying an MS-related thread is unnecessary.
Do you really think a site has to be "important" to be targeted? To influence public opinion it seems like you'd just want to blanket influence as many popular websites as possible. It wouldn't take that large a team to do it given the right software.
I was a part-owner and later a mod on a quite big forum (>500k registered users, etc.). There were many people who always claimed that others who disagree with them are paid shills -- I happened to know that they aren't at all.
Heh, same here. If everyone who accused someone of being a shill was right, then everyone would be a shill, almost. Hilarious stuff, literally insinuating that someone had built up a reputation on a tech magazine forum over half a decade to shill products. In fact, I think in the years I was a mod/admin, we banned maybe one "shill", and even that was debatable and mainly because they didn't post any relevant information for anything else.
I've suspected for a while that the NSA has some kind of software like google alerts that monitors the top 1000 relevant sites and detects when they are being talked about so they can turn the discussion. We know from Snowden leaks that they are attempting to influence public opinion online, so that seems like how I would do it. Also I've noticed that previous threads like this are particularly full of naysayers.
Whilst our opinions are indeed irrelevant, they still try and influence the discussion.
Why? Because the military-industrial complex has invested vast amounts of public money in technology, contractors and employees to allow them to do just that.
Companies like Booz Allen Hamilton are making buckets of cash selling the government this kind of tech and the contract staff to go with it.
The government buyers are being taken on jollies in the Caribbean and receiving nice kickbacks for authorising the public purse. Next year both parties plan on increasing the budget. And so the merry dance goes on getting bigger and bigger every year.
How are they fighting the "wrong battle" when complying would be a breach of Irish law? If the US DOJ is so keen on this data, they should get the Irish law enforcement in the loop.
What are the legal consequences for Microsoft if the US government succeeds in forcing them to bring this data over from Ireland? Won't Microsoft then be in breach of Irish law? What does a company do if forced to choose between breaking one of two legal instructions? Perhaps they can just choose?
Alternatively, the Irish Microsoft corporation could decide to prevent the US corporation from having access. It could be argued that they are legally required to do this. Then the US corporation can say they no longer have access. It doesn't matter that the US corporation is the only / majority shareholder because the shareholders cannot compel the company officers to do something illegal (i.e. provide access).
Suppose the people working in the US are required to tell the people in Ireland to give over the data, and the people in Ireland are required to refuse. Maybe they'd just have to have a really long argument on the phone until the court got tired of it.
Presumably there is a way to challenge this though. If the court ordered Microsoft to produce a square circle could they still be found in contempt for failing to do so?
Is it really an "internal" structure though - Microsoft US and Microsoft Ireland will be different legal entities. Of course, Microsoft US as the owner of Microsoft Ireland can tell their subsidiary to do something - but that doesn't mean that the management there will do it if it is illegal.
And if the people in the EU complied, they should similarly be held accountable under EU privacy and data protection rules. Either way, Microsoft and/or their employees personally wind up in serious legal trouble.
This is why Microsoft are in a Catch-22 situation, and why the correct solution for Europe is probably to just stand their ground until the US realises it has gone too far in expecting its laws to apply to the whole world and is now asking the impossible at the expense of its own business community.
I guess the US government will force the US based part of Microsoft to cooperate. No choice, possible in stealth. This might or might not be discovered by the Irish part/government, which must then sue.
Basically there is no winning for Microsoft, except keeping it secret, having the US government pressure the Irish not to sue, or having the NSA pay possible fines.
Its not really that simple, since Ireland is part of the European union. If Microsoft willingly break data protection laws, then the EU court would likely sue Microsoft again.
Given the history of EU court vs Microsoft, and the market size of EU vs US, Microsoft has no easy solution to the problem. The US government might pressure the Irish, but would have a harder time against European union (which I suppose is part of its design).
Sadly, so far no company has been sued by EU for complying with american legal requests.
I think the motivation is somewhat along the lines that the company didn't have a choice in the matter. Personally I wish that didn't matter and that the privacy breaches would have been prosecuted - I can think of nothing that makes legislative changes faster than companies having to choose where to do business because it would not be possible to do business both in USA and EU.
There have been some very shady dealings between Europe and the US, in areas as sensitive as financial and travel information, where it seems the US has demanded data and Europe has conveniently overlooked and/or hacked its own privacy and data protection laws so they can provide it.
I suspect given the increasingly anti-EU sentiments in many European countries and the outright hostile behaviour of the US toward foreign citizens in recent years, this situation isn't going to last much longer. Someone in politics is just waiting to make their career by telling a weakened EU administration and/or the US where to go, presenting themselves as the people's advocate and defender of basic human rights. This issue provides a convenient and potentially very effective vehicle for anyone with such ambitions.
Put another way, the asymmetric legal, economic and diplomatic relationships that have favoured the US for some time are essentially a bet that the US is worth more as a partner than any cost that asking "how high" will incur. Sooner or later, someone is going to call them, and at this point I'm not sure whether they're just bluffing.
I think I would agree to what you are saying as to the logical conclusion of what is happening now, but I hope no one will conflate such a possible outcome with it's probable effectiveness as long as the technical capabilities allow for governments, corporations, and individuals to subvert such systems.
Would citizens of the EU have faith in such a candidate anyway who will basically play the same game as their predecessors? Would anyone with the technical capabilities to develop and use encryption/steganography software for things they deem necessary to encrypt, put any trust in such a candidate over themselves?
Seems like a growing market to sell people on privacy as a service, which means there will be a growing market for those who want to subvert such…
Firstly, the means to make mass surveillance significantly more difficult and expensive already exist, we just don't use them routinely as a society. This lack of security and privacy awareness is harmful for many reasons, only a few of which are related to potential abuses by government organisations, but part of the reason they haven't been used more is because of the pressures imposed formally and no doubt less formally by governments. There is always going to be a balance here, because obviously there are bad people in the world and governments are expected (reasonably or otherwise) to protect their citizens and organisations against those bad people. I doubt any government is going to willingly give up all possibilities to intercept communication, but I think you could have a situation with much more transparency and oversight than we have today to keep that power in check and directed to its intended purposes.
Secondly, one of the most disappointing things about this whole affair is that our own intelligence and security services (I'm in the UK) seem to be more concerned with covering their backsides and keeping tight with their US chums than they are with actually, you know, providing for the security of their own country. In an era when foreign surveillance is a significant threat to everyone and so-called allies are among the prime culprits, the duty of our services is to treat those allies as hostile to the extent that their observed behaviour demonstrates they are hostile, and to respond proportionately. US spying on all our citizens' data? Promote encryption as standard and advise businesses on how to keep their data out of US jurisdiction. If allies have legitimate grounds for wanting sensitive information about British people (and I'm certainly not saying they won't have legitimate grounds for doing so from time to time) then let them request that information through proper channels and in compliance with our laws (and make sure our laws provide for assisting allies appropriately but with appropriate controls and oversight as well).
Ultimately, you can't rationally expect governments to protect their people without allowing them to use the technical tools and legal powers necessary to do so, but neither can you rationally protect your society and way of life by destroying it. This debate is all about resolving that inherent conflict in as fair and practical a way as possible, and to that extent, I think some fresh views in politics could improve the current situation considerably.
Firstly, the means to make mass surveillance significantly more difficult and expensive already exist, we just don't use them routinely as a society[…]but I think you could have a situation with much more transparency and oversight than we have today to keep that power in check and directed to its intended purposes.
One has to acknowledge that it is also not presently in the interests of those who have kept it so. Transparency is a two way street, if everyone as individuals had access to such information that is in the hands of the few to leverage, many aspects of our society could also be made better. After all, "encrypt all the things" makes one wonder about the effort exerted is worth it all, especially if it enables individuals to deceive/mislead/exaggerate to others in the name of privacy.
Secondly, one of the most disappointing things about this whole affair is that our own intelligence and security services (I'm in the UK) seem to be more concerned with covering their backsides and keeping tight with their US chums than they are with actually, you know, providing for the security of their own country.
I question how much "security" there needs to be when governments, corporations and individuals go to such lengths to hide such information from others to maintain the asymmetry of information from individuals of the public, and wonder if they're would be more "security" provided if the public who funds such boondoggles had access to such infrastructure. I'd rather have API keys than the hand-waving/profiteering/"we know whats best for you" media/policy makers and it's enablers tell us what they think we, the public, should know of what they do on our behalf, because only they should be responsible for protecting us, and not ourselves as individuals?
I never have expected any government to protect "their" people, when all of them to some degree are actively harming them and continue to do so through various means unaccountably with claims onto behalf of the public.
Just in case it wasn't clear, when I wrote "providing for the security of their own country", I was referring to protecting their own citizens and organisations from unjustified mass surveillance by foreign powers (whether or not those powers purport to be allies). If the press releases and government statements are any indication, there seems to be more emphasis right now on collaborating with those foreign powers and even helping them to conduct their surveillance than in reining them in or applying technological measures to prevent or deter acts that are not permitted under our laws.
Part of Microsoft's solution to the problem is getting this headline published. While the article suggests that this has been going on since before the Snowden information disclosures arose, demonstrating that they're resisting is a change from the perception many had regarding Microsoft's stance on these issues when the Snowden content first began to be published. This excerpt supports this point:
"Microsoft’s efforts to push back against the government in this and other cases, company officials say, predate the disclosures by former National Security Agency contractor Edward Snowden about the reach of U.S. surveillance. But the revelations, which began a year ago, “certainly put a premium on demonstrating to people that we are fighting,” said one Microsoft official who spoke on the condition of anonymity because he was not authorized to speak for the company."
That is an important point. The ironically named Patriot Act contains a deeper, clandestine layer a Treason Act, if you will, that can compel American companies to act in ways that are illegal in other jurisdiction. It is kept secret and any business costs and consequences for those actions are compensated, also clandestinely; which is also the biggest reason why it is actually quite crucial that American companies are not trusted by other people around the world.
If, e.g., Europe, is serious about protecting and defending against the demons that are quickly consuming the USA; they need to put in place meaningful, positive controls in place.
We really need to start coming to terms with the fact that we, the USA, are quickly becoming or maybe even are the most dangerous force humanity has ever seen. Sure, we are not "doing anything wrong" other than killing civilians and even out own people against our own laws by rationalizing ways and reasons to sidestep our most core fundamentals; but we will all rue the day that the force canalizes and stripps off its mask to reveal something far more sinister than most people could even imagine.
You have to remember, no horrible regime took power by saying they will graduate to brutalizing their own people. Put it this way, we are well into several meth highs, still insisting that we will be able to stop when we want to and control any addiction that may arise.
I would think Microsoft has the upper hand untimely. They could always take the nuclear option and stop selling the government windows or something drastic like that.
If companies like Microsoft adopted end-to-end encryption wherever they can for their services, this would be less and less of an issue. The users from a certain country wouldn't need to "trust Microsoft" anymore then, because there would be nothing to trust them with. In the same fashion, governments wouldn't need to try and force Microsoft to build local datacenters to keep the data there. When the service is trust-less, such policies aren't necessary.
Fair point. I was more meaning that arguments about how he couldn't comply (in that case for legal more than technical reasons) didn't cut much ice. The general view of the authorities appeared to be that the operator of the service was required to comply and if they hadn't left themselves a way to do so without violating some other obligation then that was their problem.
But if there was technically nothing they could do to access the data, they could not be forced to do it. If I encrypt data on my machine and upload it to s3, Amazon cannot be forced to do anything other than provide the encrypted data to the government. They can't be compelled to give my key because they do not have it. It is very hard to operate e-mail this way, because the server cannot send your e-mail other servers in the encrypted form, unless you limit correspondence to users that are using your encryption and key-exchange system.
Not all cloud services have this limitation. However I suspect that there will always be some metadata that the government will be able to request from the cloud provider, and this legal question will still be relevant.
In finance, the US pressuring people in arbitrary jurisdictions is considered completely normal, though they've been overstepping themselves of late by wholesale interference with intra-EU transactions conducted by European private citizens, by collaborating with Israel to pressure Europe to block Iran entirely from SWIFT, and by showing their cards by financially blockading Wikileaks without any form of trial or due legal process whatsoever.
With the news here confirming that communications area resistance is beginning on commercial grounds... and from well funded pockets like Microsoft's... a ray of hope exists that the whole tide may be beginning to turn. The truth, ladies and gentlemen, is that we can choose freedom - the natural result of decentralization, encouraged by the jurisdiction-hopping internet - or we can have a feel-good, artificial, dangerous kind of centralized-power-billed-as-safety: one, or the other. It is pertinent to remember what Benjamin Franklin said: Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.
Julian Assange's strong statement in Cypherpunks that we are galloping in to a new transnational dystopia is certainly correct. Yet it is also true to say that, with massive transnational corporations even so blindly led as by the profit motive, commercial interest in reaping the custom of the decentralized masses actually aligns with the disempowerment of rogue nations acting continually in defiance of international law and other jurisdictions' right to self determination (such as the US) and instead acts to benefit the preservation of basic digital freedoms for the many.
It's far too early to see what kind of world we will pass on to the next generation, but we are at least blessed to live in interesting times.
As far as I can tell, the main issue here (ignoring jabs about the NSA, M$, etc.) is the difference between a warrant and a subpoena. US law enforcement would like to have their cake and eat it too, using a novel warrant-subpoena hybrid. With a warrant, law enforcement officers are the ones that search and seize the documents or data outlined in the search warrant. In a subpoena, the party being served is compelled to produce the documents themselves and testify in court.
In this particular case, it seems obvious that a warrant is inapplicable, since US law enforcement officers don't have the authority to seize Microsoft-controlled data located on servers in Ireland. If Microsoft had instead been served with a subpoena, they would be required to hand over any documents that they had access to, regardless of the data's physical location. However, there are strategic advantages (for law enforcement) to favor warrants, since they're much harder to challenge, and that treaty obligations with foreign countries might restrict the kinds of data that can be retrieved from overseas servers.
American institutions truly think their jurisdiction is global. Did you hear the one about the NYPD cops that showed up in different parts of the world demanding the governments in various jurisdictions respect them? (https://www.techdirt.com/articles/20140107/21020425797/posti...)
And the BNP bank fined $ 10 billions for not respecting US law while doing operations between foreign countries (under the preposterous argument that if you use US dollar for a transaction anywhere in the world, it must respect US laws).
Yup. My friend's dad had his UK account(!!!!) frozen on request of USA government because he was doing business with Cuba(trading cigars). He has never ever been to USA,and the money being transferred wasn't going through US either. It took 6 months before whichever US agency finished their investigation why a UK-citizen would be buying Cuban cigars, and they "allowed" the account to be unfrozen. Absolutely unacceptable if you ask me.
Absolutely not. The US courts used the argument that in last resort a US clearing house _may_ have to survey the transaction because it was in US$. However not a single dollar went through the US.
On top of the potentially huge fine, BNP Paribas could suffer a temporary ban on processing dollar transactions, a business that is essential to the operations of an international bank.
Are USA officials able to enforce these sorts of restrictions on e.g. the sidewalk moneychangers one finds in any developing nation? There are more dollars (both physical and in ledger books) overseas than in the USA. At what point does a bank in another country become vulnerable to this sort of restriction? Are officers going to show up outside the bank and yell "give us all your dollars!"?
Hmmm, that seems to contradict the assertion that "not a single dollar went through the US". If this is the mechanism that BNP Paribas uses, they shouldn't be surprised they are subject to USA laws.
The issue here is what happens when China does the same and ask Microsoft to hand over data stored in US for US customer? I bet US Gov will be furious. What if every country starts doing this?
I think we will hear a lot of these stories, but they will
be for show only. The American government has
access to all the server files. Companies will act like they
are fighting for our privacy, but the NSA will still be
viewing the files. The NSA might not ever say they are using the information found on servers, but they will be looking
for criminals and terrorists. When they find the perps, they will use illegial wire taps and other means to get whomever they
want. I don't doubt for a second those Irish servers have back doors tied directly to the NSA. Oh, Microsoft, Facebook, Google, etc. will all put up a very public fight though. I have a guestion about cryptanalysis; In the ninties, a Hacker named Iceman was arrested for a Card
Swap Forum. He thought he bricked his hard drives with encryption, but a eastern company broke the encrytpion--easily. What form of encryption was he using? Thanks-
Anyone else remember Microsoft cheerfully getting a US judge to overrule a German court decision? Only to now insist that a US court can't compel them to hand over an Irish server. Their views on jurisdiction matters seem to be remarkably flexible...
"The judge opined that the search would take place only when the e-mails were opened and read"
That's a silly argument, because it's like saying I'm going to grab papers from your home, but I'm not searching your home because the papers will only be read back at the office.
Who cares whether it's subpoena or warrant, thats not the point.
The point is, you can't compel international company to break law in another country, f. ex. suppose chinese court would order (subpoena?) microsoft to hand over emails and pictures of a known political dissident, that are kept on US server, what the hell do you expect microsoft do? comply? stop doing business in any country that has laws that conflict those of US? It's _very_ easy to imagine such scenarios, in all areas really, patent law, finance, whatever.
I think the only real solution is those MLATs, or international agreements on handing over data. Or maybe, in future, an international court, that could issue subpoenas valid in all member nations, when investigating crimes with similar enough laws in member nations.
The US government don't seem to realize that this could equally well be used against them, for example another country where MS operates could file a warrant requiring that Microsoft handover US government files.
China immediately popped to my head: Large enough of a market to be interesting, eager to learn and a lot of US companies have operations there. Now that could turn out interesting...
This is why my European clients are no longer using Amazon Web Services. For awhile they let us put their projects on AWS's ireland zones but even with that they were reluctant. After the NSA revelations (I know that this particular story is unrelated) they don't even allow that.
The projects were only content management system projects with minimal privacy concerns. One project did have some customer data but the others were mostly just marketing material.
Stories like this are just going to dry up the final remaining non-u.s. customers for u.s.-based cloud computing companies. It's almost like the u.s. government is trying to screw u.s. companies.
This is a ridiculous situation and as an Irish person I would say, a gross violation of our sovereignty. It's bad enough that GCHQ and the NSA do it on a daily basis anyway, now the US is trying to do it via the legal route.
Imagine the uproar if China or Russia decided to do the same to data held on US servers...
I guess this just goes to reinforce the fact that the US is a very hostile environment for business, particularly web based businesses. Incorporate in the EU!
America won the digital age, but the post-digital age will be won by whomever builds the most progressive laws into privacy and digital rights. America is at risk right now, and although momentum carries (hence why we even talk about Microsoft decades after any real innovation), but if America doesn't quickly course correct, they're soon going to find that the thing that made them great was freedom to innovate and thrive. In this new era, America is no longer the leader in freedom or the American dream. I hope whoever wins the next election is at least aware of this, as a country that focuses more and more on IP as a significant exportable product, if no one trusts or uses those products, and the natural resources have already been significantly exploited, this does not bode well for the long game.
Can you give an example where Microsoft has been innovating? Innovation mean 'novel change' and I've not seen anything outside Azure that was even the slightest bit novel. Balmer was not a risk taker, but the Azure and VS teams have been turning that ship, but it'll be years yet before I acknowledge anything as novel.
BTW a logical fallacy cannot apply to a personal value judgement.
>Moreover, they say, imposing limits sought by Microsoft would “lead to absurd results and severely undercut criminal investigations.”
The most dangerous argument made by government. There is no end to it. Someday the exact same argument will be used to ensure we all have a telescreen in every room of our homes because not having it would "severely undercut criminal investigations.”
98 comments
[ 0.24 ms ] story [ 163 ms ] threadhttp://en.wikipedia.org/wiki/NSAKEY
Edit: Why the downvotes?
To be honest I'm more worried that the crypto service providers as supplied aren't available in their shared source license.
"I love crypto, it tells me what part of the system not to bother attacking" -- Drew Gross, forensic scientist
OpenSSL, GNUTLS, Secure Transport
Done!
http://upload.wikimedia.org/wikipedia/commons/c/c7/Prism_sli...
I love it when you play rough, you sexy beast! DO NOT FORGET WHO OWNS YOU, SLAVE! YOU ARE MINE!
Love, Obama and the NSA Spooks
P.S. I left you a little something extra on the nightstand, get yourself some makeup.
How does it work for companies that are separately incorporated in another country?
For example: I had a argument with someone from Goldman Sachs Switzerland. They are claiming that their data is out of reach from the US dept. of justice because they are a separate entity incorporated in Switzerland. I have also heard that as an argument from a datacenter provider (Equinix).
Don't profits from these Swiss corporation still somehow make it to the parent company?
What does the parent company do when served with an NSL for data located in the Swiss company?
BTW the funniest thing about Goldman Sachs Switzerland is that they do not accept US customers as they are considered 'toxic'.
If Microsoft or any company does foreign business and that specific business stays out of America, the American justice system has no business at all trying to reach it's fingers into it except by established treaty and/or cooperation with foreign governments.
To clarify what your Goldman friend meant.
Swiss banks are obliged to keep customer identifiable data ring fenced and within the country. That is, it can't even be processed offshore. It has nothing to do how the entity is setup legally.
For example (I work for a Swiss bank). I can easily remote access my desktop from home, or, if I have my laptop and token with me, from any other location in Switzerland.
There is no way to access the systems from outside Switzerland.
Singapore, btw, has comparable laws and also ring fences data for use only in Singapore.
What about IT people? Such companies generally bring in IT professionals for projects from other entities such as the US headquarters.
It's unlikely that an US top executive has a valid business reason to see Swiss data when visiting the country. If such a reason exists he can surely see it, but it's probably illegal to take the data out of the country in any form. (I'm guessing here, but Swiss criminal law is quite finicky on the issue of bank secrecy).
If the top executive tries to asshole his way into the data (as in: "hand over the data, or you're fired") any halfway smart employee would immediately inform compliance, where a whole cacophony of alarm bells would go off.
As for IT professionals. Sure, a lot of foreign IT professionals work for Swiss Banks. But the need to access actual customer data is very, very rare. If the need exists, they can surely see it, but only from within the country's borders.
Can you remote access your home desktop from outside Switzerland? :)
If someone where to be caught doing that, she/he would not be able to say it was technically possible so it's OK. It's technically possible but legally forbidden. So the message is: do it at your own peril.
Reality and law don't always agree but when these things go to court, law has the upper-hand :)
https://archive.org/download/gov.uscourts.nysd.427456/gov.us...
Because of - to some extent understandable - reasons MS hate is still quite strong among this community but destroying an MS-related thread is unnecessary.
Whilst our opinions are indeed irrelevant, they still try and influence the discussion.
Why? Because the military-industrial complex has invested vast amounts of public money in technology, contractors and employees to allow them to do just that.
Companies like Booz Allen Hamilton are making buckets of cash selling the government this kind of tech and the contract staff to go with it.
The government buyers are being taken on jollies in the Caribbean and receiving nice kickbacks for authorising the public purse. Next year both parties plan on increasing the budget. And so the merry dance goes on getting bigger and bigger every year.
MS is fighting the wrong battle here.
When you're in a middle of a drug case it's pretty normal that they read your emails.
It's not normal that they read secretly my emails when they have nothing against me.
Alternatively, the Irish Microsoft corporation could decide to prevent the US corporation from having access. It could be argued that they are legally required to do this. Then the US corporation can say they no longer have access. It doesn't matter that the US corporation is the only / majority shareholder because the shareholders cannot compel the company officers to do something illegal (i.e. provide access).
The court's argument could be that MS should be required to design their systems to make it possible to comply with their requests.
(Assuming the US court claims jurisdiction, which is more or less what this case is about)
This is why Microsoft are in a Catch-22 situation, and why the correct solution for Europe is probably to just stand their ground until the US realises it has gone too far in expecting its laws to apply to the whole world and is now asking the impossible at the expense of its own business community.
Basically there is no winning for Microsoft, except keeping it secret, having the US government pressure the Irish not to sue, or having the NSA pay possible fines.
Given the history of EU court vs Microsoft, and the market size of EU vs US, Microsoft has no easy solution to the problem. The US government might pressure the Irish, but would have a harder time against European union (which I suppose is part of its design).
http://en.wikipedia.org/wiki/European_Union_Microsoft_compet...
I think the motivation is somewhat along the lines that the company didn't have a choice in the matter. Personally I wish that didn't matter and that the privacy breaches would have been prosecuted - I can think of nothing that makes legislative changes faster than companies having to choose where to do business because it would not be possible to do business both in USA and EU.
There have been some very shady dealings between Europe and the US, in areas as sensitive as financial and travel information, where it seems the US has demanded data and Europe has conveniently overlooked and/or hacked its own privacy and data protection laws so they can provide it.
I suspect given the increasingly anti-EU sentiments in many European countries and the outright hostile behaviour of the US toward foreign citizens in recent years, this situation isn't going to last much longer. Someone in politics is just waiting to make their career by telling a weakened EU administration and/or the US where to go, presenting themselves as the people's advocate and defender of basic human rights. This issue provides a convenient and potentially very effective vehicle for anyone with such ambitions.
Put another way, the asymmetric legal, economic and diplomatic relationships that have favoured the US for some time are essentially a bet that the US is worth more as a partner than any cost that asking "how high" will incur. Sooner or later, someone is going to call them, and at this point I'm not sure whether they're just bluffing.
Would citizens of the EU have faith in such a candidate anyway who will basically play the same game as their predecessors? Would anyone with the technical capabilities to develop and use encryption/steganography software for things they deem necessary to encrypt, put any trust in such a candidate over themselves?
Seems like a growing market to sell people on privacy as a service, which means there will be a growing market for those who want to subvert such…
Firstly, the means to make mass surveillance significantly more difficult and expensive already exist, we just don't use them routinely as a society. This lack of security and privacy awareness is harmful for many reasons, only a few of which are related to potential abuses by government organisations, but part of the reason they haven't been used more is because of the pressures imposed formally and no doubt less formally by governments. There is always going to be a balance here, because obviously there are bad people in the world and governments are expected (reasonably or otherwise) to protect their citizens and organisations against those bad people. I doubt any government is going to willingly give up all possibilities to intercept communication, but I think you could have a situation with much more transparency and oversight than we have today to keep that power in check and directed to its intended purposes.
Secondly, one of the most disappointing things about this whole affair is that our own intelligence and security services (I'm in the UK) seem to be more concerned with covering their backsides and keeping tight with their US chums than they are with actually, you know, providing for the security of their own country. In an era when foreign surveillance is a significant threat to everyone and so-called allies are among the prime culprits, the duty of our services is to treat those allies as hostile to the extent that their observed behaviour demonstrates they are hostile, and to respond proportionately. US spying on all our citizens' data? Promote encryption as standard and advise businesses on how to keep their data out of US jurisdiction. If allies have legitimate grounds for wanting sensitive information about British people (and I'm certainly not saying they won't have legitimate grounds for doing so from time to time) then let them request that information through proper channels and in compliance with our laws (and make sure our laws provide for assisting allies appropriately but with appropriate controls and oversight as well).
Ultimately, you can't rationally expect governments to protect their people without allowing them to use the technical tools and legal powers necessary to do so, but neither can you rationally protect your society and way of life by destroying it. This debate is all about resolving that inherent conflict in as fair and practical a way as possible, and to that extent, I think some fresh views in politics could improve the current situation considerably.
One has to acknowledge that it is also not presently in the interests of those who have kept it so. Transparency is a two way street, if everyone as individuals had access to such information that is in the hands of the few to leverage, many aspects of our society could also be made better. After all, "encrypt all the things" makes one wonder about the effort exerted is worth it all, especially if it enables individuals to deceive/mislead/exaggerate to others in the name of privacy.
Secondly, one of the most disappointing things about this whole affair is that our own intelligence and security services (I'm in the UK) seem to be more concerned with covering their backsides and keeping tight with their US chums than they are with actually, you know, providing for the security of their own country.
I question how much "security" there needs to be when governments, corporations and individuals go to such lengths to hide such information from others to maintain the asymmetry of information from individuals of the public, and wonder if they're would be more "security" provided if the public who funds such boondoggles had access to such infrastructure. I'd rather have API keys than the hand-waving/profiteering/"we know whats best for you" media/policy makers and it's enablers tell us what they think we, the public, should know of what they do on our behalf, because only they should be responsible for protecting us, and not ourselves as individuals?
I never have expected any government to protect "their" people, when all of them to some degree are actively harming them and continue to do so through various means unaccountably with claims onto behalf of the public.
Part of Microsoft's solution to the problem is getting this headline published. While the article suggests that this has been going on since before the Snowden information disclosures arose, demonstrating that they're resisting is a change from the perception many had regarding Microsoft's stance on these issues when the Snowden content first began to be published. This excerpt supports this point:
"Microsoft’s efforts to push back against the government in this and other cases, company officials say, predate the disclosures by former National Security Agency contractor Edward Snowden about the reach of U.S. surveillance. But the revelations, which began a year ago, “certainly put a premium on demonstrating to people that we are fighting,” said one Microsoft official who spoke on the condition of anonymity because he was not authorized to speak for the company."
Perhaps consider moving all operations to Europe.
If, e.g., Europe, is serious about protecting and defending against the demons that are quickly consuming the USA; they need to put in place meaningful, positive controls in place.
We really need to start coming to terms with the fact that we, the USA, are quickly becoming or maybe even are the most dangerous force humanity has ever seen. Sure, we are not "doing anything wrong" other than killing civilians and even out own people against our own laws by rationalizing ways and reasons to sidestep our most core fundamentals; but we will all rue the day that the force canalizes and stripps off its mask to reveal something far more sinister than most people could even imagine.
You have to remember, no horrible regime took power by saying they will graduate to brutalizing their own people. Put it this way, we are well into several meth highs, still insisting that we will be able to stop when we want to and control any addiction that may arise.
Not all cloud services have this limitation. However I suspect that there will always be some metadata that the government will be able to request from the cloud provider, and this legal question will still be relevant.
With the news here confirming that communications area resistance is beginning on commercial grounds... and from well funded pockets like Microsoft's... a ray of hope exists that the whole tide may be beginning to turn. The truth, ladies and gentlemen, is that we can choose freedom - the natural result of decentralization, encouraged by the jurisdiction-hopping internet - or we can have a feel-good, artificial, dangerous kind of centralized-power-billed-as-safety: one, or the other. It is pertinent to remember what Benjamin Franklin said: Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.
Julian Assange's strong statement in Cypherpunks that we are galloping in to a new transnational dystopia is certainly correct. Yet it is also true to say that, with massive transnational corporations even so blindly led as by the profit motive, commercial interest in reaping the custom of the decentralized masses actually aligns with the disempowerment of rogue nations acting continually in defiance of international law and other jurisdictions' right to self determination (such as the US) and instead acts to benefit the preservation of basic digital freedoms for the many.
It's far too early to see what kind of world we will pass on to the next generation, but we are at least blessed to live in interesting times.
In this particular case, it seems obvious that a warrant is inapplicable, since US law enforcement officers don't have the authority to seize Microsoft-controlled data located on servers in Ireland. If Microsoft had instead been served with a subpoena, they would be required to hand over any documents that they had access to, regardless of the data's physical location. However, there are strategic advantages (for law enforcement) to favor warrants, since they're much harder to challenge, and that treaty obligations with foreign countries might restrict the kinds of data that can be retrieved from overseas servers.
If it's that hard to get the necessary paperwork done for this they should fix their system not complain to the courts that it takes to long.
http://www.theguardian.com/business/2014/may/30/bnp-paribas-...
On top of the potentially huge fine, BNP Paribas could suffer a temporary ban on processing dollar transactions, a business that is essential to the operations of an international bank.
Are USA officials able to enforce these sorts of restrictions on e.g. the sidewalk moneychangers one finds in any developing nation? There are more dollars (both physical and in ledger books) overseas than in the USA. At what point does a bank in another country become vulnerable to this sort of restriction? Are officers going to show up outside the bank and yell "give us all your dollars!"?
the Indonesian National Police “were astonished and irritated that the NYPD showed up,” a federal source explained
That's a silly argument, because it's like saying I'm going to grab papers from your home, but I'm not searching your home because the papers will only be read back at the office.
The projects were only content management system projects with minimal privacy concerns. One project did have some customer data but the others were mostly just marketing material.
Stories like this are just going to dry up the final remaining non-u.s. customers for u.s.-based cloud computing companies. It's almost like the u.s. government is trying to screw u.s. companies.
Imagine the uproar if China or Russia decided to do the same to data held on US servers...
BTW a logical fallacy cannot apply to a personal value judgement.
Which in fairness the country has only had for a very short amount of time and takes very seriously.
The most dangerous argument made by government. There is no end to it. Someday the exact same argument will be used to ensure we all have a telescreen in every room of our homes because not having it would "severely undercut criminal investigations.”