We are dealing with the consequences of not taking this very seriously for the last decade. It's not good enough to just hope that the Internet will remain free in the face of legitimate concerns.
Yes, it's a concern that the Internet won't be global anymore, but it never really was. Up until things like Firesheep and Snowden, and still to some extent, a lot of Internet traffic was only safe based on not passing any bad actors.
> Yes, it's a concern that the Internet won't be global anymore, but it never really was.
So we're willing to throw all this interconnection away, the one thing that made the internet the place it is? The interconnected nature of the internet is what made me the person I am today. I have more friends from other countries than I have friends from my own and from my friendship circles I know I'm not the only one.
Not taking legitimate concerns seriously and securing the Internet we want is what is going to throw away the positive things about the Internet. Something that isn't technically secure nor robust in the face of arguments is bound to change.
> Up until things like Firesheep and Snowden, and still to some extent, a lot of Internet traffic was only safe based on not passing any bad actors.
So what? "Only safe based on not encountering bad actors" is far and away the dominant mode of security everywhere. It's what keeps your house unburgled, your planes in the air, and your family alive. Breaking into a house, taking down a plane, and murdering strangers all require very little in the way of skill or planning. Burglary and murder are also unlikely to be caught (absent a connection to the victim).
If the end of Safe Harbor spells disaster for all those centralized cloud services, that might actually turn out to be a good thing for the Internet in the long term.
We often think of decentralized peer-to-peer networks as a rebellious technology, something we need to develop in order to evade oppressive laws in an increasingly dystopian world. But what if decentralization becomes the only legal way to create and maintain a global social network? That would be ironic but also deeply satisfying.
My only worry is that this ruling might not spell enough of a disaster to shake up the VCs' faith in the centralized cloud.
"Bad actors" includes all bad actors, and the parent explicitly called out both major bad actors (hackers and governments). Not sure what more you want by demanding a clarification.
The end result may become a Balkanized internet - you can't share anything outside your country's borders or access them from outside. Each country winds up as a China, a government's dream situation. In the end though we all lose.
Not necessarily Balkanized if we concentrate our efforts in developing better protocols and not larger centralized platforms. Decentralization is key to internet freedom.
Not sure what you are proposing. This is not really something we can improve as nature works against us. Unless someone finds a wormhole for data, we will be bound by latency and thus the only solution is user segregation.
Message delivery is not a problem that needs solving. You don't even need XMPP for that, good old sockets do the trick. The problem is that you need to fetch data over high latency network links and you are not even allowed to cache it due to legal reasons.
> Eh, what? The EU data privacy laws have a specific paragraph directly and specifically declaring that caching is exempt.
That works for actual short lived caching, but not for database replication which is what you would actually need for services like facebook.
//EDIT: also the directive does not actually mention caching directly, it just mentions various exceptions of the rule. Can I have a reference to what you mean exactly?
Global latency is not that bad for a website. Sending light from one side of the globe to the other is 133 milliseconds and it's not like you're sitting in the same room as Facebook's servers anyway.
133ms latency (in the best case) is insanely bad for a database connection!
Even just adding 100ms latency to Google's page load time had a clearly measurable effect on the number of searches, and having 100+ms latency for each database request during a pageview would absolutely kill performance of most sites...
No it isn't, average page load is much higher. It's a huge struggle to get below 300ms. Adding 100ms on its own is not insanely bad, but the head of line blocking would probably be terrible and that's what would annoy you most.
EDIT: to those downvoting try cold loading google.com, I get > 200ms within San Francisco. 100ms is not "insanely" bad, and maybe a good price to pay for regulated data privacy
But it's 100ms each way for every database request while rendering the page! There's not a lot of apps out there that can do with 1 request to their database during an average page load.
If you actually had that limitation you could redesign the overwhelming majority of apps to only need 1 DB request/response. EX: Stored procedure or map reduce
I think the idea is not that slower speed would impact the Internet, but the Internet is built specifically to handle that kind of impact. Slowing it down would suck, but would not kill it. People managed just fine on dial-up, and the difference between 100ms delay and dial-up is enormous. The only thing it would impact is JS-heavy web apps that rely on pulling megs of content down very quickly. Stuff that looks and feels nice but is hardly necessary.
I can’t find the specific exception anymore, and Google is only delivering articles about today, so I’m sorry (and at any Googlers reading this: Fix your damn algorithms, or at least give us the ability to search the same way as in early 2013! I’m less bothered by spam domains than by getting only buzzfeed etc instead of actual documentation)
Back to topic: Database replication is forbidden, yes. So, well, host your data in the EU for now, and hope that the US finally comes to senses regarding spying. Same applies to GCHQ and BND
> Google is only delivering articles about today, so I’m sorry
Only three of my top links are from today if I search something like "EU safe harbor caching" and even fewer for searches that omit "safe harbor" and search for data protection (which gets you the actual directives as the first hit).
Regardless, your problem is solved easily with Search Tools -> Any Time -> Custom range...
Well, that search tool stuff still doesn’t give me any proper links, and with the way Google results are customized nowadays, it’s not really comparable anymore anyway.
Anyway, database replication is nothing that is supposed to be exempt from data privacy laws anyway. You’ll have to deal with it somehow without giving my data into the hands of a US entity.
It's not really a dotcom 2.0 until your parents' retirement is heavily dependent on unicorn valuations. If the "bubble" were to burst now the implications for the broader economy are nothing like what they were 15 years ago.
Not necessarily. The privacy rules protect personal data of EU citizens. You can share as many cat pictures as you want without safe harbour. However share my name, contacts, address and date of birth in the US and by proxy then share it with the NSA, then thanks but no thanks.
If you're a US company and some of your users happen to be European, and you just ignore this and store all users' data in the US, what kinds of sanctions can be imposed by the European Court of Justice or national authorities in individual European countries? Do they have some way to block your site at the national / continental level or go after your users? Can they fine you, send you a bill and ask US authorities to seize your company's assets if you fail to comply, even though you're breaking no US laws?
If they can't take any enforcement action against non-compliant companies outside European borders, how does this decision even matter for non-European startups?
I'm no expert, but -- am I missing something? Why can't they just (after all other due process is exhausted) just send the police to seize your servers from your data center in their territory?
Me too. In many ways, money basically ruined it. It happens everywhere where builders get replaced by businessmen.
Don't get me wrong - I appreciate what money did here. But I also hate that most of the Internet is now flooded with ads, SEO, "entrepreneurs" seeking ways to make a quick buck and startups monetizing the most basic aspects of human interaction.
It’s funny that you say this on a website aimed at people who do exactly that: making a quick buck by monetizing the most simple things.
You know, I’ve been thinking about it for a long time. In a lot of ways, the internet was an anarchist society for some time. Then some people took advantage of it, used anarcho-capitalism to get insane profits and violate any normal laws, and nowadays, it’s a bit regulated, but still anarcho-capitalist.
The anti-spam measure re-captcha is effectively everyone giving Google training data for their neural networks.
Maybe it would have been better if everything on the web was GPL. Maybe it wouldn’t. Who knows.
But obviously, this should be a sign for entrepreneurs that maybe, just maybe, your users might be more important than profits.
I don't necessarily agree with him. People who live in countries with strict data protection laws are safer, but those who live in more lax surveillance might actually wind up less safe.
I must admit, after the NSA stuff, I feel safer without "Safe Harbor".
But I guess a bunch of US companies are pretty scared about the financial implications right now. Kicking out EU citizens or moving their data to the EU.
Well, this is the usual thing about whether you're worried about the NSA or you're worried about more mundane threats.
If your threat model is "government coercion," sure, stay out of the US. But if your threat model is something like "an attacker broke into a cloud provider employee's account" or "the provider didn't take software updates", you're probably safer on the world's larger, more-staffed, more-well-run, etc. services, which are largely (though not entirely) in the US.
The best outcome here, I think, would involve serious, secure competitors to things like AWS being run by European countries in Europe.
You can already choose AWS services and ensure that they stay located only in a single region (that you decide), so you can pick EU-West-1 (Ireland) or EU-Central-1 (Germany) and be assured that Amazon won't move your data into another region.
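One concrete way to enforce the region pinning described above, as an added example that is not part of the original comment: an IAM policy (attachable to users and roles, or used as an AWS Organizations service control policy) that denies API calls to any region other than eu-west-1 and eu-central-1. It assumes the aws:RequestedRegion condition key, which AWS introduced after this thread was written, and carves out global services that do not report a region via NotAction.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideEuRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "cloudfront:*",
        "route53:*",
        "organizations:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-west-1",
            "eu-central-1"
          ]
        }
      }
    }
  ]
}
```

This bounds where your own principals can create resources or copy data (an accidental S3 cross-region replication rule or a snapshot copy to us-east-1 is refused); it says nothing about what the provider can be legally compelled to disclose.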
If you are contemplating "pan-cloud root compromise", I'd worry more about the probability of that happening and less about in which countries that cloud provider operates. That would push me towards the larger, established provider (perceived lower probability of all-access-root compromise) over a smaller upstart whose value prop was "we ONLY operate in Europe".
> and be assured that Amazon won't move your data into another region.
Is this true? If Amazon received a US subpoena requiring them to provide a copy of data on EU-West-1, is violating EU privacy laws a reason to deny a seemingly lawful court order? After all, it is against the law in the US to withhold the information.
The U.S. did exactly that with some data Microsoft had stored on Irish servers, which was subpoenaed by an American court. Microsoft lost initially, because while the data was in Europe, the subpoena was only served to Microsoft US, which had access to the data, and could therefore validly be required to hand it over under US law. The appeal is still being litigated [1]. Microsoft is very interested in fighting the case, because they've been heavily advertising cloud services to European customers on the promise that the data will be stored in Europe and accessed only according to European laws. If they lose, they may have to either give up that claim, or move to a more fully segmented model where access credentials to data in EU-based datacenters are restricted to EU-based employees.
The Microsoft case is about extraterritorial limits of search warrants, not subpoenas.
US corporations can be compelled by subpoena to appear before court and turn over documents/evidence they control regardless of what country they are stored in.
No idea about administrative subpoenas which I believe include National Security Letters though. I imagine it is the same as the judicial subpoenas.
Spot on. If Microsoft lose this case then both Azure and AWS have major problems. I do wonder though whether they can simply restructure their corporations so that they have a European arm that is completely independent legally from the US one. Maybe that will solve the NSA and EU legal problems.
1. You can still (as a user) avail yourself of user (of AWS, aka "you") controlled encryption for most of the relevant data at rest.
2. There is still a legal hurdle for the US to provide a subpoena for data which doesn't reside in the US to be brought into the US and provided. I'm no legal expert, but I doubt that's going to be as simple as "because we said we want to look at it" as this is an issue of sovereignty of the counterpart nation, particularly given that the EU high court has just ruled that the export of this data is contrary to EU law.
Of the two, #1 has significant mathematical assurance.
#1 doesn't really help if you also want to use EC2, Lambda, etc.
#2 assumes that the US national security apparatus is playing by international law, which the EU may not want to assume. Like the EU cookie law, regardless of the intentions behind the ruling/law, what matters for me as a developer is what the law thinks I should do to protect my users, not what I think I should do.
Yeah, but there's unfortunately a difference between wanting to use Lambda and needing to use Lambda, and I'm pretty sure that even an EU court can tell the difference. "We hosted in America because only Amazon supports Lambda." "OK, and what does Lambda do?" "It runs code for us when we tell it to." "And there are no European services that run code for you when you tell them to?" "Uhh...."
My point was that when you're considering what technology/hosting/cloud provider to use, you are balancing a variety of factors and very few people should weigh "can be attacked legally by the US govt" with weight of 1.0 and all other factors with weight 0.0.
Some businesses will weigh the US risk as 0.1; others at 0.001 and even those that weigh it at 0.1 might be better off choosing a provider with a higher risk of that in exchange for a richer catalog of building block services.
I think Armin makes a good point that European intelligence services have as little, or even less, regard for EU citizens' privacy as the NSA. Getting spied upon by GCHQ, the EU branch of the NSA, or by the mothership itself, makes little difference in practice.
Considering that France recently voted a law to make retroactively legal existing practices, I'd say this legal control is most often a farce (and it's not like the new law introduces strong judicial supervision, either).
Do Americans have a realistic expectation of not being spied upon by foreign powers over the internet? A cursory look at securelist.com reveals that multiple nation-states conduct campaigns against U.S. targets (and also reveals apparent U.S. gov campaigns against targets in other countries).
> Do Americans have a realistic expectation of not being spied upon by foreign powers over the internet?
Maybe or maybe not, but they do have a very realistic expectation of it having no consequences to them and the country at large. It's not like China (much less Russia) will do anything to the US (as a land and population). Other countries even less so.
Whereas lesser countries have seen the US (and Russia, especially as the USSR, and/or China) mess with their internal politics, even topple legitimate governments and install friendly lackeys in power, assist one or the other party to get in power, help friendly governments prosecute their citizenry (especially during the Cold War), bully them to sign favorable trade and other deals (favorable not for them, of course), or downright go to war with them.
I don't know a lot about international electronic communication surveillance, but wouldn't GCHQ be responsible to the United Kingdom, whereas Germany would spy through the BND and France would spy through the Brigade de Renseignement?
Good article, but he almost lost me when he started with the passport thing: European privacy laws apply to European residents (regardless of citizenship) and not to European citizens living outside of the European Union.
The latter would be unenforceable anyways. In fact, the United States is the only major country exporting laws on their citizens living abroad (e.g. taxes).
EDIT: And, in fact, detecting the ___location of an Internet user (while not perfect) unfortunately works very well for "regular" users not well versed in VPNs and proxying - think YouTube country restrictions or also Google Maps' approach to display different maps depending on the user's ___location.
The flip side is it's a better place to be a free citizen for the most part. You can ask companies for all the data they have on you and they are legally compelled to comply.
Respectfully, do you think that is perhaps a false sense of security? Government surveillance is ubiquitous and American companies are going to track you regardless.
In some sense I absolutely agree. There's a difference to be seen in requests for existing data and the realtime feeds we now know exist.
But I guess something could be considered better than nothing. Europeans definitely do have better legal access to correcting incorrect data for example.
So does that rule out a good chunk of US providers for european companies (stripe/braintree/slack etc)?
I could only find mention of Safe Harbor in their privacy policy and not where the data is hosted.
Pretty much. From what I have heard so far the general assumption is that you can still set up a contract to achieve what Safe Harbor did, but your users need to explicitly agree with the provisions.
This is our concern, as a small business using a very small but non-zero set of US services, all of which were previously covered by Safe Harbor provisions.
This ruling is something we have always been concerned about from a business point of view, because ever since it became untenable to claim US companies could actually protect any personal data at all the basic legal premise on which Safe Harbor was built has been shaky. We don't know now whether it will still be sufficient to merely disclose our commercial partners in our privacy policy (which we do, by name and with an indication of what we use them for) or whether we need some sort of more active consent.
I haven't had a chance to speak to our lawyer yet, but I'm expecting him to tell us something along the lines of: the law now requires us to add yet another prominent notice at the conclusion of a sale. On top of all the consumer protection rubbish from the recent EU changes there -- which again were well-intentioned but actually impose silly things that help neither us nor our customers -- the number of such notices we need by law is making our sales pages almost comical now. I can't believe all these notices really help to protect anyone from much of anything in practice, and anyone reading this on HN probably knows what effect compliance has on conversions.
The second to worst possible outcome is probably that we are now required to seek active consent from our existing customers before continuing to use things like US-based payment services. The worst is that it actually becomes illegal to use those services at all, though I don't think that is going to happen.
It's sad, because from a personal point of view this mess is long overdue for being cleaned up. But the authorities are so clumsy about handling these issues that a lot of the time they just hurt small businesses and legitimate international trade.
Is the "required to seek active consent" actually a bad outcome? From a customer point of view it seems better than "I assumed you wanted me to do x" regardless of what x is.
Think about this from a non-IT point of view. If you went to a store and paid for your groceries with a card, would you expect to go to the checkout, hand over the card, and then have the cashier stop you for thirty seconds while reading a form disclaimer that by paying by card you were consenting to information about the ___location and amount of your purchase together with your own identity and the details of your card being sent to the operators of the card scheme, who may be based outside Europe, for the purposes of completing the transaction, and only then (assuming you haven't given up in frustration) ask you to put in your PIN to confirm the purchase?
I kind of get your point, however I believe that the inconvenience of having to make decisions based on actual information is preferable to implicitly trusting any country or company that the store chooses to use, especially in the IT case where most of the time (if you live in the EU) you also have to agree that your information should be handled and protected by a foreign power (which has shown itself to be hostile on several occasions; it's basically the same as US citizens trusting their personal data to Russia) with no legal obligations towards you.
The big issue is the fact that we have become accustomed to being relieved of both the choice and the information about which choices have been made for us.
Which of course makes us a bit lazy, since it's hard to make informed choices, which probably is going to make a system like the one you described a hassle to implement, but I'd say it's worth it to bring back at least a small semblance of choice and control of your own information.
This is great! It gives users lots more privacy rights, rights that come with teeth. See page 105 of [1]. It's going to force many US companies to register with a European data privacy controller.
Here are the basic rights of a "data subject":
• Everyone shall have the right under national law to request from any controller information as to whether the controller is processing his or her data.
• Data subjects shall have the right under national law to:
  • access their own data from any controller who processes such data;
  • have their data rectified (or blocked, as appropriate) by the controller processing their data, if the data are inaccurate;
  • have their data deleted or blocked, as appropriate, by the controller if the controller is processing their data illegally.
• Additionally, data subjects shall have the right to object to controllers about:
  • automated decisions (made using personal data processed solely by automatic means);
  • the processing of their data if it leads to disproportionate results;
  • the use of their data for direct marketing purposes.
What this means is that data collected by a company about an individual belongs to the individual, not the company. The individual can look at it, correct it, and take it back.
This isn't a problem if you're not a scumbag. If you're selling your customer list for marketing purposes, or using data you collect about users for marketing purposes, you have a problem.
The EU requires explicit consent for such things. A contract of adhesion EULA is not enough. Exceptions to data privacy must be opt-in, not opt-out.
Passing data about persons on to another party can cause serious liability. You have to know where the data went, exactly who has it, and be able to delete it even if it's now in the hands of another party.
This is EU-wide, and registration with one national data controller (a Government agency which checks for privacy violations) in the EU is usually sufficient. Here's a set of guidelines from the European trade association for online marketing.[2]
The biggest practical implication here is that any data you collect and share about individuals must remain within your reach, because you're responsible for correcting it, blocking it, or deleting it. Mailing lists must now contain info as to where the info was originally collected.
It's not really that bad. Europe has operated under these rules for decades. Deal with it.
> It's not really that bad. Europe has operated under these rules for decades.
It's really not that simple either. Many businesses, particularly very small ones, depend on external services to be viable in the first place. It's right that those businesses should pay attention to data protection and privacy issues -- I'm a strong believer in such things personally -- but there also has to be some reasonable framework for what can and can't be done by default, without requiring explicit consent for every last detail.
The trouble with opt-ins for everything is that it instantly scales beyond the point of being practical. Just as hardly anyone actually reads the 9,753 page terms and conditions document before checking the box or pays any attention to the "we use cookies" notices, so hardly anyone will pay attention to formulaic "we might export your data outside the EU and foreign governments might spy on you" warnings. Creating a system that no basically reasonable and ethical business can actually comply with in practice will just result in no-one taking the rules seriously and consequently no-one actually enforcing them, again much like the cookie notices and so on.
Ironically, a good solution in this case is easy to see: the US government could make it absolutely clear that interception of or interference with personal data held by US companies can only be done following proper, legal processes, and then the EU governments would need to update the rules about Safe Harbor provisions to allow a reasonable exception for government access to personal data following due process. Throw in mandatory encryption at a level where the shortest path to getting data needed for legitimate government purposes is to just get the appropriate warrant or equivalent and formally request that the business in question hand over the relevant data, and probably most people are happy.
No-one serious about the privacy debate seems to be suggesting that businesses should never have to turn over personal data they have access to in order to comply with something like a proper court order to provide evidence for a case being heard by that court. It's the dubious access to the data outside of proper legal processes and oversight that causes the conflict here, and at least parts of the EU government system take that sort of thing a lot more seriously than most of the US government right now.
> The trouble with opt-ins for everything is that it instantly scales beyond the point of being practical.
That's a feature, not a bug. It means you don't get to use personal information for marketing purposes unless the customer really wants you to and says so. It's the customer's information, not the retailer's.
US businesses might think of it as the customer having a property right, like copyright, in their own personal info.
I consider not being able to run an otherwise reasonable business at all a bug.
> It means you don't get to use personal information for marketing purposes unless the customer really wants you to and says so.
It also means, for example, that you can't charge them using a US-based payment service, provide whatever product or service they are requesting if it involves interacting with a US supplier and providing their personal details for delivery or authorising access, or use US-based administrative services to help run your business more efficiently, without your customers' explicit consent, even if this is only to provide exactly what they've just asked you to provide.
If your business model depends on openly breaking the law, it's not a reasonable business model.
Alternative possibility: The law is broken.
What if your business model is otherwise perfectly reasonable and acceptable to all of your customers, and it doesn't rely on breaking the law at all, until the very governments who are entrusted with producing reasonable, consistent laws to support their populations are the ones who screw it up? Should we just close down all European companies doing business with US online services right now, today?
As far as I can see, that is technically what this ruling will lead to. Somehow, I don't think most people in either Europe or the US would consider the resulting collapse of both regions' economies to be desirable, and I doubt that was the desired outcome when the European lawmakers established the basic data protection principles at the heart of this. Those same lawmakers, after all, are the ones who saw fit to provide a Safe Harbor mechanism to facilitate reasonable international trade in the first place.
If the end of slavery causes your cotton business to become unprofitable, it's not an attack on the cotton industry, it's still an attack on slavery.
And what about providing exactly the service your customers were asking for, but using say a US-based payment service that is openly disclosed in your privacy policy? Maybe that is now illegal on a technicality, because you didn't get active consent for using that US service to charge their card. What if your Europe-based bank didn't have explicit permission from your customer to communicate with a US-based card scheme to authorise your customer's card, for that matter?
Will it really help to confront customers with yet more mandatory legalese at the online checkout that just describes what everyone expects to be happening anyway? Who is really going to benefit from that? I'm all for reasonable protection of personal data and proper safeguards for privacy, but when you go so far that you stop people transferring personal data in ways that are necessary to provide the exact product or service that a customer is deliberately requesting and would be reasonably expected by that customer, you've lost the plot and your system needs fixing.
I hear your words and all I can conclude is: What a _great_ ruling. Seriously.
Decentralization is a major thing we need right now. Also: the EU gov. agencies are very unlike the US ones in that we have a political power over them.
What are the business implications for this? Does this only matter for businesses registered in Europe operating off US servers? Or does it prevent any US business from storing European customers' data?