Well, this is the usual thing about whether you're worried about the NSA or you're worried about more mundane threats.
If your threat model is "government coercion," sure, stay out of the US. But if your threat model is something like "an attacker broke into a cloud provider employee's account" or "the provider didn't take software updates", you're probably safer on the world's larger, more-staffed, more-well-run, etc. services, which are largely (though not entirely) in the US.
The best outcome here, I think, would involve serious, secure competitors to things like AWS being run by European countries in Europe.
You can already choose AWS services and ensure that they stay located only in a single region (that you decide), so you can pick EU-West-1 (Ireland) or EU-Central-1 (Germany) and be assured that Amazon won't move your data into another region.
If you are contemplating "pan-cloud root compromise", I'd worry more about the probability of that happening and less about in which countries that cloud provider operates. That would push me towards the larger, established provider (perceived lower probability of all-access-root compromise) over a smaller upstart whose value prop was "we ONLY operate in Europe".
> and be assured that Amazon won't move your data into another region.
Is this true? If Amazon received a US subpoena requiring them to provide a copy of data on EU-West-1, is violating EU privacy laws a reason to deny a seemingly lawful court order? After all, it is against the law in the US to withhold the information.
The U.S. did exactly that with some data Microsoft had stored on Irish servers, which was subpoenaed by an American court. Microsoft lost initially, because while the data was in Europe, the subpoena was only served to Microsoft US, which had access to the data, and could therefore validly be required to hand it over under US law. The appeal is still being litigated [1]. Microsoft is very interested in fighting the case, because they've been heavily advertising cloud services to European customers on the promise that the data will be stored in Europe and accessed only according to European laws. If they lose, they may have to either give up that claim, or move to a more fully segmented model where access credentials to data in EU-based datacenters are restricted to EU-based employees.
The Microsoft case is about extraterritorial limits of search warrants, not subpoenas.
US corporations can be compelled by subpoena to appear before court and turn over documents/evidence they control regardless of what country they are stored in.
No idea about administrative subpoenas which I believe include National Security Letters though. I imagine it is the same as the judicial subpoenas.
Spot on. If Microsoft lose this case then both Azure and AWS have major problems. I do wonder though whether they can simply restructure their corporations so that they have a European arm that is completely independent legally from the US one. Maybe that will solve the NSA and EU legal problems.
1. You can still (as a user) avail yourself of user of AWS (aka "you") controlled encryption for most of the relevant data at rest.
2. There is still a legal hurdle for the US to provide a subpoena for data which doesn't reside in the US to be brought into the US and provided. I'm no legal expert, but I doubt that's going to be as simple as "because we said we want to look at it" as this is an issue of sovereignty of the counterpart nation, particularly given that the EU high court has just ruled that the export of this data is contrary to EU law.
Of the two, #1 has significant mathematical assurance.
#1 doesn't really help if you also want to use EC2, Lambda, etc.
#2 assumes that the US national security apparatus is playing by international law, which the EU may not want to assume. Like the EU cookie law, regardless of the intentions behind the ruling/law, what matters for me as a developer is what the law thinks I should do to protect my users, not what I think I should do.
Yeah, but there's unfortunately a difference between wanting to use Lambda and needing to use Lambda, and I'm pretty sure that even an EU court can tell the difference. "We hosted in America because only Amazon supports Lambda." "OK, and what does Lambda do?" "It runs code for us when we tell it to." "And there are no European services that run code for you when you tell them to?" "Uhh...."
My point was that when you're considering what technology/hosting/cloud provider to use, you are balancing a variety of factors and very few people should weigh "can be attacked legally by the US govt" with weight of 1.0 and all other factors with weight 0.0.
Some businesses will weigh the US risk as 0.1; others at 0.001 and even those that weigh it at 0.1 might be better off choosing a provider with a higher risk of that in exchange for a richer catalog of building block services.
If your threat model is "government coercion," sure, stay out of the US. But if your threat model is something like "an attacker broke into a cloud provider employee's account" or "the provider didn't take software updates", you're probably safer on the world's larger, more-staffed, more-well-run, etc. services, which are largely (though not entirely) in the US.
The best outcome here, I think, would involve serious, secure competitors to things like AWS being run by European countries in Europe.