Nitpickers aside (yes, what they had they may still have or at least in digest form) this is a single instance of a tidal wave of people doing this. EU datacenters are doing quite well because of the NSA revelations.
The economic impact of this could very well counteract any net plus the US had while they were able to spy at will. Likely it's not going to be the same parties that will end up footing the bill.
The practical effect from a security point of view of this exodus is likely not very significant, I take it as read that EU pipes & major hubs are also bugged in much the same way, possibly even by the NSA and their friends with tacit approval or blind-eye-turning of local authorities, presumably under some data sharing agreement.
Just this morning it was revealed that Belgacom (the Belgian major telco) has concluded that their communications are being spied on and I'm sure that even though the Belgian government is reacting very much upset about this that when the final verdict is in we'll find that that very same government at some level of the bureaucracy knew about this since day one.
Plausible deniability will protect those in charge.
So, you can move your data around as much as you want, it won't make much more than symbolic difference unless you go to really exotic or lawless places.
Maybe Switzerland or Iceland could re-invent themselves as data bastions but that would merely shift the attention to lines running into and out of those places.
Much as I'd like to see some kind of "tidal wave of people doing this", purely in the interests of sending a message to somebody somewhere that data sniffing = not cool, I don't personally know anyone who's taken the time or energy to move all his data off of bugged U.S. servers onto bugged European or Asian ones or attempted to host it himself in less-efficient email clients, etc., nor plans to, nor do I hear very many people online talking about doing this, nor planning to, nor have I done this myself, nor do I plan to.
There's a lot of pulling of hair and gnashing of teeth going on right now in the blogosphere, but strikingly few people actually doing anything, and the actual movement looks more like a tiny ripple in an otherwise calm tide pool than it does a 100-story wave.
I suspect that until better, easier-to-use services come along than the ones being skewered in this post, most people are simply going to stay right where they are.
And once those services do come along, and attract a large enough user base, I'm pretty certain they will in turn attract agencies like the NSA (or whatever the local government equivalent may be, if not in the U.S.), showing up with hands out and secret court orders up.
If privacy was paramount to people, no one would be on Facebook (I'm certainly not, and haven't been for years). Yet, Facebook, much as everyone constantly complains about its blatant disregard for users' privacy, seems to be doing just fine, with its billion or so users and its $80 billion valuation.
The Internet is living, breathing, functioning proof that, at least to 99.9999% of human beings, utility > privacy. Unless the U.S. government starts skimming off the top of people's bank accounts, I don't think there's going to be much of a mass exodus any time soon - the motivation simply isn't there.
U.S. policy is greatly influenced by corporations. Let's assume that an alternative non-American Gmail shows up with most of the key functionality in place but with extensive user privacy being a selling point. I for one would switch in a heartbeat. I think a lot of other technically minded people would as well. Many of whom are probably influential when it comes to technology decisions among their peers. It doesn't have to be a mass exodus. A trickle of influential can turn into a tide. We've seen it before, especially with internet companies.
Google's a data company. They're definitely going to see this and if it's non-trivial then they're going to react. Lawyers and lobbying ensues. Policy may be affected.
I admit I'm kinda waiting for someone to say: "We're exactly like GMail/Dropbox/whatever but we take security seriously and we're outside US jurisdiction. Click this button and we'll migrate your data for you."
I guess I just don't value my boring private data enough to put much work into this right now. But if I ever need a new cloud service, being outside the US will definitely count as a big plus.
Large companies have a pretty strong set of rules to guide them in the EU DPD and privacy laws of individual countries, that means that they need to subcontract with others in such a way that they can fulfill this.
From a few months ago if you were serious about trying to comply with the law in Europe then by now you are either migrating to EU hosting, you've already migrated or you are planning your migration. If not you run the risk of being found non-compliant at some point in the future or to get very pointed questions when a new investor decides to step on board or when you're in a position to sell your company to a larger entity.
This is not going to be advertised, it isn't going to be in the headlines, it is just happening underwater and out of sight. But it definitely is happening. Individuals making those same choices are doing so for different reasons than corporations.
I completely agree that the technologies used for self-hosting have been neglected during this era's obsession with what I call the "plain cloud." As you point out, convenience is paramount. The plain cloud has seen the lion's share of R&D and has been sold to consumers as the pinnacle of convenience.
However, I contend that had an equal amount of R&D been invested in a distributed cloud (what we used to refer to as "the Internet," not to be snarky)--especially one that provided federated encrypted data backup among trusted friends and family, a model that would embrace high-bandwidth symmetric connections to consumers' homes and the notion of self-serving--we'd be better off now.
In other threads at HN, I believe this has been covered sufficiently, so I'll cut that short.
I think your first paragraph may be correct insofar as there are many of us who were already doing self-hosting of our data. Those concerned with privacy were already assuming the situation was fairly bad, although I think even we were surprised at how bad it is.
My data is no more interesting than the OP's. Boring e-mail, boring family photos, boring unpopular music, boring documents. Yet out of principle, I self-host it. Self hosting is not that remarkable, but it is a rapidly disappearing practice. As recently as five to ten years ago nearly everyone in the world self-hosted their personal data.
Since my first DSL line in 1998, I've always splurged a bit for a symmetric connection. Since then I've found it disheartening that symmetric connections were and remain marginalized. Today, I can connect to my home VPN relatively easily from any of my devices to access my data. It could certainly be a lot better (I've ranted elsewhere that VPNs suck; they've not seen genuine R&D in ages).
Running a personal mail server is pretty simple too. With so much *-as-a-service out there, I admit that some people are losing the will to install a service of their own, but assuming you do a little bit of research, some modern options are more or less install-and-play, with decent anti-spam.
Again, had a distributed cloud continued to see bountiful R&D as the plain cloud has, the self-managed options would be 5-10 years more mature today. Had Thunderbird not been effectively neglected for the past ~4 years, it would probably be a (slightly) nicer e-mail client.
> I don't personally know anyone who's taken the time or energy to move all his data off of bugged U.S. servers onto bugged European or Asian ones or attempted to host it himself ...
Hi there. This is, in fact, exactly what I've been working on over the weekend.
I have ~8 GB of mail spread across three e-mail accounts hosted by Google (excluding my original @gmail.com account, which I never use). I've now got my own server set up and about 0100 UTC today (Monday) I "flipped the switch" (changed MX records) and have been keeping an eye on it since then.
I did an initial run with imapsync to move the bulk of the mail over and, after 0100 UTC (when the TTL expires) I'll do another run to make sure I've gotten anything that ended up in the mailboxes on Google's servers since then.
Afterwards, I'll delete all of the messages in those Google accounts and, finally, remove the whole domain and such. I'm sure that Google will still have a copy of all of that for a good while but, at some point, they'll delete it.
In the grand scheme of things, I know that it isn't really going to make a difference. It's more symbolic than anything but I can feel a little bit better knowing that my data is more secure/private than it was.
I've been meaning to do it for the last few months and I'm happy that I finally devoted the time to making it happen.
(For the curious... a RHEL derivative, configured according to the CIS RHEL6 Benchmark and DoD/DISA RHEL6 STIG (for the most part), running Postfix and Dovecot (w/ SSL/TLS and a "real" certificate although I'm starting to think I'd be more comfortable if I had just made my own) w/ AMaViS and ClamAV thrown in as well.)
+1, the NSA is one player amongst all the countries, corporations, and ...work colleagues who might be interested in your files. There are more commercial agencies around than we'd like to think, who are given 10 grand to ruin your reputation or make your laptop disclose your next commercial move...
I don't think the worst consequences are in people moving their data off services now -- the real impact is how this affects long term IT strategy. Even small changes to the slope of the adoption curve now will result in massive accumulated losses over time.
A lot of companies with a lot of data are asking themselves whether or not to put that data in the cloud. Storing data in the US right now is a bit like suggesting you store your confidential files in 1980s Soviet Union -- only, they would probably have been a lot safer in the 1980s Soviet Union.
It's scary that they don't care but not surprising. We live in a world where the majority of people with privilege are comfortable with the fact that racial profiling still pervades the criminal justice system. In fact, such a statement will be viewed as controversial and debate will be diluted by meaningless argument about whether racial profiling exists or whether the use of the term, "privilege," is even fair. Privacy, I believe, faces the same conundrum: it's a problem but the consequences of it are so divorced from the individual that most people won't even think about it.
The rub for me is not that some NSA goon could snoop on where my gaming group is meeting up next week. It's that they could use the scale of their surveillance powers to profile and target groups of individuals in much finer strokes. They don't need to mobilize a state police force to stop random persons and check their papers anymore. It's much more quiet now and less noticeable. We can let our imaginations run rampant about what they could do with this information but I think there's evidence of what they do use it for already and the reality is often much more frightening because it seems so benign.
When conducting 702 FISA surveillance, the only information NSA obtains results from the use of specific identifiers (for example email addresses and telephone numbers) used by non-U.S. persons overseas who are believed to possess or receive foreign intelligence information.
Foreign terrorists sometimes communicate with persons in the U.S. or Americans overseas. In targeting a terrorist overseas who is not a U.S. person, NSA may get both sides of a communication. If that communication involves a U.S. person, NSA must follow Attorney General protects the privacy of U.S. persons.
The collection under FISA section 702 is the most significant tool in the NSA collection arsenal for the detection, identification, and disruption of terrorist threats to the U.S. and around the world.
It's probably all true. I'd wager the majority of information gathered from surveillance activities under the FISA is to spoil terrorist threats against the U.S. However denials like this have a way of avoiding the definition of, "terrorist threat," or explaining the scope and restrictions the information so gathered must be used.
I suspect they might use the aforementioned section of the FISA to enable the extradition and persecution of whistle-blowers as terrorists. This would allow them to black-van these people and remove them from the world. However one can only speculate that this is true. And therein, in my opinion, lies the danger.
append pbcopy if on a mac:
echo "my quote" | fold -s -w 77 | sed "s/^/ /" | pbcopy
When conducting 702 FISA surveillance, the only information NSA obtains
results from the use of specific identifiers (for example email addresses
and telephone numbers) used by non-U.S. persons overseas who are believed to
possess or receive foreign intelligence information.
Foreign terrorists sometimes communicate with persons in the U.S. or
Americans overseas. In targeting a terrorist overseas who is not a U.S.
person, NSA may get both sides of a communication. If that communication
involves a U.S. person, NSA must follow Attorney General protects the
privacy of U.S. persons.
The collection under FISA section 702 is the most significant tool in
the NSA collection arsenal for the detection, identification, and disruption
of terrorist threats to the U.S. and around the world.
also, to address the lies you're spreading:
I have no idea about 702 fisa surveillance, but what we do know is:
1 - the nsa collects intelligence
2 - if you, as an american, communicated with a foreigner, you're fair game.
2b - if you, as an american, communicated with an american who communicated with a foreigner, the nsa collects your communications.
2c - if you, as an american, communicated with an american who communicated with an american who communicated with a foreigner... the nsa collects your communications.
2d - why yes, if you're observant, you might think this is virtually every american.
3 - if they accidentally collected your, as an american, communications, they keep it. "Accidentally".
4 - since all pigs are liars, they distribute this to, amongst others, the irs and the dea, along with a guide to whitewashing where the information came from. So the dea can, what do you know, pull over a random van for a busted tail light or not signaling a lane change or signaling a lane change too early or just cause they feel like it -- there is always, 100% of the time, a reason for a cop to pull over a car if they want to. Then they randomly find drugs! Who knew, must be just a coincidence! [1]
The undated documents show that federal agents are trained to recreate the
investigative trail to effectively cover up where the information
originated, a practice that some experts say violates a defendant's
Constitutional right to a fair trial. If defendants don't know how an
investigation began, they cannot know to ask to review potential sources of
exculpatory evidence - information that could reveal entrapment, mistakes or
biased witnesses.
I have never heard of anything like this at all, said Nancy Gertner, a
Harvard Law School professor who served as a federal judge from 1994 to
2011. Gertner and other legal experts said the program sounds more troubling
than recent disclosures that the National Security Agency has been
collecting domestic phone records. The NSA effort is geared toward stopping
terrorists; the DEA program targets common criminals, primarily drug dealers.
It is one thing to create special rules for national security, Gertner said.
Ordinary crime is entirely different. It sounds like they are phonying up
investigations. [1]
5 - yes, regarding #4, all pigs are liars, and this would be lying directly to the court. Not that they will be prosecuted for it.
6 - since this already migrated from "omg terrarism" to drugs, you may wonder where it will end. tip: it won't just be with drugs, it never is.
European chest-beating in the wake of the NSA revelations is fairly hypocritical. The difference between the US and the EU is that in the US, the snooping was icky, secret and very possibly illegal. In the EU, it's done out in the open, required by law:
According to the directive, member states will have to store citizens' telecommunications data for six to 24 months stipulating a maximum time period. Under the directive the police and security agencies will be able to request access to details such as IP address and time of use of every email, phone call and text message sent or received. A permission to access the information will be granted only by a court.
Concerns about spying on foreigners vs. nationals? Does not apply in the EU. All the chatter about mission creep in the PRISM data, how it's used by the DEA, IRS etc., rather than use national security? That's routine, by the book usage of the very same data in the EU.
DRD is in many ways incompatible with DPD, this is well known and a source of much industry confusion.
Note that the DRD applies to specific requests and that the data is kept by the corporations (typically telcos and ISPs) rather than turned over wholesale to government institutions, in other words, you need a warrant to get specific data.
As such, there is a huge difference here.
Where the hypocrisy comes in is where the EU nation states were actively aiding the NSA in exchange for access and tricks regarding nationality to side-step local limitations ('I spy on your citizens if you spy on mine').
Another thing, hypocritical maybe, even if the EU is being "just as bad" in a certain sense, piggybacking on the US outrage on this topic may help matters in the EU as well. Even if it's just increased privacy-consciousness among the public. For real, like people have pointed out, we already knew about surveillance in the EU months (or longer) before Snowden leaked his info, it was public knowledge and nobody said anything because it wasn't really in the news. Now it is, and some of it may stick to what the EU is doing as well.
The data retention directive is undoubtedly problematic, but if it is implemented according to law, it means that telcos will hand over metadata on individual accounts at the request of a court. There are no secret courts, no gag orders and no dragnet mining of content as opposed to metadata.
But of course that says nothing about what European police organizations are up to ... secretly. I'm thinking of things like the "Bundestrojaner".
How un-secret are they? Is there a room I can go sit and watch search warrants being requested and issued? If not, why do you believe it's better than the US situation?
The existence of such a room is not the only way in which the situation could possibly be better than in the US. In fact, such a room would itself be a gross violation of privacy.
I think I explained in which ways I think it is better as far as the data retention directive is concerned. Whether or not it is really better in practice considering what police in any particular country might do, that I don't know. Maybe we need our own Snowden to tell us that.
It's more about pragmatism than hypocrisy. Everyone in Europe has a lot to win on painting the US as the bad guys and themselves as innocent. Major European tech firms are going to play this story very hard to gain fat government contracts rather than their American competitors. That's what might change things, when profits are being hurt politicians are very quick to act.
As Europeans turn against Americans (or more precisely, non-Anglos turn against the Anglosphere/Five Eyes), the West begins to fracture precisely as the East begins to rise again with force.
The west fractured or not, the east is going to rise. Turning a blind eye to this concrete opportunity makes no difference to that end result, but does affect the quarter's earnings.
Also, these quarrels will hardly damage international relations in any significant manner as to prevent the west from uniting in whatever manner they see fit to face the east.
Will it? People are getting fired up, and the anti-American feelings in Europe are strong. The politicians might understand better but will the people? Or will, after years of being told how evil the Americans are, functionally see their choice as one despot or another? Which is sad, because all of this hoopla over spying... isn't a hoopla in the east. It's just the status quo.
The rest of the world has known for a lot of years (more than thirty) what has just been confirmed and publicized in the US itself with the latest developments: The US government is not at all a BDFL, but behaves more like a bully.
These revelations don't change things much, macropolitically.
The only thing that could, maybe, be changing is the US people's perception of their country but, again, many western democracies are not keen on listening to the people.
More to the point, this is a problem of layers. It's not just where you decide to host.
Most every national government is probably involved in data sniffing to one degree or another, major hubs are/can be bugged, and undersea fiber connections are especially vulnerable. This, in addition to all of the insecurities found in common consumer gear.
There's probably a tidal wave of folks moving, but I agree: the move is nothing more than hugely symbolic. The only thing you might accomplish is change the organization that's capturing your data and perhaps the method. But that's about it.
The method is significant. I don't really have any issue with NSA trying to MITM, hack phones and tap cables: as long as my endpoints are safe and I'm using encryption between them, they have to work for it, so only real baddies will be seriously targeted.
What we cannot defend from is the liberal use of NSLs to subvert endpoints controlled by Google, Facebook etc, which make it way too easy for them to mass-dragnet, leading straight to LOVEINT abuses and the like. Moving away from these services should help in this regard.
This said, moving away from these services does take some work, which is why OP deserves lots of kudos.
> as long as my endpoints are safe and I'm using encryption between them, they have to work for it, so only real baddies will be seriously targeted.
This technical barrier is getting weaker every year (or month or week?), we cannot be sure that encryption is still holding up, or at least: that it will always hold up. And besides that, endpoint security may be acceptable for real experts, but never for the layman (probable backdoors in Windows, MacOS - maybe even Linux OSes).
If we as a society decide to accept what the NSA does, then we accept the total loss of privacy - it's then just a matter of time. And without privacy, democracies will die and corruption will flourish.
You can also encrypt the data before it gets to the server by a third-party who holds the key in your own country. (these services do exist btw) The question is then if those companies choose to give up the key to decrypt the information.
It will however have an economic impact on US, if you do that. Think of it as "voting with your wallet". You're voting with your wallet against US.
It's also a political stand. As a foreigner who can't vote against the current US government, or even as a US citizen, your action can have a political impact.
Our political system sucks. I'm deeply affected by the US or Russian government's actions - because the Internet is mostly American and Russian, yet I don't have rights to influence decisions in either of those countries. Our country's minimum monthly wage is $211 and our average - $500, so there isn't even a lot of voting with our wallets that we can do. The only choice I had is to donate to Fight for the Future and plan moving everything to a home server, essentially reverting to my setup from 5 years ago.
At least there is a glimmer of hope (no matter how delusional) that the political process in Europe can be influenced and at some date in the future the monitoring can be turned off or at least put under more rigorous oversight.