undefined | Better HN

0 pointsblibble1y ago0 comments

the "sovereign" label from Amazon, Microsoft, Google and Oracle was always a lie, for auditors check boxes

they are not sovereign because they're running software developed by a company liable to coercion by the regime

0 comments

7 comments · 3 top-level

Sammi1y ago· 4 in thread

US companies are required by US law to disclose data to US authorities when requested - no matter where in the world they operate.

Doesn't matter if it is a EU subsidiary. The US parent company must abide by US law and give US authorities the data.

EU citizens cannot trust their data in the hands of US companies. No matter if it is on servers in Europe hosted by European subsidiaries.

mattlondon1y ago

The way they are doing it is entirely air gapped systems, run by totally independent companies (not subsidiaries, totally separate legal entities owned and run by other people) that are effectively licensing the software.

So the US legal system can say "give us this data" but they don't have access as they are on another company's servers in another company's data center operated by another company's staff.

pyrale1y ago

> So the US legal system can say "give us this data" but they don't have access as they are on another company's servers in another company's data center operated by another company's staff.

US institutions don't hesitate to demand their companies to implement secret backdoors in their hardware or software, as evidenced by Snowden's leaks (for Cisco routers) and the Lavabit shutdown (mail company ordered to implement a tap on their clients' data).

Sure, you can have all you described, but how are updates vetted?

2 more replies

rurban1y ago

The US state just ask the UK GHCQ to get the data to them instead. That's what they already do for decades, and likewise the GHCQ gets the US data. Under the national security umbrella, so they'll deny any data exchanges. With Germany the figure is known to be 10%. With the UK the figure is 100%.

The EU should really fight these illegal circumventions

sebazzz1y ago

If that is the case, how can I manage my EU Azure instances via the regular Azure Portal, yet US-Microsoft not having any access?

2 more replies

formerly_proven1y ago

Yeah it's a 100% checkbox exercise explicitly designed to only satisfy the letter of the law.

Unfortunately critical infrastructure providers flock to that, though there are some exceptions.

sudoshred1y ago

Disagree, location matters. It should be technically feasible to implement a code freeze (in software, or hardware) in a sovereign system when external partners’ motives become questionable. That being said in all likelihood that capability is cost prohibitive (speculation), but still co-location is a pre-requisite.

j / k navigate · click thread line to collapse

0 comments

7 comments · 3 top-level

Sammi1y ago· 4 in thread

US companies are required by US law to disclose data to US authorities when requested - no matter where in the world they operate.

Doesn't matter if it is a EU subsidiary. The US parent company must abide by US law and give US authorities the data.

EU citizens cannot trust their data in the hands of US companies. No matter if it is on servers in Europe hosted by European subsidiaries.

mattlondon1y ago

So the US legal system can say "give us this data" but they don't have access as they are on another company's servers in another company's data center operated by another company's staff.

pyrale1y ago

> So the US legal system can say "give us this data" but they don't have access as they are on another company's servers in another company's data center operated by another company's staff.

Sure, you can have all you described, but how are updates vetted?

2 more replies

rurban1y ago

The EU should really fight these illegal circumventions

sebazzz1y ago

If that is the case, how can I manage my EU Azure instances via the regular Azure Portal, yet US-Microsoft not having any access?

2 more replies

formerly_proven1y ago

Yeah it's a 100% checkbox exercise explicitly designed to only satisfy the letter of the law.

Unfortunately critical infrastructure providers flock to that, though there are some exceptions.

sudoshred1y ago

j / k navigate · click thread line to collapse