Yeah, right.
1. The Norwegian security services have a long history of violating Norwegian law (and when, for example, extensive illegal politically motivated surveillance of mostly left wing politicians was uncovered in the 90's they then had the gall to place an MP and member of the committee investigating them under surveillance while he was working on the report about their illegal surveillance), and have always been extremely cosy with the US.
2. Most bandwidth to Norway goes via Sweden. Sweden is not a safe country to pass data through if you want to avoid surveillance. See the FRA law: http://en.wikipedia.org/wiki/FRA_law ; unless they guarantee that they get their bandwidth via alternative means, this is a risk. Sure, you can encrypt the data, but if you trust that this is sufficient, then hosting your backups in the US should not be a problem either. If you think Sweden's neutrality means a shit in this case, consider that Sweden has admitted to having been complicit with renditions of political asylum seekers to the CIA in direct violation of Swedish laws, so clearly they do not worry about cooperating with US intelligence agencies. To hand your data over to the NSA would not even require them to break any laws, and they've already demonstrated they don't have the moral backbone to stand up to far worse requests.
3. Norway is subject to the EU data retention regulations, and otherwise likes to bend over backwards to comply with EU directives despite not being an EU member (we're a member of the EEA, which means we get all the directives, but don't have a say - how anyone thought that was a better alternative is beyond me). In fact, Norway is "best in class" when it comes to implementing EU directives - ahead of most EU countries... This doesn't impact this to a great extent, except it means all your communications with this company will be subject to retention laws, and if you consider it important enough to avoid the reach of the NSA for your hopefully encrypted backup data, this is worth keeping in mind too.
In other words: If you encrypt your communications and backup files well enough that you believe it is safe from the NSA in Norway, they'll likely be just as safe from the NSA in the US.
By the argumentation on your page, almost none of the electronic data targeted by the data retention directive would in fact be retained if the directive is not also applied to data that merely transits a provider's network, given that the vast majority of e-mail addresses in use today are not hosted by "communications providers". If that is indeed an actual loophole, it will be closed quickly if/when everyone realizes that they're not getting the data they expect.
This is in any case a minor point, as in terms of dealing with backup data, it's the first two points of my message that are by far the most serious. And I don't think they're that serious, in that I don't really believe there are any suitable alternatives that are safe enough that you can prevent surveillance based on location, so you'll depend on the crypto, and the combination of the two makes the location of the data rather moot.
http://www.lovdata.no/ltavd1/filer/sf-20130514-0484.html#1-2 http://www.lovdata.no/ltavd1/filer/sf-20130514-0484.html#2-6
together state that if you provide email services, you are required to store metadata (which is what the Data Retention Directive is all about).
On a side note, if the secret services cooperate to do massive ingress/egress storage of data on the network level (say for 6 months) -- having easily parsable meta-data would help turn that massive data dump into useful information (assuming index and organization around ip/date or something similar).
As for being safe from NSA outside of the US (even with an ally) -- that makes no sense. While it is against Norwegian law to hack into Norwegian businesses - the NSA isn't subject to Norwegian laws, they're subject to US law. The secret services are explicitly set up to perform illegal actions in foreign territories (which is why the NSA story is about spying on Americans, rather than about spying in general).
Serious question.
1. Clarification: I mean warrantless wiretapping.
I think that in the long run, the U.S. is still a good place to keep data.
U.S. citizens have an instinctual distrust of government that Europeans often mock, but in this case I think is an advantage.
In addition, the U.S. has some of the strongest protections for freedom of expression in the world, which means that everyone can learn and argue openly about intel programs and other sub-topics of freedom vs. security.
I'm coming to the impression that none of the Scandinavian countries may be particularly friendly to data privacy advocates.
A provider can give you all the assurances in the world, but the real assurance is using your own encryption with your own best practice and controlling the data store as it exists on the provider's filesystem.
This is why it's important to give users a raw, open filesystem that they can manipulate any way they see fit, and not a fancy, highly abstracted backing store with a pretty GUI on the front.
Without a substantive commitment to open standards and open platforms, this is just a PR move.
Taking advantage of Norway's laws is fine, until the day that those laws go sour on you.
Sure, if the government was going after someone like Steve Muller (http://www.wired.com/threatlevel/2008/04/gsm-researcher/) you'd want him to be able to keep his stuff from prying eyes.
What about a Saudi national accused of plotting terror attacks in NYC? Would you want the same laws applied to him? Or would you want to be able to force someone like this to decrypt their files in order to stop an attack?
I really don't know what the right answer is, but sometimes laws intended to keep us safe, also give shelter to bad guys.
Better not use an encryption with ties to the US government then ;)
http://www.jottacloud.com/faq/
"Yes, all datatraffic between your computer and Jottacloud is encrypted with 256 bits AES high grade encryption, which makes it virtually impossible for unauthorized persons to use the information being sent."
Let's not flatter ourselves too much: http://no.wikipedia.org/wiki/Datalagringsdirektivet (in Norwegian, http://translate.google.com/translate?sl=auto&tl=en&js=n&pre...), or the less detailed http://en.wikipedia.org/wiki/Data_Retention_Directive
That said, digging a bit more into Jottacloud does not make me any more likely to use the service, for anything I would be concerned to store at, say, Dropbox:
Their FAQ is (intentionally?) vague. How do they encrypt stuff?
"all datatraffic between your computer and Jottacloud is encrypted with 256 bits AES high grade encryption, which makes it virtually impossible for unauthorized persons to use the information being sent.".
And then:
"If you log into www.jottacloud.com it’s possible to download, view pictures and share files with friends and colleagues"
Right, so they would have the keys anyway.
1. http://falkvinge.net/2013/01/06/banana-republic-justice-behi...
Exactly how? By my understanding a company in the EU operates under EU law and the US parent company is only a stock owner. A stock owner cannot, by my understanding, force the company to do anything if the company does not want to. Let's assume that the US company does not want to force the daughter company; how can the NSA make them?
EDIT: I'm fully aware that by harassment or blackmail anything can be done, no question here. What I meant to inquire, out of curiosity, is: is there a legal way to _force_? I know that a parent company can control and fire the board etc., but can they be forced to do so? Or more broadly, can some US agency take full control of a US company and run it like they please? Can e.g. the NSA, if they really-really want to, raise McDonald's burger flippers' salary twofold? Does the Patriot Act or something allow that?
They can, after all, fire the entire board, and elect a new one that will direct the company to do what they want.
Not to mention in most cases, parent companies do in fact maintain control over subsidiaries (i.e. they are not independent subsidiaries), and thus can directly control activities.
How can you still ask that question right now? Have you missed the whole Wikileaks scandal? All it took was one phone call for Amazon to take down their website. They didn't even need a court order or something.
I don't know what the laws are exactly, but in practice, and thanks to post-9/11 culture in law enforcement agencies, they can do whatever they want as long as they wave "national security" in front of them.
That is rarely the case. In most arrangements, foreign subsidiaries are still under direct control of the main company - do you really think "Google US" doesn't have a say in how "Google Ireland" operates?
There are tons of accountancy rules dealing exclusively with partially-owned-fully-controlled foreign companies, but when it comes to the Patriot Act, as long as there is even a shred of control from an American company, then all data held by the controlled company is subject to US laws, regardless of actual location. This is far from an expansive interpretation of the Act, tbh; it's just one of the many that have been tested in court.
http://www.zdnet.com/blog/igeneration/microsoft-admits-patri...
So the information they're storing is, at least nominally, stored on computers owned by the American branches.
This said, I wouldn't trust a French provider or an Italian provider with anything too sensitive: their police forces have a history of being incredibly heavy-handed when dealing with data. I remember one occasion in the mid-00s when the Italian police investigating G8 riots (or something like that) raided a data centre, took home all disks they could find, cloned them all, then went through them with a fine comb, all because one mailing list hosted on one of those servers might have been tangentially related to whatever they were investigating. I'd be surprised if things were much better in other European countries, to be honest, but I guess Norway is one of the best bets (with UK/Ireland being among the worst, of course).
Also, on a related note, I find the following fairly unconvincing:
"We will not hand over user data to authorities unless a warrant issued by the Norwegian court of law is presented"
Warrants are in my view more about providing a paper trail than actually preventing abuse.
Ultimately I think the only protection against surveillance is well-employed cryptography. Especially if the law offers some protection for encryption keys and/or passwords.
Don't mess with publicly-vetted crypto code - you're far more likely to introduce a weakness. Instead, just follow the documentation and use it correctly.
meaning
"We will not hand over user data to the government if we do not receive a ruling from the Norwegian judicial system"
which is pretty much the same thing as the Patriot Act in the US...
But as far as PRISM goes - that's a whole other matter!
-We are serious about creating jobs and supporting great American companies. -Makes the most lucrative young companies in the US unusable in the name of spying on their own citizens.
What in the actual fuck?
If you have encrypted files, there must have been or still be a key to decrypt it. You will be asked for the key. You will either give them the key, say no, or say you don't have it. The first two are no good, so all you have is the denial that you have the key. If the government can't find the key, you will be asked to hand it over.
And that's the crux.
What then does the government do? All it can then do is make it an offence to withhold a key. How do they prove you have the key, if they themselves can't find it? You then have to prove the impossible, that you do not have the key, a negative. Which, even if you are telling the complete god's truth, you can never, ever, prove.
So, having an encrypted file that you cannot or will not decrypt on demand is or will become a criminal offence. All encryption does, in the eyes of government, is act as evidence of guilt. The suspect has an encrypted file, we can verify its contents, she won't give us the key, therefore she has "something to hide", and therefore must be guilty.
I can well imagine encrypted files being stored like athletes' blood samples, waiting to be tested or decrypted by future methods.
We can not win unless we accept some risk and stop expecting our governments to do everything to stop the bad people. If a bomb goes off in Whatevercity, we must not be angry if it happened because the NSA were NOT collecting mass data, or something similar. We must make it clear to government that we are prepared to trade the risk of being blown up for our privacy and freedom, and that if that freedom contributed to the attack, we MUST accept that, and not suddenly switch and blame government. And the NSA, and the likes, must be allowed to say, "look we could have acted, here is the evidence, but we had to respect freedom and privacy", and not be lambasted for it. We have to reply, "OK, fair enough, we understand and accept that." Equally, of course, we need to know they did everything else legally and morally possible.
Question is, are we as a people able to do that? Or do we expect zero risk lives?
And all that is assuming there is zero risk from the powers government wants. Such laws and thinking creates a whole new avenue of risk.
Which is why I for one am quite prepared to say to government, cool it down, back off, set some limits, respect those limits, and if you fail because of that, I both accept it and forgive you, because I want to be free.
BTW, one of the few countries I have been to is Norway. Beautiful, stunning country and fantastic people. If I wanted to or had to leave the UK, it would be one of the first places I would consider. I'd love Norway to be the savior of privacy and freedom, but I sadly can't see it.
There's a 4th option: give them a key that decrypts innocuous material.
Basically what this would prevent would be data collection if you were caught in a web of general surveillance. I agree that if you're in a situation where a government is making a case against you you're fucked. But that requires specific targeting of you.
intelligence agencies, aka spies, exist to spy. that's their entire purpose. now there are some laws to protect their own citizens, at least in the US.
once it's a foreign entity, it's fair game. zero fucks about legality given - see any info ever about clandestine services. so if you store your data in a non-US entity, you're more likely to be monitored.
do you think STUXNET was LEGAL?
the NSA, CIA, MI6, BND, KGB, Mossad all ignore the laws of the countries they are acting in. or what do you think a spy is?