> Wait, so the NSA can walk into a German hosting provider's office and force them to install a box and no we won't tell you what it does?
The equivalent in the US requires a warrant, and it would be the FBI not the NSA. For example an NSL or warrant with a gag order similar to what Lavabit saw. These warrants at least give the provider the option to shutdown. Also see similar situation to PrivateSky (UK-based). The fact that these cases are news, and even moving through the courts on appeal, is a Good Thing (TM).
This is a significantly different attack model than NSA hacking your network and picking data off your internal pipes (like what happened to Google), Firewire/Thunderbolt ports (commercial off-the-shelf products sold to law enforcement do this through DMA access granted by Firewire/Thunderbolt), or hell, even stealing keys through the ground potential of your chassis . Those techniques, sans warrant, are claimed to be "legal" only because they happen overseas.
If you think the NSA doesn't have access to all your traffic just because you're in Germany, I'm saying, IMO the NSA has better access to your traffic, indeed all your gear, because it's in Germany.
> For international customers it is rather pointless to talk about data that never leaves the US. If this is a bad reaction, then what is a meaningful reaction?
This is a great point. I think the most meaningful reaction would be an increase in self-hosted SaaS models which are open source but not MIT/GPL as in, auditable but not free. Continuing the evolution of systems like Docker, and maybe even to an extent things like node-webkit, you might get to a future where grandma can single-click self-host all the apps she needs on any OS she happens to be running.
I'm so disappointed that such approaches are assumed to be doomed. You can't convince the CEO that people won't just comment out the license check rather than pay the license. I know GPL is supposed to provide "freedom" to the user, but I don't think there's anything inherently wrong with providing access to the source while still legally requiring a end-user or commercial license, and not just in the form of a support contract. In fact, I really wish more companies would try this, because I think it would ultimately be very successful and if it can jump the shark as an acceptable approach, it would benefit the entire industry. I plan on trying it myself with a few products, and I'll definitely report my progress.
In short, we need to increase investment in designing, deploying, and maintaining secure systems and architectures, combined with demanding real end-user ownership and control over your own data, which means self-hosting the service and open source. In my opinion, moving the server to international data centers doesn't provide any demonstrable value, and I believe just makes matters worse.
The equivalent in the US requires a warrant, and it would be the FBI not the NSA. For example an NSL or warrant with a gag order similar to what Lavabit saw. These warrants at least give the provider the option to shutdown. Also see similar situation to PrivateSky (UK-based). The fact that these cases are news, and even moving through the courts on appeal, is a Good Thing (TM).
This is a significantly different attack model than NSA hacking your network and picking data off your internal pipes (like what happened to Google), Firewire/Thunderbolt ports (commercial off-the-shelf products sold to law enforcement do this through DMA access granted by Firewire/Thunderbolt), or hell, even stealing keys through the ground potential of your chassis . Those techniques, sans warrant, are claimed to be "legal" only because they happen overseas.
If you think the NSA doesn't have access to all your traffic just because you're in Germany, I'm saying, IMO the NSA has better access to your traffic, indeed all your gear, because it's in Germany.
> For international customers it is rather pointless to talk about data that never leaves the US. If this is a bad reaction, then what is a meaningful reaction?
This is a great point. I think the most meaningful reaction would be an increase in self-hosted SaaS models which are open source but not MIT/GPL as in, auditable but not free. Continuing the evolution of systems like Docker, and maybe even to an extent things like node-webkit, you might get to a future where grandma can single-click self-host all the apps she needs on any OS she happens to be running.
I'm so disappointed that such approaches are assumed to be doomed. You can't convince the CEO that people won't just comment out the license check rather than pay the license. I know GPL is supposed to provide "freedom" to the user, but I don't think there's anything inherently wrong with providing access to the source while still legally requiring a end-user or commercial license, and not just in the form of a support contract. In fact, I really wish more companies would try this, because I think it would ultimately be very successful and if it can jump the shark as an acceptable approach, it would benefit the entire industry. I plan on trying it myself with a few products, and I'll definitely report my progress.
In short, we need to increase investment in designing, deploying, and maintaining secure systems and architectures, combined with demanding real end-user ownership and control over your own data, which means self-hosting the service and open source. In my opinion, moving the server to international data centers doesn't provide any demonstrable value, and I believe just makes matters worse.