It seems to me that the NSA finds it a lot harder to get at data that never enters the US at all.
I have doubts about sending data to the US in any way - I work for a European tech company, and some co-workers want us to use private repos on GitHub for our source control. I am personally against this simply because it sends important data into the US. That kind of thing should be kept on-site.
This may be naive, and if it is please elaborate; but as the NSA is a branch of the USA's government, it has legal power over companies in the USA and over infrastructure in the USA. Their legal writ does not hold in Germany for instance. I'm interested in seeing how this whole "broke German law on German soil" thing plays out: http://www.cbc.ca/news/world/nsa-s-alleged-spying-on-merkel-...
The NSA's methods of surveiling the internet seems to have been to tap into "destination" data centres in the USA, and to tap into all passing traffic as it crosses US borders. If internet traffic passes through neither of those checkpoints (e.g. originates in Leipzig, goes to a server in Berlin) then the NSA will find it a lot harder to tap it. Not impossible, but a lot harder to do it and lot harder to make a convincing legal justification.
This leaves aside the impact of the sharing agreements between the "five eyes", that basically the UK et al are doing the same thing as the NSA here.
The second problem is of "American" companies which operate worldwide. Even if the server is in Berlin, no doubt the US government will lean on the US parent company, if there is one. Which is why we're seeing stories like this one.
Even if your servers are patched, firewalled etc and you encrypt all traffic travelling between data centres, if the data is decrypted on your internal network for processing or use you're vulnerable to "host is subpoenaed by the NSA", "black box installed on network by NSA" and "insiders work with NSA out of patriotism" which non-US suppliers may protect you from. Even if you self-host and have no employees, it's difficult to stop a legal subpoena from the NSA for your SSL private key except by making sure you and it never enter the US courts' jurisdiction.
Of course, you're still vulnerable to hacking, physical intrusion, and blackmail or bribery of insiders by the NSA. And whatever the local equivalent of the NSA is. And secretive international agreements.
> In the USA ... you're vulnerable to "host is subpoenaed by the NSA", "black box installed on network by NSA" and "insiders work with NSA out of patriotism"
Yep. That's what I mean by "tap into "destination" data centres in the US". e.g. what was going to happen to Lavabit.
I'm not sure why people are having difficulty grasping the whole concept of "US legal power is much lessened outside of the USA". (see also here https://news.ycombinator.com/item?id=6944880 )
> Of course, you're still vulnerable to hacking, physical intrusion, and blackmail or bribery of insiders by the NSA
Yes, or by any other rogue actor. But any government that does that on a mass scale on notionally "friendly" territory is playing a dangerous game if and when they get found out.
It seems to me that the NSA finds it a lot harder to get at data that never enters the US at all.
I have doubts about sending data to the US in any way - I work for a European tech company, and some co-workers want us to use private repos on GitHub for our source control. I am personally against this simply because it sends important data into the US. That kind of thing should be kept on-site.