
SoylentNews is people

posted by janrinok on Thursday October 15 2015, @05:17PM
from the for-certain-values-of-free dept.

This really wasn't in the script. All conquering, "disruptive" Silicon Valley companies were more powerful than any nation state, we were told, and governments and nations would submit to their norms. But now the dam that Max Schrems cracked last week has burst open as European companies seek to nail down local alternatives to Google, Dropbox and other Californian over-the-top players.

They don't have much choice, says Rafe Laguna, the open source veteran at Open Xchange.

What the Schrems vs Facebook decision in the European Court means, Laguna argues, is that any data protection guarantee that a US company makes in Europe is worthless, and so any business processing a European individual's data on US servers exposes them to lawsuits they can't win.

"Suppose I'm a German business, and I get an agreement from Google, which says everything is good, and I put that into my file. When a customer sues me, I go to court and find that agreement isn't worth a dime. Google cannot guarantee what they're guaranteeing.

"This takedown of Safe Harbor will be remembered as a historical event. It'll be patched, but it'll be a bad patch. The real patch is you do business with a trusted supplier operating in a country whose laws you trust. And that doesn't mean the over-the-top big boys from California," says Laguna.



Related Stories

High Court Sets Out 11 Questions for ECJ on EU-US Data Transfers 9 comments

While most of the newspapers were distracting the public with the antics of Mark Zuckerberg, a European Union High Court raised 11 important questions regarding privacy (warning for PDF) that will affect large data-gathering operations like Facebook. The 11 questions have been passed upwards to the most senior EU court and are based on a current case started by Max Schrems.

The Irish High Court referral, published on Thursday and due to be submitted to the ECJ by the end of April, stems from a case brought by an Austrian privacy activist against the methods used by Facebook to store user data on U.S. servers following revelations in 2013 of mass U.S. surveillance practices.

[...] The High Court's five-page referral asks the Court of Justice of the EU (ECJ) if the Privacy Shield - under which companies certify they comply with EU privacy law when transferring data to the United States - does in fact mean that the United States "ensures an adequate level of protection".

Opponents can still appeal the court's referral any time until the end of the month. The proposed Privacy Shield legislation is the EU's follow up framework to cover transfers of personal data to outside the EU. It is being written as a replacement for the now invalidated International Safe Harbor Privacy Principles. The Safe Harbour agreement was brought down, after an earlier two-year lawsuit (Case C-362/14) by Max Schrems, because of its inadequate protections in light of the Snowden revelations.

From Reuters: EU's top court asked to probe Facebook U.S. data transfers
The Irish Times: High Court sets out 11 questions for ECJ on EU-US data transfers
Ars Technica: Facebook data transfers to be examined by EU court, Irish judge rules

See also an initial analysis, http://www.europe-v-facebook.org/sh2/PA-ref.pdf

Earlier on SN:
Austria Resident Max Schrems is Organizing a Privacy-Oriented Class-Action Suit Against Facebook
On its Way: A Google-Free, NSA-Free IT Infrastructure for Europe



This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Insightful) by Hartree on Thursday October 15 2015, @05:30PM

    by Hartree (195) on Thursday October 15 2015, @05:30PM (#250099)

    It's NSA free.

    Unfortunately, it may not be GCHQ, DGSI, and BND free, and the NSA has data sharing agreements with them.

    • (Score: 4, Funny) by isostatic on Thursday October 15 2015, @05:39PM

      by isostatic (365) on Thursday October 15 2015, @05:39PM (#250105) Journal

      It's NSA free.

      Free NSA with every server!

      • (Score: 2) by Hyperturtle on Thursday October 15 2015, @05:55PM

        by Hyperturtle (2824) on Thursday October 15 2015, @05:55PM (#250117)

        Without the NSAKey registry entry, the door is open for *all* to come in, not just the NSA!

        Anyway I would endorse the creation of such an environment, if I thought it had a chance to succeed.

        All it will do, if it works, is result in spying that is less overt in nature. No one that expects to be involved will be left out, and it undoubtedly will draw attention and probably funding. It's a commercial art form, if nothing else.

        The real secured networks that exist are not advertised in this way.

    • (Score: 1, Insightful) by Anonymous Coward on Thursday October 15 2015, @05:55PM

      by Anonymous Coward on Thursday October 15 2015, @05:55PM (#250116)

      One step at a time.

    • (Score: 0) by Anonymous Coward on Thursday October 15 2015, @06:53PM

      by Anonymous Coward on Thursday October 15 2015, @06:53PM (#250141)

      While they certainly may not be perfect, at least those agencies are (in theory) bound by the laws of their nation. Compare that to America, where the NSA and other agencies routinely violate both domestic legislation and international agreements (which is how we got to this state of things in the first place; the Schrems vs Facebook ruling didn't come from nowhere).

      • (Score: 2) by bob_super on Thursday October 15 2015, @07:14PM

        by bob_super (1357) on Thursday October 15 2015, @07:14PM (#250156)

        > While they certainly may not be perfect, at least those agencies are (in theory) bound by the laws of their nation.

        Sadly, too often they are not bound by national pride.

    • (Score: 2) by hemocyanin on Thursday October 15 2015, @11:31PM

      by hemocyanin (186) on Thursday October 15 2015, @11:31PM (#250306) Journal

      It's a win.

      These Silicon Valley companies have their massive over-valuation based on the notion that the world is their oyster, but if it turns out half the world is legally barred from doing business with them because of some horseshit from that Dark City in the East (WA DC), all that money is going to turn on Mordor and its minions like a pack of Wargs, and fearing the loss of the free flow of cash, hookers, and coke, all those politicians will suddenly find themselves very interested in reining in the NSA.

      • (Score: 3, Insightful) by ticho on Friday October 16 2015, @07:02AM

        by ticho (89) on Friday October 16 2015, @07:02AM (#250443) Homepage Journal

        Even the smallest lawsuit can change the course of the future.

    • (Score: 0) by Anonymous Coward on Friday October 16 2015, @12:02AM

      by Anonymous Coward on Friday October 16 2015, @12:02AM (#250324)

      EVERYONE does espionage and that's not changing any time soon. What's changing is data sovereignty. If you want my data you'll have to send your spooks over to steal it because I'm not just fucking sending it to you.

  • (Score: 1, Insightful) by Anonymous Coward on Thursday October 15 2015, @05:54PM

    by Anonymous Coward on Thursday October 15 2015, @05:54PM (#250115)

    This could be an opportunity, for companies funded by them. I doubt it's only the CIA [theregister.co.uk] who does that.

  • (Score: 1, Interesting) by Anonymous Coward on Thursday October 15 2015, @06:03PM

    by Anonymous Coward on Thursday October 15 2015, @06:03PM (#250122)

    Part of the problem is that new entrants to the market of social networking and the like have to compete with companies like facebook that have effectively unlimited funds. This opens the door for alternatives, especially alternatives that are not so spy friendly. Distributed services where there is no centralization of data, and thus no easy place for any intelligence agency to scoop it all up. It is certainly possible that all we will get are more centralized services. But at least there is now a chance to do it better.

    • (Score: 4, Insightful) by duvel on Thursday October 15 2015, @06:07PM

      by duvel (1496) on Thursday October 15 2015, @06:07PM (#250123)

      I somewhat doubt that the goal of the EU-privacy regulation is to foster more-privacy friendly distributed service alternatives. More likely than not, it's EU-spy agencies preferring to have access to the private information of their EU-subjects themselves, rather than having to beg the NSA for it. Then again, perhaps I'm just a cynic.

      --
      This Sig is under surveillance by the NSA
      • (Score: 2, Insightful) by Anonymous Coward on Thursday October 15 2015, @08:15PM

        by Anonymous Coward on Thursday October 15 2015, @08:15PM (#250189)

        > I somewhat doubt that the goal of the EU-privacy regulation is to foster more-privacy friendly distributed service alternatives.

        #1 the privacy regulations have existed for decades
        #2 the intent doesn't matter, the results do

    • (Score: 3, Insightful) by frojack on Thursday October 15 2015, @06:22PM

      by frojack (1554) on Thursday October 15 2015, @06:22PM (#250128) Journal

      facebook that have effectively unlimited funds.

      Facebook also has EU servers, and has joined the Microsoft effort to block US subpoenas of data held overseas.
      Why?
      Because Facebook can see that all the money in the world does not protect them from a simple subpoena.

      To paraphrase Stalin: How many divisions does Zuckerberg have?

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 2) by BK on Thursday October 15 2015, @09:34PM

      by BK (4868) on Thursday October 15 2015, @09:34PM (#250242)

      I think you misunderstand -

      It doesn't open any markets, but it may segment them and it probably separates those markets from reality.

      A response to a recent article on this site suggested that the Googles and Facebooks could simply move data-centers and subsidiaries outside the EU. Suggestions like this are routinely dismissed here -- 'Abandon Europe?! USA isn't the whole world economy afterall!!' -- but if they can't operate legally in a place, they will find a place where they can. The Googles and Facebooks can afford to move... they won't like it, but they can afford it. The only rational response to this, other than some form of surrender, is a 'Pare-feu de la Grande Allemagne' to keep the patriotic from accidentally using a foreign system. So we have segmentation.

      As for reality, do you really think that commercial networks can be secured against nation-state actors while still remaining open to miscellaneous users? The Chinese, Russians, NSA, and more will penetrate your network to some degree. You may feel better if you think that it's "just the Dutch" or whatever, but you're delusional. If the Dutch can get in, the NSA and their peers will as well.

      --
      ...but you HAVE heard of me.
  • (Score: 4, Interesting) by frojack on Thursday October 15 2015, @06:14PM

    by frojack (1554) on Thursday October 15 2015, @06:14PM (#250125) Journal

    with a trusted supplier operating in a country whose laws you trust.

    So, translation: you can't trust any company to store your data period. Forget this whole internet thing.

    There is no reason to trust your own government any more than another government.
    The Germans, British, Spanish, Dutch governments are all making demands on companies that sell services based on the internet, and the EU's promise of privacy does not extend to these spy agencies.

    The EU telcos are complicit, because they are told to be quiet about the taps and the intercepts.

    The next big revelation will be that the EU privacy guarantees aren't any better than any other countries, which is to say worthless. And the EU citizens pointing with pride to EU privacy laws will meekly tuck tail and knuckle under.

    Open Xchange is a short term joke.

    Carrier grade intermediaries will host the private key, and the end user only needs to enter a passphrase, or use whatever authentication they already use such as 2FA or USB keys. And lo, a global key directory emerges.

    FAIL!

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 3, Insightful) by Anonymous Coward on Thursday October 15 2015, @07:40PM

      by Anonymous Coward on Thursday October 15 2015, @07:40PM (#250169)

      Still, I'd rather be spied upon by (say) Netherlands than by the US. US has proven itself willing to completely ignore the laws of every other nation on the planet, when it's not busy doing extrajudicial drone killings, middle-of-the-night police raids on people it has no actual jurisdiction over (c.f. Kim Dotcom case) or forcefully grounding planes with foreign heads of state based on nothing but vague suspicions and unsubstantiated rumors (c.f. Edward Snowden and the Bolivian President's plane). Fuck 'em. Fuck 'em with a rusty spork.

      While the EU as a whole can sometimes stand up to the US, internally it's still mostly fragmented. Dozens of spy agencies that sometimes compete, sometimes work together is orders of magnitude better than the NSA. On the other hand, if the EU ever gets something close to the US federal government, then we're screwed.

      • (Score: 2, Interesting) by lars on Friday October 16 2015, @01:45AM

        by lars (4376) on Friday October 16 2015, @01:45AM (#250363)

        I'd rather be spied upon by Chinese/Russians, since I know they won't be sharing their data with my gov't. My next phone will be a Chinese one, shipped straight from there. I'll bet they have pretty good web services, a Chinese VPS would be nice too.

        • (Score: 0) by Anonymous Coward on Friday October 16 2015, @07:07AM

          by Anonymous Coward on Friday October 16 2015, @07:07AM (#250444)

          Shipped from China, but intercepted at the border and bugged for your convenience.

          • (Score: 1) by lars on Saturday October 17 2015, @03:20AM

            by lars (4376) on Saturday October 17 2015, @03:20AM (#250951)

            I thought about that, but I've only heard about such things happening for big stuff (routers) or for targeted individuals.

    • (Score: 5, Insightful) by HiThere on Thursday October 15 2015, @08:35PM

      by HiThere (866) Subscriber Badge on Thursday October 15 2015, @08:35PM (#250204) Journal

      While true, it misses a major point. Companies that expose their European customers' data to subpoena by the US are set up to lose tremendous lawsuits.

      So while you may have no better reason to trust (say) the German government, it doesn't expose you to the same legal threat. The laws don't forbid sharing the data (on European customers) in answer to a German subpoena.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 5, Insightful) by frojack on Thursday October 15 2015, @10:38PM

        by frojack (1554) on Thursday October 15 2015, @10:38PM (#250278) Journal

        Ah, I see. It's all about protecting the corporations then?

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by HiThere on Friday October 16 2015, @05:22PM

          by HiThere (866) Subscriber Badge on Friday October 16 2015, @05:22PM (#250669) Journal

          That's quite plausible, if you mean local corporations. It doesn't much help international corporations unless they keep all their records in Europe, and perhaps not then.

          OTOH, a lot of people are more paranoid about the US than about any other government than their own...and this is a rational concern given the last decade's news stories. So it's probably an easy sell.

          --
          Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
          • (Score: 3, Insightful) by frojack on Friday October 16 2015, @05:50PM

            by frojack (1554) on Friday October 16 2015, @05:50PM (#250689) Journal

            Admittedly it's been easier to blame the NSA for what the BND and GCHQ have been doing. Why would these homegrown spy agencies accept any blame when you can just point a finger across the ocean?

            --
            No, you are mistaken. I've always had this sig.
  • (Score: 1, Informative) by Anonymous Coward on Thursday October 15 2015, @08:53PM

    by Anonymous Coward on Thursday October 15 2015, @08:53PM (#250215)

    Google has sent today, Oct 15, a mail to all Google Apps enterprise customers in the EU titled "European Safe Harbor ruling update and Google Apps".

    In the mail, they state that there is a compliant alternative to the Safe Harbor framework for EU customers since 2012, consisting of a data processing amendment [google.com] to the existing Google Apps contract, as well as additional model contract clauses [google.com].