
US companies are required by US law to disclose data to US authorities when requested - no matter where in the world they operate.

Doesn't matter if it is an EU subsidiary. The US parent company must abide by US law and give US authorities the data.

EU citizens cannot trust their data in the hands of US companies. No matter if it is on servers in Europe hosted by European subsidiaries.



The way they are doing it is entirely air gapped systems, run by totally independent companies (not subsidiaries, totally separate legal entities owned and run by other people) that are effectively licensing the software.

So the US legal system can say "give us this data" but they don't have access as they are on another company's servers in another company's data center operated by another company's staff.


> So the US legal system can say "give us this data" but they don't have access as they are on another company's servers in another company's data center operated by another company's staff.

US institutions don't hesitate to demand that their companies implement secret backdoors in their hardware or software, as evidenced by Snowden's leaks (for Cisco routers) and the Lavabit shutdown (mail company ordered to implement a tap on their clients' data).

Sure, you can have all you described, but how are updates vetted?


Yeah it is a risk, but so is it a risk for anything. Can you really trust the CPU, RAM, BIOS, USB-C cable etc on your desk? Maybe those have backdoors too?

But that is adversarial and is to be expected.

At least for these sorts of cooperative partnerships that I am aware of in enterprise, there are typically provisions in contracts for code-access, verifiable builds, ability to reject updates and so on and so on. I don't know if these provisions exist in the sovereign cloud contracts that the cloud companies are building, but I would be really surprised if they went to all this trouble replicating Azure/GCP/etc in entirely air-gapped data centers with duplicated staff and hardware and all that, but don't bother to vet the code they get!


The US state just asks the UK GCHQ to get the data to them instead. That's what they have already been doing for decades, and likewise the GCHQ gets the US data. Under the national security umbrella, so they'll deny any data exchanges. With Germany the figure is known to be 10%. With the UK the figure is 100%.

The EU should really fight these illegal circumventions.


If that is the case, how can I manage my EU Azure instances via the regular Azure Portal, yet US-Microsoft doesn't have any access?


I think just having servers in an Azure data center in the EU is different from proper sovereignty products.

These sovereignty products I don't think are just a check-box you can tick to get it, they're separate things and probably cost the earth too.

Only officially public one that I know of: e.g. https://www.s3ns.io/en (but I hear whispers of others)



