- entry 2015/10/16

The American Cloud - crashing and burning

Three fundamental provisions of importance here are:

• Article 7: Respect for private and family life - Everyone has the right to respect for his or her private and family life, home and communications.
• Article 8: Protection of personal data - 1. Everyone has the right to the protection of personal data concerning him or her; 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified; 3. Compliance with these rules shall be subject to control by an independent authority.

Herein lies a mammoth problem with "the Cloud". Data is pushed to the Cloud, this whimsical netherworld of assorted digital rubbish. We use the facilities that are made available to us, and we hardly ever think much about where it goes, who can access it, and who it gets shared with.
I use Google Docs from time to time. It can be useful to write blog articles in the car on the iPad and later pick up the text with my PC. A bit of markup and the job's done. But have I ever thought about where this data is stored?
So I looked it up. The IP address for Google Docs is 74.125.133.100 which is supposedly located at Mountain View, California, United States (just above San José). Which would imply that anything that I place in Google Docs not only falls under US law, but is also open for the three letter agencies and their ongoing data grab.

That's me. That's my choice.

Now try another approach. A number of parents in the UK may have heard of something called Edmodo. It is a school collaboration/grading/evaluation (etc) platform that is used by a number of schools in the UK. Their Privacy Policy says (quotes):

• When you use the Services, you are consenting to have your data transferred to and processed in the United States.
• Edmodo complies with the U.S.–E.U. Safe Harbor Framework and the U.S.–Swiss Safe Harbor Framework set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information from European Union member countries and Switzerland. Edmodo has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.
• In compliance with the US-EU and US-Swiss Safe Harbor Principles, Edmodo commits to resolve complaints about your privacy and our collection or use of your personal information.

What they don't tell you is that recent(ish) American legislature have introduced, from the PATRIOT (in capitals) Act to the Freedom Act and the ever-popular FISC (FISA Court; that's the "secret" court with little (if any) oversight (it's all a big secret) that rubberstamps what the NSA would like to do). Ever heard of PRISM (oh, look, more capitals)? Look it up.
Essentially, if you are a foreigner, you have no constitutional rights. The three letter agencies can help themselves you your information, profile you, track you, examine your preferences. Oh, don't think that they care much about you or me - most of this is automated, likely only raising a flag when something noteworthy appears. I guess this blog post would put me in the box marked "subversive".

With that in mind, let me ask you - is any data sent to the United States "safe"? The answer? No.
Can any hosting company or service provider with American operations guarantee safety and privacy of Europeans' data? The answer? No.

This is the same conclusion that the top European Court came to. The entire concept of Safe Harbor was in jeopardy following 9/11 when the PATRIOT Act was introduced (introduced, apparently, without even being read by a worrying number of the Senators that voted for it - what sort of twisted democracy is this?). The difference? Now it has been tested and found not worth the paper it was printed upon.
American companies cannot respect Europeans' rights. They just can't.

The ECJ specifically said that while individual companies may follow the requirements of Safe Harbor, United States public authorities are not themselves subject to it.
Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons.

Of course, in the fallout, America is screaming at Europe. American politicians are pointing to Brussels. Companies on both sides of the Atlantic are freaking out of the immeasurable cost to business.

Let's try some reality instead.

Number one - this problem starts, lives, and ends in Washington. I'm sorry everybody, but the American government has created a situation that is toxic to the basic rights of Europeans. Now I know that the likelihood of American law changing, or anybody reigning in the NSA, are practically zero - but that's what the problem is. The left hand side of the Atlantic.

It isn't that we don't like or trust American service providers, we cannot trust them. Not when the legal process means that anything written in their Privacy Policies are not worth the time spent reading them. Our data is not safe in America; no American company can respect our laws and our privacy no matter how much they may want to; the legal process stymies any such ideas. That's the truth of it, and perhaps instead of looking to Brussels for rectification, affected companies might prefer to talk to their Senators. The ECJ quote just above makes this painfully clear.

Let me quote again a part of the European charter: Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
We all know that advertisers track us, correlate our preferences, and try to profile us for better knowing what clickbait we are most likely to fall for. Funny, I bought myself a new shaver so Amazon (not terribly cleverly) is using their embedded adverts to try to sell me really expensive shavers. Google's AdChoices is slightly better - I get cute girls and kanji. Dunno what the hell the advert is for (I can read about 40 katakana and maybe five kanji) but it's some icon-sized eye candy. Now, these are the two that I know. There are many more. Where's my ability to access the data that the advertisers have on me? As a European citizen, I have that right.

I have just downloaded my Google search history (from here, click on the three stacked dots (upper right) and then choose "Download searches"). My file? A brief HTML document saying 0.0 bytes total. Nothing.
That's right. Because I have turned off all of my histories. Google, Maps, YouTube, the lot.
Yet I get advertising in Japanese on third party sites. Why is this?

So I exported my entire Google profile (excluding Docs files, GMail emails, YouTube videos, and Panoramio photos). The result? A 3.1MiB archive. My bookmarks contain Sakai, Fukui Prefecture, Japan and Minato, Tokyo, Japan ... but three times as many French locations. If that was the cause, I should be getting content in French.
My remembered contacts? Contains NHK World and a .co.jp company; but numerous others in France, UK, USA...
Google Photos? A picture of KFC that I uploaded to Maps. It isn't a great picture, but it is the one now used for that KFC when you look for it in Maps. Cool.
Oh, and they credited me. Nice, now people can get a direct link to a rather weird Google+ profile. ☺

Blogger pictures? Four copies of the same thing. I must have been trying to upload it from my phone in a bad reception area.
Drop box - a drawing and photo of when I reported a rather important Map navigation fail. Surprised that's still kicking around.
A photo I sent to Rob using Hangouts. A rather crap photo at that...
My profile photo. It's Haruhi. I'm not that cute. Or a girl.

My profile itself? Yeah - it contains stuff like this for my "bragging rights": I am really a time-travelling ninja code warrior who has come back to the latter days of the dominance of humanity. It's all downhill from 2037 as this species of ours is replaced by little laughing fairy-things (their name is not pronounceable with the limited vocal apparatus of the average human). And cigar-smoking processed chickens. El Psy Congroo.
Working out which animé (plural) I am referencing is an exercise for the reader.

And, finally, my YouTube search history (despite it being turned off!): Kalafina, please don't touch polly scattergood, Uvek kad u nebo pogledam, and 川嶋あい 旅立ちの日に. What was that least one again? River something some...oh, I give up. Probably a song.

So, yes, there is some Japanese in there, but nothing that would necessarily favour it over, say, French. Or English for that matter.
But then it is rather hard to ask for the right to inspect/modify that which you don't know exists. I'm sure these companies would gladly point to some set of terms that references American law. Well, I don't ask to be tracked by Facebook every time their stupid "Like" button appears on a page I'm visiting. I don't ask to be tracked around the web by doubleclick.net. Did I actually agree to this behaviour? I don't mean a stupid cookie-like "by visiting here you agree to..." as is parodied at the top of the page (as of time of writing), I mean an actual "here's who we are, here's what we're collecting, here's how you can view and correct this data".
No. I didn't. Neither did you. And if you're a European, whee, your rights have been infringed. Again. And again. And again.

Getting back on track...

What we need to rectify this problem is, first, a non-US company with no dealings within America. Why? Because a circuit court judge demanded Microsoft to release the content of Hotmail emails hosted in Ireland. The American Department of Justice told a federal appeals court that The United States government has the right to demand the emails of anyone in the world from any email provider headquartered within US borders. Microsoft has refused, stating "This is an execution of law enforcement seizure on their land" (referring to the fact that Ireland is a sovereign nation and doesn't subscribe to American law) and the counsel for Microsoft rammed the point home by adding "We would go crazy if China did this to us". At the time of writing, no decision has been made; however given America's usual blunt unwillingness to acknowledge that other countries and legal systems exist - only two weeks ago the US mission to the EU slapped down the Advocate General's opinion and offered the idea that the PRISM programme is "duly authorized by law" which appears to be suggesting that if it is acceptable to American law, it is acceptable everywhere, right?
Wrong. Very very wrong.

So. We need a European company. And we need them to offer Cloud services.
It's that simple. European data in European servers in Europe.

This doesn't mean we will be exempt from snooping - GCHQ have been co-operating with the NSA to a degree that could make a person wonder if they are committing treason to their own country, and France has just enacted a (potentially unconstitutional) snooper's law. However, what should change is that there will be a legal framework in place within the EU.

No doubt the ink will soon by drying on a replacement agreement that will likely fail when tested in court (after all, look how long it took to tear up the Safe Harbor that everybody know was worthless for the past, what was it, thirteen or fourteen years?) and business will continue as usual.
Only, it doesn't have to be that way.

Your comments:

Please note that while I check this page every so often, I am not able to control what users write; therefore I disclaim all liability for unpleasant and/or infringing and/or defamatory material. Undesired content will be removed as soon as it is noticed. By leaving a comment, you agree not to post material that is illegal or in bad taste, and you should be aware that the time and your IP address are both recorded, should it be necessary to find out who you are. Oh, and don't bother trying to inline HTML. I'm not that stupid! ☺ ADDING COMMENTS DOES NOT WORK IF READING TRANSLATED VERSIONS.
 
You can now follow comment additions with the comment RSS feed. This is distinct from the b.log RSS feed, so you can subscribe to one or both as you wish.

VinceH, 16th October 2015, 22:36

Amen to that.    My Google history is also non-existent. I do have a few client-related files in Google Drive (client's choice, not mine) but I only ever log-in when I need to do anything with them, then log back out again. I also have stuff on YouTube but, again, I only log-in when adding stuff, then I'm out.    Add to that my cookie management and use of NoScript, and it's easy to see why.

Gavin Wraith, 17th October 2015, 14:18

<cough>I think you meant "rein in"</cough>. Reigning is what monarchs do, though conceivably the two words may have a common root from a very distant past.    My cookies are kept in null:. I do not use Facebook, Twitter or LinkedIn. The cloud is only of interest because the word used to mean the same as clod - a big mass of water vapour can resemble a big mass of air. Clodhopping?     A long time ago I had a copy of the Whole Earth Catalogue and a similar confection, given to me by Dana Scott, that celebrated the libertarian and hippy possibilities of computing. It even suggested the concept of hypertext, decades before Sir Tim Berners Lee. I suppose that the authors understood that the advent of VLSI and microcomputers heralded a new era when computing was no longer the purlieu of big business, but their triumphalism was premature. The day of the common man is not yet upon us.

Rick, 17th October 2015, 14:22

Yup. And the "Three fundamental provisions" (with two listed!) should be "The fundamental provisions".  Had to get up early this morning so I uploaded the text without re-reading it in the browser to catch typos and dumb errors. Oh well.

Add a comment (v0.11) [help?] . . . try the comment feed!
		Your name
		Your email	(optional)
		Validation	Are you real? Please type 09683 backwards.
		Your comment