Curious: Why would you trust a cloud service operating outside the US more than one operating within?
If you use Google, your data is basically guaranteed to be secure - the biggest vulnerability is search warrants from the US government.
If you use some provider in another country, the attack vector has to be way larger, right?
This is an honest question - people always talk about using their own servers or non-mainstream providers, but I don't see how they necessarily reduce your risk.
Are you saying that everyone else outside the US is somehow incompetent? The 300 million in the US are super special and the other 6.7 billion people are stupid? Cause 'murica? For example all the countries in the EU, Canada, Australia, etc.
Or are you saying privacy laws in the rest of the world are somehow worse? For example, the EU has generally much better privacy safeguards and is generally known to be much more consumer friendly than the US.
> Why would you trust a cloud service operating outside the US more than one operating within?
Because I'm an American in America. If you aren't in America's sphere of influence, the United States may be one of the best places to host your data. (No data retention laws; freedom of speech; working courts; et cetera.)
Because some countries - namely in Europe - have much stronger personal data protection laws than the US. Switzerland for instance.
Also because the country where the data is stored, even if internally has personal data protection laws as lax as the USA, will in basically all cases have much bigger restrains about allowing a foreign government (namely the USA) to access that data.
Most people are preoccupied about what their own country's government or a big superpower's government can do with their data, not really what Norway's (another example) government can do with their data if they don't even live there.
You would do on-prem and not cloud if your potential legal adversaries included the government because they would then have to come and take your emails from you with a warrant vs. being able to silently take it from cloud providers and compelling them to not inform you.
For any reasonably sized multinational, governments are potential legal adverseries.. and so they avoid keeping mail servers and financial transaction data in the cloud
Weigh the cost of corporate controlled robots peeking at your emails against the increased probability of extra-corporate attackers pilfering your data.
"If you use some provider in another country, the attack vector has to be way larger, right?"
I think Nexor, Thales, Fox-IT, Sirrix, Data61, and recently ProtonMail might have something to say about such claims. Starting with better security architectures than most vendors in the space. Maybe throw in GPG-based things like Enigmail since Snowden leaks showed NSA worried about it so much.
> If you use some provider in another country, the attack vector has to be way larger, right?
If you just mean "Google has more resources than most European services, so it's probably more secure", you have a point, but it's not entirely accurate, and that's because of how Google handles encryption. It prefers to keep the encryption keys to itself, so from that point of view it will always be more vulnerable than services that don't do that - small or large.
And if you meant "because the NSA wouldn't target Google, or it would just target those companies more" then I believe that's completely false. Google is absolutely a high priority target for the NSA. Any large company is, no matter where it is. We've learned that by now.
Also because Google actually did get completely owned by the NSA a few years ago:
Guaranteed to be secure? Are you joking? Aside from the fact that nothing is guaranteed to be anything in the security world, if you go read the documents put out by Snowden there just no way you'd say that.
More like it is that there are any number of zero days floating around at all times many of which Google doesn't know, and the government itself is regularly taking data from these companies and then gagging them, and when that doesn't work, rooting them directly.
Outside countries are just as susceptible to hacking, but they can't be as easily made into gagged cooperators.
And google may have a lot of smart people but they have a collossal attack surface due to sheer size and product offerings. And they're made of humans. They run hackathons soliciting bugs and regularly find them. No one is perfect, definitely not google.
The overall security picture out there is grim, and it's very rational for people to control the risks they can and part of that is using outside of the US services
skylark|9 years ago
If you use Google, your data is basically guaranteed to be secure - the biggest vulnerability is search warrants from the US government.
If you use some provider in another country, the attack vector has to be way larger, right?
This is an honest question - people always talk about using their own servers or non-mainstream providers, but I don't see how they necessarily reduce your risk.
mattmanser|9 years ago
Are you saying that everyone else outside the US is somehow incompetent? The 300 million in the US are super special and the other 6.7 billion people are stupid? Cause 'murica? For example all the countries in the EU, Canada, Australia, etc.
Or are you saying privacy laws in the rest of the world are somehow worse? For example, the EU has generally much better privacy safeguards and is generally known to be much more consumer friendly than the US.
JumpCrisscross|9 years ago
Because I'm an American in America. If you aren't in America's sphere of influence, the United States may be one of the best places to host your data. (No data retention laws; freedom of speech; working courts; et cetera.)
jbmorgado|9 years ago
Also because the country where the data is stored, even if internally has personal data protection laws as lax as the USA, will in basically all cases have much bigger restrains about allowing a foreign government (namely the USA) to access that data.
Most people are preoccupied about what their own country's government or a big superpower's government can do with their data, not really what Norway's (another example) government can do with their data if they don't even live there.
sfifs|9 years ago
For any reasonably sized multinational, governments are potential legal adverseries.. and so they avoid keeping mail servers and financial transaction data in the cloud
unknown|9 years ago
[deleted]
burrows|9 years ago
nickpsecurity|9 years ago
I think Nexor, Thales, Fox-IT, Sirrix, Data61, and recently ProtonMail might have something to say about such claims. Starting with better security architectures than most vendors in the space. Maybe throw in GPG-based things like Enigmail since Snowden leaks showed NSA worried about it so much.
mtgx|9 years ago
If you just mean "Google has more resources than most European services, so it's probably more secure", you have a point, but it's not entirely accurate, and that's because of how Google handles encryption. It prefers to keep the encryption keys to itself, so from that point of view it will always be more vulnerable than services that don't do that - small or large.
And if you meant "because the NSA wouldn't target Google, or it would just target those companies more" then I believe that's completely false. Google is absolutely a high priority target for the NSA. Any large company is, no matter where it is. We've learned that by now.
Also because Google actually did get completely owned by the NSA a few years ago:
https://www.theguardian.com/technology/2013/oct/30/google-re...
moxious|9 years ago
More like it is that there are any number of zero days floating around at all times many of which Google doesn't know, and the government itself is regularly taking data from these companies and then gagging them, and when that doesn't work, rooting them directly.
Outside countries are just as susceptible to hacking, but they can't be as easily made into gagged cooperators.
And google may have a lot of smart people but they have a collossal attack surface due to sheer size and product offerings. And they're made of humans. They run hackathons soliciting bugs and regularly find them. No one is perfect, definitely not google.
The overall security picture out there is grim, and it's very rational for people to control the risks they can and part of that is using outside of the US services
deftnerd|9 years ago
herbst|9 years ago
herbst|9 years ago