A place to cache linked articles (think custom and personal wayback machine)
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
  1. title: The End of Safe Harbor and a Scary Path Forward
  2. url: http://lucumr.pocoo.org/2015/10/6/end-of-safe-harbor/
  3. hash_url: 2d7603b0da4eff5a720982e2d957a803
  4. <p>In the Austrian internets <a class="reference external" href="http://www.politico.eu/wp-content/uploads/2015/10/schrems-judgment.pdf">the news about the end of the safe harbor act</a>
  5. has been universally welcomed it seems. Especially from non technical
  6. folks that see this as a big win for their privacy. Surprisingly many
  7. technical people also welcomed this ruling. And hey, if Snowden says
  8. that's a good ruling, who will argue against.</p>
  9. <p>I'm very torn about this issue because from a purely technical point of
  10. view it is very tricky to follow the ruling and by keeping to the current
  11. state of our data center environments in the light of some other rulings.</p>
  12. <p>I'm as disappointed as everybody else that government agencies are
  13. operating above what seems reasonable from a privacy point of view, but we
  14. should be careful about what how this field develops. Fundamentally
  15. sharing information on the internet and the right to privacy stand in
  16. conflict to each other and the topic is a lot more complex than to just
  17. demand more privacy without considering what this means on a technical
  18. level.</p>
  19. <div class="section" id="what-was-safe-harbor">
  20. <h2>What Was Safe Harbor?</h2>
  21. <p>The US-EU Safe Harbor laws declared US soil as a safe location for user
  22. data to fulfill the European Privacy Directive. In a nutshell: this was
  23. the only reason any modern internet service could keep their primary user
  24. data in the United States on services like Amazon EC2 or Heroku.</p>
  25. <p>In essence Safe Harbor was a self assessment that an American company
  26. could sign to make itself subject to the European Data Protection
  27. Directive. At least in principle. Practically very few US companies
  28. cared about privacy which is probably a big reason why we ended up in this
  29. situation right now. The second one is the NSA surveillance but I want to
  30. cover this in particular separately a bit later.</p>
  31. </div>
  32. <div class="section" id="what-changed">
  33. <h2>What Changed?</h2>
  34. <p>Maximillian Schrems, an Austrian citizen, has started an investigation
  35. into Facebook and it's data deletion policies a while ago and been
  36. engaging with the Irish authorities on that matter ever since. The Irish
  37. rejected the complaint because they referred to the Safe Harbor act. What
  38. changed now is that the European Court of Justice ruled the following:</p>
  39. <blockquote>
  40. <p>In today’s judgment, the Court of Justice holds that the existence of
  41. a Commission decision finding that a third country ensures an adequate
  42. level of protection of the personal data transferred cannot eliminate
  43. or even reduce the powers available to the national supervisory
  44. authorities under the Charter of Fundamental Rights of the European
  45. Union and the directive.</p>
  46. <p>[…]</p>
  47. <p><strong>For all those reasons, the Court declares the Safe Harbour Decision
  48. invalid</strong>. This judgment has the consequence that the Irish supervisory
  49. authority is required to examine Mr Schrems’ complaint with all due
  50. diligence and, at the conclusion of its investigation, is to decide
  51. whether, pursuant to the directive, transfer of the data of Facebook’s
  52. European subscribers to the United States should be suspended on the
  53. ground that that country does not afford an adequate level of
  54. protection of personal data.</p>
  55. </blockquote>
  56. <p>The detailed ramifications of this are a bit unclear, but if you were
  57. relying on Safe Harbor so far, you probably have to move servers now.</p>
  58. </div>
  59. <div class="section" id="why-was-safe-harbor-useful">
  60. <h2>Why Was Safe Harbor Useful?</h2>
  61. <p>So if you take the internet three years ago (before the Ukrainian
  62. situation happened) the most common of legally running an international
  63. internet platform as a smallish startup was to put the servers somewhere
  64. in the US and fill out the safe harbor self assessment every 12 months.</p>
  65. <p>To understand why that was a common setup you need to consider why it was
  66. chosen in the first place. The European Data Protection Directive came
  67. into effect quite a long time ago. It's dated for the end of 1995 and
  68. required user data to be either stored in EFTA states or optionally in
  69. another country if it can be ensured that the same laws are upheld. This
  70. is what safe harbor did. In absence of this, all data from European
  71. citizens must be stored on European soil.</p>
  72. <p>After the Ukrainian upraising and after Crimea fell to the Russian
  73. Federation a few things changed. International sanctions were put up
  74. against Russia and Russia decided to adopt the same provision as the
  75. European Union: Russian citizen's data has to be stored on Russian
  76. servers. This time however without an option to get exceptions to this
  77. rule.</p>
  78. <p>It's true that the US do not yet have a provision that requires US citizen
  79. data to be stored in the States, but this is something that has been
  80. discussed in the past and it's a requirement for working with the
  81. government already. However with both Russia and Europe we now have two
  82. large international players that set the precedent and it can only get
  83. worse from here.</p>
  84. </div>
  85. <div class="section" id="privacy-vs-data-control">
  86. <h2>Privacy vs Data Control</h2>
  87. <p>The core of the issue currently is that data is considered power and
  88. privacy is a secondary issue there. While upholding privacy is an
  89. important and necessary goal, we need to be careful to not forget that
  90. the European countries are not any better. While it's nice to blame the
  91. NSA for world wide surveillance programs, we Europeans have our own
  92. governmental agencies that act with very little supervision and especially
  93. in the UK operate on the same invasiveness as in the US.</p>
  94. <p>A European cloud provider will have to comply with local law enforcement
  95. just as much as an American cloud provider will have to be with federal US
  96. one. The main difference just being the institutions involved.</p>
  97. <p>The motivation for the Russian government is most likely related to law
  98. enforcement over privacy. I'm almost sure they care more about keeping
  99. certain power over companies doing business in Russia to protect
  100. themselves against international sanctions than their citizens privacy.</p>
  101. </div>
  102. <div class="section" id="data-locality-and-personal-data">
  103. <h2>Data Locality and Personal Data</h2>
  104. <p>So what exactly is the problem with storing European citizens data in
  105. Europe, data of Americans in the states and the data of Russians somewhere
  106. in the Russian Federation? Unsurprisingly this is a very hard problem to
  107. solve if you want to allow people from those different countries to
  108. interact with each other.</p>
  109. <p>Let's take a hypothetical startup here that wants to build some sort of
  110. Facebook for climbers. They have a very niche audience but they attract
  111. users from all over the world. Users of the platform can make
  112. international friendships, upload their climbing trips, exchange messages
  113. with each other and also purchase subscriptions for "pro" features like
  114. extra storage.</p>
  115. <p>So let's say we want to identify Russians, Americans and Europeans to keep
  116. the data local to each of their jurisdictions. The easy part is to set up
  117. some servers in all of those countries and make them talk to each other.
  118. The harder part is to figure out which user belongs to which jurisdiction.
  119. One way would be to make users upload their passport upon account creation
  120. and determine their main data center by their citizenship. This obviously
  121. would not cover dual citizens. A Russian-American might fall into two
  122. shards on a legal basis but they would only opt into one of them. So
  123. let's ignore those outliers. Let's also ignore what happens if the
  124. citizenship of a user changes because that process is quite involved and
  125. usually takes a few years and does not happen all that commonly.</p>
  126. <p>Now that we know where users are supposed to be stored, the question is
  127. how users are supposed to interact with each other. While distributed
  128. databases exist, they are not magic. Sending information from country to
  129. country takes a lot of time so operations that affect two users from
  130. different regions will involve quite a bit of delay. It also requires
  131. that the data temporarily crosses into another region. So if an American
  132. user sends data to a Russian user, that information will have to be
  133. processed somewhere.</p>
  134. <p>The problem however is if the information is not temporarily in flux. For
  135. instance sending a message from Russia to America could be seen as falling
  136. as being a duplicated message that is both intended for the American and
  137. Russian jurisdiction. Tricker it gets with information that cannot be
  138. directly correlated to a user. For instance what your friends are.
  139. Social relationships can only be modelled efficiently if the data is
  140. sufficiently local. We do not have magic in computing and we are bound to
  141. the laws of physics. If your friends are on the other side of the world
  142. (which nowadays the most likely are) it becomes impossible to handle.</p>
  143. <p>Credit card processing also falls in to this. Just because you are
  144. British does not mean your credit card is. Many people live in other
  145. countries and have many different bank accounts. The data inherently
  146. flows from system to system to clear the transaction. Our world is very
  147. connected nowadays and the concept of legal data locality is very much at
  148. odds with the realities of our world.</p>
  149. <p>The big cloud services are out, because they are predominantly placed in
  150. the US. Like it or not, Silicon Valley is many, many years ahead of what
  151. European companies can do. While there are some tiny cloud service
  152. providers in Europe, they barely go further than providing you with
  153. elastically priced hardware. For European startups this is a significant
  154. disadvantage over their American counterparts when they can no longer use
  155. American servers.</p>
  156. </div>
  157. <div class="section" id="privacy-not-data-locality">
  158. <h2>Privacy not Data Locality</h2>
  159. <p>The case has been made that this discussion is not supposed to be about
  160. data locality but about privacy. That is correct for sure, but
  161. unfortunately data centers fall into the jurisdiction of where they are
  162. placed. Unless we come up with a rule where data centers are placed on
  163. international soil where they computers within them are out of
  164. government's reach, a lot of this privacy discussion is dishonest.</p>
  165. <p>What if the bad player are the corporates and now the governments? Well
  166. in that case that was the whole point of safe harbor to begin with: to
  167. enforce stricter privacy standards on foreign corporations for European
  168. citizens.</p>
  169. </div>
  170. <div class="section" id="how-to-comply">
  171. <h2>How to Comply?</h2>
  172. <p>Now the question is how to comply with what this is going into. These new
  173. rules are more than implementable for Facebook size corporations, but it
  174. is incredibly hard to do for small startups. It's also not quite clear
  175. what can and what cannot be done with data now. At which point data is
  176. considered personal and at which point it is not, is something that
  177. differs from country to country and is in some situations even not
  178. entirely clear. For instance according to the UK DPA user relationships
  179. are personal information if they have "biographical significance".</p>
  180. </div>
  181. <div class="section" id="a-disconnected-world">
  182. <h2>A Disconnected World</h2>
  183. <p>What worries me is that we are taking a huge step back from an
  184. interconnected world where people can share information with each other,
  185. to more and more incompatible decentralization. Computer games
  186. traditionally have already enforced shards where people from different
  187. countries could not play together because of legal reasons. For instance
  188. many of my Russian friends could never play a computer game with me,
  189. because they are forced to play in their own little online world.</p>
  190. <p>Solutions will be found, and this ruling will probably have no significance
  191. for the average user. Most likely companies will ignore the ruling
  192. entirely anyways because nobody is going to prosecute anyone unless they
  193. are Facebook size. However that decisions of this magnitude are made
  194. without considering the technical feasibility is problematic.</p>
  195. </div>
  196. <div class="section" id="the-workaround">
  197. <h2>The Workaround</h2>
  198. <p>For all intents and purposes nothing will really change for large
  199. companies like Facebook anyways. They will have their lawyers argue that
  200. their system cannot be implemented in a way to comply with forcing data to
  201. live in Europe and as such will refer to Article 26 of the Data Protection
  202. Directive which states that personal data to an untrusted third country on
  203. either a user given consent to this or there being a technical necessity
  204. for fulfilling the contract between user and service provider. The TOS
  205. will change, the lawyers will argue and in the end the only one who will
  206. really have to pick up the shards are small scale companies which are
  207. already overwhelmed by all the prior rules.</p>
  208. <p>Today does not seem to be a good day for small cloud service providers.</p>
  209. </div>