[artofcode]

From the article:

> "The UK government can certainly insist that a company not based in the UK carry out its orders – that situation is specifically included in the new law – but as to whether it can realistically impose such a requirement, well, that will come down to how far those companies are willing to push back and how much they are willing to walk away from the UK market."

[antouank]

Missed that. Thanks.

But I cannot see why someone would comply with that. For example getting an AWS machine in Ireland, is that within the "UK market"? Does amazon have to comply just because many customers are in the UK? And will we ever know if they do comply? What a mess.

[artofcode]

Exactly. And think about private keys for SSL certificates. I'm not even sure if those are covered by the legal wording, but I wouldn't be surprised if they were.

[antouank]

Still, I'm not sure how that will work. Say I spawn a VPS, and I start my VPN server in there. Can Amazon just go in there and snoop somehow? My keys are encrypted, even if they can see the disk they are on, and the traffic also. All it can do is see the network traffic that originates from that machine, and log that.

[pricechild]

Assume that if someone has physical access, the machine is compromised.

[foobar__]

They can easily look at the RAM of the VM and get the plain-text encryption keys for SSL or VPN or whatever.

I'm absolutely sure by now someone has written a program to automate this, and to be honest I expect some governments already force some companies to do this.

[setrofim_]

The answers to your questions will come down to which a particular company values more -- their UK revenue or the privacy and safety of their UK customers.