If you want to have data storage that's secure from the NSA then you are going to need to do client side encryption. Moving your data to a company/country that promises not to access it isn't going to cut it.
Encryption won't help you, since a judge will simply throw you in jail for contempt until you cough up the key or give them a copy of the decrypted data. Honestly, in this hostile government environment, if you have something worth protecting you need to have a "dead man switch" on your data. Unless you take an action every few days (which you can't if in jail) then your data gets deleted.
I may be misreading this, but I think there's a big difference between "being readily accessible to the NSA" and "taking a judge to make it available."
If, through whatever means, they become interested enough in your data, they can just go judge shopping until they find one that decides that NSA suspicion is enough to issue a search warrant.
A provider can give you all the assurances in the world, but the real assurance is using your own encryption with your own best practice and controlling the data store as it exists on the provider's filesystem.
This is why it's important to give users a raw, open filesystem that they can manipulate any way they see fit, and not a fancy, highly abstracted backing store with a pretty GUI on the front.
Without a substantive commitment to open standards and open platforms, this is just a PR move.
If so, then the law essentially forces you to give your files up and no server location will protect you.
For any person who is not being forced into giving their keys up, encrypting their own files must be safer than hoping a cloud provider won't freely hand them over to the US government.
Fine. If you're foreign, encrypt your files and store them anywhere you like. If you're a US citizen, do the same and know that the government only has them when they force you to hand the keys over.
(Barring them being able to hack them some other way, e.g. simply grabbing your keys off your machine.)
Stay away from the UK - here a judge can throw you in jail for failure to provide keys, even if there's no evidence you still have the keys, and said judge would pretty much be guaranteed to believe that you did not hand over the correct keys if the result is garbage.
A couple of people have been convicted of refusing to hand over their encryption key.
It's worth noting that this is a separate offence, so there's a determinate prison sentence. You can't be held in contempt of court for refusing to hand it over.
What about a Saudi national accused of plotting terror attacks in NYC? Would you want the same laws applied to him? Or would you want to be able to force someone like this to decrypt their files in order to stop an attack?
I really don't know what the right answer is, but sometimes laws intended to keep us safe, also give shelter to bad guys.
>I really don't know what the right answer is, but sometimes laws intended to keep us safe, also give shelter to bad guys.
Americans inherently know this. We were brought up with the idea that freedom isn't free and that the price of liberty is eternal vigilance. Just because it is more convenient to violate the civil liberties of all to catch a few bad actors doesn't mean it is what our country is all about.
Europeans often find that sentiment ridiculous. But that is just the cost of privacy and liberty - one that our forefathers were welcome to pay.
Good suggestion, I've been using Amazon Glacier with the CloudBerry backup software which supports client-side AES encryption (http://www.cloudberrylab.com/amazon-glacier-backup-software....) and couldn't ask for more. Of course you will have to trust CloudBerry not to put a backdoor in their software, but it seems there are no OSS alternatives right now that work as easily.
From their website, it seems that tarsnap can't be counted as OSS:
"The Tarsnap client code is built around the open source libarchive archive handling library. While the Tarsnap code is not distributed under an open source license..."
Unless specified otherwise in individual files, the contents of this
package is covered by the following copyright, license, and disclaimer:
Copyright 2006, 2007, 2008, 2009, 2010, 2011 Colin Percival
All rights reserved.
Redistribution and use in source and binary forms, without modification,
is permitted for the sole purpose of using the "tarsnap" backup service
provided by Colin Percival.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
My reading of that is that you aren't allowed to redistribute any modifications or use it for anything other than accessing the tarsnap service.
So not really open source software in any sense that I understand.
[NB My comment is not intended as a criticism of tarsnap or Colin's licensing policy - he wrote it so, in my book, he can license it any way he wants.]
The Tarsnap client code isn't Open Source, but the source code is available, which means it can be audited.
s1kx's caveat ("Of course you will have to trust CloudBerry not to put a backdoor in their Software") therefore doesn't apply (as strongly, anyway) to Tarsnap.
While I mostly agree, I also think that having some legal/jurisdictional protection is a good thing. If nothing else, for the case where there turns out to be an exploitable weakness in the client-side encryption you are using.
"Yes, all datatraffic between your computer and Jottacloud is encrypted with 256 bits AES high grade encryption, which makes it virtually impossible for unauthorized persons to use the information being sent."