by vidarh 4750 days ago
As a Norwegian, let me just say:

Yeah, right.

1. The Norwegian security services have a long history of violating Norwegian law (and when, for example, extensive illegal politically motivated surveillance of mostly left wing politicians was uncovered in the 90's they then had the gall to place an MP and member of the committee investigating them under surveillance while he was working on the report about their illegal surveillance), and have always been extremely cosy with the US.

2. Most bandwidth to Norway goes via Sweden. Sweden is not a safe country to pass data through if you want to avoid surveillance. See the FRA law: http://en.wikipedia.org/wiki/FRA_law ; unless they guarantee that they get their bandwidth via alternative means, this is a risk. Sure, you can encrypt the data, but if you trust that this is sufficient, then hosting your backups in the US should not be a problem either. If you think Sweden's neutrality means a shit in this case, consider that Sweden has admitted to having been complicit with renditions of political asylum seekers to the CIA in direct violation of Swedish laws, so clearly they do not worry about cooperating with US intelligence agencies. To hand your data over to the NSA would not even require them to break any laws, and they've already demonstrated they don't have the moral backbone to stand up to far worse requests.

3. Norway is subject to the EU data retention regulations, and otherwise likes to bend over backwards to comply with EU directives despite not being an EU member (we're a member of the EEA, which means we get all the directives, but don't have a say - how anyone thought that was a better alternative is beyond me). In fact, Norway is "best in class" when it comes to implementing EU directives - ahead of most EU countries... This doesn't impact this to a great extent, except it means all your communications with this company will be subject to retention laws, and if you consider it important enough to avoid the reach of the NSA for your hopefully encrypted backup data, this is worth keeping in mind too.

In other words: If you encrypt your communications and backup files well enough that you believe it is safe from the NSA in Norway, they'll likely be just as safe from the NSA in the US.


Well, what you say is not correct. First of all the Data Retention Directive has to be valid for you. I work for the Norwegian email provider Runbox and the EU Data Retention Directive is not applicable for us. It is only valid for carriers that own their own infrastructure down to the data center, called "communication providers". We even have it confirmed by both Kripos (FBI-ish) and Post- og Teletilsynet (Norwegian Post and Telecommunication Authority). We have tried to explain a bit why here: http://www.runbox.com/why-runbox/email-privacy-offshore-emai...

And you don't believe your data passes through a "communications provider"?

By the argumentation on your page, almost none of the electronic data targeted by the data retention directive would in fact be retained if the directive is not also applied to data that merely transit a providers network, given that the vast majority of e-mail addresses in use today are not hosted by "communications providers". If that is indeed an actual loophole, it will be closed quickly if/when everyone realizes that they're not getting the data they expect.

This is in any case a minor point, as in terms of dealing with backup data, it's the two first points of my message that are by far the most serious. And I don't think they're that serious, in that I don't really believe there are any suitable alternatives that are safe enough that you can prevent surveillance based on location, so you'll depend on the crypto, and the combination of the two makes the location of the data rather moot.

It does, but they don't offer email or phone services. So they are also exempt. We use Blix: https://www.blix.com/

What you call a loophole was no secret in the hearings about the new law. The government wanted this implemented mainly for the phone providers. They understood that foreign email providers like Gmail and Hotmail, which most people in Norway use, could not be under the law in any practical way, so they restricted who this is applicable to.

I read your website and tried your service for a few days this past April. I cancelled immediately after you emailed both my web hosting and support account credentials. In plain text. That is egregious.

I mention this only to point out that without proper security procedures your data privacy policy is irrelevant. Not one-way hashing and salting passwords negates everything else you do.

I'm happy to try again some day but you really have to have airtight security at a minimum to appeal to privacy-conscious users. Password reset is one of the first things we test for any new service.

If you're worried about the NSA or other nation-states then I wouldn't stop with hashing+salting. You need to be using something like scrypt/bcrypt/PBKDF2. cperciva has a paper about scrypt, bcrypt is at least widely known for this use case, and PBKDF2 is even a "certified" way to do that.
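An added example, not code from any commenter or from Runbox, illustrating the two points raised above: store passwords with a slow, salted KDF (PBKDF2-HMAC-SHA256 from the Python standard library, standing in for the scrypt/bcrypt/PBKDF2 family) instead of a plain salted hash, and run a password reset through a short-lived one-time token so that a credential never has to be mailed in plain text. The record format, iteration count and token store are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters: the iteration count is the knob that makes each guess
# expensive for an attacker who obtains the database; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>'.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed tables are useless."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def issue_reset_token(store: dict, username: str, ttl_seconds: int = 900) -> str:
    """Password reset without mailing a password: the user receives a random
    one-time token; only its hash and expiry are kept server-side (assumed dict store)."""
    token = secrets.token_urlsafe(32)
    store[username] = (hashlib.sha256(token.encode()).hexdigest(), time.time() + ttl_seconds)
    return token


def redeem_reset_token(store: dict, username: str, token: str, now: float = None) -> bool:
    """Accept a token once, and only before it expires; 'now' is injectable for testing."""
    entry = store.pop(username, None)  # popping makes the token single-use
    if entry is None:
        return False
    token_hash, expires = entry
    if (now if now is not None else time.time()) > expires:
        return False
    return hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), token_hash)
```

The caller sends the token (not the password) to the user's verified address and, on redemption, lets them choose a new password that is stored with hash_password.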

Both your web hosting and support account credentials are encrypted. I see your point about not sending them to you when you set up the services, but you have to understand that we do offer services for a wide range of people. Some really want a copy of their login in their email that they have locally.

But I take your point about this and we will try to make that optional. It is optional when you set up email sub-accounts for the administrator.

This sounds strange, as far as I understand it:

http://www.lovdata.no/ltavd1/filer/sf-20130514-0484.html#1-2 http://www.lovdata.no/ltavd1/filer/sf-20130514-0484.html#2-6

together states that if you provide email services, you are required to store metadata (which is what the Data Retention Directive is all about).

On a side note, if the secret services cooperate to do massive ingress/egress storage of data on the network level (say for 6 months) -- having easily passable meta-data would help turn that massive data dump into useful information (assuming index and organization around ip/date or something similar).

As for being safe from NSA outside of the US (even with an ally) -- that makes no sense. While it is against Norwegian law to hack into Norwegian businesses - the NSA isn't subject to Norwegian laws, they're subject to US law. The secret services are explicitly set up to perform illegal actions in foreign territories (which is why the NSA story is about spying on Americans, rather than on spying in general).

If you are a layman, it does. But this quote is very restrictive in the interpretation by Post og Teletilsynet: "A provider of an electronic communications network that is used for a public electronic communications service, and a provider of a public electronic communications service, is subject to the retention obligation."

What we don't do is act as a "provider of an electronic communications network" (tilbyder av elektronisk kommunikasjonsnett). That means we are outside. Then the rest is not relevant.

We have been in the courts about this and both Kripos (they wanted information) and the judge found that we are outside the scope of this.

Ok, it wasn't entirely clear to me that you'd been in court over this after the law was enacted. That certainly is good news.

Does indeed sound like the directive is tailor-made to make ingress/egress snooping on data useful. The kind of snooping we saw with NSA's "secret rooms". Such illegal wiretapping would fit very well with metadata stored at the ISP level -- and could also explain why anyone not at that level is not required to store metadata (it would be redundant).

Is there a jurisdiction on the planet where data is safe from domestic wiretapping [1] (i.e. international espionage notwithstanding)?

Serious question.

1. Clarification: I mean warrantless wiretapping.

No. Job #1 for a national government is national security, and governments inherently have the power to intrude upon privately operated companies.

I think that in the long run, the U.S. is still a good place to keep data.

U.S. citizens have an instinctual distrust of government that Europeans often mock, but in this case I think is an advantage.

In addition the U.S. has some of the strongest protections for freedom of expression in the world, which means that everyone can learn and argue openly about intel programs and other sub-topics of freedom vs. security.

> Job #1 for a national government is national security, and governments inherently have the power to intrude upon privately operated companies.

I would say that job #1 of a government is establishing and enforcing domestic property rights (to allow an economy to function); and job #2 is building public-good infrastructure like roads.

"National security" is job #1 of an organism interested in its own survival--but there's no reason a government needs to be such a thing; the only reason I can see for it is the precedent set by monarchies, where each current king wants the government to persist in its current form so that they themselves will stay in control of it. A government could run a country perfectly capably while leaving itself undefended from being "eaten" by a foreign government (or populist coup) at any time.

National Security is intrinsically about enforcing domestic property rights. It covers issues like terrorism but also foreign hostilities. Don't be a doof and pretend that National Security doesn't at least start with the interests of the citizens in mind. Seems like it gets awfully lost in the woods, but you can't pretend that if people just had the right ideals things would be fine.

Yes, that's what I too think right now in June 2013, although I am a European. But... How about in the future, considering the progress towards a surveillance state which began sometime after 9/11 and the Patriot Act? (And some say it began even earlier, but was greatly accelerated by the Patriot Act)

The progress seems to be to give up individual liberties and freedoms in the name of War on Terror. Because the changes are incremental, people don't quite realize the progress until it is too late. By then, they consider it a status quo and youngsters don't even know what they are missing. It's the so-called boiling frog analogy.

Except that even in the U.S. it has literally been much worse, even before computers. We have always had an ebb-and-flow with civil liberties.

First we enslaved the blacks, then we started making them free. Then we made a slave control law to forcibly rendition captured slaves back to their masters in the slave states. Then we fought and died and FREED THE SLAVES!.... except that we didn't, as it turns out. Reconstruction was a high-water mark, then Jim Crow and the KKK came.

Hell, we didn't even start off from a great place. Go read about the Alien and Sedition Acts when you get a chance.

And likewise with privacy rights. We didn't start off with those either. As long as the government didn't have to search you or your property to find something, it was fair game. But then we added controls for postal mail. Then telephones, and eventually cell phones, beepers, and more. We also had the Supreme Court essentially create "reasonable expectation of privacy" out of whole cloth (which I don't blame them for, but goes to show how we didn't start off with Jefferson's dream government just to beat back all the attackers over time).

Of course in between there were COINTELPRO, FBI watchlists, HUAC & McCarthy's red scare, J. Edgar Hoover (which even MULTICS referenced, IIRC), ECPA, CALEA, attempts at the Clipper chip, munitions controls on crypto, etc. etc.

So it hasn't all been consistent progress but it also hasn't all been consistent withdrawal. So while I respect and greatly admire those who fight for increased privacy because they think it's the right thing to do, I can only assume those who characterize civil liberties in the U.S. as something that has simply been slowly eroded over time have not studied as much U.S. history as they should have.

It seems like it would be hard to find a jurisdiction where data is immune to the government breaking their own laws.

It seems like we need an independent project Loon but with servers attached to the balloons!

The US and Canada are actually some of the better places for a privacy-protecting provider, as long as you want to use strong cryptography. CALEA in the US is the main impediment to making a system where the operator intentionally can't disclose information, and that can be solved (for now) by not being a CALEA-covered provider (essentially, PSTN or VOIP interconnected with PSTN, or some kind of broadband physical access layer).

Not a jurisdiction, but your data is pretty safe from warrantless wiretapping in a Tor .onion server.

Why the downvote?

Thank you for taking the time to describe this. I'd been, naively, hoping -- yet to research -- that Norway might be somewhat better than Sweden.

I'm coming to the impression that none of the Scandinavian countries may be particularly friendly to data privacy advocates.

How did you come to that conclusion?

+1