by regal 4666 days ago
Much as I'd like to see some kind of "tidal wave of people doing this", purely in the interests of sending a message to somebody somewhere that data sniffing = not cool, I don't personally know anyone who's taken the time or energy to move all his data off of bugged U.S. servers onto bugged European or Asian ones or attempted to host it himself in less-efficient email clients, etc., nor plans to, nor do I hear very many people online talking about doing this, nor planning to, nor have I done this myself, nor do I plan to.

There's a lot of pulling of hair and gnashing of teeth going on right now in the blogosphere, but strikingly few people actually doing anything, and the actual movement looks more like a tiny ripple in an otherwise calm tide pool than it does a 100-story wave.

I suspect that until better, easier-to-use services come along than the ones being skewered in this post, most people are simply going to stay right where they are.

And once those services do come along, and attract a large enough user base, I'm pretty certain they will in turn attract agencies like the NSA (or whatever the local government equivalent may be, if not in the U.S.), showing up with hands out and secret court orders up.

If privacy was paramount to people, no one would be on Facebook (I'm certainly not, and haven't been for years). Yet, Facebook, much as everyone constantly complains about its blatant disregard for users' privacy, seems to be doing just fine, with its billion or so users and its $80 billion valuation.

The Internet is living, breathing, functioning proof that, at least to 99.9999% of human beings, utility > privacy. Unless the U.S. government starts skimming off the top of people's bank accounts, I don't think there's going to be much of a mass exodus any time soon - the motivation simply isn't there.

8 comments

U.S. policy is greatly influenced by corporations. Let's assume that an alternative non-American gmail shows up with most of the key functionality in place but with extensive user privacy being a selling point. I for one would switch in a heartbeat. I think a lot of other technically minded people would as well. Many of which are probably influential when it comes to technology decisions among their peers. It doesn't have to be a mass exodus. A trickle of influential can turn into a tide. We've seen it before, especially with internet companies.

Google's a data company. They're definitely going to see this and if it's non-trivial then they're going to react. Lawyers and lobbying ensues. Policy may be affected.

I admit I'm kinda waiting for someone to say: "We're exactly like GMail/Dropbox/whatever but we take security seriously and we're outside US jurisdiction. Click this button and we'll migrate your data for you."

I guess I just don't value my boring private data enough to put much work into this right now. But if I ever need a new cloud service, being outside the US will definitely count as a big plus.

I completely agree that the technologies used for self-hosting have been neglected during this era's obsession with what I call the "plain cloud." As you point out, convenience is paramount. The plain cloud has seen the lion's share of R&D and has been sold to consumers as the pinnacle of convenience.

However, I contend that had an equal amount of R&D been invested in a distributed cloud (what we used to refer to as "the Internet," not to be snarky)--especially one that provided federated encrypted data backup among trusted friends and family, a model that would embrace high-bandwidth symmetric connections to consumers' homes and the notion of self-serving--we'd be better off now.

In other threads at HN, I believe this has been covered sufficiently, so I'll cut that short.

I think your first paragraph may be correct insofar as there are many of us who were already doing self-hosting of our data. Those concerned with privacy were already assuming the situation was fairly bad, although I think even we were surprised at how bad it is.

My data is no more interesting than the OP's. Boring e-mail, boring family photos, boring unpopular music, boring documents. Yet out of principle, I self-host it. Self hosting is not that remarkable, but it is a rapidly disappearing practice. As recently as five to ten years ago nearly everyone in the world self-hosted their personal data.

Since my first DSL line in 1998, I've always splurged a bit for a symmetric connection. Since then I've found it disheartening that symmetric connections were and remain marginalized. Today, I can connect to my home VPN relatively easily from any of my devices to access my data. It could certainly be a lot better (I've ranted elsewhere that VPNs suck; they've not seen genuine R&D in ages).

Running a personal mail server is pretty simple too. With so much *-as-a-service out there, I admit that some people are losing the will to install a service of their own, but assuming you do a little bit of research, some modern options are more or less install-and-play, with decent anti-spam.

Again, had a distributed cloud continued to see bountiful R&D as the plain cloud has, the self-managed options would be 5-10 years more mature today. Had Thunderbird not been effectively neglected for the past ~4 years, it would probably be a (slightly) nicer e-mail client.

Large companies have a pretty strong set of rules to guide them in the EU DPD and privacy laws of individual countries, that means that they need to subcontract with others in such a way that they can fulfill this.

From a few months ago if you were serious about trying to comply with the law in Europe then by now you are either migrating to EU hosting, you've already migrated or you are planning your migration. If not you run the risk of being found non-compliant at some point in the future or to get very pointed questions when a new investor decides to step on board or when you're in a position to sell your company to a larger entity.

This is not going to be advertised, it isn't going to be in the headlines, it is just happening underwater and out of sight. But it definitely is happening. Individuals making those same choices are doing so for different reasons than corporations.

> I don't personally know anyone who's taken the time or energy to move all his data off of bugged U.S. servers onto bugged European or Asian ones or attempted to host it himself ...

Hi there. This is, in fact, exactly what I've been working on over the weekend.

I have ~8 GB of mail spread across three e-mail accounts hosted by Google (excluding my original @gmail.com account, which I never use). I've now got my own server set up and about 0100 UTC today (Monday) I "flipped the switch" (changed MX records) and have been keeping an eye on it since then.

I did an initial run with imapsync to move the bulk of the mail over and, after 0100 UTC (when the TTL expires) I'll do another run to make sure I've gotten anything that ended up in the mailboxes on Google's servers since then.

Afterwards, I'll delete all of the messages in those Google accounts and, finally, remove the whole domain and such. I'm sure that Google will still have a copy of all of that for a good while but, at some point, they'll delete it.

In the grand scheme of things, I know that it isn't really going to make a difference. It's more symbolic than anything but I can feel a little bit better knowing that my data is more secure/private than it was.

I've been meaning to do it for the last few months and I'm happy that I finally devoted the time to making it happen.

(For the curious... a RHEL derivative, configured according to the CIS RHEL6 Benchmark and DoD/DISA RHEL6 STIG (for the most part), running Postfix and Dovecot (w/ SSL/TLS and a "real" certificate although I'm starting to think I'd be more comfortable if I had just made my own) w/ AMaViS and ClamAV thrown in as well.)

>The Internet is living, breathing, functioning proof that, at least to 99.9999% of human beings, utility > privacy.

Imagine, for a moment, that evidence comes forward that Snowden wasn't the first.

Imagine that someone in Snowden's position did exactly the same thing, only for financial gain, say, selling private company secrets to a competitor.

That would change the situation, would it not?

+1, the NSA is one player amongst all the countries, corporations, and ...work colleagues who might be interested in your files. There are more commercial agencies around than we'd like to think, who are given 10 grand to ruin your reputation or make your laptop disclose your next commercial move...

I don't think the worst consequences are in people moving their data off services now -- the real impact is how this affects long term IT strategy. Even small changes to the slope of the adoption curve now will result in massive accumulated losses over time.

A lot of companies with a lot of data are asking themselves whether or not to put that data in the cloud. Storing data in the US right now is a bit like suggesting you store your confidential files in 1980s Soviet Union -- only, they would probably have been a lot safer in the 1980s Soviet Union.

It's scary that they don't care but not surprising. We live in a world where the majority of people with privilege are comfortable with the fact that racial profiling still pervades the criminal justice system. In fact, such a statement will be viewed as controversial and debate will be diluted by meaningless argument about whether racial profiling exists or whether the use of the term, "privilege," is even fair. Privacy, I believe, faces the same conundrum: it's a problem but the consequences of it are so divorced from the individual that most people won't even think about it.

The rub for me is not that some NSA goon could snoop on where my gaming group is meeting up next week. It's that they could use the scale of their surveillance powers to profile and target groups of individuals in much finer strokes. They don't need to mobilize a state police force to stop random persons and check their papers anymore. It's much more quiet now and less noticeable. We can let our imaginations run rampant about what they could do with this information but I think there's evidence of what they do use it for already and the reality is often much more frightening because it seems so benign.

Please explain what "the reality" is in regards for what they use it for that is more frightening.
From: http://www.nsa.gov/public_info/_files/speeches_testimonies/2...

     When conducting 702 FISA surveillance, the only information NSA obtains results from the use of specific identifiers (for example email addresses and telephone numbers) used by non-U.S. persons overseas who are believed to possess or receive foreign intelligence information.
     
     Foreign terrorists sometimes communicate with persons in the U.S. or Americans overseas. In targeting a terrorist overseas who is not a U.S. person, NSA may get both sides of a communication. If that communication involves a U.S. person, NSA must follow Attorney General protects the privacy of U.S. persons.

     The collection under FISA section 702 is the most significant tool in the NSA collection arsenal for the detection, identification, and disruption of terrorist threats to the U.S. and around the world.

It's probably all true. I'd wager the majority of information gathered from surveillance activities under the FISA is to spoil terrorist threats against the U.S. However denials like this have a way of avoiding the definition of, "terrorist threat," or explaining the scope and restrictions the information so gathered must be used.

I suspect they might use the aforementioned section of the FISA to enable the extradition and persecution of whistle-blowers as terrorists. This would allow them to black-van these people and remove them from the world. However one can only speculate that this is true. And therein, in my opinion, lies the danger.

Edit formatting issues...

   echo "my quote" | fold -s -w 77 | sed "s/^/   /"
append pbcopy if on a mac:

   echo "my quote" | fold -s -w 77 | sed "s/^/   /" | pbcopy

   When conducting 702 FISA surveillance, the only information NSA obtains 
   results from the use of specific identifiers (for example email addresses 
   and telephone numbers) used by non-U.S. persons overseas who are believed to 
   possess or receive foreign intelligence information.
        
        Foreign terrorists sometimes communicate with persons in the U.S. or 
   Americans overseas. In targeting a terrorist overseas who is not a U.S. 
   person, NSA may get both sides of a communication. If that communication 
   involves a U.S. person, NSA must follow Attorney General protects the 
   privacy of U.S. persons.
   
        The collection under FISA section 702 is the most significant tool in 
   the NSA collection arsenal for the detection, identification, and disruption 
   of terrorist threats to the U.S. and around the world.

also, to address the lies you're spreading:

I have no idea about 702 fisa surveillance, but what we do know is:

1 - the nsa collects intelligence

2 - if you, as an american, communicated with a foreigner, you're fair game.

2b - if you, as an american, communicated with an american who communicated with a foreigner, the nsa collects your communications.

2c - if you, as an american, communicated with an american who communicated with an american who communicated with a foreigner... the nsa collects your communications.

2d - why yes, if you're observant, you might think this is virtually every american.

3 - if they accidentally collected your, as an american, communications, they keep it. "Accidentally".

4 - since all pigs are liars, they distribute this to, amongst others, the irs and the dea, along with a guide to whitewashing where the information came from. So the dea can, what do you know, pull over a random van for a busted tail light or not signaling a lane change or signaling a lane change too early or just cause they feel like it -- there is always, 100% of the time, a reason for a cop to pull over a car if they want to. Then they randomly find drugs! Who knew, must be just a coincidence! [1]

   The undated documents show that federal agents are trained to recreate the 
   investigative trail to effectively cover up where the information 
   originated, a practice that some experts say violates a defendant's 
   Constitutional right to a fair trial. If defendants don't know how an 
   investigation began, they cannot know to ask to review potential sources of 
   exculpatory evidence - information that could reveal entrapment, mistakes or 
   biased witnesses.
   
   I have never heard of anything like this at all, said Nancy Gertner, a 
   Harvard Law School professor who served as a federal judge from 1994 to 
   2011. Gertner and other legal experts said the program sounds more troubling 
   than recent disclosures that the National Security Agency has been 
   collecting domestic phone records. The NSA effort is geared toward stopping 
   terrorists; the DEA program targets common criminals, primarily drug dealers.
   
   It is one thing to create special rules for national security, Gertner said. 
   Ordinary crime is entirely different. It sounds like they are phonying up 
   investigations. [1]

5 - yes, regarding #4, all pigs are liars, and this would be lying directly to the court. Not that they will be prosecuted for it.

6 - since this already migrated from "omg terrarism" to drugs, you may wonder where it will end. tip: it won't just be with drugs, it never is.

[1] http://news.yahoo.com/exclusive-u-directs-agents-cover-progr...