So, the cloud

I had intended to follow up my last post with a long, informative piece about where the various cloud hosting providers were registered and where they kept their data.

I had hoped to work out how to escape from the situation in which all of my personal and business data is being provided to foreign authorities that consider me, my company, and my customers to have no legal existence except as surveillance targets.

But I can’t do it.

The short answer seems to be that every cloud document hosting, music sharing, email hosting, code hosting, or online office applications company you have ever heard of is either an American company, or using American hosting, or both. If you are not an American citizen, information about you is being used by American security authorities, and you have no legal standing that might allow you to question how it is used.

And in any case, if you’re British like me, your own government has also engaged in all sorts of baroque deals to make its own internet data available to the American security authorities, and then to share the analysis results without any of the legal obligations.

I think that I have nothing to hide from any legal authority, and it’s incumbent on people like me to help to make the point by moving away from those authorities that we can no longer depend on. But it’s not easy to do.

For what it’s worth, I have moved my email hosting from Google mail (American company, American hosting, named in NSA leaks) to Fastmail.fm (Australian company, American hosting, not yet named in an NSA leak)—a marginal improvement.

And I’ve moved all of my web hosting—apart from this blog!—from Rackspace (American company, American hosting) to Hetzner (German company, German hosting). Perhaps next we’ll learn a bit more about the German government’s own monitoring apparatus.

It’s not enough.

“It didn’t violate the First Amendment because Americans weren’t among the people targeted”

We’ve recently been told quite a lot about the activities of the US National Security Agency in monitoring internet communications. Much of it could be described as “stuff you might have feared, but that’s a bit depressing to have confirmed”.

For people outside the US, one perhaps surprising thing is that the US government seems happy to say the NSA’s surveillance programmes are OK because they are only aimed at non-Americans.

It involves extensive procedures, specifically approved by the court, to ensure that only non-U.S. persons outside the U.S. are targeted.

— US administration official quoted at http://www.huffingtonpost.com/2013/06/06/obama-administration-prism-program_n_3399858.html

Blanket orders from the secret surveillance court allow these communications to be collected without an individual warrant if the NSA operative has a 51% belief that the target is not a US citizen and is not on US soil at the time.

http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data

For people outside the US who have been encouraged over many years to use American internet and cloud-hosting companies, it comes as a bit of a surprise not just that the US government feels this way but that it is so unashamed about it.

Although the details about NSA snooping are new(ish), this principle isn’t a new one. It turns out it’s normal for constitutional safeguards not to apply to non-Americans, even when they are using the services of US companies. A current case:

Chevron… is asking Google, Yahoo, and Microsoft, which owns Hotmail, to cough up the email data. When Lewis Kaplan, a federal judge in New York, granted the Microsoft subpoena last month, he ruled it didn’t violate the First Amendment because Americans weren’t among the people targeted.

http://www.motherjones.com/politics/2013/07/chevron-ecuador-american-email-legal-activists-journalists

Now this one has nothing to do with the NSA; it’s about gathering evidence for a court case. The only reason it is considered news is because the opposition argues that the hosting service didn’t know for sure that its users were not Americans.

This is so problematic not because the US necessarily behaves worse than any other country—I suspect it has better oversight in place, for its own citizens, than the UK—but because people like me from outside the US have got used to thinking of US-based hosting, services and companies as the norm in the Internet world.

This attitude long pre-dates pervasive cloud computing. Hotmail, the example above, has been one of the world’s most popular email hosting providers for around 15 years, with (I’m guessing) a couple of hundred million users outside the US.

But it’s quite a problem now that cloud hosting is routinely used to store business data and private documents. And it seems obviously problematic for EU-based businesses, which have a legal obligation to follow data protection rules that presumably don’t include sending their customer data off to a country whose government is unapologetic about taking a copy of it, just in case.

America

I’ve been a bit prickly about the USA and Americans a few times before on this blog. That prickliness has the same cause: I’m sensitive about having become so dependent on American companies and attitudes myself. I have grown used to engaging with American companies, working methods, and laws, almost more than those of my own country, and certainly more than those of other European countries. That has a lot to do with the USA’s historical reputation as a stable, reliable democracy with visible workings, answerable to a relatively incorruptible legal system.

But this dependency increasingly seems just perverse.

I have become used to giving all my personal and business records to companies that have promised to make it all available to a spy agency run by a foreign government that openly declares it has no interest at all in my rights.

Why would anyone want to do that?

“Various nifty functions”

Further to the code-literate judge in Oracle v Google, via Groklaw we now have his ruling that the Java APIs are not copyrightable.

It’s an exceptionally clear piece of work and a good introduction to the subject. I certainly couldn’t have written a better technical summary, although I’m sure there are bits that a non-programmer would still struggle with—for example, the judge uses the term “subroutine” without explanation.

I like the jaunty language:

After Java’s introduction in 1996, Sun [...] wrote hundreds more programs to carry out various nifty functions

And he is certainly decisive. The section describing the code at issue (rangeCheck) is introduced thus:

Oracle has made much of nine lines of code that crept into both Android and Java. This circumstance is so innocuous and overblown by Oracle that the actual facts, as found herein by the judge, will be set forth below for the benefit of the court of appeals.

And in the closing remark,

[It] is important to step back and take in the breadth of Oracle’s claim. Of the 166 Java packages, 129 were not violated in any way. Of the 37 accused, 97 percent of the Android lines were new from Google and the remaining three percent were freely replicable under the merger and names doctrines. Oracle must resort, therefore, to claiming that it owns, by copyright, the exclusive right to any and all possible implementations of the taxonomy-like command structure for the 166 packages and/or any subpart thereof — even though it copyrighted only one implementation. To accept Oracle’s claim would be to allow anyone to copyright one version of code to carry out a system of commands and thereby bar all others from writing their own different versions to carry out all or part of the same commands. No holding has ever endorsed such a sweeping proposition.

As an aside, nice to see our old friend Sega v Accolade cited again. I haven’t read all that many US legal opinions on software copyright, but I think pretty much all the ones I have seen have referred to Sega v Accolade.

You can read the whole thing on Groklaw.

Speaking of learning to code

Dialogue in Oracle vs Google, between Judge Alsup and Oracle’s lead counsel David Boies:

Judge: We heard the testimony of Mr. Bloch. I couldn’t have told you the first thing about Java before this problem. I have done, and still do, a significant amount of programming in other languages. I’ve written blocks of code like rangeCheck a hundred times before. I could do it, you could do it. The idea that someone would copy that when they could do it themselves just as fast, it was an accident. There’s no way you could say that was speeding them along to the marketplace. You’re one of the best lawyers in America, how could you even make that kind of argument?

Oracle: I want to come back to rangeCheck.

Judge: rangeCheck! All it does is make sure the numbers you’re inputting are within a range, and gives them some sort of exceptional treatment.

(via Groklaw)

A dot com is an American domain

“Verisign seizes .com domain registered via foreign Registrar on behalf of US Authorities” (via Daring Fireball) — a gambling site based outside the US, using a .com domain registered by a non-US registrar, has had its domain seized by US authorities after prosecutors in Maryland asked Verisign, who control the top-level .com nameservers, to hand it over.

The prosecutor noted that “sports betting is illegal in Maryland, and federal law prohibits bookmakers from flouting that law simply because they are located outside the country”. It’s not clear whether the site was doing anything that would be considered illegal outside the US, but I can’t see anything in the story to suggest so. It looks like a legal business in the country it operated in.

In my earlier post about the now-postponed SOPA regulations in the US (Why the proposed US copyright regulations should worry UK citizens) I wrote

The definition of a “domestic” site [in the draft legislation] is brief, but not without ambiguity: it’s a site with a domain name registered or assigned by a US registrar, or (if it has no domain name) a site hosted in the US.

I can’t tell whether that means names whose top-level domains have US-based sponsoring registrars, including all .org, .com and .net domains, or only those whose registration was carried out by a US-based registrar.

This case shows that US authorities may be inclined to treat any .org, .com or .net domain as being under US jurisdiction, no matter where its registrar was based.

Here in the UK, I think we’ve become too used to thinking of .com or .org domains as meaning simply “of the Internet” rather than of any specific country. That will have to change.

I’m not going to suggest we should rush to replace all our .org domains with .org.uk ones—chances are many of them are hosted in the US in any case—but it’s time to forget the old ideal of an Internet domain rather than a national one. A dot com is an American domain.

Why the proposed US copyright regulations should worry UK citizens

Referring to today’s 24-hour Wikipedia blackout in protest against proposed US copyright regulations, a colleague at work asks:

Could someone explain to me why wikipedia et al wouldn’t just move hosting to a different country if they have issue with US regulations… this blackout kind of implies that US law regulates the whole internet

A site like Wikipedia is unlikely to be in any position to relocate, given that it’s run in the US by a US-based foundation and has many US editors, but for those of us in the UK with more modest sites this is a legitimate question. Why worry?

You may in fact fall under US regulation

The proposed regulations divide the Internet into “domestic” sites, which are considered to be US-based and so to fall under US regulation, and “foreign” sites, which are all the others.

The definition of a “domestic” site is brief, but not without ambiguity: it’s a site with a domain name registered or assigned by a US registrar, or (if it has no domain name) a site hosted in the US.

I can’t tell whether that means names whose top-level domains have US-based sponsoring registrars, including all .org, .com and .net domains, or only those whose registration was carried out by a US-based registrar. Either way it will cover quite a high proportion of sites being run outside the US at present. I’m also unsure whether non-US domains such as .co.uk might be considered domestic if they were registered through a US registrar.

Even if you don’t, these laws are intended to affect you

One of the “selling points” of this legislation is that it imposes effective controls on foreign sites as well as domestic ones.

Provisions are included to require infrastructure sites within the US, such as search engines, payment processors, or ad networks, to remove access to or stop working with any foreign sites deemed infringing. The US still operates much of the Internet’s infrastructure and is the biggest market for many of its services. This could be a big problem for many sites even in places that don’t formally consider the US to be the centre of the world.

There’s no effective comeback

The question of whether a foreign site is “infringing” or not would be determined in US courts, and the only way to argue it would be in US courts. That might not be something anyone outside the US would wish to do.

The US has a record of targeting small-scale infringers

It’s tempting to think that none of this would apply to any of us unless we start running sites that intentionally host pirated material. Unfortunately, the US has a track record of aggressively pursuing action against individuals for relatively minor infringements (see 1, 2, 3, etc). It’s not unreasonable to fear that a general blog-hosting site in the UK, or any site that permits comments, or a research site that refers to audio or video media, could end up being harshly punished for something it never intended.

Afraid, or just concerned?

It’s possible that none of this would affect any of us, in practice.

But it’s also possible that these regulations might be more of a headache for people outside the US than for anyone within it, given their explicit provisions to deal with foreign sites and lack of recourse for foreign site operators, and the concentration of Internet resources and facilities inside the US. If Americans are worried, we should at very least be keeping a wary eye open as well.

See also

Update: I had missed this article on The Verge which answers and clarifies several of the things I had wondered about, and also makes the situation look even worse from a UK perspective.