I accept the principle; I wish people would take more action, but I for one am American and I have shifted most of my hosting out of the US because of it. I probably don't have much worth spying on, but on principle I oppose any form of blanket surveillance.
Nope, everyone happily shovels all of their data, as well as all of the data their customers provide them, into AWS, which is very cosy with the US military.
You can be reasonably certain that anything in AWS is available to US military intelligence without judicial oversight.
Every American service and product needs to be treated as compromised, it really comes down to that.
Individual companies now need to earn back basic trust.
This doesn't mean you have to completely abandon your favourite service, just have to modify the way you utilize it.
For example, if you absolutely have to use Google Drive, be sure to encrypt your files with appropriate strength first and assume they are actively trying to decrypt and build a file on you.
Why single out America, Snowden's leaks showed the entire Anglo-sphere is compromised(Five Eyes). Is there any reason to think this isn't the case in any NATO/OECD/etc. country?
I live in Denmark and buy hosting/email from a Danish company, but their servers are in Germany. I wonder if they will switch to having servers in other countries (or locally, as they used to have). Otherwise, I'll have to find a different provider.
Possibly, but it's much harder to intercept and mitm specific traffic at that level. On the ISP-side, that's different: they can with high certainty say that some traffic is coming from/to a specific suspect, much like a phone surveillance. This might also apply to individual service, e.g. an email provider.
I think you can collect a lot of good data for law enforcement purposes by tapping datacenter networks. Remember the NSA's "SSL added and removed here :-)" slide?
Raise your hand if you use TLS between your database server and your web frontend. Keep your hand up if you rotated that certificate in the last month. Keep your hand up if you know whether your database's certificate has been tampered with. (i.e. do you check that it's signed by your internal CA? Then who is signing it? Who maintains the ca-certs package? What does the certificate verification code even look like?)
No hands up? Good! The government thanks you for your service. Keep doing what you're doing, they'll keep you safe.
Yeah, but Germany's intelligence services aren't the NSA, neither regarding technical ability, nor regarding the lack of mission constraints. I'm sure they'd love to get their hands on DE-CIX as a whole, but they won't unless somebody with a US passport sits in on the meeting - and if they have that person, they don't need German laws.
I believe that these changes target ISPs and providers like mailbox.org, posteo etc, that have been "privacy first" and not too friendly. These laws aren't for wholesale data intake, they are more like phone surveillance with the added bonus that they (the ISPs and service providers) will be not only required to let them listen in, but to also allow them to inject trojans into the traffic that is being transported. These are very closely related to our laws for mailing services that contain similar things (the wording is very similar as well). They're not for the intelligence services to just walk in and say "Hi, we'll take everything, please", they still require a court order and target specific individuals.
Its german BND sitting at DE-CIX, but they fully cooperate with NSA to the point where they had to answer some ugly questions about why the fuck they helped a foreign intelligence service to literally spy on the german governement. Answer was: they don't verify what NSA queries, they automatically run the selector list and send them the data.
Yes, but as you see, that's already legal (especially if with US-involvement). This is different from that, as it contains the requirement for the provider to manipulate traffic.
> Raise your hand if you use TLS between your database server and your web frontend. Keep your hand up if you rotated that certificate in the last month. Keep your hand up if you know whether your database's certificate has been tampered with. (i.e. do you check that it's signed by your internal CA? Then who is signing it? Who maintains the ca-certs package? What does the certificate verification code even look like?)
But they'd need to filter out traffic for a specific suspect. It's unlikely that their approach will be to try to install trojans on every client computer that has traffic that goes through some DC. And if they want to take over a server they know the location of: they already can.
From my experience in a case where a previous version of that tech has been involved (though normal LE, not intelligence), they do take all the available measures to only hit the target, it's not a shot gun approach.
