French, German Leaders: Keep European Email Off US Servers
jfruh writes "In her weekly podcast, German Chancellor Angela Merkel said she'd be discussing European email security with French President Francois Hollande. Specifically, in the wake of the NSA spying revelations, the two leaders will try to keep European email off of American servers altogether to avoid snooping. This comes as Merkel's government faces criminal complaints for assisting aspects of the NSA's programs."
Re:Huh? (Score:5, Funny)
You mean if one were to send an email from Munich to Paris, it'd cross the Atlantic and come back?
Depends... Sometimes the German Army brings it directly in person.
Re: (Score:2)
Ja genau.
Let's be realistic. (Score:5, Insightful)
If you're sending an email from anywhere to anywhere, odds are that at least one or both of you are using an email account with one of the big US-based internet companies (Google, Yahoo, Microsoft, etc.). Or you don't even bother with email and use Facebook instead.
So your message is very likely to not only cross the Atlantic, but also get stored and backed up redundantly in several datacenters including servers in the US. This has nothing to do with internet architecture, just market forces and poor consumer options.
Internet routing only begins to matter to email security if your email account is hosted privately or by a local organization - and even then, you're better off securing the email by encryption than trying to compartmentalize a network that was designed from the beginning to ignore physical locations and borders.
Re: (Score:1)
I'm pretty sure European governments aren't using Gmail, Yahoo! or Hotmail, which I believe was the real point.
Politicians only have to feign anger for the privacy of the citizens. They know they're doing the same thing. It's when someone is watching the Watchmen that they get real anger over. Which past reports have stated that the German chancellor and French president were angry when they found out THEIR conversations were recorded.
Re: (Score:3)
Quite a few government organisations in the UK use Google Apps.
Re: (Score:3, Funny)
I don't know about official EU officials but I have it on good authority that royalmomma69@compuserve.net is the queen of england's email address.
Re: (Score:2)
I don't know about official EU officials but I have it on good authority that royalmomma69@compuserve.net is the queen of england's email address.
Actually that would be the address of the late Queen Mother, rest her soul.
Her Majesty, queen Elizabeth the second, has an @aol.com address.
Re: Let's be realistic. (Score:2, Informative)
This. Why aren't the Europeans moving to push client-side encryption instead of SMIME? If the NSA wants to access email on a foreign server, they can do that, either by breaking in or by asking the friendly local govt (ironically, the Germans and French are known for collaborating) to do it for them. The only thing that makes life harder (not impossible) is good crypto implemented right (no key escrow, etc).
Yes, and changing that is not an option (Score:5, Interesting)
You mean if one were to send an email from Munich to Paris, it'd cross the Atlantic and come back?
NSA aside, that's a pretty sucky setup.
It's how the Internet works. To quote directly from the experts: A target's phone call, e-mail or chat will take the cheapest path, not the physically most direct path. [wikimedia.org]
Physical distance is not as important as congestion on the routes. So it might very well be that your data takes a much longer path than what you'd think, simply because it uses the fastest way, not the shortest.
Angela Merkel's approach is pretty idiotic, and it cannot fix the problems. First of all, most emails are routed through the US either because the sender or the recipient has an American email provider (Germans love Gmail, too). Secondly, even if that is not the case, can you be sure that the NSA doesn't spy on traffic in Frankfurt [wikipedia.org]? It wouldn't surprise me.
Only true end-to-end encryption can be a solution. The government in Germany is currently pushing for DE-Mail [wikipedia.org], which relies on transport encryption only. So that means that your email provider can still snoop and so can the German government, which is probably the reason why they designed it like that in the first place. End-to-end encryption would have been possible, especially since the German government is spending much money rolling out their own PKI, with keys for every citizen right on their new national ID card.
There's a presentation [media.ccc.de] about DE-Mail from last December's Chaos Communication Congress, it's worth watching (video also has an audio track with English translations).
Re: (Score:2)
It works the same way with cars and roads. Often, going five miles out of your way will get you there half an hour faster because the interstate is 70MPH and the shorter route is badly congested and only doing 25.
And the longer route will use less gas.
For you car analogy guys...
Re: (Score:1)
"Only true end-to-end encryption can be a solution."
I doubt even that. If NSA can't break the encryption, they put a keylogger on your computer and break the encryption that way.
One time pad is a pain in the ass for key management, but it is impossible to break and the NSA may well waste a lot of cycles trying.
Key management here is to keep the keys on your hard drive and do a military grade erase on the blocks you have used.
Sending the key on three memory sticks by different routes and xoring them togethe
Re: (Score:2)
You mean if one were to send an email from Munich to Paris, it'd cross the Atlantic and come back?
NSA aside, that's a pretty sucky setup.
Many Europeans have accounts at gmail or hotmail. In this case, the email does indeed cross the Atlantic and back.
O, and "creative" routing, as you outlined, does happen often enough too, unfortunately...
Re: (Score:2)
If the other party doesn't want to pay up the packets to T-Online often get routed really strangely, often over the Atlantic.
Funny thing is that the Telekom is publicly pushing for packets staying within national borders while they are the worst offenders and tech-illiterate politicians are joining up on that
Re: (Score:2)
Depends what provider you're using. Not everyone is well off enough to have global servers.
Re: (Score:2)
It seems Merkel either doesn't know what she is talking about or is oversimplifying.
The real answer depends on what you mean by "send an email from Munich to Paris"
If you mean a user using a mailserver based in Munich sends an email to a user using a mailserver based in Paris then the mail is unlikely to go anywhere near the US. Europe (unlike some other parts of the world) has a highly functional internet infrastructure with good in-region peering.
However if you mean a user in Munich sends an email to a use
You, uh... Know... (Score:5, Informative)
You COULD mandate end-to-end encryption if you were really that worried about it. That probably also wouldn't avoid snooping, but it'd make it a bit more difficult. We should probably also move away from using the browser as a mail client. But you're not really worried about snooping, are you? You're just worried about US snooping.
Re: (Score:3)
Well yeah, Merkel isn't really worried about the German police reading email. If she were, she could do something about that problem more easily...
However I think in addition to being worried about US snooping, this is also a convenient opportunity for promoting local technology firms. If a bunch of people move from Gmail to European email providers, that's good for the European tech industry regardless of whether it actually hampers spying.
Re:You, uh... Know... (Score:4, Funny)
this is also a convenient opportunity for promoting local technology firms
The European Internet brought to you by SAP AG [sap.com]?
Re: (Score:2)
That might be more like it. They want to pull a China and encourage their own knockoffs of Google, Amazon, eBay, FacePlant etc.
Re: (Score:2)
"However I think in addition to being worried about US snooping, this is also a convenient opportunity for promoting local technology firms."
The thing is, though, they could have done this LONG ago. They could have paid to lay their own cables, and paid to develop their own backbone infrastructure. Instead, they decided to go the cheap route and ride the coattails of the U.S.
That's all fine, but bitching about it later makes HER look bad, because it was a choice freely made. These options have always been available. They're just making political hay out of the situation, that's all.
Re: (Score:2)
They do actually have the cables and backbone. Despite the weird wording she doesn't seem to be talking about an actual European network, since that already exists: if you ping from Sweden to Italy it goes through Germany, Austria, etc., like you'd expect. The problem is that many of the successful hosted services are in the USA, so while the ping stays within Europe, when you email from Sweden to Italy, it probably hits up Gmail in the USA.
Re: (Score:2)
"The problem is that many of the successful hosted services are in the USA, so while the ping stays within Europe, when you email from Sweden to Italy, it probably hits up Gmail in the USA."
That's even less of a real issue! Yes, the companies are American. That's because they were started via American ingenuity, work, and investment. They started here, they got big here.
If they want to use other services, then they can damned well build their own. They have even less of a moral leg to stand on in that respect! If they don't want to use American companies, then they can fucking well use German companies. Nobody is stopping them.
Re: (Score:2)
If they want to use other services, then they can damned well build their own.
That seems to be kind of what Angela Merkel is proposing? The whole proposal is: Europe should build their own online services and stop using America's.
Re: (Score:2)
I have absolutely zero problem with the idea. I just don't think bitching about the situation is called for, when the solution to it has been available to them all along. Failure to take advantage of it was nobody's fault but theirs.
Having said that: sure, it might not be nice for NSA to spy on people, but the UK is approximately as guilty, so there still isn't much room to bitch.
Re: (Score:2)
That's not what she wants as that again would cripple German law enforcement.
Lest anyone forget (Score:5, Insightful)
The German Prism: Berlin Wants to Spy Too [spiegel.de]
French officials can monitor internet users in real time under new law [theguardian.com]
And some of the reports of "NSA spying" were in fact NSA being given phone data from European agencies.
Re: (Score:1)
And while we're on the subject of Merkel | Germany | spying:
Merkel's cellphone said targeted by 5 countries' spy agencies [upi.com]
German Chancellor Angela Merkel's cellphone was tapped by at least five foreign intelligence agencies, not just by the United States, a German magazine said.
Besides the U.S. National Security Agency, Merkel's phone was monitored by the British, Russian, Chinese and North Korean surveillance agencies, weekly news magazine Focus reported, citing an unnamed German security official.
Re: (Score:1)
The "nasty purpose" is to prevent people from being killed, including Europeans - both in Europe and the US.
And we all know how well this has worked.
It prevented the attacks on 9/11/2001, it prevented the bombing at the Boston Marathon, and it
cures asthma too. Oops, it actually didn't work for any of this. So the argument that lives are being
saved is just a goddamned lie, because FACTS DON'T SUPPORT IT.
In other words, spying on all of us hasn't ACTUALLY worked very well to prevent violence. And the truth is,
the claims made by the government worker who calls himself "ColdFjord" are just plain old fear mongering.
If
Re: (Score:2, Interesting)
It would have been hard for measures taken after 9/11 to have prevented 9/11, wouldn't it? I take it that didn't register when you were writing that nonsense?
There are no guarantees. The work of law enforcement and intelligence agencies only makes it less likely that a successful attack will occur. But people still keep trying, and get arrested. In fact there have been hundreds of arrests and convictions on both sides of the Atlantic. If you want to ignore facts, that is up to you, but don't expect me t
Re: (Score:2)
It would have been hard for measures taken after 9/11 to have prevented 9/11, wouldn't it?
Yeah, but the NSA has been spying on us Europeans far before that - ever heard of ECHELON [slashdot.org]? It's almost conspiracy theory inspiring that the EU tried to get ECHELON stopped in 2001 - and bamm, planes fly into buildings, so we need more surveillance.
Re: (Score:2)
And having a police department and a justice system hasn't prevented crime, so we should abolish it because it didn't work 100% of the time.
Re: (Score:1)
That is a change of subject. But in addressing that subject, there are many reasons for intelligence operations. If you will note above in this thread where I replied to the first post you will see that there were at least five nations trying to monitor Merkel's phone. At least two of them were European. If you can't think of any reasons for that interest you aren't trying.
Suggesting that there isn't genuine interest in preventing terrorist attacks isn't true. And neither is suggesting that the only re
Re: (Score:2, Interesting)
Very much this. Hey, I do agree with cold fjord for once!
As disgusting as the whole Snowden revelations about NSA are (and as much as I think the whole NSA/Homeland "Security" thing has gotten out of hand and should be put under strict democratic control), the "secret services" this side of the pond (and their apologists) are (mis)using the whole scandal to further their dirty little agendas.
I won't forget that it was Merkel's party which pushed for horrid data retention laws across the whole of EU. I won't
Re: (Score:2)
It's good to keep in mind, lest Germany tries to become a tech hub based on the premise that they won't spy like the NSA, but until then, let her help us keep the spotlight on the NSA.
Favorite part (Score:4, Interesting)
> This comes as Merkel's government faces criminal complaints for assisting aspects of the NSA's programs."
> twitter facebook linkedin Share on Google+
My favorite part of the whole thing is that they are facing criminal complaints for assisting the NSA, all while having also been spied on by the very people they assisted. Hmm a happy satisfied feeling from seeing others get what has been coming to them? I believe the Germans just might have a word for that.
Re: (Score:1)
I believe the Germans just might have a word for that.
Zeitgeist?
Poltergeist?
Fahrvergnuegen?
Brutosozialprodukt?
Sauerkraut?
Re: (Score:1)
I think GPP is thinking of whatever the German word is for schadenfreude.
Re: (Score:2)
INCOMING!!!
>>>joke**** WHOOSH ****joke>>>>
No shit Sherlock.
Re: (Score:1)
> This comes as Merkel's government faces criminal complaints for assisting aspects of the NSA's programs."
> twitter facebook linkedin Share on Google+
My favorite part of the whole thing is that they are facing criminal complaints for assisting the NSA, all while having also been spied on by the very people they assisted. Hmm a happy satisfied feeling from seeing others get what has been coming to them? I believe the Germans just might have a word for that.
Negativhandlungsreziprozitätsbeobachtungsfröhlichkeitszufriedenheitsgefühl? ;-)
France and Germany get snotty at the US (Score:2)
News at 11.
Re: (Score:1)
I'm very disappointed to see that SMTP-connections are often not encrypted. It's cheap to do and makes snooping much harder.
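The two points made in the comments above (DE-Mail's transport-only encryption leaves mail readable by every provider that handles it, and many SMTP connections are not encrypted at all) can be checked on any received message by reading its `Received` headers. The following is an added example, not part of the original thread; the message, host names and addresses in it are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message: hosts, addresses and ids are made up
# (documentation IP ranges and .example domains).
SAMPLE = """\
Received: from mx.mail.example.com (mx.mail.example.com [198.51.100.7])
\tby mx.paris.example.fr with ESMTPS id c3
\tfor <bob@paris.example.fr>; Mon, 17 Feb 2014 10:00:05 +0100
Received: from smtp.munich.example.de (smtp.munich.example.de [203.0.113.5])
\tby mx.mail.example.com with ESMTP id b2
\tfor <bob@paris.example.fr>; Mon, 17 Feb 2014 01:00:03 -0800
Received: from laptop.local (unknown [192.0.2.10])
\tby smtp.munich.example.de with ESMTPSA id a1
\tfor <bob@paris.example.fr>; Mon, 17 Feb 2014 10:00:01 +0100
From: alice@munich.example.de
To: bob@paris.example.fr
Subject: test

hello
"""

# "with" protocol keywords that mean the hop was protected by TLS (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}


def _field(keyword, text):
    """Return the token following 'from', 'by' or 'with', or None if absent."""
    m = re.search(r"\b%s\s+(\S+)" % keyword, text, re.IGNORECASE)
    return m.group(1).strip(";") if m else None


def hops(raw):
    """Return the relay hops in sending order (oldest first)."""
    msg = message_from_string(raw)
    result = []
    # Each relay prepends its header, so the list is newest-first: reverse it.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        protocol = (_field("with", flat) or "").upper()
        result.append({
            "sender": _field("from", flat),
            "receiver": _field("by", flat),
            "protocol": protocol or None,
            # A missing "with" clause is treated as "not known to be TLS".
            "tls": protocol in TLS_PROTOCOLS,
        })
    return result


def cleartext_hops(raw):
    """Hops whose receiving server did not record a TLS-protected transfer."""
    return [h for h in hops(raw) if not h["tls"]]


def plaintext_holders(raw):
    """Every server that accepted the message. TLS protects only the wire,
    so each of these could read the body unless it is end-to-end encrypted."""
    return [h["receiver"] for h in hops(raw)]


if __name__ == "__main__":
    for h in hops(SAMPLE):
        print("%-24s -> %-24s %-8s %s" % (
            h["sender"], h["receiver"], h["protocol"],
            "TLS" if h["tls"] else "CLEARTEXT"))
    print("servers that saw the plaintext:", plaintext_holders(SAMPLE))
```

Only the headers added by servers you control are trustworthy; earlier `Received` lines are written by the sending side and can be forged or omitted.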
Nice try Euros, but (Score:4, Insightful)
Spy sapping mah mailbox (Score:1, Funny)
-- edited by NSA -- I think the US is a wonderful place to live in full of freedom and democracy. I think all other countries are plotting terrorist attacks and they will fail.
Because of course... (Score:2, Redundant)
As a Canadian (Score:4, Interesting)
It's even a law in Canada to prohibit companies with data on Canadian people from any storage/transport of these data using any IT infrastructure in the USA.
Re: (Score:3, Interesting)
Re:As a Canadian (Score:4, Interesting)
The fact is that the privacy law prohibits transferring personal data outside Canada. Period. And, except for some west reformists, Outside-Canada includes the USA.
Re: (Score:2)
You would be incorrect. [priv.gc.ca]
The Canadian firm is responsible for ensuring that a breach doesn't happen when the data is in possession of the foreign firm, but it's not illegal to send it there at all.
Considering the Canadian firm's responsibilities, it can certainly be argued that it's rarely, if ever, a good idea, but it's certainly not illegal.
Re: (Score:2)
From the link
Comparable Level of Protection
"Comparable level of protection" means that the third party processor must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred. It does not mean that the protections must be the same across the board but it does mean that they should be generally equivalent.
Of course sending data in the USA can't give comparable level of protection since it's known that the US government will snoo
Re:As a Canadian (Score:5, Interesting)
It's even a law in Canada to prohibit companies with data on Canadian people from any storage/transport of these data using any IT infrastructure in the USA.
The data protection act has restrictions on exporting data... In my experience pretty much everyone is ignoring those restrictions when it comes to migrating to "cloud" services, and that's not going to stop until people start getting hit by big fines.
Re: (Score:2)
I think, it's just because proofs are hard to show in these cases, until some private info of a Canadian will be part of some breach.
Re: (Score:2)
I think, it's just because proofs are hard to show in these cases, until some private info of a Canadian will be part of some breach.
Sorry, I forgot to add "here in the UK" to my previous post. I'm unconvinced that (here) the information commissioner's office even cares, so I'm not expecting any kind of enforcement action soon.
Re: (Score:2)
Many places where I have worked strongly avoid using cloud services for company business. In the education industry in particular, they were quite strong on avoiding remote hosting in order to protect student data.
Some places even go so far as to block Google Drive, dropbox, etc entirely.
Re: (Score:2)
Many places where I have worked strongly avoid using cloud services for company business. In the education industry in particular, they were quite strong on avoiding remote hosting in order to protect student data.
Some places even go so far as to block Google Drive, dropbox, etc entirely.
I work with the education sector and we're increasingly seeing schools moving to cloud services, such as Exchange Online, and even Dropbox and iCloud. No consideration seems to be being made regarding data protection laws, which are almost certainly being broken by using these services (IMHO there's no realistic way to ensure that personal data isn't placed on these services). Also, there seems to be no consideration for the increased load such services place on the internet uplink - suddenly stuff like e
Re: (Score:1)
Which province?
And if all of the servers are in the EU? (Score:2)
Re: (Score:2)
The latency is only about 150ms. This is simply unnoticeable for email, so major US email providers aren't going to have servers in the EU for latency reasons.
Re: (Score:3)
The latency is only about 150ms. This is simply unnoticeable for email, so major US email providers aren't going to have servers in the EU for latency reasons.
That would probably be true for classic client server email, but consumers (and by consumers I mean people who don't read Slashdot) expect their email to be a web based client. And for all of the back and forth an interactive web client is going to have with the server, 150ms could be killer.
Re: (Score:2)
Nope, not even for a website will 150ms latency be a killer.
Re: (Score:2)
I think it's more scary that this is a blatant display of them not having the hint of a clue what they're making decisions about.
The cost of the NSA spying (or being leaked) (Score:2)
It's not just that the French and German government are going to move to doing business with non-US companies for email. There are many reports [citation needed] of governments and companies throughout the world choosing non-US cloud providers who promise not to have servers in the US. This is showing up on companies' earnings reports in reduced overseas sales.
At first I thought it was silly - all governments want to be able to get their hands on data stored in their domain, so moving from the US just
Wait a second (Score:3)
If some NSA/FBI/CIA goon walks into a Google/Yahoo/whatever office in the US and hands a secret court order for a US citizen to dig through the German server the guy is going to dig through the German server. If anything a Google-run German-based server is actually more legally friendly to the CIA/NSA as now they can be fairly certain they aren't trolling through US-US communications.
So if the US passed a law tomorrow (that was actually obeyed) that 100% banned any interception of communications of one US citizen with another then setting up European only servers would be something the NSA would want Google to do.
If Europe is truly serious about defending their privacy they would insist upon audited servers stationed in Europe run by natural born European citizens with single nationality and no family or economic ties outside of their legal reach. Then they would need to make a ferociously punitive fine for any employees, management, or companies that violate these privacy rights with a huge portion of the fines going to any whistleblower.
Another suggestion I have is for some European company to buy BlackBerry and make those phones truly and uncompromisingly secure with features such as one time pads.
Re: (Score:2)
German staff helped design a telco network to allow one site tapping for all of "West" and now "Germany" knowing all the data was flowing to a few outside countries.
How does the German gov go to their top telco staff at a gov and private sector and ask them to help the NSA less and look after Germany starting in this decade?
Too many top telco staff members will honour an
Could someone clue her in? (Score:2)
Someone could maybe tell Merkel that there is no "German internet" and no "American internet"?
Saying that you want to "keep emails in Europe" is like sitting in the swimming pool noticing that some piss in the pool so you decide to put a chain across the middle of the pool and declare that in your side only non-peers may swim while those that pee in the water have to stay on the other side.
EU companies may break the law by using US ISPs (Score:3)
EU Data Protection laws require a company to protect the privacy of the people it receives email from. Now the fallacy of the Safe Harbor agreement has become clear, using US providers means knowingly placing privacy in jeopardy.
Silicon Valley has a MASSIVE problem on its hands in this context: even if a US company WANTED to protect client information (and let's be honest, lots of them actually do), they are legally not in a position to do so. The biggest problem is that this is a legal issue, and that will take at least a decade to fix...
Re: (Score:3)
It's a trust issue more than a legal issue. As it turns out American companies were for years under gag orders for certain kinds of government (FISA) data requests. They couldn't even discuss their existence. Under pressure from leaks, now the US government is relaxing [reuters.com] and allowing them to reveal some aggregate data about these previously-secret requests.
The fact that all this "openness" has only come under duress makes one strongly suspect that the spying will only shift into some new program. The legality
Um, GCHQ? (Score:3)
Re: (Score:2)
I'm very unhappy with what the NSA is doing and believe that it needs to be stopped/limited but to believe that the U.S. is somehow uniquely guilty here is just naïve.
Re: (Score:1)
I wonder if Scotland will join the EU but still send emails thru London?
Will not work (Score:2)
We already have nodes running inside both countries which tap the main lines.
Illegal? Of course.
Unconstitutional? Only if, as they are designed to do, they capture American emails too.
Stupid? Heck, this is America ... does that answer your question?
Re: (Score:1)
If those nodes are in countries other than the US, the question whether they are unconstitutional is decided by the constitution of the country those nodes are in.
Re: (Score:1)
Yes, but the US does not recognize other countries' constitutions.
For example, we signed legally binding Data Privacy Treaties with Canada and the EU and we still steal your data.
QED.
Please tell me I'm dreaming! (Score:3)
The 1990s called (Score:2)
They want their technology back. Honestly, Angela should talk to people who know what they are doing before making such silly statements.
Yes, Let's put another dead bolt on that front door. Don't worry about the unlocked screen door in back. Nobody sees it. Besides, they certainly wouldn't dare go back there, would they?
Heh.