💾 Archived View for gemini.circumlunar.space › users › laur%C3%AB › mail › on_privacy-respecting_law… captured on 2024-02-05 at 10:27:53. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-12-28)

-=-=-=-=-=-=-

On "privacy-respecting" laws

One of the major ways various privacy frauds advertise themselves. I've pretty much ignored this issue while rating singular providers, since it's so common and requires a dedicated section to analyze. The claim usually goes something like this:

"Our service is hosted in (insert uber-private country of choice), which, instead of (insert non-private country of choice - usually UK or the US), has super-strong privacy laws. Only a valid court order can force us to release your data!"

You might have already detected the issue while looking at the last sentence. The "super strong privacy laws" claim is based solely on whether a court order is required to release the data. Let's assume they do bring that valid court order - what ends up mattering, then? The data that a service has actually stored, since they can't release what they don't have. Nothing prevents a service from storing whatever they want despite being positioned in a supposedly privacy-respecting country. More than that, many of the countries commonly claimed to be private actually force providers to store certain data. Examples from specific providers above:

Thanks to the above, we end up with some funny situations like RiseUp (hosted in non-private USA) keeping metadata only for one day compared to KolabNow's six months. But in the end, the law is your enemy, not your friend. It imposes the minimum amount of data a provider is required to store, while not preventing them from collecting more if they want to. Being hosted in a country with "strong privacy laws" is purely a marketing strategy that mostly seems to arise from US and UK citizens scared of their nations' mass surveillance programs. But other countries - like France or Germany (realistically - probably all of them) - run them as well. More than that, many of them cooperate with each other. In 1946, the UK and US formalized an agreement to share intelligence data between them; a few years later Australia, Canada and New Zealand joined in (this was called the "five eyes"). Eventually the number of eyes increased to 14 as more and more countries became apart of the alliance (with even more "unofficial" members such as Japan or Israel). Edward Snowden's leaked documents revealed that the eyes work closely together to share electronic communication data (abbreviated as "COMINT" and "ELINT").

And they admit the operation is becoming more and more effective as time goes on (you can learn more about the history of the "eyes" here). What does it mean for the people, though? Choosing a provider from a supposedly privacy-respecting country does not help avoid surveillance - many of them are apart of the "fourteen eyes" and even if they aren't, they might still cooperate with foreign intelligence. I mean that's exactly what Iceland (non-14 eyes) did during the Silk Road investigation. They've literally let USA agents in to do whatever they wanted. Therefore, in the end, you shouldn't focus too much on the country issue (just assume they're all in it together anyway), but instead on the provider's actual policies, history and trustworthiness. That plus using encryption, a VPN and good OPSEC should protect you from surveillance way better than falling for red herrings like the service's location.

To put the final nail in the coffin for this idea, we have to come back to the court orders again. To begin - what makes you so sure that a provider will actually require a court order as they state? Remember that ProtonMail has already broken that promise in a case of alleged "terrorism". How much resources do some of the smaller companies have to fight the data requests in court? Do they even have lawyers on board to determine if a court order is valid? SafeMail.nl (based in "private" Netherlands) has admitted they will not fight court orders and just hand over the data. On the other hand, Lavabit (from "non-private" United States) did everything they could to protect their users from surveillance, including trolling the government. Eventually, they preferred to shut down their service rather than give in to the spies' demands (similar to what RiseUp promises to do today). How many of the providers hosted in supposedly privacy-respecting countries would do the same, instead of just saying "fuck you" to the users and giving up the data? Taking all that into account, I hope we can put the location non-issue to rest...