(Archived) Security for Data from Europe (Patriot Act, NSA and so on)?

[HerbyDE 101]

In Germany we have a heavy discussion about the actual news (data from Google, Facebook and other US-Companies are screened by NSA and other US-Institutions - called "Prism").

 

I know that Evernote signed the "European Safe Harbor" from the 90th, but our data protection officer says this is no guarantee .....

 

How far is Evernote involved in the actual events of NSA screening and so on?

 

I know you have a subsidiary in Zurich, but I think, Evernote servers are staying in USA?

 

Evernote is a very good service and I have no problem with my personal data. But it is a very important matter for German companies to know, who can read their business data.

[GrumpyMonkey 4,319]

For those who have not hear about PRISM, here is the latest news on it (http://www.guardian.co.uk/world/2013/jun/07/clapper-secret-nsa-surveillance-prism). The relevant sections from the Evernote Privacy Policy (http://evernote.com/legal/privacy.php):

----------

Where Is My Data Stored?

When you use Evernote Software on your computing device, Content you save will be stored locally. When you synch your computing device with the Service, that Content will be replicated on our servers, which are located in the United States.

Please be aware that Personal Information and Content submitted to Evernote will be transferred to a data center in the United States. If you post information to the Evernote sites you are confirming your consent to such information, including Personal Information and Content, being hosted and accessed in the United States.

----------

A Special Note to Users in Europe and Switzerland

Evernote complies with the US-EU Safe Harbor Framework and US-Swiss Safe Harbor Framework as set forth by the US Department of Commerce regarding the collection, use and retention of personal information collected from users residing in the European Union and Switzerland. We have certified that we adhere to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access and enforcement. To learn more about the Safe Harbor program, and to view our certification page, please visit http://www.export.gov/safeharbor/

----------

we only disclose information when:

We believe it is necessary to investigate potential violations of our Terms of Service, to enforce those Terms of Service, or where we believe it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud or potential threats against persons, property or the systems on which we operate the Service.

We determine that the access, preservation or disclosure of information is required or permitted by law to protect the rights, property or personal safety of Evernote and our users or is required to comply with applicable laws, including compliance with warrants, court orders or other legal process.

[jbenson2 2,147]

After reading the recent stories and finding out this has been going on for over 5 years, I am taking the position that no matter where you are, your data information is totally hosed (unless it is strongly encrypted).

 

edit: this issue does affect Evernote, as well as all other cloud based products.

 

The National Security Agency is monitoring customer records from the major phone networks as well as emails and Web searches, and the agency also has cataloged credit-card transactions.

 

It is just going to get worse and worse (backdoor access). We are powerless to stop this.

Had enough government yet?

[Metrodon 2,184]

This is why I've been wearing a tin foil hat for the last 5 years.

[Metrodon 2,184]

Amusingly, Microsoft are running a campaign around privacy on British TV. Someone should tell them.....

[BurgersNFries 2,407]

This is why I've been wearing a tin foil hat for the last 5 years.

And let me tell you...you look mahvelous!

[jbenson2 2,147]

Amusingly, Microsoft are running a campaign around privacy on British TV. Someone should tell them.....

 

The Brits are joining the "spy on all your citizens" bandwagon.

Eavesdropping by the British GCHQ security agency is legal and no threat to privacy.

No threat to privacy? Wanna run that by me again?

In other words:

Do what we say, not what we do.

http://www.reuters.com/article/2013/06/09/us-usa-security-europe-idUSBRE95805S20130609

[Metrodon 2,184]

I can't believe that anyone is really surprised about this.

I pity the poor sods if they ever have to look at my work email.

[jbenson2 2,147]

I can't believe that anyone is really surprised about this.

 

 

Along with the majority of American citizens, most of Congress was left in the dark.

Senate Majority Whip Dick Durbin (D-Ill.) said he recently learned about the two programs [data and phone surveillance] himself only after requesting a briefing under “classified circumstances”.

http://www.evernote.com/shard/s2/sh/2a87a036-b8c3-4805-a302-9b71dbc490f0/3349ee280cd75abad42b533d914f04c5

 

[evernote-fan 34]

The revealing of prism shocked me very much! We Germans do have a complete different understanding of privacy than the USA. For us, privacy is the basic requirement for liberty.

 

I think this program is a big danger for all cloud services as they rely on user trust.

Perhaps, Evernote could offer specific privacy options for European customers such as the EU modelling clauses. 

[GrumpyMonkey 4,319]

The revealing of prism shocked me very much! We Germans do have a complete different understanding of privacy than the USA. For us, privacy is the basic requirement for liberty.

 

I think this program is a big danger for all cloud services as they rely on user trust.

Perhaps, Evernote could offer specific privacy options for European customers such as the EU modelling clauses.

I agree that this has a potentially detrimental effect on US-based cloud services. I think everyone agrees that US government laws regarding privacy are inadequate at the moment, though there is disagreement (and lots of debate) about where to go from here. I am afraid there isn't much Evernote can do to influence the debate one way or the other.

However, your suggestion is a good solution for dealing with customers who live overseas. I imagine it would be a nightmare to implement, though, because Evernote will still have to figure out how this would work under US law (they may not be able to exempt you from data collection requests).

In my opinion, the only feasible solution that would address everyone's concerns is to offer zero-knowledge encrypted notebooks. In other words, we would encrypt the notebooks, we would have the keys, and Evernote would literally be incapable of reading the data. They might still have to turn it over to the government, and hackers might still gain access to it, but it would be encrypted. Otherwise, there will always be lingering concerns about privacy.

Spider Oak (https://spideroak.com/) is a cloud service that does this. Obviously, you would lose a lot of search functionality, because Evernote cannot index the content of an encrypted notebook, but for some notes, this would be appropriate.

In the end, as many of us have said, you'll want to think about what you do/don't put on the cloud, because once it leaves your device, there is inevitably risk (http://www.christopher-mayo.com/?p=288). Fortunately, Evernote currently has local notebooks, and I think that is the best way to keep your data private and secure. Of course, there is data that is somewhat sensitive that you would like to be able to sync and have available on other devices, but at the moment, you'll have to encrypt each individual file/note yourself if you want protection.

[cwb 225]

 you'll have to encrypt each individual file/note yourself if you want protection.

 

 

Underscoring that that means with a strong external tool, not the built in encryption.  Evernotes 64bit RC2 might be considered minutely stronger than 56bit DES (crackable in about 30 minutes on basic hardware), except that RC2 has known vulnerabilities.  So it may as well be pig latin or rot13 to the NSA.

[cwb 225]

 

 

How far is Evernote involved in the actual events of NSA screening and so on?

 

 

 

In no way and every way.

Evernote can be 100% non-participatory, 100% privacy conscious, and yet 100% vulnerable.

All indications are that PRISM takes a copy of the data at the TIER1 backbone router level before it gets to services like Evernote.

If one has an issue with that, then local client side encryption is required.  And at that point there's franky just better tools for that, and there's not much point keeping Evernote as merely a distribution system.

It's likely best to just keep sensitive stuff out of it.

[GrumpyMonkey 4,319]

How far is Evernote involved in the actual events of NSA screening and so on?

In no way and every way.

Evernote can be 100% non-participatory, 100% privacy conscious, and yet 100% vulnerable.

All indications are that PRISM takes a copy of the data at the TIER1 backbone router level before it gets to services like Evernote.

If one has an issue with that, then local client side encryption is required. And at that point there's franky just better tools for that, and there's not much point keeping Evernote as merely a distribution system.

It's likely best to just keep sensitive stuff out of it.

I don't think we know, or will ever know the full extent of government surveillance. I think it is too soon to know how this will play out. "Direct access" to servers is pretty ominous and vague.

I agree that ideally we would encrypt on our end, and we would have the encryption key so that even if Evernote is compelled to give access, they are only giving away encrypted data no one can read. I don't know if / when this might happen.

As you said, it's best to keep sensitive data off the cloud. Local notebooks can help with this.

[jbenson2 2,147]

As you said, it's best to keep sensitive data off the cloud. Local notebooks can help with this.

 

 

I doubt that keeping sensitive data off the cloud is feasible. The users might try to stay clean, but their data is still accessible from other channels as noted below:

On June 7, the Wall Street Journal reported NSA monitors customer records from the three major phone networks as well as emails and Web searches. NSA has established similar relationships with credit-card companies, and the agency has cataloged credit-card transactions.

[cwb 225]

The thing is, they dont need *direct* access. Tapping into the stream upstream of the providers is all they need.

That *can* be with participation as in the now know case of the ISP side of AT&T with the "special room" (SG-3 at 611 Folsom, San Francisco's office). But it can also be done along the way, as we know has been done for years with undersea cables.

Information (even the acronym itself) points to PRISM just being more of the same:

https://www.grc.com/sn/sn-408.htm

[GrumpyMonkey 4,319]

The thing is, they dont need *direct* access. Tapping into the stream upstream of the providers is all they need.

That *can* be with participation as in the now know case of the ISP side of AT&T with the "special room" (SG-3 at 611 Folsom, San Francisco's office). But it can also be done along the way, as we know has been done for years with undersea cables.

Information (even the acronym itself) points to PRISM just being more of the same:

https://www.grc.com/sn/sn-408.htm

Well, that is what I meant. "Direct access" doesn't necessarily mean equipment in each company, or even surveillance with their knowledge, as you pointed out. I am just saying that even if we find out X amount of information, we may never hear about techniques Y and Z because the government is not being forthcoming about their activities. Again, without getting too political, I feel that the climate in the US is such that it would be best for companies like Evernote to take matters into their own hands in terms of encryption, privacy, and security.

As you said, it's best to keep sensitive data off the cloud. Local notebooks can help with this.

 

I doubt that keeping sensitive data off the cloud is feasible. The users might try to stay clean, but their data is still accessible from other channels as noted below:

On June 7, the Wall Street Journal reported NSA monitors customer records from the three major phone networks as well as emails and Web searches. NSA has established similar relationships with credit-card companies, and the agency has cataloged credit-card transactions.

Actually, you are probably correct. Even if we don't upload our tax, bank, medical, or personal thoughts onto the cloud, the government can get all of that data from somewhere (the IRS, banks, doctors, emails, phone conversations, journal entries, etc.) and construct a pretty detailed picture of you. Still, I prefer not to make it easy for them, and do my best to keep it out of the cloud.

[kcRush 0]

spy plot!!!

we are under the government's invisible eyes

[Gerd 0]

We heard the lawyers answer.

 

This is the technical answer by Jacob Applebaum at the 30C3: 

 

Gerd

[jbenson2 2,147]

Gerd, I just watched the very chilling video. Wow! Wow! Wow!

 

It is obvious our data is no longer private. The NSA has hundreds/thousands of ways to spy on absolutely everyone, in the cloud, in the office, in the home, in the car, and in the woods. They say their spy activity is to keep us safe. Does that really make sense? If so, how come they didn't stop the Boston marathon bombers?

The video makes the following article from Forbes even more legitimate - the NSA is literally grabbing purchased laptops, installing their "spyware", then shipping it onward to the customer. Another chilling story that shows we are powerless to stop them.

http://www.forbes.com/sites/erikkain/2013/12/29/report-nsa-intercepting-laptops-ordered-online-installing-spyware/