Move d.o. servers / DA to another country

Posted by attiks

Original title: Move d.o. servers to an other country

Disclaimer: Added the part about the DA, since only moving servers still owned by an American company is not going to make a difference.

Given the new political changes and the changes to respecting the privacy of non US residents, it might be a good idea to move the DA and all hosting to a country that does respect the privacy.

Since I've been accused of trolling some clarification:

  • From last week "agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens."
  • Privacy shield setup between some US companies and the EU is an empty shell
  • Safe Harbour was also an empty shell
  • According to https://www.drupal.org/drupal-services there are 310 companies in the USA, 500 in Europe
  • It's not only about username and web logs, also about all purchases made through the DA since Drupalcon, Inc. is registered in Portland, USA
  • Why now, and not sooner? The same concern has been raised before, will add a link once I find it

Conclusion

Is the USA the worst country regarding privacy of residents and non-residents? Certainly not.
Are there countries doing a much better job? For sure.

Solution

Not really sure. Moving both the DA and all hosting to, for example, Switzerland might be a valid idea, but there are some concerns:

  • Changes to tax laws
  • How will this impact current staff
  • How will this impact business in the USA
  • Will it be that much better
  • Is it worth the effort

PS: This is not a personal problem, most of my data is publicly available.

--- Original post ---

Given the new political changes and the changes to respecting the privacy of non US residents, it might be a good idea to move all hosting to a country that does respect the privacy.

Some background: https://euobserver.com/justice/136699

"agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens."

Comments

Trolling?

Posted by larsdesigns

Trolling...

Not at all, this is a very

Posted by attiks

Not at all, this is a very serious issue

Legit question

Posted by DamienMcKenna

With how ... messed up .. the US is getting right now, it's a valid question.

Quite serious

Posted by jpoesen

@larsdesigns Voicing privacy concerns is not trolling.

The privacy of non-US citizens within the US (physical or digital) is sketchy at best, with discussions about whether or not the recent Executive Order violates the US-EU Privacy Shield frameworks still ongoing.

I agree that at the very least a serious discussion within our community should take place to identify and quantify these (let's be optimistic and call them 'potential') privacy issues.

The US is not the center of the world. If there are legitimate concerns impacting the global community, then those should be addressed.

@jpoesen If there is a

Posted by larsdesigns

@jpoesen If there is a legitimate privacy concern, it was not stated or proven. Or even presented in a convincing light.

The US is currently the center of Drupal's world according to funding, adoption, usage, office locations, hosting, supporting businesses, etc. However, this may change in the future and hopefully continue to distribute more across the continents but I do not foresee a radical shift on the horizon.

I think it would be great if the global Drupal community worked on a distributed model of Drupal infrastructure and outreach but that is likely to be a long way off.

US-EU Privacy Shield is unenforceable and loosely recognized even in the EU.

But, then, where to?

Posted by Riaan Burger

As a non-EU non-US Drupal user I'd like to add that this is definitely not a trolling topic for me. Thank you for raising it and thank you for keeping the discussion open.

I went to go check the Freedom House listing of countries and browsed about a bit. I also recall that some laws regarding privacy in the 'States actually make basic privacy as the average person would understand it (did the IT department check out my porn browsing habits) as strong as, if not stronger than, most countries', so that many VPN exit points work quite well there. Of course that is a very basic understanding of the problem. Fundamentally, we should consider that when a person's data leaves the legal jurisdiction of the country they live in, things change. Within that country there may be additional concerns regarding privacy, but once it leaves, people often have little or absolutely none of the legal rights afforded them within their country with regards to their own data, which can be much more effectual than simply one's browsing habits.

Now, while I love that the Drupal community can talk about this, I don't see how we can do much right away. An EU citizen may want Drupal.org hosting to move there, but:

  • if the hosting touches on anything done by a company with legal entities (persons or otherwise) under US law, then you may as well consider it compromised, because these odd few legal cases we see in the news that may make it seem the average law enforcement can't gain access to your data there are just the public acts to placate the masses, while rulings by the FISA Court are not made public and come with a gag order together with compulsion to comply. Not to say I don't think other countries may have similar laws and mechanisms, we just really didn't expect this from America (well, generation X didn't so much as generation Y did) ;-)

  • if you're not from the EU nor the 'States (just a few billion of us) there are no real additional legal protection benefits, are there?

I don't see Drupal changing its fundamental nature to support storing user data in different countries... well, maybe by Drupal 10, and wouldn't that be great ;-)

So if there were ever votes for this sort of thing, I'd definitely vote to have moved away from the 'States back when Snowden shared some insight and again now that I see who will be taking on senior positions in the government in the next few years. I'd like to know where one would move to though? Obviously a country known for the values we treasure, written into the very Libre licence of the Drupal project and forming a free open community that we all love. I just don't know which countries are good options?

Switzerland

Posted by fizk

From the protonmail website:

A question we often get asked is, Why is ProtonMail based in Switzerland and are there any real advantages?

We believe there are and in this article, we will share why. The first thing that comes to mind is that Switzerland is outside of US and EU jurisdiction. Unless you host your servers on a boat in international waters, you will need to be under some legal jurisdiction and in the post-Lavabit environment, this choice is particularly important. A common misconception is that the EU offers more legal protection than the US, but many of the same surveillance directives that exist in US law also have EU counterparts, in particular, German law may actually offer less legal protection than American law.

Switzerland however, is NOT part of the EU, and Switzerland applies a very different set of privacy laws. In the US and EU, gag orders can be issued to prevent an individual from knowing they are being investigated or under surveillance. While these types of orders also exist in Switzerland, the prosecutors have an obligation to notify the target of surveillance as soon as possible, and the target has an opportunity to appeal in court. There are no such things as National Security Letters and all surveillance requests MUST go through the courts (this is not the case in Germany). Furthermore, while Switzerland is party to international assistance treaties, such requests for information must hold up under Swiss law which has much stricter privacy provisions.

Nearly every country in the world has laws governing lawful interception of electronic communications. In Switzerland, these regulations are set out in the Swiss Federal Act on the Surveillance of Postal and Telecommunications Traffic (SPTT) last revised in 2012. In the SPTT, the obligation to provide the technical means for lawful interception is imposed only on Internet access providers, so ProtonMail, as a mere Internet application provider, is completely exempt from the SPTT’s scope of application. This means that under Swiss law, ProtonMail cannot be compelled to backdoor our secure email system. As a Swiss company, ProtonMail also cannot be compelled to engage in bulk surveillance on behalf of US intelligence agencies.

This combination of factors means that a Lavabit like situation cannot occur with ProtonMail. However, ProtonMail has taken the Lavabit concept one step further and actually does not even possess the keys required to decrypt user data. As a result, even if ProtonMail was forced to turn over all our computer systems, email contents will continue to be encrypted.

We believe that comprehensive security can only be achieved through a combination of technology and legal protections and Switzerland provides the optimal combination of both. By coupling Switzerland's advanced IT infrastructure with its unique legal environment, ProtonMail can deliver a service that is both reliable and secure.

For more information about internet surveillance in Switzerland and requests for information made to ProtonMail, please view our Transparency Report.

Right, so we have a clear better option...

Posted by Riaan Burger

At least in terms of privacy rights, we have a clear and better option for hosting Drupal.org.

I also see my NoScript and RequestPolicy blocking Google fonts and the more recent pest on the block, New Relic trackers on Drupal.org's front page. So just moving servers won't solve all the privacy problems though fixing those will be easy in comparison ;-)

I'm not familiar with the Drupal.org hosting infrastructure. Anyone know if it is geographically redundant, tied to or hosted on any cloud-based service like AWS etc?

Last time I read about it everything seemed physical, on decent hardware and very impressively put together. Moving may be a tough and potentially costly affair, unless of course it can be planned well enough to coincide with upgrades or the like. Maybe first go for geographic redundancy, then move the US point to another good location. One still has to wonder who will pay for all this and who will do all the work. (Time and money seem to blend in my life these days.)

There may be some really good sponsorship options available. I mean, I don't know the Swiss options for hosting (we use Hetzner (in Germany and South Africa)) and when I google Swiss hosting barely any of the sites that come up can be accessed due to their asset loading dependencies from 3rd party URLs. Not exactly privacy conscious. So if the right one (or several) can be found, they may sponsor some of the costs in exchange for having been chosen for these exact values and building their brand. In the meantime, I prefer direct recommendations to googling, so if you know of any, preferably a few, bare metal and colocation hosts in Switzerland comparable to Hetzner, I'd love to check them out?

The bulk of the drupal.org

Posted by gchaix

The bulk of the drupal.org servers are physical hardware located at the Open Source Lab at Oregon State University in Corvallis, Oregon (http://osuosl.org). There are some auxiliary services hosted elsewhere (AWS, CDN, etc.) but for the most part the gear is in the US.

For this topic to be valid

Posted by larsdesigns

For this topic to be valid and not just a case of political trolling, it would have to be proven that there is a legitimate privacy concern for US data centers, hosting and the related business activities.

Which is just not proven. The US privacy laws are very strict, enforceable and have recently been strengthened especially in the last two years.

I'm not advocating for change

Posted by Riaan Burger

I'm not advocating for change here, though I love that this is a topic of discussion at all and that some people do recognise the need.

That said, it's reasonable, as larsdesigns says, to want to prove there's a need for this. We're surrounded by very rational people in this community (thankfully creative too). If we had some proof of this being a problem, one would think there would be an outcry in society at large and the actual original problem would be fixed rather than having to address it on the level of Drupal.org hosting.

Thing is, this is not a court of law nor are we busy with the scientific method here, this is pure discussion only. So we can enter circumstantial evidence right ;-) Two parts that I can think of:

1) There would be no EU privacy shield, nor the many countries' legal requirements to keep their citizens' data within their legal jurisdictions if there were no concern. It's rather obvious to me that your data has different (and likely fewer) rights in another country than it may in your own as that country has no real duty to look after you (you don't get to vote in that country). Different countries, different levels of privacy assurance.

2) So we have that FISA court, we have the PRISM program and we have slides like this but hey, those can't be entered into evidence (or thought about?) because they were obtained illegally?

As I said, I think the US is still around the top of listings of countries for freedom and while I'd personally be very happy with a hosting move, I think it's unlikely to even be a consideration now. Let's at least keep the discussion open. I for one have already learned a bit, feel encouraged (as I often do when reading Drupal topics) and have new homework to do.

While the future (on Twitter) looks dismal to many for privacy in the states, I'd not be so quick to hit the Prozac. As larsdesigns mentions, the laws are already changing in response to the Snowden leaks and there will hopefully be a normalising response, over time, to any immediate changes we read about in the news. Also, the 'States are federated, right, so lovely devolved powers and sentiment will also kick in.

Yes, this is political. If you have freedom and inclusiveness in your project and community, you will inevitably face politics.

I've long since started culling my online profile, adapted my browsing habits and behaviour. While I can see very little exposure for myself from data hosted about me on Drupal.org that isn't freely available (i.e. also published on Drupal.org for everyone to see), I worry more for other people's privacy concerns these days.

We're web developers and we deal with a lot of other people's data every day. We should concern ourselves with their concerns, not just our own. This is a very valid topic and while I see loads of tie-ins with politics (in just about every country, but perhaps more so right now in the 'States), it can surely be discussed. A quick glance at attiks' Drupal.org profile should also reveal that this thread is unlikely to have been started as a casual political trolling topic.

EFF Audit?

Posted by jpoesen

Quoting myself in my first response:

"I agree that at the very least a serious discussion within our community should take place to identify and quantify these [...] privacy issues."

"If there are legitimate concerns impacting the global community, then those should be addressed."

In summary: as a community we should discuss IF our existing concerns are valid and if so, we should address them. If not valid: cheers for everyone.

As this is a very complicated matter, both legally and technically, maybe we can see if something like an external audit by the EFF[1] is feasible?

[1] https://eff.org

Some background info If you

Posted by attiks

Some background info

If you are storing European visitor data on servers based in the USA, you are exporting “personally identifiable information”, or PII, of users in Europe to the United States. European law does not allow exporting of user PII unless companies can demonstrate they will protect European users’ privacy and data.

See also https://en.wikipedia.org/wiki/Personally_identifiable_information

From https://safeharbor.export.gov/list.aspx

U.S.-EU Safe Harbor

On October 6, 2015, the European Court of Justice issued a judgment declaring as “invalid” the European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.” As a result of that decision, the U.S.-EU Safe Harbor Framework is not a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.

On July 12, 2016, U.S. Secretary of Commerce Penny Pritzker joined European Union Commissioner Věra Jourová to announce the approval of the EU-U.S. Privacy Shield Framework as a valid legal mechanism to comply with EU requirements when transferring personal data from the European Union to the United States. The EU-U.S. Privacy Shield Framework replaces the U.S.-EU Safe Harbor Framework. The Department began accepting certifications on August 1, 2016.

As of October 31, 2016, the Department stopped accepting all U.S.-EU Safe Harbor certifications. The Department will maintain the U.S.-EU Safe Harbor List of participants.

As far as I can see Drupal Association and/or Drupalcon Inc are not certified, https://www.privacyshield.gov/list

To participate as a US based company, https://www.privacyshield.gov/article?id=Requirements-of-Participation

This might be a possible first step, although not sure how much effort is required to get certified.

Totally legitimate concern

Posted by jimcaruso

Concerns about privacy and access to confidential data are completely legitimate for an individual member or company member of the DA and Drupal Community.

EFF.org has a lot on the subject, just search Google using this string:

USA EU privacy 2016 2017 site:eff.org

There are certainly trade-offs and costs with any change.

In addition, political situations and laws can change, sometimes quickly (note the UK's Investigatory Powers Bill (Link: https://www.publications.parliament.uk/pa/bills/lbill/2016-2017/0066/170...)).

Jim Caruso
MediaFirst

Jim@MediaFirst.net
@jimcaruso
(M) +1.404.788.0188
http://MediaFirst.net

IP logging

Posted by catch

Something very quick that any Drupal contributor could help with, would be to stop Drupal logging IP addresses with every comment, and on top of that to anonymise all IP data in logs too.

This would reduce the amount of personal data that all Drupal sites store by default. Comments especially are kept permanently in the database - no rotation of logs so this never goes, and many Drupal site owners won't even be aware it happens.

There are two issues, one has a patch that's more or less RTBC for comment module: https://www.drupal.org/node/2828793

https://www.drupal.org/node/19690 is the more general issue but could use discussion and I'd be happy to help anyone via irc who wants to contribute to getting it moving.

Slightly off topic, but the less data is stored, the less there is to share.
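The anonymisation catch describes applies just as well to web server logs as to the comment table. The following is an added example, not code from the thread, from Drupal or from the linked issues: it truncates every IPv4 and IPv6 address found in a log line to a network prefix (/24 and /48 are assumed choices) so that individual hosts are no longer identifiable while the lines stay useful for abuse triage. The sample log lines are constructed.

```python
import ipaddress
import re
from typing import List

# Assumed prefix lengths: keep the /24 of an IPv4 address and the /48 of
# an IPv6 address; everything below that is zeroed.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48

# Candidate tokens: runs of hex digits, dots and colons containing at least
# one separator. Non-addresses (timestamps, "HTTP/1.1") are filtered out
# below by ipaddress raising ValueError, so the regex can stay permissive.
CANDIDATE_RE = re.compile(r"[0-9A-Fa-f]*[:.][0-9A-Fa-f:.]+")

# Constructed sample, Apache combined-log style; not a real drupal.org log.
SAMPLE_LOG = """\
203.0.113.45 - - [03/Feb/2017:10:15:32 +0000] "GET /node/19690 HTTP/1.1" 200 5123
2001:db8:1234:5678::1 - - [03/Feb/2017:10:15:33 +0000] "POST /comment/reply/19690 HTTP/1.1" 302 0
::ffff:198.51.100.7 - - [03/Feb/2017:10:16:01 +0000] "GET /drupal-services HTTP/1.1" 200 8811
"""


def anonymize_ip(ip_text: str) -> str:
    """Return the address with its host bits cleared. Raises ValueError
    if ip_text is not an IP address."""
    addr = ipaddress.ip_address(ip_text)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) carries an IPv4 host identity, so
    # truncate the embedded IPv4 part rather than the outer /48.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return "::ffff:" + anonymize_ip(str(addr.ipv4_mapped))
    bits = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return str(net.network_address)


def anonymize_line(line: str) -> str:
    """Replace every IP address in a log line; leave other tokens untouched."""
    def repl(match: "re.Match[str]") -> str:
        token = match.group(0)
        try:
            return anonymize_ip(token)
        except ValueError:
            return token  # a timestamp, version number or similar
    return CANDIDATE_RE.sub(repl, line)


def anonymize_log(text: str) -> List[str]:
    """Anonymise a whole log, one line at a time."""
    return [anonymize_line(line) for line in text.splitlines()]


if __name__ == "__main__":
    for line in anonymize_log(SAMPLE_LOG):
        print(line)
```

Run the same function over log files before they are retained or shipped to a third party; the truncated prefix is enough to spot a noisy network without keeping the per-user address.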

Data, not location

Posted by Crell

While I'm very sympathetic to the concerns about the new US administration, as several people have noted moving the physical servers, even if practical, would be largely ineffective. Even if the servers physically moved, and all DA staff physically moved, the DA is legally chartered in the US; it has to be able to do business in the US, which means it needs a presence here of some sort, which makes it subject to US law. (One reason the DA exists in the US now is because when it was a Belgian organization we had to keep creating pass-through companies in the US in order to do anything here, which of course would then be subject to US law.)

However, as catch notes, you cannot subpoena data that doesn't exist. That can be helped by:

1) Ensuring that Drupal itself can be anonymized sufficiently that it doesn't collect potentially subpoena-worthy data by default.

2) An audit of the DA's own existing data collection policies with an eye toward "what do we do if the Feds come around asking". I have no idea what those internal policies are currently, but it's very likely that, like most organizations, the DA (via Drupal.org) collects all sorts of data that they don't even realize they're collecting. An internal audit-and-self-purge, now, to ensure that it doesn't even have data we don't want to turn over would be more effective than trying to dodge US jurisdiction entirely.

Goes beyond data collection

Posted by fizk

Any efforts to anonymize data can be reversed by FISA Court order.

The FISA Courts can secretly compel the DA to backdoor the infrastructure to collect data, either en masse or for a specific target. That is the main reason why ProtonMail decided to establish themselves in Sweden.

The FISA Courts can secretly

Posted by attiks

The FISA Courts can secretly compel the DA to backdoor the infrastructure to collect data, either en masse or for a specific target.

This is scary

Yes, completely. It's been

Posted by fizk

Yes, completely. It's been scary and appalling ever since Edward Snowden revealed the massive global surveillance that was happening.

Sorry, I meant to write

Posted by fizk

Sorry, I meant to write Switzerland, not Sweden.

You are always welcome to Sweden! :)

Posted by rteijeiro

You are always welcome to Sweden! :)

Calm Down & Clear the Cache

the DA is legally chartered

Posted by attiks

the DA is legally chartered in the US; it has to be able to do business in the US, which means it needs a presence here of some sort, which makes it subject to US law

I assume there are other ways to solve this, like creating a new company in another country and making the US company a subsidiary that handles the business in the US and even employs people, but has no control over the servers and the data. The subsidiary has to obey US laws, but at least the feds have no access to the servers and other data.

PS: This might also make it easier to do business in Middle East countries

I agree, some kind of

Posted by fizk

I agree, some kind of subsidiary structure may allow us to have a presence in the U.S. without having DA servers in the U.S.