Oct 14 2013
I’m not sure why anyone has the illusion that their data would be safer in Europe than it might be in the US. While some of the countries in Europe seem to have better laws for protecting email, it’s not a clear-cut thing and there are always trade-offs. While they might have better protections for data at rest, while in transit it might be fair game, or vice versa. Plus, if you’re an American, you’re the foreigner to those nations, so many of the protections you might think you’re getting are null and void for you.
Rather than simply speculate, as many of us do, Cyrus Farivar at Ars Technica has written an article, “Europe Won’t Save You: Why Email is Probably Safer in the US.” If you examine the laws closely, you’ll find that while countries like Germany appear to have stronger privacy laws, some of the caveats and edge cases make a lie of that appearance. In this particular example, German law puts a gag order in place by default that prevents your service provider from notifying you in case they’re served with a subpoena or similar device. Think on that for a moment: if your service provider is served, you’ll never hear about it by default, rather than only when the large intelligence agencies take an interest in you.
Since I moved to the UK I’ve been hip-deep in similar arguments with regard to cloud service providers. Many folks in and around Europe seem to think that their own laws will somehow protect them from the threat of having their data raided by the NSA or some other, even more shadowy US organization. But the reality is that in many countries they have less protection from their own governments than they do from the US. And that barely scratches the surface of the fact that the core internet routers in many, if not all, countries are compromised by multiple governments, who are getting feeds of every packet that flows across their infrastructure.
The other concern that I hear quite often is about US businesses and information leaving the European Union. I find this concern interesting, and believe it is likely to be a much more legitimate issue. In the EU, the data protection laws appear to be much stronger than they are in the US, especially the Safe Harbor Principles. But the reality is that businesses see the value of having as much personal information as they can get their hands on, so Safe Harbor is given lip service, while the businesses find ways to get around these requirements. Or in many cases, ask users to opt out of some of the protections to get additional functionality out of a site.
Don’t think that hosting your email or other service is going to protect you if a government wants to get its digital fingers into your email. As Farivar points out, the closest thing you’ll have to privacy is if you store your email on your own devices and encrypt it with your own encryption keys. Storing it anywhere else leaves you open to all sorts of questionable privacy laws between you and your hosting provider. You can’t just consider the jurisdiction you’re in; you have to consider every route your data might take between point A and point Z. Being the Internet, you’ll never know exactly what route that is going to be.
Personally, I’m not pulling the plug on my Gmail account any time soon. No government is worse than Google when it comes to intrusive monitoring of your email, let’s be honest.