Linode take on Prism

As a costumer I would love to hear where you stand in relation to PRISM and whether your datacenters outside US are also under US law.

thank you.

18 Replies

This pretty much answers the US Law question.

PRISM seems to primarily target data being stored by particularly large and widely-used companies; I wouldn't expect Linode to be within scope. Other mechanisms exist for monitoring data on the move well upstream of Linode (e.g. Room 641A).

Also, for what it's worth, if Linode were a part of this program (or targeted by other things, such as NSLs), they would be forbidden from disclosing that to anyone not immediately involved in fulfilling the request.

@zunzun:

The US Government cannot legally force a Russian citizen who physically lives in Mongolia and is a company officer for a Swedish corporation to give them data from servers in South Africa, because they cannot directly threaten such people.

The US can and does wreak economic damage on foreign companies all the time. That's what the Denied Persons List (http://www.bis.doc.gov/dpl/thedeniallist.asp) is all about.

But I'd be more scared about the CIA program of rendition and torture if I was pissing off the US in any serious way.

Maybe you also want to look up the My Lai massacre before judging what the US is and is not prepared to do.

@fimdomeio:

As a costumer I would love to hear where you stand in relation to PRISM and whether your datacenters outside US are also under US law.

Just make sure your SuperVillain costumes don't have toooo many superpowers and you should be left alone.

@fimdomeio:

As a costumer I would love to hear where you stand in relation to PRISM and whether your datacenters outside US are also under US law.

thank you.

Linode have actually said before that they don't hand over any data without a court order, but if they do get such an order they have to follow it. I think Caker also suggested that you can encrypt your disk image if it makes you feel safer.

PRISM isn't meant to get data from companies like Linode, it's meant to get data from the likes of Skype and Google where the data is in a predictable format and therefore useful without having to burn man-days working out what the hell it is.

If you really want a serious answer from Linode you might want to open a support ticket.

Linodes, wherever they happen to be hosted, are under control of a US company and subject to US law. That says all you need to know really. I doubt Linode can say more without risking a holiday in gitmo or facing the wrong end of a drone strike :-) Don't ya love freedom.

Not that hosting with a non-US company is guaranteed to be different since many countries have similar laws and intelligence sharing relationships. If you value privacy keep off the Internet and if you are likely to be a persecuted minority at some point in the future and must communicate online then you probably need end to end encryption.

I imagine lots of companies already avoid US based cloud and VPS services to comply with local privacy laws and to avoid commercially sensitive information being given to US competitors so I imagine the impact of Prism on Linode business will be minimal.

I wouldn't assume my Linode mail server is any more protected than gmail. Incoming smtp is all plain text and likely captured on the backbone. I talk to it over TLS or ssh but with the keys in my VPS and its backup it probably wouldn't be hard to MITM.

@shirro:

Incoming smtp is all plain text and likely captured on the backbone.

Some? Yes.

All? No.

All the major MTAs and many of the large email providers support STARTTLS, and that will be used to encrypt SMTP between compatible MTAs.

Now, I'm not saying that this encryption is un-breakable, but it's certainly not plain-text.

@vonskippy:

Just make sure your SuperVillain costumes don't have toooo many superpowers and you should be left alone.

How to name your SuperVillain: http://www.smbc-comics.com/index.php?db=comics&id=3006#comic

@anderiv:

@shirro:

Incoming smtp is all plain text and likely captured on the backbone.

Some? Yes.

All? No.

All the major MTAs and many of the large email providers support STARTTLS, and that will be used to encrypt SMTP between compatible MTAs.

Now, I'm not saying that this encryption is un-breakable, but it's certainly not plain-text.

Where SMTP is encrypted, practically no one sets up the certificates right to detect that the other side is who they claim to be, and even if they do, the whole SSL certificate system is screwed in such a way that most governments, and some criminals, could get a certificate to claim they are anyone at all.

SMTP level TLS can't be trusted but yes, it's better than plain-text.

PGP can be trusted but it's a pain to use in practice.
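
An added example, not part of any post in this thread: one way to check the "Some? Yes. All? No." point on your own mail server is to read each message's `Received` headers and see which hops were recorded with a TLS protocol keyword (`ESMTPS` and friends, RFC 3848). The message, host names and queue ids below are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop ran over TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)

# Constructed sample message (hypothetical hosts, RFC 5737 addresses).
SAMPLE = """\
Received: from mx.recipient.example (localhost [127.0.0.1])
\tby mailstore.recipient.example (Postfix) with LMTP id 3C0FFEE; Mon, 10 Jun 2013 12:00:03 +0000
Received: from out.sender.example (out.sender.example [192.0.2.10])
\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
\tby mx.recipient.example (Postfix) with ESMTPS id 1BADCAFE; Mon, 10 Jun 2013 12:00:02 +0000
Received: from laptop.sender.example (unknown [198.51.100.7])
\tby out.sender.example (Postfix) with ESMTP id 0DDBA11; Mon, 10 Jun 2013 12:00:01 +0000
From: alice@sender.example
Subject: constructed sample

body
"""

def strip_comments(value):
    """Drop (possibly nested) parenthesised comments such as '(using TLSv1 with cipher ...)'."""
    previous = None
    while previous != value:
        previous = value
        value = re.sub(r"\([^()]*\)", " ", value)
    return value

def hop_report(raw_message):
    """Return (receiving_host, protocol, encrypted) per Received header, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        clauses = strip_comments(" ".join(value.split()))  # unfold, then drop comments
        by = BY_RE.search(clauses)
        proto = WITH_RE.search(clauses)
        name = proto.group(1).upper() if proto else None
        # ESMTPS only records that STARTTLS was used, not that the peer's
        # certificate was verified; a missing "with" clause counts as unencrypted.
        hops.append((by.group(1) if by else None, name, name in TLS_PROTOCOLS))
    return hops

def plaintext_hops(raw_message):
    """Receiving hosts of every hop that was not recorded as TLS."""
    return [host for host, _, encrypted in hop_report(raw_message) if not encrypted]
```

On the sample, only the MTA-to-MTA hop into `mx.recipient.example` is reported as encrypted; the submission hop and the local LMTP delivery are not.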

The US government's assurances that PRISM only spies on non-US citizens do not give me much peace of mind, what with the whole not being a US citizen and all.

I'm expecting PRISM to prompt a renewed call in our organization to move our server from Linode to OVH's North American datacentre, since there is no US involvement there (French company, Canadian datacentre).

It's really just simpler to assume that everything you do is monitored and go from there. Assume any message you send is going to be tapped somewhere along the way, and if you really need for it to get to the remote party without snooping, encrypt it.

I think you mean Torontreal? Ontario is a province, not a city. We don't have any large-scale nuclear reactors left in Quebec, but Ontario does, so I guess they could provide the radioactive sludge.

America loaned us some nuclear bombs back in the day. Haven't had any for a few decades though.
