What am I fighting against?
This blog is my quiet rebellion. I am pushing back against global systems and laws, mostly from the United States and China, that allow governments or corporations to access personal data without meaningful oversight. Even in Sweden your data can be swept up into these systems.
If your cloud, email, storage or identity runs on a US or Chinese provider your data may be accessed under their national surveillance laws, even if it is stored in Stockholm or Helsinki. This is because jurisdiction follows the company, not just the data centre location.
United States surveillance frameworks
Cloud Act
Enacted in 2018. Allows US authorities to compel US-based companies to hand over user data no matter where in the world it is stored. Local privacy laws do not block this.
http://en.wikipedia.org/wiki/CLOUD_Act
FISA §702
Part of the US Foreign Intelligence Surveillance Act. Targets non-US persons outside the United States through US service providers. No individual warrant is required.
http://www.intel.gov/foreign-intelligence-surveillance-act/fisa-section-702
PRISM
A program under FISA §702. Direct data access from major US tech firms such as Google, Apple and Microsoft. Used to pull stored communications like emails, documents and chat messages.
http://en.wikipedia.org/wiki/PRISM
Upstream collection
Also under §702. Intercepts data directly from the internet backbone, including fibre cables and routers. Collects traffic to, from, or about a target.
http://en.wikipedia.org/wiki/PRISM
Executive Order 12333
Signed in 1981. Gives the NSA broad powers to collect signals intelligence outside US borders without court oversight. Often used for cable tapping and bulk collection.
http://www.fieldfisher.com/en/insights/us-surveillance-s702-fisa-eo-12333-prism-and-ups
National Security Letters
Secret data requests from the FBI and other agencies. No court involvement. Companies receiving them cannot tell users about the request.
http://policyreview.info/articles/analysis/mitigating-risk-us-surveillance-public-sector-services-cloud
Patriot Act
Introduced after 9/11. Expanded surveillance powers and lowered thresholds for data access. Many provisions remain in force today.
http://scholarworks.sjsu.edu/cgi/viewcontent.cgi?article=1032&context=secrecyandsociety
Chinese surveillance and data laws
PIPL – Personal Information Protection Law
Came into force in 2021. Requires informed consent and regulates overseas transfers of personal data. Does not limit state surveillance powers.
http://www.robin-data.io/en/data-protection-and-data-security-academy/news/data-protection-law-china-personal-information-protection-law-pipl
DSL – Data Security Law
Also from 2021. Classifies sensitive data, mandates localisation, allows audits and gives state agencies direct access when needed.
http://policyreview.info/articles/analysis/mitigating-risk-us-surveillance-public-sector-services-cloud
Cybersecurity Law and Network Regulations
Requires real-name registration, mandatory vulnerability reporting and on-site inspections. Foreign companies operating in China must comply.
http://www.wired.com/story/china-cyber-security-police-in-internet-headquarters
Other frameworks and trends
EU surveillance proposals
New proposals could require data retention, interception capabilities and weakened encryption. Examples include ProtectEU and the revived Chat Control law.
http://www.techradar.com/vpn/vpn-privacy-security/the-eu-wants-to-decrypt-your-private-data-by-2030
Data localisation laws
Countries such as Russia and Indonesia require user data to be stored locally. This can protect against foreign jurisdiction but often increases state access risk.
http://www.csis.org/analysis/real-national-security-concerns-over-data-localization
GDPR like laws worldwide
Over 120 countries have adopted data protection laws inspired by the GDPR. In most cases this is positive for user privacy, but enforcement and scope vary greatly. Examples include California's CPRA, Chile's privacy amendment, Israel's data laws, and the laws of Japan, India and Brazil.
http://insights.comforte.com/countries-with-gdpr-like-data-privacy-laws
Why the choice of cloud provider matters
Jurisdiction follows the company, not just the server location. If you use a US or Chinese provider your data falls under their national surveillance laws no matter where in the world you place your servers.
Major public cloud providers
Google Cloud
US based. Subject to US law including the Cloud Act and FISA §702.
Amazon Web Services (AWS)
US based. Same legal exposure as Google Cloud.
Microsoft Azure
US based. Same exposure under the Cloud Act and FISA, plus a documented history of PRISM participation.
Oracle Cloud
US based. Same exposure as the above.
Alibaba Cloud
China based. Subject to PIPL, DSL and Cybersecurity Law.
European and Nordic alternatives
Elastx (Sweden)
Subject to Swedish and EU law. No exposure to US or Chinese surveillance law. Full GDPR compliance and strong legal safeguards.
Hetzner (Germany)
Subject to EU GDPR. No US or Chinese jurisdiction.
OVHcloud (France)
Subject to EU GDPR. Operates data centres worldwide, but EU-hosted data is under GDPR.
UpCloud (Finland)
Subject to EU GDPR. Data centres in EU and other regions.
Scaleway (France)
Subject to EU GDPR.
Exoscale (Switzerland)
Subject to Swiss privacy law, which is similar to the GDPR.
If you value privacy and data sovereignty, self-hosting or choosing a Swedish or Nordic provider keeps you under GDPR and local privacy protections. You avoid gag orders, forced data disclosure under foreign law and silent compromises to your encryption. This is the legal and jurisdictional layer of digital sovereignty.