Comment by gregman1

Comment by gregman1 a day ago

6 replies

View on Hacker News

Afaik Hetzner has a couple of server locations in the USA. Is it correct to say that Hetzner has to comply to US CLOUD Act and therefore give away any data requested?

MonkeyClub a day ago

Depends on which data center you're hosted.

The one under US jurisdiction operated by Hetzner US LLC must comply, while the German ones are operating under the GDPR, which has extraterritorial clauses can can deny or challenge the request.

Reply View 4 replies
  • rvnx a day ago

    It's not that guaranteed.

    The reality is that if you have any interest, company or employees in the US you can be coerced to do anything the US government wants.

    Either legally through courts, or through business influence, or through harassment (e.g. hardcore checks from the IRS).

    Sorry, Stripe rejects you now because you are high-risk (you have to explain why you refuse to help in criminal cases, though there is a court requesting you).

    You don't like to comply to US requests and protect terrorists ?

    https://support.stripe.com/questions/how-to-resolve-blocks-o...

    Still don't comply ?

    You are added to sanctions list, end of the game.

    https://home.treasury.gov/news/press-releases/sb0185

    Even Microsoft acknowledges that these cross-border requests cannot be avoided.

    https://www.convotis.com/es/en/news/microsoft-access-eu-data

    The same way that EU can force fetching data from the US entity.

    Now on the EU side:

    GDPR fine of 4% of your worldwide income. Well, too bad, your US entity refused, we will have to punish your EU entity very strongly.

    If small provider, oh right you refuse ? Well, we will notify your bank that you do not respect the court orders, etc.

    The law is one of the way of enforcement, but there are multiple stages of pressure.

    Still refuse ? Well, let's come to you at 6am then.

    https://www.insurancejournal.com/news/national/2020/07/10/57...

    Reply View 3 replies
    • mk89 15 hours ago

      There are EU alternatives to Stripe.

      I know what you meant, but I think that there are alternatives, even if they are maybe not as good as the ones made in US.

      Also, if the goal is to go all in on data sovereignty, so be it - put the companies in the sanctions list. It will only grow.

      Reply View 0 replies
    • kaveh_h 19 hours ago

      Any company opting for building digital sovereign systems should build a redundant and decentralized organization so that in worst case the company can split up its operations geographically to avoid being in the crosshairs of any host countries government.

      Reply View 1 reply
      • rvnx 18 hours ago

        Absolutely, but imagine, Zuckerberg creates a new company:

            "Storm" -> "the European end to end encrypted privacy-conscious messenger app"
        Now, an US court, requests data from that project to protect an imminent attack where people are going to die.

        He refuses, his company refuses, everybody refuses.

        Do you think he can evade US justice even if the company is incorporated in the EU ?

        Collaborating is the path of least resistance, and as long as you can claim somewhat "we didn't have any choice, we were coerced" then you are fine. This is also why Apple, Google, Meta, NordVPN, etc, are all collaborating with the infamous FBI DITU group.

        Reply View 0 replies