As a costumer I would love to ear where you stand in relation to PRISM and whether your datacenters outside US are also under US law.

thank you.

This pretty much answers the US Law question.

PRISM seems to primarily target data being stored by particularly large and widely-used companies; I wouldn't expect Linode to be within scope. Other mechanisms exist for monitoring data on the move well upstream of Linode (e.g. Room 641A).

Also, for what it's worth, if Linode were a part of this program (or targeted by other things, such as NSLs), they would be forbidden from disclosing that to anyone not immediately involved in fulfilling the request.

_________________

/* TODO: need to add signature to posts */

deleted

The US can and does wreak economic damage on foreign companies all the time. That's what the Denied Persons List (http://www.bis.doc.gov/dpl/thedeniallist.asp) is all about.

But I'd be more scared about the CIA program of rendition and torture if I was pissing off the US in any serious way.


Maybe you also want look up the My Lai massacre before judging what the US is and is not prepared to do.

Just make sure your SuperVillain costumes don't have toooo many superpowers and you should be left alone.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.

Linode have actually said before that they don't hand over any data without a court order, but if they do get such an order they have to follow it. I think Caker also suggested that you can encrypt your disk image if it makes you feel safer.

PRISM isn't meant to get data from companies like Linode, it's meant to get data from the likes of Skype and Google where the data is in a predictable format and therefore useful without having to burn man-days working out what the hell it is.


If you really want a serious answer from Linode you might want to open a support ticket.

deleted

Linodes, wherever they happen to be hosted, are under control of a US company and subject to US law. That says all you need to know really. I doubt Linode can say more without risking a holiday in gitmo or facing the wrong end of a drone strike Don't ya love freedom.

Not that hosting with a non-US company is guaranteed to be different since many countries have similar laws and intelligence sharing relationships. If you value privacy keep off the Internet and if you are likely to be a persecuted minority at some point in the future and must communicate online then you probably need end to end encryption.

I imagine lots of companies already avoid US based cloud and VPS services to comply with local privacy laws and to avoid commercially sensitive information being given to US competitors so I imagine the impact of Prism on Linode business will be minimal.

I wouldn't assume my Linode mail server is any more protected than gmail. Incoming smtp is all plain text and likely captured on the backbone. I talk to it over TLS or ssh but with the keys in my VPS and its backup it probably wouldn't be hard to MITM.

Some? Yes.

All? No.

All the major MTAs and many of the large email providers support STARTTLS, and that will be used to encrypt SMTP between compatible MTAs.

Now, I'm not saying that this encryption is un-breakable, but it's certainly not plain-text.

_________________

How to name your SuperVillian: http://www.smbc-comics.com/index.php?db ... 3006#comic

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)

Where SMTP is encrypted practically no-one sets up the certificates right to detect the other side is who they claim to be and even if they do the whole SSL certificate system is screwed in such a way most governments, and some criminals, could get a certificate to claim they are anyone at all.

SMTP level TLS can't be trusted but yes, it's better than plain-text.

PGP can be trusted but it's a pain to use in practice.

The US government's assurances that PRISM only spies on non-US citizens does not give me much peace of mind, what with the whole not being a US citizen and all.

I'm expecting PRISM to prompt a renewed call in our organization to move our server from Linode to OVH's North American datacentre, since there is no US involvement there (French company, Canadian datacentre).

deleted

deleted

It's really just simpler to assume that everything you do is monitored and go from there. Assume any message you send is going to be tapped somewhere along the way, and if you really need for it to get to the remote party without snooping, encrypt it.