Your home country can tell you "Give us your data" and you have to comply.
"I will never give up customer data" is a very tough promise to keep, if the government threatens you with your business license being revoked, your servers and domains being forcibly seized by the police, and you personally going to jail.
(Under the current US administration, we can add "A close examination of the immigration status of all foreign nationals employed by your company, followed by probable deportation or jail" to the list of potential consequences for resisting the government.)
There's also an open question of how possible it is to run a system that doesn't collect/store data in a way that makes it possible to be collected by the government. The US government can force companies to compromise their systems or shut down their services if they refuse. In the past they've even threatened that shutting down a service instead of compromising it could still get operators in legal trouble.
At this point anyone who wants to keep the US government out of their data should avoid using any US company.
More recently they've started collecting the contents of messages into the cloud too, yet to this very day their privacy policy opens with the lie: "Signal is designed to never collect or store any sensitive information." which hasn't been true for a very, very long time. I consider their refusal to update their privacy policy to be a massive dead canary warning people that the service has already been compromised, but feel free to take your chances.
I'm also not sure where you've read that they collect the contents of messages, because as far as I'm aware they still aren't doing that and I can't find any info online that indicates that they are (other than their secure backup feature that's opt-in only I suppose)
The fact that Signal users are still unaware of where their data is going and when should tell you all you need to know about how trustworthy the service is. Not being 100% clear about the risks people take when using software which is promoted for use by people whose freedom and/or lives depend on it being secure is a very bad look for Signal.
As for message backups they are at least opt-in (for now anyway) and you can learn more about them here: https://signal.org/blog/introducing-secure-backups/
https://blogs.microsoft.com/on-the-issues/2025/04/30/europea...
Not all countries have an equivalent to the USA CLOUD Act.
It seems the solution is ages old. Don't have the holding incorporated in an empire...
If you don't have a spine, sure
That's what US companies are seen as from a European perspective: Spineless and untrustable
It's a great sales argument for locally grown software though, so I'm not complaining :)
That's what he would say if the company was under a gag order in the US. So I would take anything they say with a mountain of salt.
This makes it less likely he's lying. It could be possible Microsoft France has a "rogue" employee system where a key person only obeys Microsoft US orders rather than his French boss and French law. Then the boss can swear to the Senate that they're complying.
This is exactly the system the US Congress accused TikTok of having set up.
In practice the US HQ could mandate a security update that secretly uploads all data to the US but that's a whole other can of worms that I don't think anyone is ready to open.
In a modern cloud data center you don't need someone physically plugging a USB stick into a server, you just need a back door in a cloud software stack many times the size of any modern operating system, which often even involves custom firmware for very low-level components, and where the attacker has the capability to convince your CPU vendor to help them...
Incredibly ambiguous/unsatisfying sentence. If this French hearing is concerned about French data security, then asking a question about your "in practice" is exactly a can of worms the French would like to open.
"Every accusation is a confession" remains undefeated
> It could be possible Microsoft France has a "rogue" employee system where a key person only obeys to Microsoft US orders rather than his French boss and French law.
I would think that is not just a possibility, but a certainty.
Including certain contractual "standard"(1) agreements which would make some of their higher management _personally_ liable for undue data access even under Cloud act from the US!!!
(1) As in standard agreements for providers which store lawyer data, including highly sensitive details about ongoing cases etc.
So you can't really trust MS anymore at all, even if personal liability (e.g. lying under oath) is at stake. And the max ceiling for the penalties for lying under oath seems less than what you can run into in the previously mentioned case...
You also have to look a bit closer at what it even means if "the French MS CEO swears they are complying": it means he doesn't know about non-compliance and did tell his employees to comply and hired someone to verify it etc.
But the US doesn't need the French CEO to know, they just need to gain access to the French/EU servers through US employees, which, given that most of the infra software is written in the US and there are international admin teams for 24/7 support, is really not that hard...
And even if you want to sue the French CEO after a breach / he (hypothetically) lied, he would just say he didn't because he also was lied to, leading to an endless goose chase and "oopsie", by now the French CEO somehow is living in the US.
And that is if you ever learn about it happening, but thanks to the US having pretty bad gag orders/secret court stuff the chance for that is very low.
So from my POV it looks like MS has been knowingly and systematically lying to and deceiving customers, including those with highly sensitive data, and EU governments about how "safe" the data is, even if it leads to personal legal liability for management.
And I seem to remember that AWS was giving similar guarantees they most likely can't hold, but I'm not fully sure. Idk about Google.
Oh and if you hope that the whole Sovereign Cloud thing will help, it won't. It's a huge make-pretend theater moving millions over millions into the hands of US cloud providers while not providing a realistic solution to the problem it is supposed to solve and neglecting local competition which actually could make a difference, smh.
There wouldn't be any lawsuit. If you do this kind of thing you get arrested, get a trial and then you are in prison forever.
And leading management also technically doesn't need to know that it happens for it to be doable. Or in other words they have a lot of reason to "accidentally" not know about it/have it overlooked.
This means even if it happens they are very unlikely to be charged for anything more than negligence.
But the contracts I mentioned above basically state "it doesn't matter why it happens and if you knew or if it was your fault, as long as there was the smallest bit of negligence on your side you are on the hook for it personally". So in a situation where they can effectively avoid espionage trials (because they didn't commit espionage, just negligence) they are still held responsible.
If high-level management would reliably go to prison for things like that you wouldn't need additional contracts to make sure they actually have an incentive to actively try to find/prevent anything like this/act very non-negligently.
Participating in a plot to supply french state information to the US is espionage. France also apparently has a broad definition of espionage, relative to some other EU countries.
States have a tendency of coming down rather harshly on this kind of thing, so this idea about negligence is I think unlikely. If you know about it the charges will be espionage charges. If it happened it would be the biggest thing ever. They'd arrest most Microsoft employees in relevant teams as well as the leadership, probably many others too. Just interrogation would probably take half a year due to lack of interrogators.
It's also possible that US employees had access to French servers without anyone in France knowing.
From the FAQ page I linked:
> In accordance with our Privacy Policy, OVHcloud will comply with lawful requests from public authorities. Under the CLOUD Act, that could include data stored outside of the United States. OVHcloud will consider the availability of legal mechanisms to quash or modify requests as permitted by the CLOUD Act.
It’s the other way around.
> From the FAQ page I linked:
Which is for the US company.
You can actually. Becton Dickinson did it and shafted loads of their employees by saying they no longer have pensions with them.
It rarely makes economic sense to deploy workloads onto the public cloud unless you have critical uptime requirements or need massive elasticity.
Most of the time countries do, because they are all swapping data on their citizens between themselves to skirt various laws.
In the case where the US really wants something, and the country won't yield, they'll fund contras or destabilize the government (if small enough to be bullied) or impose sanctions so drastic it's effectively a soft act of war.
This is all to say that, the US has nearly unlimited authority while it stands as the world's defacto superpower.
Pretty funny you're jumping straight to warfare. This proves why Americans cannot be trusted.
In any case, it's better for me that the Americans will need to start a war with the EU to get at my data instead of just giving it to them.
Any nation with any amount of leverage has abused it.
(I work there.)
Every AWS employee knows where his bread is buttered - Seattle not Brussels
"If it's certified, it must be good".
Then the next level is regulators in EU also have to care and can't just say "ok, you have a separate DC building with EU employees only. Good. My job is done, I checked" and move on.
If you do something that the EU doesn't like its response will be relatively rational and proportional. While the US government is currently run by unpredictable and volatile people. So risk/reward wise it's rather obvious whose orders they will be following.
s/U.S./Chinese/
Tomato <=> Tomato
On top of that, the US can update it all remotely, including the hardware now thanks to things like intel ME.
Let's hope we never get into a conflict with them, because even without bombs, they can basically shut us down with a few keystrokes: https://www.bitecode.dev/p/the-eu-can-be-shut-down-with-a-fe...
Or at least have everything they need to develop such a capability. And it's not like the current people in power care much about alienating other countries.
Let's not be excessively alarmist; AFAIK, the Intel ME is not (unless you're using things like vPro) exposed directly to the network, you need the cooperation of the operating system to reach the ME.
Of course, said operating system is usually Microsoft Windows, which can be updated remotely... (and even Linux users often use USA-based distributions).
I would absolutely love to see the EU invest in developing processors and operating systems. It'd benefit us all to have real competition in those spaces, and it's the only way the EU can ever keep their data out of the hands of the US government.
If they can make successful tax shelters they can architect the entities and the architecture to remove this option.
There's some 9-eyes thing where this is a feature not a bug
[0] https://en.wikipedia.org/wiki/Microsoft_Corp._v._United_Stat...
The GDPR is incompatible with the Cloud Act, and so the only legal (or so it should be) way to use US companies is to treat them like unsafe third countries - no matter the data center location.
But everyone wants to continue like before. Having to ensure that Amazon and Azure never touch unencrypted personal data is hard. So one "compromise" after another has been tried - never solving the actual problem.
As an EU citizen I think it's entirely embarrassing. Either the EU should have the power to force European subsidiaries to be exempted from the Cloud Act, or everyone should be forced to abide by the law, which would greatly boost EU tech. Instead we are just rolling over.
Hearing a distant shout of "hold my beer" from the White House...
"Cloud" is not only for storage; it's also for compute. Doing compute directly on encrypted data (homomorphic encryption) is very slow and very complicated, so when using a cloud, the data is usually either unencrypted, or encrypted but the key is elsewhere in the same cloud.
I get that FHE is not realistic today, but can't I use (if it's really critical) a combination of confidential VMs and an external HSM? I understand I'll be limited to traditional workloads, and not managed services though.
I asked the wrong question, what I really meant was "if I run in a less trusted environment, am I not supposed to use all possible crypto mechanisms available to make that environment more trustworthy, so that I can't be deceived by my cloud operator sending my data to the US government"
Absolutely do what you can, but understand that it's futile to defend against your own cloud provider.
The only issue left would be managed services though, which then I wouldn't use, but I'd be able to run my own Postgres safely on infra I'm renting.
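An added example, not from any commenter in this thread, of the key-placement point made above: the same record stored under envelope encryption with the key-encryption key (KEK) held off-cloud versus inside the cloud, and what happens the moment a workload has to process the record. The toy cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC, standing in for a real AEAD; the record, the keys and the `unwrap` callback that plays the role of an external HSM are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive distinct encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 over (nonce || counter) as a PRF keystream. Toy cipher for
    # illustration only; a real deployment would use an AEAD such as AES-GCM.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; output layout is nonce(16) || ciphertext || tag(32).
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def client_seal(kek: bytes, record: bytes) -> dict:
    # Done outside the cloud: fresh data-encryption key (DEK) per record,
    # the DEK wrapped under the KEK. Only these two blobs go to the provider.
    dek = os.urandom(32)
    return {"ciphertext": encrypt(dek, record), "wrapped_dek": encrypt(kek, dek)}


def storage_operator_view(stored: dict, kek_in_cloud: Optional[bytes]) -> Optional[bytes]:
    # What a party with full access to the storage bucket can recover.
    # If the KEK lives in the same cloud (e.g. a provider-managed KMS), the
    # provider can unwrap the DEK and read the record; with the KEK elsewhere,
    # the bucket yields only ciphertext and a wrapped key.
    if kek_in_cloud is None:
        return None
    dek = decrypt(kek_in_cloud, stored["wrapped_dek"])
    return decrypt(dek, stored["ciphertext"])


def workload_process(stored: dict, unwrap: Callable[[bytes], bytes]) -> Tuple[bytes, bytes]:
    # A compute job that needs the plaintext. `unwrap` stands in for a call to
    # an external HSM (hypothetical callback for this example). Whatever the HSM
    # returns lands in the VM's memory, so both the DEK and the plaintext exist
    # in memory the provider controls for as long as the job runs.
    dek = unwrap(stored["wrapped_dek"])
    return decrypt(dek, stored["ciphertext"]), dek


if __name__ == "__main__":
    kek = os.urandom(32)  # constructed; in practice held in an off-cloud HSM
    stored = client_seal(kek, b"constructed sample record")
    print("storage-only, KEK off-cloud:", storage_operator_view(stored, None))
    print("storage-only, KEK in-cloud :", storage_operator_view(stored, kek))
    print("during compute             :", workload_process(stored, lambda w: decrypt(kek, w))[0])
```

Running it shows the three regimes side by side: an operator holding only the bucket gets nothing, an operator who also holds the KEK reads the record, and once a workload unwraps the DEK to do its job the plaintext is in the VM regardless of where the KEK sits, which is the sense in which storage-side crypto cannot defend against the provider running the compute.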
The interesting thing is that the US is acting in the exact way that they accuse China of acting. Companies like Huawei are forbidden from installing telecom infrastructure for "national security" reasons [1]. One of justifications for first banning then forcing a sale of Tiktok was because of possible Chinese government interference. It's only a matter of time before the EU and China start making the same determination against US tech giants (eg Meta executive brags about silencing dissent [2]).
This administration really is killing the golden goose.
[1]: https://www.reuters.com/business/media-telecom/us-fcc-bans-e...
A better faith interpretation is that people are free to criticize Israel and Zionism on Meta, just not using racist tropes.
- Ben Shapiro excuses antisemitic remarks by Ann Coulter because she's pro-Israel [1];
- ADL defends Elon Musk for making the Nazi salute (twice) on stage [2]
- We brutalized people with the police for organizing peaceful protests to say "maybe we shouldn't bomb children" or to get their respective universities to divest their endowments from the state doing the bombing;
- We went so far as trying to deport legal permanent residents for organizing said peaceful protests (ie Mahmoud Khalil); and
- The IHRA definition of antisemitism includes criticisms of the state of Israel.
[1]: https://x.com/benshapiro/status/644505141299671041
[2]: https://www.aljazeera.com/news/2025/1/22/adl-faces-backlash-...
We can only judge big tech company policy based on its declaration or application. So far I see no supported criticisms of either, though I am open to them.
But it would be a mistake to single out Meta here. All these big tech companies move in lockstep with US foreign policy to appease the administration to get approvals for mergers, to end investigations and antitrust suits, to get government contracts and so on.
[1]: https://www.hrw.org/report/2023/12/21/metas-broken-promises/...
https://dirkjanm.io/obtaining-global-admin-in-every-entra-id...
This is actually amazing that all the tenders have not been rejected under national security grounds or simply security services (yet again) have not done the job tax payers pay them to do.
They should have arranged to get a 100 euro refund every time it happens, or 440 euros if the UK does it.
I'm sure if you asked the current administration what they think of France, they'd reply, "all they do is wine!"
Crazy to even think that such a law exists.