Privacy Archives - Nextcloud https://nextcloud.com/blog/category/privacy/ Regain control over your data Fri, 20 Dec 2024 10:11:57 +0000

Nextcloud Office: your privacy upgrade as Microsoft Office end-of-life approaches https://nextcloud.com/blog/nextcloud-office-your-privacy-upgrade-as-microsoft-office-end-of-life-approaches/ Fri, 20 Dec 2024 10:00:00 +0000 https://nextcloud.com/?p=271028 By 2025 the most popular Microsoft Office products fall out of support.

We believe there's a need for a real Microsoft 365 alternative that protects your privacy.


By 2025 the most popular Microsoft Office products fall out of support, including the most widely used Office versions: Microsoft Office 2016 and 2019. Microsoft’s recommendation? Move, of course, to their subscription-only Microsoft 365 offering, which changes the scope of data privacy, access, and the financial relationship SMEs depend on — becoming subject to sudden price changes, like the previous up-to-25% price hikes.

We believe there’s a need for a real alternative.

The clock is ticking

Currently more than 80% of small and midsize enterprises (SMEs) in Germany use Microsoft Office packages that will have reached end-of-life next year, including Office 2016 and Office 2019. Essentially, “support for Office 2016 and Office 2019 will end on October 14, 2025 and there will be no extension and no extended security updates,” states Microsoft. Without an upgrade “you could expose yourself to serious and potentially harmful security risks.” And… they’re right.

Why businesses hesitate with Microsoft 365

Microsoft’s recommendation to move to Microsoft 365 carries significant implications for essential everyday office tools in enterprises. Data show that enterprises are hesitating to upgrade, with market share of Office 2010, 2013, 2015 and 2019 remaining stable in the last 24 months. Why the hesitation to upgrade?

We can think of a few reasons.

The financial implications

The soon-to-expire versions of Microsoft Office follow the traditional licensing model, which SMEs expect and appreciate for its predictability. With Microsoft’s suggested move to Office 365, that model gets thrown away for the monthly subscription model with cloud services. Which leads us to question…

Why does Big Tech love subscriptions?

Price control: increased prices at any time

There’s an incentive to lock you into recurring pricing through subscriptions, which gives the vendor price control: the ability to raise prices at any point, leaving SMEs at the mercy of their new subscription overlords.

The reason this is so effective?

Cancelling is painful: the vendor lock-in guarantee

Subscription models provide a perfect vendor lock-in scenario, creating this dependency and making it both difficult and costly to switch providers if the service does not meet expectations. Another step to this vendor lock-in includes the technical challenges associated with a massive migration from a subscription service.

What about my data privacy?

Is it acceptable that internal documents, Intellectual Property, and private communications are the new building blocks for Microsoft’s AI models?

How open-source AI models help you take control of your privacy

Moving to Microsoft 365 also drastically changes the expectations of data privacy, sovereignty, and transparency. With the suggestion to move the entire office suite to Microsoft’s cloud, your data may no longer be solely yours.

Microsoft’s Privacy Statement even states “As part of our efforts to improve and develop our products, we may use your data to develop and train our AI models.”

Even the European Commission this year was found to infringe on its own EU data protection laws through its use of Microsoft 365, which “failed […] to ensure that personal data transferred outside the EU are afforded an essentially equivalent level of protection as guaranteed in the EU.”

Nextcloud Office: refreshing alternative to Microsoft technologies

Nextcloud Office presents a migration path that addresses all of these Big Tech problems, from the grips of vendor lock-in to the critical data privacy concerns. It’s your ideal Microsoft 365 alternative!

By allowing self-hosting on secure and self-controlled servers, or with trusted sovereign cloud hosting partners, Nextcloud Office prioritizes your data sovereignty and GDPR compliance. This gives Nextcloud an edge over Microsoft 365, where data is stored on Microsoft’s servers and may be subject to access by US authorities.

In addition to real-time collaborative editing of documents, spreadsheets, and presentations, Nextcloud Office also seamlessly integrates with other Nextcloud apps like Nextcloud Talk and Nextcloud Groupware applications, enhancing overall team productivity.

Success in Germany’s federal state

From the public sector, the federal state of Schleswig-Holstein in Germany migrated away from the grasp of subscription models into Nextcloud’s suite of open source, data sovereign solutions including Nextcloud Office. This transition has been explored in detail by Schleswig-Holstein’s CIO Sven Thomsen in a recent episode of the Nextcloud Podcast.

With the adoption of Nextcloud Office in the last years, the value proposition that Nextcloud put into place totally changed for us: Nextcloud migrated in our view from a simple OneDrive alternative to becoming our central hub for collaboration and collaborative document editing. From an IT operations point of view, Nextcloud being open source is the perfect implementation path as a new solution.

Sven Thomsen
CIO of Schleswig-Holstein

Migrating to Nextcloud? Let us help!

We can directly help you migrate to Nextcloud Enterprise or to one of our trusted partners. We offer support for migration from a multitude of platforms, and encourage you to contact our sales team.

To smooth the transition, Nextcloud also supports many Microsoft integrations to make the journey a success!

Nextcloud Office: Your new path forward

As Microsoft Office 2016 and 2019 reach their end-of-life milestones, SMEs face a critical decision, and an opportunity for a better path forward.

An upgrade to Nextcloud Office prioritizes your data privacy, sovereignty, compliance, and freedom from vendor lock-in. Our open source suite of solutions allows SMEs to maintain control over their sensitive business information and avoid the risks associated with Big Tech’s cloud-based services.

Don’t get left behind by the changing landscape of Microsoft’s products. Join the growing community of organizations that have successfully migrated to Nextcloud Office.

Take control of your data and your future.

Confidentiality and data protection in research institutes https://nextcloud.com/blog/confidentiality-and-data-protection-in-research-institutes/ Thu, 23 May 2024 09:00:13 +0000 https://nextcloud.com/?p=208707 Research institutes produce some of the world’s most valuable data, so how can we ensure it's secure and protected?

Research institutes produce some of the world’s most valuable data: research on human beings, animal/plant life, societies and cultures, and so much more. The data being collected is integral to future advancements in our society, yet we must ask ourselves how it’s being protected today. For the sake of confidentiality and privacy, how can we keep critical research data protected?

Research institutes are responsible for conducting, storing, analyzing, using and ultimately sharing research data. Before research begins, there should be data protection protocols in place to prevent data loss, manipulation or theft. Read on to discover how research institutes can actively prevent data infringement and protect their data with Nextcloud as their platform.

How can research institutes’ data be protected with Nextcloud?

1. Access controls

One of the best ways to protect research data is to limit access to it. Only a handful of people will need to open the research folders and sysadmins can control this process down to a tee.

In Nextcloud Files, advanced permissions that limit and/or restrict access are state-of-the-art and trusted by our customers and community.

Just a few examples of advanced permissions:

  • Setting permissions on a shared file to: read, create, edit, and/or upload.
  • Watermarking confidential documents to make it harder to steal data.
  • Enabling password protection or an expiration date on a public file or folder.
  • Blocking downloads so the user can view and even edit the shared file(s), but not download them.

2. Antivirus

On a daily basis, external contacts send files and documents by email or through other channels which need to be scanned for threats like viruses. The Nextcloud Antivirus app (AV) performs automatic virus scans. Whenever a file is uploaded, it first gets handed over to the AV app.

3. Encryption

Nextcloud provides optimal security for research data and communication through encryption and hardening.

We offer three types of encryption:

  1. Encrypted data transfer with industry-standard TLS (Transport Layer Security)
  2. Server side encryption
    1. Enables researchers to store files locally and securely with encryption keys and ciphers
  3. End-to-End encryption
    1. E2EE file sharing: Enables researchers to share confidential files with other users; the files can be synced between devices.
    2. E2EE file drop: Allows researchers to receive files from external users through sharing a secure shared link. The external user only has the option to upload a file in the end-to-end encrypted folder.

4. Intrusion detection software

With machine learning based suspicious login detection, research institutes can increase security and productivity even beyond our brute-force protection and 2-factor authentication.

Suspicious Login Detection uses a locally trained neural network to detect attempts to log in by malicious actors.

How to protect yourself against deepfake scams in video calls https://nextcloud.com/blog/how-to-protect-yourself-against-deepfake-scams/ Wed, 17 Apr 2024 09:01:02 +0000 https://nextcloud.com/?p=209151 Read our guide to learn what deepfake scams are, how to spot a scammer, and how to protect yourself with the right techniques and software.

How to protect yourself against deepfakes

Public concern over real-time video scams is gaining global attention as major new incidents take place more and more often. Take a Hong Kong MNC that recently fell prey to a scammer in a colossal $25.6 million heist — deepfake technology has already evolved enough to bring on a whole new brand of fraud.

What remains is a call to action. Are there ways to protect yourself and your organization against con men posing as your boss, your business partner, or even your own mother? Let’s find out!

First things first, let us start with the definition.

What is a deepfake?

In case the definition of a deepfake is still unclear to some, a deepfake is content generated using deep learning techniques that is intended to look real, but is in fact fabricated. Artificial intelligence (AI) used to generate deepfakes typically employs generative models, for example, Generative Adversarial Networks (GANs) or auto-encoders.

Deepfakes are used not only in video content, but also in audio recordings and images. The purpose of a deepfake is often to depict an individual or a group saying or doing something that they never did in reality. To produce content that appears convincing, the AI must use large datasets in its training. It allows the model to recognize and reproduce natural patterns present in content it is designed to mimic.

While deepfake technology is a breakthrough with great potential in the film industry and game development, as well as a rising social media trend, it also opens dangerous opportunities for illegal use. The examples are numerous and include identity theft, evidence forging, disinformation, slander and biometric security bypass. In all cases, fraudsters typically leverage the depicted person’s authority over the targeted individuals or personal connection to them, depending on the setting.

Where can you encounter a deepfake?

Deepfakes are used to produce video, audio or image content, as recorded media or a real-time stream. It can be a YouTube video, a ‘leaked’ recording in a social post, a phone call or a video conference – the opportunities are practically unlimited.

Depending on the purpose, the format is picked accordingly. For example, political disinformation works best where mass engagement is possible, meaning that spreading it publicly via social media is the best tactic. Seeking a private gain from a company or individual, by contrast, requires a more intimate setting and often a personal conversation.

When it comes to threats to your personal life, finance or security, we can narrow down the most dangerous deepfake scenarios to encounters with people you care about, trust, or report to. This can be a family member, a friend, or an authority figure at work such as your boss or a company executive.

The setting will most likely be private: whether over a phone call or a video meeting. Personal meetings are much easier to execute and give the faker much more control over the situation. The conversation, whatever the background is, will lead you to an action under a sense of urgency or fear – most likely to transfer a sum of money. The tactic is to deceive your logic and common sense using fear, compassion or even ambition.

As generative AI development drives huge interest and investment, we are entering a dangerous zone: real-time video, the most sophisticated and convincing deepfake use case yet, still has very little awareness.

Deepfakes in real-time video

Real-time video deepfakes generate manipulated video content in real-time for immediate application during live streams and video calls. Voice cloning and face swapping are the most frequently used techniques to compose a complete faked environment.

Face swapping

Face swapping is a common application of deepfakes, allowing the software to replace facial features of a target person with fake features, most often those of another person. With facial landmark detection and manipulation techniques, the blending appears seamless and hard to spot when caught unaware.

Voice cloning

In addition to looking convincing, a faker also needs to sound convincing. For this part, voice cloning is used. In voice cloning, the AI replicates the voice of the individual. A significant amount of high-quality audio data is required to train a voice cloning model, usually obtained from recordings of the target person speaking in various contexts and using different intonations.

Curiosity time: how does a deepfake setup actually work?

Deepfake technology is capable of impersonating real-life individuals and doing it in a real-time setting, making the result even more convincing (and terrifying!). But how does the software work in a way that we encounter deepfakes using familiar meeting platforms?

Deepfake generation software can be integrated with streaming platforms and video conferencing tools in many ways:

  • It could function as a separate application that captures the video feed, processes it in real-time, and then sends the manipulated feed to the video conferencing software.
  • Alternatively, it might be integrated directly into the video conferencing software as an optional feature or plugin.
  • Another way, even more sophisticated and harder to detect, is through camera input, namely a virtual camera. A virtual camera intercepts the video feed from the faker’s physical camera and outputs the manipulated feed to the video conferencing software. The faker just picks the virtual camera as their camera input and voilà! (not funny, we know).

How to protect yourself against deepfakes?

Finally, to the most important part. How do you protect yourself against a deepfake, or at least get prepared to spot a fake boss making a sketchy request over video?

Nextcloud Talk in Hub 7

Privacy-first videoconferencing software is a key to safe meetings. Meet Nextcloud Talk, a powerful chatting and meeting platform that lets you regain control.

Watch out for red flags

AI face swapping technology may be advanced, but it’s not perfect. There are red flags you can spot, or at least learn to look out for when something seems off or unnatural:

  • Unrealistic facial expressions or movements, including unnatural eye movements, inappropriate blinking, and/or weird lip sync.
  • Inconsistencies in lighting and shadows that don’t match the surroundings.
  • Unnatural head or body movements, as well as visible blurring or pixelation around the face or neck.
  • Inconsistent quality in audio and video and mismatch between the picture and the sound.

Suspicious? Be proactive

There are methods to help you fish out the red flags that generally won’t make the conversation awkward if the person is in fact real.

First, there’s nothing more natural than a casual conversation. Engage in small talk: ask about their day, routine, questions about people you both know, etc. A complete stranger will struggle to be spontaneous and maintain the same personal connection. It’s also easier to catch one off guard when they lose a sense of control.

You can also use other video conferencing features: ask the person to share their screen and show you something related to your common tasks. This will be very difficult to replicate without access.

Finally, once they make a suspicious request, you have more freedom to be alert openly — politely ask them to confirm their identity by providing some exclusive information or send you a confirmation message via a different channel.

Set up a passphrase

One more way to ensure confidence when it comes to sensitive topics is setting up a password or passphrase. This is an easy way to confirm the identity of the people you know, both at work and between family members, and it is equally effective via voice, video and text communication.

Verify identity outside of the meeting

If a faker poses as a person you know well, chances are you have more than one communication channel to reach out with. Use email, a messenger or a personal phone number to contact them and raise a question — the reason is valid.

Don’t let them harvest your data

To replicate and manipulate a person’s voice or image, AI needs a massive amount of data. This data is often gathered beforehand, during online calls and meetings. Features like Recording Consent in Nextcloud Talk may help you protect yourself and others from such a data haul.

Use company software

It’s unlikely for your real boss to set up a meeting via a platform you never use for work. And if they do, they must have a good reason! Don’t be afraid to stand up to suspicious activity.

Using company software means better control over the data and compliance with privacy regulations. Even better — if you run it on premise! Should an incident happen, the company IT team can run an audit to retrieve the relevant data and investigate.

Ensure secure access to your videoconferencing platform with settings like 2FA, strong passwords, data encryption, activity monitoring, and login restrictions. This applies to your personal settings and administrative controls.

Nextcloud Talk: video and chat with privacy in mind

Using a privacy-oriented, unified workspace with admin control in all apps makes sure your security protocols are in place to detect and prevent breaches. Nextcloud Hub provides a user friendly videoconferencing platform that keeps users happy to stay within company IT.

How Nextcloud Talk protects your data:

  • AI-powered suspicious login detection
  • Multi-layered encryption with end-to-end encrypted communication
  • Brute-force protection
  • Fully on premise, 100% open source

Nextcloud is an open-source project backed by a strong community with a proactive approach to vulnerability research and patching. It is designed to let you stay compliant with GDPR, CCPA, and the upcoming EU ePrivacy Regulation.

Educating Bild: password-protected sharing https://nextcloud.com/blog/educating-bild-password-protected-sharing/ https://nextcloud.com/blog/educating-bild-password-protected-sharing/#comments Wed, 13 Mar 2024 10:00:00 +0000 https://nextcloud.com/?p=203900 The German tabloid Bild featured an article covering the press release published by the German Ministry of Defence about the recent leaks of WebEX calls between army generals. The Bild noted that the password the Ministry of Defence used for the shared Nextcloud link was “1234”, assuming this was meant to ‘secure’ the link. While […]

The German tabloid Bild featured an article covering the press release published by the German Ministry of Defence about the recent leaks of WebEX calls between army generals. The Bild noted that the password the Ministry of Defence used for the shared Nextcloud link was “1234”, assuming this was meant to ‘secure’ the link.

While a press release is obviously meant to be public, which is why the simple password was chosen, you might wonder why the ministry didn’t just use a completely password-less link for their Nextcloud share.

Secure sharing with Nextcloud

Nextcloud differentiates itself from public clouds like Microsoft 365, Dropbox or Google Drive with a focus on privacy and data sovereignty. Unlike public clouds, Nextcloud often runs on private cloud environments, giving the organization deploying it direct control over the data. It wouldn’t make sense for the German government (or any other) to hand over important data to foreign tech firms, which is why Nextcloud is widely deployed in the European public sector.

Protect your public links with passwords

With Nextcloud, users can share directly with other users. This makes sure no data leaves the government data center. But sometimes data must be shared outside the organization, either to a single individual or fully in public like with a press release.

Nextcloud allows users to create one or more public links for this purpose. A public link lets a third party who has the link view and (depending on the settings) download and edit the file. As you might share a document for editing with one person and create another link with only viewing permissions for a second, each link can have its own protections, including a password, expiration date and more!

The system administrator can put in additional controls, to ensure data is always protected. The File Access Control can use rules to stop files from being accessed outside Germany, for example. Or a mandatory 30 day expiration date can make sure links get cleaned up after a while. And last, but very relevant, administrators can enforce a password on each public link.

This setting is clearly enabled on the Nextcloud server used by the German Ministry of Defense, and explains why a simple password (1234) had to be chosen. Note that administrators can even enforce a certain degree of password quality, blocking such simple passwords from being chosen by users!

In other words, Mr. Pistorius does not use the password ‘1234’ to protect any data – it was meant to make it easy to access the press release.

We hope the readers at Bild appreciate our explanation!

For a more detailed exploration of our file sharing features available throughout Nextcloud, see our in-depth docs on File Sharing or our Sharing features overview.

Data Privacy Week: Who owns your data? https://nextcloud.com/blog/data-privacy-week-who-owns-your-data/ Fri, 26 Jan 2024 14:07:28 +0000 https://nextcloud.com/?p=196486 With Data Privacy Week in full swing, we're excited to be part of the conversation — and part of the solution — in regaining and maintaining privacy of your personal and corporate data.

Here at Nextcloud we love reasons to celebrate data privacy, to continue exploring and improving our privacy goals. Respecting privacy is a deep aspect of our company and community culture, our shared mission, and a concept we interact with daily. With Data Privacy Week in full swing, we’re excited to be part of the conversation — and part of the solution — in regaining and maintaining privacy of your personal and corporate data.

We encourage you this week to be introspective, to re-evaluate your current privacy landscape, and to explore steps you can take to regain aspects of your data privacy. And in case you’re already a privacy advocate, we encourage you to help guide others to a more private digital lifestyle!

Who owns your…

If you’ve met us at conferences and corporate events around the world, you may have seen our swag with memorable nudging queries:

Who owns your
?

We encourage you to ask yourself regularly: Where is your contact book stored, and who has access to that data? What about your calendar, or your email? Medical data? Your location?

And with everyday technology’s ever-evolving pace, we can also begin to ask: Who owns your AI prompts? Your intellectual property and corporate secrets? What of your home surveillance videos? Your Bitcoin wallet?

We’re proud that together with our open source community we’ve built the industry’s leading privacy-respecting online collaboration platform, as recommended everywhere. PrivacyTools.io highlights Nextcloud in their list of “Top 10 Privacy Tools” and “Best Encrypted Cloud Storage in 2024”. PrivacyGuides.org features Nextcloud at the top of many categories from Productivity Tools and Collaboration Platforms, to File Sync.

Think Dropbox, Google Drive, or iCloud, except that you have complete control over where and how your files are stored.

ProPrivacy’s review of Nextcloud

Most trustworthy cloud storage… With Nextcloud, you, of course, decide where to keep your data.

ZDNET’s Best Cloud Services of 2024

Nextcloud’s many privacy solutions

Nextcloud Hub, our collection of tools all under one unified platform, offers many solutions to help you secure your private data.

Local, private Artificial Intelligence

Several types of AI integrations are also available throughout Nextcloud Hub, from completely self-hosted options to integrations with external services. For a fully private AI experience, all self-hosted AI features in Nextcloud are built-in and run completely on your server, meaning none of your data leaves your premises and you’re in full control. We encourage you to read more about our Ethical AI Rating system, our dedication to transparency, and the various AI-assisted features available to you:

Open Source: non-private code by design

When it comes to assuring privacy and security concepts are upheld in our software, we actually prefer to share our development in the open; transparent for all to see, inspect, share and participate in. Following open source development practices is deeply embedded in our identity, building trust in both the people and the code that goes into Nextcloud.

Curious? Explore what thousands of contributors create together on our GitHub!

Where to start?

While we firmly believe your data privacy is equally important every week of the year, we hope this Data Privacy Week encourages you to consider your current practices, and where you can take action to improve your data privacy. There’s plenty of opportunity to make improvements, collaborate with others, and to have fun along the way. We hope, too, that our excitement to make Nextcloud a central part of your data privacy toolkit helps make your journey that much more successful.

We all deserve privacy — after all, it has been declared a UN Human Right. Our goal is that together we can help make private-by-default the standard in all our technological endeavors.

Streamline your move to Nextcloud with our migration tools

We’ve created a number of migration tools to help you easily transition from platforms like Google, Microsoft, and more. With just a few clicks, you can move your documents, photos, chat logs, and calendar items into Nextcloud — a platform trusted by millions of users worldwide.

We currently offer migration tools for Google, Dropbox, OneDrive, and ownCloud to help you create a smooth transition, whether you’re a family or an enterprise.

We look forward to joining you on your data privacy journey! We also encourage you to discuss your data privacy with your family, friends, colleagues and those who care for your data.

BREAKING NEWS: ECJ rules US Cloud services fundamentally incompatible with EU Privacy laws https://nextcloud.com/blog/breaking-news-ecj-rules-us-cloud-services-fundamentally-incompatible-with-eu-privacy-laws/ https://nextcloud.com/blog/breaking-news-ecj-rules-us-cloud-services-fundamentally-incompatible-with-eu-privacy-laws/#comments Thu, 16 Jul 2020 09:00:05 +0000 https://nextcloud.com/?p=8434 The US “culture of surveillance” received a major EU push back today, with the European Court of Justice ruling against the legitimacy of the EU’s Standard Contractual Clauses as a way of transferring data to legal regimes outside of the Union. As we wrote 2 years ago, the Austrian Max Schrems, responsible for the previous […]


The US “culture of surveillance” received a major EU push back today, with the European Court of Justice ruling against the legitimacy of the EU’s Standard Contractual Clauses as a way of transferring data to legal regimes outside of the Union. As we wrote 2 years ago, the Austrian Max Schrems, responsible for the previous dismissal of the ‘Safe Harbour’ agreement between the US and EU, stated that its successor “Privacy Shield goes down as soon as EU Courts deliberate”. It seems he was right.

As covered yesterday at Euractiv:

Schrems’ concern is that Section 702 of the US Foreign Intelligence Surveillance Act (FISA), permits the National Security Agency to collect foreign intelligence belonging to non-Americans located outside the US, by way of obtaining their data stored with electronic communications services providers, such as Facebook.

The European Court of Justice in session (image via Court of Justice of the European Union)

Indeed, regulations like the Cloud Act have already resulted in US cloud companies giving up the fight for privacy, prompting European cloud giants to team up and provide an alternative.

Ruling today: no more “Privacy Shield”

Today, the CJEU Judgement invalidates “Privacy Shield” in a US Surveillance case. The first statement from Max Schrems’ NOYB organization on the CJEU ruling can be read here.

Their statement notes that the EU Commission gave in to US pressure: rather than undertaking a deep assessment of US surveillance laws, it quickly passed Privacy Shield to protect US businesses, to the detriment of the privacy and security of EU citizens. Quoting Herwig Hofmann, law professor at the University of Luxembourg and one of the lawyers arguing the Schrems cases before the CJEU:

The CJEU has invalidated the second Commission decision violating EU fundamental data protection rights. There can be no transfer of data to a country with forms of mass surveillance. As long as US-law gives its government the powers to vacuum-up EU data transiting to the US, such instruments will be invalidated again and again. The Commission’s acceptance of US surveillance laws in the Privacy Shield decision left them without defence.

Many German Data Protection Authorities have already concluded at various points that the use of Office 365 in schools is illegal and that the use of foreign-hosted chat and video communication services poses compliance problems, recommending Nextcloud Talk instead. The Swedish and Dutch have come to the same conclusion repeatedly. The CJEU rules that DPAs have a duty to take action and not bow under political pressure, as has happened repeatedly already. Just looking away is not a solution.

Consequence: US cloud services not GDPR compliant

US cloud firms like Microsoft are already regularly shown to flout European privacy laws, as was shown again recently in an extensive Data Protection Impact Assessment of Office 365 by the Dutch government exposing dozens of GDPR violations.

With this latest ruling, the ECJ puts another major roadblock in the way of US cloud services, challenging the basic premise that they are a viable solution for use with any privacy-sensitive data. Businesses, schools and government organizations putting data from their employees, customers, students and citizens on Office 365, Google G Suite or one of the dozens of other US-based SaaS services now risk massive fines under the GDPR.


DPIA commissioned by the Dutch government in mid-2020 shows a series of issues in Office 365

US cloud companies give up fight for privacy after CLOUD act is signed into law
https://nextcloud.com/blog/us-cloud-companies-give-up-fight-for-privacy-of-their-users/
Tue, 10 Apr 2018 10:04:59 +0000


The Verge reports how Microsoft and the US Department of Justice have withdrawn the Supreme Court case about accessing data operated in different countries. The reason is that the new CLOUD Act, signed by President Trump, guarantees US access to data under jurisdiction of US companies. In other words, if Microsoft can access the data, a US court can order them to hand it over. That the data might be in a German, Dutch or Indonesian data center does not matter. For obvious reasons, this is a decision the Electronic Frontier Foundation strongly disagrees with. What does this mean for European and international companies handling data of European customers? We think that the full access guaranteed to US authorities and law enforcement means no US owned or operated cloud service can legally be used for any privacy-sensitive data of Europeans.

Giving up the fight

With Microsoft and other US cloud companies basically giving up the fight for privacy and security of their users, US legislation guarantees law enforcement and government agencies in general have full access to cloud data hosted by US companies. It does not matter if that data is located in the US, Europe, China or anywhere else. This means European companies who think they are safe and can ignore US law, using for example European-hosted services from US companies, are up for some potentially huge fines under the GDPR (or DSGVO in Germany).

What does this mean? Microsoft is pretty honest about it:

  • We will not disclose data hosted in Microsoft business services to a government agency unless required by law.
  • If we are compelled by law to disclose customer data, we will promptly notify the customer and provide a copy of the request, unless we are legally prohibited from doing so.

We know pretty much any request for data of companies or users comes with a so-called ‘gag order’, forbidding any communication to the targeted organization or individual, so when the data is given, you won’t know. That’s one big advantage of a local data center: if you’re compelled to hand over data to a government agency, at least you’ll know and can take appropriate measures. And, of course, it can only be the government in the country you’re operating in – not the government of any country your hosting company operates in.

Serious business risk

It should be rather obvious that when the US government can compel Microsoft, Google, Dropbox or others to hand over data of users and businesses (in secret), you can count on other governments to be able to do the same. From Australia to Zimbabwe, if Microsoft wants to have a presence, they have to, and have promised to, abide by local law. And if that law requires them to hand over data and not talk about it, they will.

Perhaps you trust government 100% with the data of your customers. Maybe you don’t. In either case, if data of your customers leaks due to incompetence or malice of any of those governments that can compel your hosting provider to hand over data; or if your customers simply find out you (or your hosting provider) handed over data to the government of Zimbabwe, China, Japan or Montenegro, lawful or not, they can sue you under the GDPR in Europe.
