Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Is moving offshore really crazy?

Today ZDNet published an article titled “The lunacy of trying to avoid NSA spying by moving e-mail and cloud out of the US” – I’m still trying to figure out if the position is naive, or intentionally ignores important facts.

In short, the author (Steven J. Vaughan-Nichols) states that your data is safer in the US because outside of the US, the NSA has much less restrictive rules to operate under. This is actually true – the NSA is a spy agency; like most spy agencies, they spy on people.

For those outside of the US, or those that routinely communicate with those that are outside of the US – as far as the NSA goes, you are fair game. Anything and everything you do, if they can see it, they’ll use. So on that point, ZDNet was right.

But their points only hold true if you ignore cryptography.

When your data is outside the US, you have to rely on encryption to protect your data; inside the US you have to rely on FISC to protect you. The Lavabit affair (or Hushmail if you want another example) should make it clear that inside the US, encrypted data held by a third-party shouldn’t be seen as secure as it once was – for that matter, it probably shouldn’t be viewed as secure at all (if your adversary is the US Government; in which case, you don’t have much hope anyway).

When somebody posted a link to the article, I made my point short and sweet:

It’s hard to break properly implemented, strong cryptography – on the other hand, getting FISC to order a provider to hand over your data seems to be quite simple. Given the choice of relying on encryption or a rubber-stamp court to protect my data – the right choice seems obvious.

Now, in all fairness, it’s worth noting that the NSA likes to collect and examine encrypted communication more than other things – and the odds of your data passing through the NSA is certainly higher if your data is offshore. If properly encrypted though, the odds of them seeing the content is reduced.

So is it insane to move data offshore to avoid the NSA? If you want them to not see anything you do, then yes, yes it is. If you want to reduce the odds of them seeing the content – it’s actually a reasonably prudent move.

Adam Caudill

Related Posts

  • OPSEC, The NSA, and You

    It’s been two weeks since news broke about the NSA collecting massive amounts of data from Verizon; and likely everybody else. There’s also PRISM – whatever the hell that is – it seems there’s no agreement on that, and I doubt there will be anytime soon. What really matters here though, is we have proof that people are watching – and if it’s happening in the US, it’s probably happening everywhere else.

  • Worried about the NSA? Try AES-512!

    …or, The Cost of Wild Speculation. “We need to boost our security – I think the NSA has broken everything we use. AES-256 is too weak, I don’t trust it. Find a way to implement AES-512.” Double-AES-256! It’d be easy, and double encrypting has never bitten us before. So, let’s write some code! def encrypt(msg, iv, key) return e(e(msg, iv, key.slice(0..31)), iv, key.slice(32..63)) end def decrypt(cipher, iv, key) return d(d(cipher, iv, key.

  • Crypto, the NSA, and Broken Trust

    Even as a child I was fascinated by cryptography – and often left the local librarians with puzzled looks thanks to the books I would check out. It’s so elegantly simple, and yet massively complex. There is one very unusual property of crypto though – it’s not about math or modes, it’s about trust. Cryptography, especially as used today, has the most wonderful dichotomy of trust; on one hand crypto, by its very nature, is used in situations lacking trust.

  • Making Android NSA-Proof

    As it turns out, it’s quite easy to make your Android phone NSA-proof. It’s a simple method, and anyone can do it – all you need is a few ounces of thermite! Too extreme? Tools & Tips Let’s shoot for something a little more attainable – spy resistant. We can’t stop every attack, but we can reduce the attack surface a bit. Here are a few tools that I’ve been using recently to do just that.

  • Crypto Front Door: Everyone Welcome!

    For decades, the US Government has fought — sometimes with itself — to prevent the use of secure cryptography. During the first crypto war, they allowed strong cryptography within the US, but other countries were limited to small keys — making brute force attacks practical. But what about those pesky US citizens? They didn’t really want them to have strong crypto either — enter key escrow. What is key escrow? According to Wikipedia: