There is so much I want to say about this comment! First of all, it sounds like you had a terrible experience because you picked a bad ISP. I sympathize. But then you generalize from that and imply that anyone wanting an EU host will experience the same. Obviously that's not true - or do you believe no good ISPs exist in France? Second of all, why did you fork your code? Did you write your service to use proprietary Azure APIs without regard to vendor lock-in? Why not take this as an opportunity to incrementally extract the proprietary apis out of your application and replace them with processes you actually own? This will allow you to undo the fork and continue on, able to deploy your application anywhere you want.
We did our research, and settled on the French cloud provider that fit our parameters. They made promises about support hours that they did not keep. Changing cloud service providers is not cheap. We were a small team, and this cost us lots of effort.
We didn't fork our code, we forked our services. We ran everything on Azure. Then we had to configure our kiosk devices to either talk to Azure, or to talk to our servers in France.
"Did you write your service to use proprietary Azure APIs without regard to vendor lock-in? Why not take this as an opportunity"
I'm sorry, do you have any idea of the cost of doing these things?
If you have 6 developers, total, how many of them are you willing to allocate to rewriting your stack, so that you can sell your product in Europe?
>I'm sorry, do you have any idea of the cost of doing these things?
Oh indeed yes, which is why for years now I've been warning people to not write to proprietary APIs in the first place. It's a faustian bargain and sooner or later the bill is going to come due! If not because of legal requirements, then because MS or Amazon saturates the market, and has to increase revenue somehow. This is an example of where an ounce of prevention is worth a pound of cure. The upshot is that ignoring the warnings of people like me was a mistake.
(It's funny how people have moaned for years about "vendor lock-in" WRT Oracle. "They charge for every core!" But the cloud providers charge for every invocation, which is infinitely worse. And yet no-one seems to worry about it. It's really odd.)
So yeah, using HTTP to connect to a server that happened to be in the US...
That's the thing that prevented us from selling in France.
But thanks for lecturing me that "vendor lock in" was what killed our 6-developer team that was developing hardware, and computer vision, and 3D computer graphics, while developing a health care product under the tons of regulation that comes with that.
Hey, I feel your pain. Companies are like children to a founder, and you have described the heroic acts you've taken to save your child. It absolutely sucks to be in your position.
I think it's important to warn "parents" (or future parents) to avoid this particular tragedy, which I think is quite avoidable. I want to encourage people to question the orthodoxy around cloud, that everyone is doing it so its fine, and worse is better anyway, yada yada. It may be insensitive to use your situation to illustrate the downside of cloud vendor lock-in, but my motivation is not to look down on you, but to warn others about this very real, very painful outcome that they court when they make the popular choice.
I wasn't a founder. I was one of the 6 developers.
We happened to not use any vendor-specific APIs.
And it still killed us to fork our stack, and to teach our kiosks to be able to talk to the right server, and the extra cost of the servers in France, and the lack of support we saw from the provider in France...
Many noble efforts fail this way. You are not alone. This is one of those lessons you learn in regards to keeping your audience narrow, and executing on one thing at a time.
It's embittering, hardens the heart, and makes you want to give up, but you've gotta redouble and bust through it.
And by all means, shame the provider if they didn't live up to their end of the bargain.
Sorry if I don’t follow your reasoning, I’m still stuck at this piece of USA policy you seemed to have glossed over:
> Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
"Agencies" refers to parts of the US govt; that is a US govt regulation for its own agencies with respect to its own citizens and the regulation of immigration. It has nothing to do with e-commerce, cloud storage, start-ups, web services, etc.
Just as France accords its own citoyens rights that foreigners aren't entitled to.
your frustration is justified. azure/aws is the entire environment. i dont think you could have implemented the suggested magical suggestion in any relevant or practical way.
Thank you for this response. Calling it a magical suggestion really does feel accurate. I was sitting here trying to think how you would even do this when everything is running on AWS (or Azure).
A better wording would be “don’t make calls into jurisdictions that violate our legal statutes”.
Ok, let me make a simple “marvel comics” example: what if all your calls were funneled through “Putin servers” or “Iran cloud” or “ People's Liberation Army computers”? Would you mind?
I hear you arguing “but we’re the good guys! We’re USA, flag bearers of Democracy!” but no. Really according to EU law, under USA jurisdiction Pricacy Rights are fair game for people like Zuck. The guy that said “ I have over 4,000 emails, pictures, addresses, SNS. People just submitted it. I don't know why. They "trust me". Dumb fucks.”
Now, granted: our politicians likely want to stay on top of the consensus forming media, and make sure it’s within reach of their network. Annoying to see all the action moving to a different platform after all the years spent building relationships with the old media, but that’s the business.
I am so delighted I am able to access blog posts from people in Russia or Iran or China. Otherwise, it would be far easier for human rights abuses to exist. (This is somewhat tongue in cheek. My point is that information wants to be free, and we're all better off if there's LESS friction.)
When I found out Parler was being hosted on Russian servers, I immediately informed everyone I knew who was thinking about switching to Parler that it was a really bad idea. And it's their choice whether to use Parler or not.
I think it's great if companies can't hide that they're doing something like routing data through Russia. I think it's pretty stupid to not let someone use a product that routes data through Russia.
I also think that if Facebook stands up servers in France, it'll still be just as problematic as it is today.
This sounds really americentric. Have you considered that the every non-US citizen'd PII is fair game for US companies one in the county? As a European I wouldn't want my stuff to be routed through the US the same way you don't want your data going through Russia.
Yeah, it sucks that the US doesn't respect non-citizen data. But TBH I really don't think it respects citizen data either. Consider that Snowden discovered all kinds of ways the CIA and NSA were hoovering up data, in defiance of the law. But did the American people get pissed and force a change in those agencies, and call the leadership to account for disregarding the law because it was convenient? No: they successfully demonized the whistleblower who is still on the run. (Although I will say that excessive snoopiness is a lesser evil than censorship).
In the end, though, there is a high-tech solution here, and that's to migrate to 100% asymmetrically encrypted messaging, at the application level, regardless of underlying transport. This would force nation states to risk large scale hacking of devices, but that's more visible and easier to combat, as long as we remain free to make (and buy) the compute hardware we want to make.
The U.S. doesn't even respect Citizen@s data half the time. Remember, the Courts ruled that expectation of privacy, and therefore 4th Amendment protections are waived as soon as you engage with a Third Party.
His whole comment was about how he want to let traffic route through Russia even though he doesn't like it... but it's really Americentric? Could you explain that point please?
Do cloud service providers like Azure not have a way to "pin" some of your service instances to servers in specific countries? Seems like this capability would be important differentiating feature given EU privacy laws about where user data is hosted.
AWS most certainly isn't for as far as the data protection is concerned. An EU entity runs the EU regions of AWS cloud, you enter a contract with that entity and _not_ with the parent and the data is under the EU law.
The core issue here are the CLOUD ACT and FISA Section 702.
Basically the US government says it gets free access to all data stored by any US company or its international subsidies anywhere and that non-us-citizens have absolutely no right to any data privacy at all.
However european citizens do have such a right, and as such, companies can not process personal information using american subprocessors, because those can not guarantee to respect the citizens rights.
For a long time this was all about some contractual clauses between processor and sub-processor: the american subprocessor guarantees by contract to respect the data subjects fundamental right to data privacy.
And then the USA made the CLOUDA and FISA and all those contracts are no longer worth the bits they are encoded in. American companies are by law required to not respect the right to data privacy and can not guarantee to respect it in good faith, as they are themselves subjects of a surveillance state.
Now look at how AWS reacted to this problem: they added new clauses to the contract with their european customers, in which they promise to challenge law enforcement requests, especially those that are overbroad.
When EU goes after FAANG like this, it pushes them to position themselves against mass surveillance and in favor of a global basic human right to data privacy. In my honest opinion this fight is very necessary and i can only hope that humanity wins against surveillance capitalism in the end.
The small startup I worked for in Hamburg had a similar problem. They had to run all their infra on premise due to some wording of some of their largest clients and some odd rulings from BaFin.
The colo/managed provider they chose and had been working with for years was nigh incompetent. I was positive that being able to spin up infra in any of the clouds would have been a ton more reliable.
