It depends on who you are and who you deal with. We house a lot of our stuff in Azure, but we entered into an agreement with an European based Microsoft child company.

If the us wants access to our data, they’ll need to go through the Danish courts.

We spend a lot of money though, but it afford us our own private servers in the Irish farm, that we have physical access to and our data never enters the public part of Azure.

If the US government wants to get access, it probably can, after a few months in various EU courts, but all they’ll find by the in our little vault will be a tape recorder playing twister sisters - we’re not gonna take it on repeat.

Of course American companies will be replaced by an European competitor if the US government doesn’t wise up and stops being dicks. If there was a real alternative to American clouds we’d have left by now.

There are a lot of other cloud providers in Europe besides OVH and Hetzner:

- Upcloud (based in Finland)

- Cloudsigma (based in Switzerland)

- Deutsche Telekom TelekomCLOUD (based in Germany)

- Online.net / Scaleway (based in France)

- Aruba Cloud (based in Italy)

- Swisscom (based in Switzerland)

- etc.

Unfortunately none of them offer the breadth of services like Google Cloud, Amazon or Azure, but they most likely will be more than enough for many purposes.

Your best plan is [1]: a) don't be a US citizen/resident, and b) store your data in a country where disclosure of this information is banned by law.

Under these conditions, the provider can (and has incentives to) challenge the order requiring the production of the data. If the order is quashed, the US government would need to get an order from the local government under MLAT for the data.

As for your German datacenter question... Under the text of the law, it depends on whether that data is within a US electronic communications or remote computing service provider's "possession, custody, or control." In theory, a service provider might contract out the management of these aspects of its operations, but it would be hard to imagine a service provider feeling comfortable moving the data outside of its control.

[1] See p 2205 of bill text for the CLOUD act part. http://docs.house.gov/billsthisweek/20180319/BILLS-115SAHR16...

I mean... duh? If you don't want your data accessible by a particular sovereign entity, its best to ensure your data is never in the jurisdiction of that sovereign entity. The meaning of sovereign is "We can do whatever crap we want here, and there's no higher authority that can judge us". If you're not okay with that crap, then don't interact with that entity, because -- as the term 'sovereign' implies -- there's no court you can appeal to to settle your dispute in your favor.

I don't think #2 (Azure) applies. Your best bet is to store cryptographic keys offsite and leave the data in the cloud. There's a market opportunity for someone who can wrap that up in a reasonable API/library for use on EC2/GCP/Azure.

It's a matter of herd mentality. The more the issue is raised, the more people will be willing to use services from other countries instead of US-based services, which means more non-US companies will gain prominence for certain services, which will encourage even more users to switch to them.

As long as everyone thinks everything is fine if they keep using the same old US services they've always used, none of those steps will happen. Expect to get a push-back from users who prefer continuing to use US-based services so they can justify their own choice.

That's always been the case - US law has had global jurisdiction for decades

To their credit, Microsoft have resisted US Government pressure [0] on this subject in the past.

[0] https://www.washingtonpost.com/world/national-security/micro...

Hetzner requires a copy of your ID which I find more intrusive. Does OVH?

If there is a way to sign up for Hetzner without giving them a copy of your passport, does anyone know?

‘Avoiding lawful warrants’ is just not a service you’re easily going to get from a developed Western country.

MLAT would probably allow a US court to ask a foreign entity via a foreign court to provide data of US entity, even if the data and the provider are outside of the US.

Alibaba cloud? Presumably Chinese govt can snoop but not sure how much power US has.

[this was not entirely correct.. so I'm removing it]