It is no longer safe to move our governments and societies to US clouds
367 comments
·February 23, 2025
pclmulqdq
jandrewrogers
It isn't uniform by any means but the US runs on a physically independent cloud, often in their own facilities, designed by the big cloud companies. When using the public cloud for unclassified work (e.g. working with outside vendors), the data is only allowed to reside in specific data centers that have been vetted by the government, not all US regions have the same authorization. For example, government data in an S3 bucket in the public cloud may only be accessed and processed within the same region, which can be annoying if your infrastructure is elsewhere.
The US is far ahead of most countries when it comes to government use of the cloud. Other developed countries often learn how to do it from the US but are less comfortable with the technical requirements, which slows down adoption.
rapatel0
The US Gov't has their own GOV Cloud Datacenter Regions. It's run by Azure and AWS but there are restrictions on who is allowed to use it. It's not really public.
https://aws.amazon.com/govcloud-us/?whats-new.sort-by=item.a...
https://learn.microsoft.com/en-us/azure/azure-government/doc...
cmckn
GovCloud is only for federal contractors. There are classified regions that are airgapped, that’s what the 3-letter agencies use:
ocdtrekkie
The point is Amazon and Microsoft surely have vested interests in government data they are not supposed to be privy to.
ivanmontillam
Yes, I agree.
I make the parallel with "gold." Whoever has your gold, got you by the hanging spheres.
Given the importance of data today, I am baffled common citizens are not familiar with the "Data at rest" principle.
closeparen
The US government’s secrets are routinely held and processed by contractors. The prototypical government secret is something like the plans of an airplane designed and manufactured by Lockheed Martin.
GeoAtreides
pretty sure my remote encrypted backups[1] can keep a secret or two from the cloud storage provider
cogman10
This does raise a valid question of what secrets can or should the government have.
I think it's obvious that some secrets should be kept. It makes little sense to expose our nuclear secrets, counter espionage, or ongoing investigation efforts. But how far does or should that extend? Should everything the NSA/CIA/FBI/IRS does be secret? Should they stay secret for years or decades or forever?
IMO, the US goes too far in its secrets. Stuff gets classified that just makes the government look bad and that's dangerous.
And that's where I'm somewhat less concerned about putting US secrets into the cloud. Sure there's highly sensitive stuff that shouldn't go there, but there's also a lot of stuff that shouldn't have been a secret in the first place.
dcrazy
“Secrets” is a broad term that covers everything from payroll information to the history of CIA clandestine operations. Only some kinds of these are stored in the cloud.
rcpt
Security isn't a "safe" vs. "not safe" bool
dmantis
The world literally has hard proofs of mass espionage by the NSA and CIA after Snowden and Wikileaks Vault 7. Moving your government secrets to the US cloud has been madness for at least 12 years.
raverbashing
Cool, encrypt everything before uploading. Keep the key client-side
See, parent is right? Safe/not safe dichotomy helps nobody
rcpt
https://www.usenix.org/system/files/1401_08-12_mickens.pdf
Alright so get a magical amulet.
dijit
Correct, it's more like a bitmask.
Except if any of the bits are flipped you're f-d; especially so if your adversary is a nation.
pedropaulovc
This is nothing new, Microsoft signed an agreement with the French government to build a sovereign cloud called Bleu [1] operated by Orange and Capgemini using Azure and Microsoft 365 technology. The German government did something similar and launched Delos Cloud, operated by SAP and Arvato Systems.
[1] https://www.globenewswire.com/en/news-release/2021/05/27/223...
[2] https://www.bertelsmann.com/news-and-media/news/first-sovere...
gmuslera
Since now? It was safe before, as in what is happening now was totally impossible before, and somehow it happens anyway? Did they start to care about making backups after they lost data?
Risk is not about "something happened, so it may happen again", but if something bad can happen, if it is possible, and maybe weigh it as probable or not. Black swans exist, and if you bet everything on them not existing, you may lose everything.
And the process of moving government and societies to some cloud controlled by a foreign power takes time to get in, and to get out. And you can't tell that something bad was being done while showing a smiling face.
It is not something coming out of the blue. There were strong signals of intervention back to the start of the internet, and a more or less official confirmation of what was happening in the shadows with Snowden's revelations. But somehow it is now that this is perceived as a risk.
wongarsu
It has always been unsafe, it is very questionable under the GDPR (though governments are obviously excluded from the GDPR itself), and lots of governments and companies have been using or working on alternatives. But the temptation of US clouds has been strong, and now is a good time to remember everyone who previously thought the benefits outweighed the risks.
graemep
It's never been a good idea. I do not think non-EU European countries can rely on EU cloud, nor can EU countries necessarily rely on each other.
The only effect the distrust of the current US government will have is a few articles. It's expensive and difficult for this to be sufficient incentive to change anything.
We should probably be grateful they have not put it all on Chinese clouds.
altacc
I work at a large Europe-based multi-national and hosting has always been a concern due to the big differences in data protection and privacy rules. We never use a service not hosted in the EEA.
The current threats that the US is making to Europe about its data protection, privacy, consumer protection, etc. laws are very much of concern and are already beginning to be a factor in our ongoing RFPs and procurement process. We're not just following the law, we also don't trust some companies with our reputation.
watwut
America is literally allying itself with Russia, trying to turn Ukraine into basically a colony (by demanding their resources forever), threatening annexation of Canada (repeatedly). Oh, and in the process of starting a trade war.
Non-EU can trust EU waaay more than anyone except Russia can trust America. American leadership made it clear that norms, laws or morality are only for suckers.
The levels of behaviors between the sides here are not symmetrical.
whimsicalism
EU also demands resources in exchange for military support such as the French+UK-led intervention into Libya. Saying US is an ally of Russia is a pretty big stretch, meanwhile the EU has members that are actually allied with Russia and lots of large Russia-aligned multinationals like Gunvor
cuuupid
One oft forgotten thing is that the US government clouds rated for IL5/6 are secluded on SIPRnet and JWICS. These are totally separate networks with CDS’s being the only way to go from one net to the other.
In practice this means the US Government remains in control of the network backing their cloud. ITAR regulations make it treasonous to have foreign eyes on these clouds. Foreign governments are not afforded any of those protections when sitting on US clouds.
Even among FVEY, there are designations for data relative to member states and information is not as free flowing on JWICS as one might assume. It is more like a controlled stream than a raging river
jmclnx
I guess "Make America Great" may spawn a big Cloud Industry in Europe. If I was in Europe, I would never use any US Tech products.
Maybe Linux will end up making big inroads in Europe, replacing Windows and Microsoft Office and Office 365 along with Google Docs.
vachina
European companies are so deeply entrenched in American software ecosystem I can’t even. Just this past week my EU company deployed an agentic LLM hosted on Microsoft Azure with models developed by… Microsoft, on top of the existing GPT hosted on the same platform. They also recently moved their entire in-house HR platform to Oracle.
It’s no mistake China banned foreign companies with infinite money from setting up shop there. It is dangerous and expensive in the long run.
toomuchtodo
But would they still if the EU used tariff like policy to prohibit it? "The best time to plant a tree was 20 years ago, the next best time is now." Make the law, enforce the law, encourage the behavior and outcomes necessary to achieve the success criteria.
As someone with an infra background a lifetime ago, I am confident I could spin up Kubernetes and Deepseek R1 in OVH or Hetzner within a few days. The primitives exist, the EU simply needs to lean into cultivating and supporting them (orgs, platforms, etc) to push EU entities consuming these services away from US Tech. Perhaps the tech stack is a national security interest, just as a manufacturing base and supply chain is. Better to be prepared than to be entrenched in the US Tech ecosystem and then suddenly be held hostage for reasons.
petercooper
If you look at other countries/regions that impose high tariffs, their companies continue to buy and use American technologies and absorb the cost (to their local customers' detriment).
I'd certainly enjoy the case studies of European enterprises jumping from full-scale Azure and AWS deployments to OVHcloud or Hetzner, though. That'd make for some interesting reading.
hedora
Tariffs don’t really work for software, especially if the software provider holds lots of foreign government contracts, and you assume the foreign government and provider are colluding to get control over your systems.
jimbob45
The EU’s problem is that it doesn’t foster company growth on any level and doesn’t help with problems specific to the EU (e.g. multiple languages, differing laws, varying levels of unionization, and more).
Blaming Trump for their own well-known problems is silly. They were dependent on the US before him and they will continue to be dependent on the US after him until they look in the mirror and decide to fix what is broken.
crimsoneer
Hosting LLMs at scale without Azure/Bedrock is still a massive pain, and they offer EU based data sovereignty, so not clear what the problem is there (or are we now saying no doing business with US companies at all?)
hedora
If Microsoft is providing EU data sovereignty, then they’re either in violation of US law (the US CLOUD Act, specifically) or do not have the technical capability to access data on those servers. (So, for instance, the machines could be air gapped, or they could be configured to never honor MS credentials, including on the software update path).
In practice, this means no US cloud providers provide foreign data sovereignty (though many claim to).
TheBlight
The EU doesn't have a significant tech industry.
baq
It doesn’t have megacorps. It’s full of engineers working for US ones.
Fraterkes
Pythonblendervim? Ah sorry that's just the Netherlands
bittermandel
Definitely is, it triggered us at Molnett, Clever Cloud, Safespring and others to start believing in competing with the hyperscalers!
jaybrendansmith
Europe has done this before. Airbus did not exist but now it is the best aircraft maker since Boeing decided to retire all their senior engineers in favor of quick profits. Europe created Airbus, they can do the same with a new Cloud provider.
tensor
There is already a decent cloud industry in Europe. OVH has been around for decades, and many companies in North America even use them because they are often a bit cheaper. But you also have newer players like Scaleway and CDNs like Bunny.net that are growing fast.
I think the harder services to replace are things like GitHub and O365/Google Workplace.
petercooper
The EU hasn't even got a home-built social network with significant market reach, let alone the wherewithal to pull off ditching Microsoft and Google. It'd be nice to see that change, but there's surely some sort of blocker after 25 years of the Web being a mainstream technology.
danieldk
They used to exist (e.g. Hyves, StudiVZ), but they were murdered by FAANG. However, there are still locally successful companies that could expand to the rest of Europe if US companies were dropped. E.g. just speaking of The Netherlands, Bol.com is much more popular than Amazon, Marktplaats is more popular than eBay (which is pretty much non-existent here) and owned by a Nordic company, etc., iDEAL is much more popular for payments than PayPal, Stripe, etc. (and works far better). Such companies can fill the void.
Microsoft will be tough to replace. There are good alternatives, but retraining personnel, etc. will take years. Google, I am not sure. Their cloud services are replaceable. Search may be tougher, but the quality of Google Search has become so bad that it's often easier to ask an LLM.
selimthegrim
Tuenti?
ozim
With social networks or any EU startup, the problem is you have to deal with different languages right at the start.
Being a US startup with English only, you have access to 300m people right away.
There were country-specific social networks, but then all the cool kids were on FB so everyone moved there.
The same with LinkedIn: our country-specific business social network finally closed down last year. For the first 3-5 years it was growing, then everyone moved to LinkedIn, so that network was a ghost town for 15 years. Someone kept it alive just in case, but it seems like they stopped wasting money.
c-fe
I think the language problem will become less of a problem in the future due to (1) more (young) people living in cities and (2) all young people in cities speaking English. At least compared to previous generations imo. This could be my subjective view based on Luxembourg, the Netherlands, and visiting other European cities.
psychoslave
Maybe the so-called social network is not something to reproduce. Who cares who runs them if they deteriorate sociality, generate addictive consumption of things detrimental to mental health and favor extremist points of view?
toomuchtodo
There is an active effort currently to have the EU contribute towards funding https://freeourfeeds.com/ (to enable a distributed, global AT Proto network). Does the EU need the network to be home grown or have the valuation matter? I argue no, it is a utility, not a business to be captured and squeezed by investors or other potential controlling interests.
(as of this comment, Bluesky has ~32M users and counting)
Reventlov
And that's why we need to stop being dependent on the US: everything in there is described in terms of « market share », and not in terms of usefulness, ethics, or independence.
bloomingkales
They can fork phpbb. You didn’t really think these social networks are anything more than that?
We just need to see if phpbb can scale to a billion, and if not, why not.
petercooper
Well, I'm all for the return of the classic forum experience!
The UK's largest "social" sites are pretty much forums (e.g. Mumsnet, The Student Room, DigitalSpy, MoneySavingExpert) and while they're good for their respective topics, they don't cover the Reddit/Facebook/Instagram use cases (they could be arguably considered on a par with individual sub-reddits).
fsflover
PeerTube is made in France, Mastodon AFAIK in Germany.
tbrownaw
So we're about to finally get the year of Linux on the desktop?
qwerty456127
Almost every EU company I worked with migrated from Windows to Ubuntu at some point.
century19
I've worked with many and it was always Windows, with some use of MacBooks in recent years. Never once seen Linux desktops.
mattmaroon
It's been one year away for 30 years!
pton_xd
> I guess "Make America Great" may spawn a big Cloud Industry in Europe.
Have you tried using OVH? It's... not ready for prime time. Don't get me wrong, I love it for cheap EU servers, but man is it a pain in the ass to deal with.
Xenoamorphous
Not just cloud but military and many other things.
I think MAGA is good for Europe, there’s a big incentive to remove any kind of US dependency.
bloopernova
I'm in the process of moving my various google data onto Hetzner storage share[1]. It's a Nextcloud instance with 5TB of storage for $16/month. My wife and I each have a normal user, we can share stuff just as well as before, and we can install things like a simple Kanban app, sync to our Android phones, etc etc.
So far it's been great, I highly recommend it.
k8sToGo
Regardless of any cloud:
I hope you have a proper backup strategy
bloopernova
Multiple local copies, a cloud copy, and an archive copy on a different provider.
Zenst
Store a local copy offsite with a friend or relative you visit regularly (encrypted). One fire and all your local copies gone otherwise.
matt-p
The main problem to my mind is that we have none. OVH are perhaps the only semi serious option and that's super depressing.
everfrustrated
As someone who has been using US clouds for over 10 years now, I was looking into the state of EU clouds recently.
It's like going back in time 15 years.
OVH co-mingling postgres customers on the same underlying server with no noisy-neighbour protections! AWS RDS is obsolete tech these days and they can't even match that!
matt-p
Yes, I know. I wouldn't really want to use OVH for anything besides bare metal, same for Hetzner (even then, they're not great at it).
The only good providers I'd use again are London based.
hinkley
OVH, who burned down a data center because it didn’t have fire suppression. Never forget.
this_user
That has been obvious since 2013 at least.
crazygringo
That ship has sailed with technology in general.
Sure, it isn't safe for EU governments to store data on US clouds.
It also isn't safe for US governments to rely on chips made in Taiwan that China could invade. Or for TikTok to be a primary media source in the US.
The fact is, we're an economically interconnected world at this point, in terms of software, in terms of hardware, and in terms of hardware supply chains.
And it's hard to see it going backwards. Economic efficiency is a powerful force. It often seems like the solution has to be to try to implement as many safeguards as possible, rather than cut off sources of technology. But I don't know... it's an incredibly difficult question.
hinkley
There’s an old civics aphorism: if goods don’t cross borders, then armies will.
Giving all your data to foreign states though may be a bridge too far. That’s not the same as buying cars or Swedish Fish.
It was never safe for any government to move any secrets to any cloud. The fact that the US government is okay with doing this with its own secrets surprises me to this day. You have no secrets from the person who owns your hardware.