Do you need a privacy respecting cloud?

22 replies [Last post]
happy_gnu
Offline
Joined: 08/06/2017

Hello everyone!

I am a Lawyer, Free Software advocate and I care about privacy a lot. I've been a member of this forum a long time, but right now I run Parabola with Guix.

Right now I am studying a master on Law of Technology and Privacy. I care a lot about Free Software and Privacy, I've even met Richard Stallman in person and I had the luck to eat lunch with him.

Anyway I talk about this because I want to start offering a cloud service, could be syncthing or Nextcloud. I plan to make it free and maybe ask for donations. Having 100 to 150USD in donations a month would e awesome, that way I could buy more storage.

The reason why I want to do this is because there are not many Free Software and privacy respecting clouds for free. Much less with a Lawyer who cares about privacy and will fight the government for your privacy and also happens to be studying a master about it.

Right now I think using syncthing and encrypt my connection with tor would be great. But I am open to suggestions and feedback.

Please let me know if you are interested and if you have any questions!

calher

I am a member!

Offline
Joined: 06/19/2015

I would be interested. I already have email, storage, web, and XMPP, but
I would like stuff like calendar syncing and other "Google-y" things.

--
Caleb Herbert
KE0VVT
816-892-9669
https://bluehome.net/csh

commodore256
Offline
Joined: 01/10/2013

Whatever happened to the days of self-hosting?

I have a gigabit fiberoptic line on the east coast, so it's close to NYC, Boston and I tested with speedtest-cli and I can get 100Mbps up to both San Fran and London at 90ms. I'm not saying that to brag, but perhaps somebody who has a line as good as I am would be willing to part with some of their upstream pipe. I know in addition to myself, Beko also has a gigabit line.

I would be willing to provide a contract in exchange for some freedom friendly hardware and cash. I would of course need a protection from an act of god. but some of that investment would go to a UPS and on top of that, the Server would be a T400 running Trisquel and Libreboot. So it would be all free software, have a UPS and since it's a Laptop, it pretty much has a UPS built in, so there would at least be some protection there. Though I'm not very experienced in self-hosting, this would be a crash course for me, I never really setup Port Forwarding or a DNS, but I have played with Apache, SSH and Samba when I modified an iMac G3 SCSI Cable to take standard 5.25in IDE optical drives.

happy_gnu
Offline
Joined: 08/06/2017

That seems great, but I am not a US Citizen so I would not be able to protect people's data from government lawsuits there.

I am not only trying to offer a technology, but also the legal fight in case something happens :)

Beko
Offline
Joined: 08/31/2019

I would love to help! Alas we are both in the country where PRISM and 14 Eyes was founded. If the US gov is coercing Google/Amazon/Apple/Microsoft/etc.. to pass over data, they could much more easily do it to you or me.

PrimeOrdeal
Offline
Joined: 09/15/2019

I'm not an expert on this but could it be possible that what you are discussing is an anonymous encrypted peer to peer (P2P) network which could also be a "friend to friend" (F2F) network?
https://en.wikipedia.org/wiki/Anonymous_P2P
https://en.wikipedia.org/wiki/Friend-to-friend

I cannot comment on whether this is a good thing because I have not got experience of it but I was quite interested to read about FreeNet ...
https://en.wikipedia.org/wiki/Freenet

Has anyone got experience of FreeNet and can comment on whether it worked for them?

PrimeOrdeal
Offline
Joined: 09/15/2019

I think there is strength and resilience in decentralised / distributed services. There is privacy in encryption. Centralised services have inherent security vulnerability.

GNUser
Offline
Joined: 07/17/2013

Hello happy_gnu,

First of all, thanks for considering the creation of a User respecting service using Libre software. A special note for wanting to create one where the User is LEGALLY protected, which usually doesn't happen in free (as in gratis) services. However, I will ask you to consider the amount of money it would require to do such legal protection... If the service really comes under attack from governments and legal agencies, you will probably need to give it full time attention, so 100USD donations a month won't cover it. I only say this to help you better understand that supporting the technical infrastructure is a lot different (in terms of money) from what you wish to do. To give you an idea, take a look at how much trouble the Tor Exit Nodes have to go through every month and the amount of money spent there.

All that being said, I see it as a good thing, which I don't really need right now but is indeed useful for other people. I also see that as a lawyer interested in Free/Libre software you could provide legal assistance for other projects that would benefit the community and maybe not be such a burden on you. Tor exit nodes as an example (get in touch with www.torservers.net which is a great project), maybe help in some FSF advocacy projects.

Wish you all the best.

happy_gnu
Offline
Joined: 08/06/2017

I think you are being condescending and that bothers me. First of all what leads you to believe you can tell me What to do with my free time or with my money?

I am not living in United States I can't help foreign tor nodes. I won't provide assistance to the FSF. When I talked about it to RMS a few years ago he answered "We don't need a mexican lawyer".

When it comes to the "legal costs" There is a far far lower chance there is a legal request here. And it case it does, well I'm a lawyer already and I have my own office, I don't see why it would cost me money some government request. Perhaps law is different where you live?

Besides, what can they ask me for? Encrypted data? Or non existen logs?

GNUser
Offline
Joined: 07/17/2013

> I think you are being condescending and that bothers me.

I wasn't trying to be.

> First of all what leads you to believe you can tell me What to do with my free time or with my money?

Again, wasn't trying to.

> I am not living in United States I can't help foreign tor nodes. I won't provide assistance to the FSF. When I talked about it to RMS a few years ago he answered "We don't need a mexican lawyer".

RMS is no longer a part of the FSF, maybe their stand has changed. If you still don't want to, or cannot, that's up to you. I understand why you didn't like his statement.

> When it comes to the "legal costs" There is a far far lower chance there is a legal request here. And it case it does, well I'm a lawyer already and I have my own office, I don't see why it would cost me money some government request. Perhaps law is different where you live?

I don't know how things work in your country, here yes it is different, but you are wrong in one thing...

> Besides, what can they ask me for? Encrypted data? Or non existen logs?

This is where you are wrong. They won't be asking you for non-existent logs. If your service comes up in an investigation that brings in international agencies (FBI, Interpol, etc) they will demand, and force you to provide, unlimited backdoor access to all the connections in real time. Read what happened to Lavabit, an email service provider that was forced to shutdown to avoid betraying their users. In case you try to resist, those said agencies will make up false accusations against you. Again, read Lavabit's past history.

So, I am totally supportive of creating a service such as that, which I had said before, read my initial comment. I am just letting you know some of the problems you will be facing. But hey, don't let me stop you from doing it, I am sure you will do great! ;)

happy_gnu
Offline
Joined: 08/06/2017

Ok the thing in we have an amazing legal tool in México it is called 'Amparo.

Basically it can stop any cop from arresting you or any authority order from being executed if it is against your human rights. It can stop laws from applying to you, judge orders, cops, and a lot of stuff.

It is emitted by a Federal judge and that way it can give me enough time to at minimum let people know what's going on, so they can take appropriate steps.

It is meant to protect your constitutional right, so if they come and say 'gives all your data', you can just go to a judge and say 'this is against my human right to Internet' (here internet is a human right protected by the constitution)

There are more legal details, but let me say I think we have a pretty solid law to protect people, that's why I want to do this for free for the free software community.

commodore256
Offline
Joined: 01/10/2013

Well, that depends on if it's enforced. There's a country that has a constitution that supports freedom of speech and the Press. That country is North Korea.

Lawmakers will always add ambiguous language and make the constitution not worth the paper it's written on.

Masaru Suzuqi -under review-
Offline
Joined: 06/06/2018

But that 'Amparo seems to be a great thing. I envy it. I did not know Mexico was such a democratically developed country.
And law itself usually seems to be able to be taken ambiguous since the nature of languages. I suppose how to handle the ambiguity is a lawyer's chance to show her/his skills.

commodore256
Offline
Joined: 01/10/2013

It is in theory until they just stop caring. Like over here, we have a right to keep and bare arms and it even says that right shall not be infringed and they just infringe it anyway and no, they didn't mean "just muskets", that's like saying freedom of the press only applies to a printing press. But they meant whatever hardware they could get their hands on.

Just watch Amparo be infringed, it always happens. Here we have something called "the supreme court" in the states and they can reinterpret the constitution. All you need is a dirty communications bureaucracy that controls competitors to news broadcasts with a dirty executive branch that can appoint dirty "Justices" and they can have their kangaroo court and what the "Justices" say is what every Lawyer will go with because it would be an up-hill battle to overturn a Supreme Court ruling even if you got new appointed Justices that were clean because it would be very expensive and you would have to request so many appeals and not get rejected along the way..

Lawmakers will always find loopholes.

happy_gnu
Offline
Joined: 08/06/2017

It always happens? Seriously? An order by a federal judge which if an authority doesn't obey goes to jail?

Not only you compare México to North Korea you are going to throw an argument so bold with no proof?

What is that leads you to believe you can just throw arguments out there with no basis? You clearly are just making stuff up for the sake of arguing.

happy_gnu
Offline
Joined: 08/06/2017

It is a great thing!
And fortunately our Supreme Court has done a lot of work in recent years to push hard for Human Rights.

happy_gnu
Offline
Joined: 08/06/2017

It is a great thing!
And fortunately our Supreme Court has done a lot of work in recent years to push hard for Human Rights.

GNUser
Offline
Joined: 07/17/2013

Thanks for the reply, I don't know about Mexico legal system, nor its politic situation. I see that, in such a protected environment, one will feel more at ease to deal with such a service, and since you have the possibility to do so, by all means, do so! The world will greatly benefit from your work!

Still, be careful since politics and laws might change at any time in the future, and make sure that in a technical perspective there is not much you can do to spy on your users... Instead of a "no logs policy" make the service available as Tor Onion Service and I2P eepsite, so that there are no IPs to log in the first place. Avoid using Javascript for GPG (kinda like ProtonMal does), that way there will not be any keys in your servers to begin with. You know, actually make it so that if FBI, NSA, Interpol, and even your mother try to force your hand you cannot actually do it, because it is not possible. There is a saying "make it secure by design and not secure by policy". It's a good principle.

Like I said, I will not likely use it, since I don't have a need for it at the time, but it's a good tool for lots of people, do it! I believe your expertise might be a powerful tool to empower people all around the globe! Good to have you with us.

happy_gnu
Offline
Joined: 08/06/2017

.

happy_gnu
Offline
Joined: 08/06/2017

.

Dmitry Alexandrov
Offline
Joined: 03/07/2019

name at domain wrote:
> Do you need a privacy respecting cloud?

A cloud? [0] What exactly do you mean by ‘cloud’? ;-)

[0] https://www.gnu.org/philosophy/words-to-avoid.html#CloudComputing

> could be syncthing or Nextcloud.

If a private remote file storage, then no, I believe, we do not need it. There is actually no much privacy issues with them, as by their nature they: (a) do not need to have an access to your data unencrypted, (b) do not tend to provoke legal issues, so existing services do not insist on knowing who your are.

So there is virtually nothing to improve here.

> I am a Lawyer, Free Software advocate and I care about privacy a lot.
> I care a lot about Free Software and Privacy
>
> I want to start offering a cloud service

If you are really willing to contribute your legal and management skills to the strengthening privacy on the Net by staring some kind of service, then there is such kind of service: an anonymous VPS/VDS (and later dedicated too) hosting that accepts cryptocurrency payments.

Besides Digital Ocean resellers there are indeed very few of them, practically a Red Book specimen.

Dmitry Alexandrov
Offline
Joined: 03/07/2019

Dmitry Alexandrov <name at domain> wrote:
> If you are really willing to contribute your legal and management skills to the strengthening privacy on the Net by staring some kind of service, then there is such kind of service: an anonymous VPS/VDS (and later dedicated too) hosting that accepts cryptocurrency payments.
>
> Besides Digital Ocean resellers there are indeed very few of them, practically a Red Book specimen.

Or, if you think that dealing with hardware is not for you, there is another type of service, that would benefit Internet privacy a lot, which is — on the contrary — completely virtual. It’s a proxy for registering domain names anonymously.

They are even rarer than anonymous VPS hosting: I am aware of no more than three.

strypey
Offline
Joined: 05/14/2015

Hi happy_gnu. You express some admirable goals here. I think there will always be a need for more people running online services using free code software, to help avoid a situation where the growing numbers of the users who want those services (and don't have the skills or resources to self-host yet) end up as a burden on a small handful of stressed services. Here's some info that might help.

Do you have much experience in hosting servers for large groups of users? Calmstorm mentions Disroot, which hosts a NextCloud instance along with many of services using free code software. The Disroot admins often talk about how much work it is to maintain these services, and how carefully they consider the added work when they think about adding new services. Framasoft, another user-respecting host, recently announced they are shutting down a lot of their hosted services, presumably because of the workload involved in maintaining them as their user numbers grow.

Perhaps as a first step, it might be worth contacting community-hosting organizations like these that already run a service (including RiseUp.net, OurProject.org, Peer.community, Commonscloud.coop, and many others), and offering them legal help? Perhaps you could propose a skill swap, where in exchange for your legal help, they help you learn more about setting up and maintaining servers for large user numbers?

Finally, let's say you are aware of the workload involved in running a hosting service and you really want to set up a new one based in Mexico, to take advantage of the legal protections you've identified there. If by "cloud" you mean a Dropbox-style file-hosting and sync service, SyncThing is not an option for you, since it is P2P software that syncs between devices without any need for servers. NextCloud is probably your best bet, although you could also evaluate Cozy:
https://docs.cozy.io/en/tutorials/selfhost-debian/