Overseas

This question comes up frequently. The answer many services give is a flat "yes, because it adds red tape", but that answer is often completely wrong. The true answer depends upon your threat model and local law. You must first properly identify your threat model; after that, local law is the most important thing to consider.

For example, I have seen claims made that Hong Kong and Malaysia are safe havens for people wanting to hide from the US. On the face of it that makes sense, since neither government is overly friendly with the US government. The problem is that it's a wrong assumption. In fact, in most circumstances Hong Kong and Malaysia are easier places for the US authorities to get data from than a service within US borders would be. Why is this?

Besides the fact that political hostilities do not exist at all levels of government, and some levels actually maintain somewhat friendly ties, both Hong Kong and Malaysia have signed MLATs with the US and have virtually no local laws protecting privacy or data.

http://findarticles.com/p/articles/mi_m0WDQ/is_2006_July_31/ai_n26951553
http://travel.state.gov/law/info/judicial/judicial_690.html
http://www.fas.org/irp/congress/1997_hr/s970410r.htm


An MLAT is effectively a portal for a foreign entity to pursue a wanted person or crime on a foreign shore, as long as it is done under the local laws there and the guidelines of the treaty. This means that what matters most for your protection is the local law. Well, in both Hong Kong and Malaysia there are no protections against the seizure of server data in local law. The local police can just walk in and take it any time they want. So the Hong Kong and Malaysian MLATs can translate into few restrictions for the US to get your data, possibly even fewer than they'd have in getting data from a US-based host.

You are probably thinking "Hong Kong isn't going to turn over political or state secrets to the US", and this is likely true. This is where the threat model comes into play. If you are trying to hide Malaysian or Chinese state secrets from the US, those servers would be a good choice. However, if you are trying to hide something they don't really care about politically, and that could be handed over secretly, without public outcry, or with public approval, then you picked the wrong place. You've effectively removed red tape by choosing a location where local law offers you less protection than the jurisdiction from which you originated.

So whether or not overseas is safer depends upon your threat model and local law. Hiding from cyberstalkers, gambling online, filesharing, criticizing the government, and being an enemy of the state are all different threat models, and each has a different answer as to where you can do it most safely. Local law is extremely important because MLATs provide a portal, so that local law is nearly the only restriction.

The answer is already more complex than yes or no, and there is yet another variable. The answer today could change tomorrow because local law is often very dynamic. All countries are restricting privacy on the Internet. While the US seems to be the one the press focuses on, for every law the US passes, there are three passed in the EU, two passed in Australia, one in Canada, and so on that also restrict privacy. It's a lot to consider when evaluating what will protect you best, especially when what protects you best today can offer you no protection tomorrow.

So there is no pat answer to the question "Is overseas safer?". The best answer can only be "only if you understand your threat model, have properly researched current local law and found that it protects you better, continue to follow local law to ensure that it continues to protect you better, and have researched MLATs and found no way that direct or indirect MLAT agreements* can compromise you".

A very complex answer, as you can see, and it is a far cry from the "yes, because it adds red tape" answer. It shows that those who give that answer don't really understand the issues. That pat answer may have been true a long time ago, but it's not true as a blanket statement anymore. Times have changed.



* The term "indirect MLAT agreement" is used here to identify the scenario where one country may not have a direct MLAT with the target, but another country it does have an MLAT with has an MLAT with the target, and this is used as a back door in.

Additional Notes:

The existence of an MLAT may not always be a negative. In situations where local law is stronger, you've added protection. For example, say you live in a country without freedom of speech and you want to criticize your President/Dictator/Government. Picking a country with local laws that specifically protect freedom of speech works in your favor, even with an MLAT in place.

Remember that it is local law that trumps, and data/ID won't be turned over if it is protected by local law. A recent example of how local law trumps happened in Sweden with PirateBay: a local political law, unrelated to privacy or piracy, overturned a server seizure and shutdown done for the US, even though the US has an MLAT in place with Sweden. Interestingly, the PirateBay issue still doesn't mean that it is safe to be a software pirate in Sweden; PirateBay fell under very specific issues. Properly identify your threat model.