<i>Again, we are not the police and not a court of law. Authorities can and do require access to customer data from time to time in a way justified by local law; we comply with the law in those cases.</i><p>Really?! And what are you suggesting your principled stance is going to be when they shove a law in your face that violates and contradicts another law or an edict or the US Constitution you grew up believing was sacrosanct?<p>The problem is that they make any law they want to make, then keep it secret. Then they enforce the law they just made, forcing you into a position where you either have to give them the middle finger or subject your business to the possibility of being shut down - legally. Should you decide you want to challenge the enforcement of a law you believe is illegal, on behalf of one of your customers, you can't tell the press, you can't have an open proceeding in view of public scrutiny, and you can't inform your customer of the challenge. When the ruling eventually comes down (from a court who's sworn to as much secrecy as the agency you were fighting), you aren't even allowed to share <i>that</i> with anyone either.<p>I applaud what you probably believe is a line in the sand. But we can't even get to the real debate of privacy until we are allowed to challenge the very instruments that lay claim to authority over us... in public. It's that simple.
Excellent points. One other thing I'd like to see is a commitment to notify customers to the extent permitted by any court orders and to fight for additional notification rights (as Twitter has done).<p><i>We have set-up our corporate structure so that each cloud location is managed by a local company and therefore subject only to that jurisdiction (our holding company is Swiss and unlike US holding companies it has no concept of extra-territorial jurisdiction, if that were to change, we'd change holding company, it is that simple).</i><p>IANAL, but this seems a very significant point. However, I wonder if the US claims jurisdiction on the parent company if there's a US-based subsidiary?
Of course, the majority of these features are shared by most or all of the very "biggest competitor" cloud providers they are comparing themselves with, and in many cases more effectively than this tiny company possibly can. So that's a bit misleading, to claim these as competitive advantages.<p>The corporate structure point is interesting, but I'm skeptical about its legal efficacy.<p>The part that's most interesting to me is the part of #1 where they say "sole root/administrative access" and "we have no file system level access". Is this actually technically possible, given that it's not just storage (obligatory props to Tarsnap!), but actual computing? I mean, I know that there are encryption schemes that allow you to do certain particular kinds of transformation on the encrypted data without unencrypting it... but isn't it impossible to do what they say, run a generalized IaaS/PaaS, without being able to see your data?<p>In summary, is there a single competitive advantage here that is all of<p><pre><code> * actually a competitive difference, and
* is actually possible, and
* actually has any effect
?</code></pre>
The blog post claims that they only accept https on a page that is not served over https: <a href="https://www.evernote.com/shard/s120/sh/e57bad7c-811d-4632-adaf-1bc2eb492cd5/2d5ac67eef5c1c3f8380ad9bd40de74c" rel="nofollow">https://www.evernote.com/shard/s120/sh/e57bad7c-811d-4632-ad...</a>
...and the NSA has tapped into every strand of fiber in the world making this sales pitch meaningless. They already have access. They only request access to allow what they already know to be admissible in the courts.