It's not a question of "can't", it's a question of economics.
People keep confusing targeted attacks with bulk data collection. Nobody doubts the NSA can successfully launch a targeted attack against nearly any organization.
But that's not economical to do against everyone all the time. Whereas bulk collection of unencrypted or poorly-encrypted data from the handful of biggest cloud providers and network operators is cheap and easy.
So yes -- leaving the big providers in favor of competently-managed small-scale, lesser-known providers is probably a step up in privacy.
Except that legally speaking bulk collection is even easier for NSA overseas where the Fourth Amendment doesn't apply. Given the way cloud computing works all they'd have to do is "target" the top 3 or 4 cloud-based source code hosts and get everything, and there'd be no legal defense against it.
For U.S.-based cloud infrastructure it's at least possible to take it to court (as Levison did).
So it's a pick your poison thing unfortunately. If you think you can outwit targeted surveillance then by all means use an overseas hosting provider but if they would be targeting you either way then it might actually be safer doing what The Guardian does, and using U.S. law as a shield.
> Except that legally speaking bulk collection is even easier for NSA overseas where the Fourth Amendment doesn't apply
Treating notionally allied countries as free-fire zones is a curious definition of "easy". You run this kind of risk: http://en.alalam.ir/news/1528560
And for that reason, anyone with regard to the long term would deploy that kind of thing cautiously, if at all. But I have no idea if that applies to the NSA.
It's curious, I have seen this kind of comment on HN before, essentially saying "US law doesn't apply in other countries therefore the NSA can do anything that they want there" ignoring that other countries have their own laws, often stricter in terms of privacy. My suspicion is that this is a particularly USAian myopia, which does not bode well for the NSA. Clearly they have gotten away with it for a decade or more; but it relies on goodwill and secrecy; and those reservoirs are looking very low lately.
> My suspicion is that this is a particularly USAian myopia, which does not bode well for the NSA.
I am telling you literally like it is. Whether or not you want the Fourth Amendment to apply outside of the U.S. (keeping in mind that amendment is the only part of U.S. constitutional law restricting electronic surveillance by the U.S. government anywhere in the world), the fact is that legally speaking it doesn't. I'm not telling you how the world should be here, I'm telling you how it actually is.
This is not specific to the U.S. though. Does Germany have constitutional laws forbidding them to collect intelligence from networks in France?
> Whether or not you want the Fourth Amendment to apply outside
Now you have changed the subject. The original assertion was that it was "easier" for the NSA to collect bulk data outside of the USA. If the 4th amendment was the only factor then it might be so. My point was that the 4th is not the only factor.
For another example of this, how seriously would someone like Lavabit take a US court order to hand over keys and shut up if they were based in Reykjavík?
I did actually miss that, and the purely legal aspect of it is not the whole and interesting picture. But I don't think that it makes a difference.
TAO (i.e. computer network exploitation) may be easier if you possess a legal/ethical framework whereby allied countries are free-fire zones; at least up to the point when they're no longer allied.
But bulk data collection is not TAO. As far as I can see, it relies firstly on physical access to network infrastructure, so you can put a secret room at the phone company or copy the network traffic off the undersea cable as it lands. This is legally easier in your own country.
Secondly it relies on legal authority over companies. US agents arrived at Lavabit with a US court order to hand over the crypto keys and tell no-one. How would that play for a company based in Reykjavik? I expect that after the laughter and blog posts, a bit like this: http://www.infosecurity-magazine.com/view/30559/iceland-expe...
Except, of course, when TAO allows you access to data in bulk. That was my whole point, and if you guys keep conflating legal jurisdiction, technical capabilities, and scope of effect with each other then you'll have only yourself to blame when you get outwitted and your data ends up in a database with ALLCAPS naming conventions. :P
Quite right. Even better is hosting your git yourself so that the data never leaves the premises. It is more work; but from a security point of view it's even better.