> That's not how sovereignty works.

Actually, it is. It will operate as a subsidiary company based in Europe. That means it's 100% subject to European law, not American law. And being staffed by Europeans means they are immune to any US legal threats. I.e. the US can't compel a European employee to reveal data under a subpoena the way it could compel American citizens.

Amazon remains the owner and controls the technology, yes. But as long as things are encrypted correctly and the hardware is in Europe, the data is secure from the US government. Sure Amazon or any cloud provider could build a back door, but that will eventually be discovered whether by hacker or whistleblower and their reputation will be forever ruined and they'll lose all corporate and government business forever. It's not in Amazon's corporate self-interest to allow a back door like that.

> It will operate as a subsidiary company based in Europe. That means it's 100% subject to European law, not American law.

As a subsidiary company, does Amazon retain operational control over that branch?

If so, it's subject to the CLOUD act, and therefore, not compatible with EU rules.

> Amazon remains the owner and controls the technology, yes.

So, basically, the answer is that the EU subsidiary is not independent. Consider Lavabit's story, the US admin would have no issue asking Amazon to trojanize their tech.

> their reputation will be forever ruined

That happened 20 years ago.

> It's not in Amazon's corporate self-interest to allow a back door like that.

They wouldn't have a say in the matter.

> If so, it's subject to the CLOUD act, and therefore, not compatible with EU rules.

I'm assuming the CLOUD act is the entire reason why they're explicitly going with European-only staff.

That way Amazon can honestly say it has no operational control to violate EU law because there's no American employee they can command.

Operational control isn't all-or-nothing. European employees will do whatever Amazon tells them unless it breaks European law, in which case they won't. Amazon is intentionally setting it up in a way that it won't be able to do anything about that.

Not quite. If it works like the Thales / Google S3NS thing, then Amazon employees have no access at all to the EU infra, and any software updates Amazon needs to make can only be delivered to a quarantine environment from which they can only be passed on to prod by EU, non-Amazon employees, after validation.

That's in line with the requirements laid down by the ANSSI (French govt security agency), and those are tight. Believe it or not, they are not stupid.

A joint venture would work, indeed. There is still the possibility of a supply-chain attack, but it's still better than a subsidiary operating the system or hiring European employees.

> That way Amazon can honestly say it has no operational control to violate EU law because there's no American employee they can command.

> Amazon is intentionally setting it up in a way that it won't be able to do anything about that.

They can say whatever they want but when the NSA knocks on the door, they'll covertly implant a backdoor anywhere they ask and ship the update to the "sovereign" EU cloud. This is nothing but a ruse.

> Operational control isn't all-or-nothing.

When the US government has no issue asking a company to hand over its TLS keys, it really is.

If the company has no keys to hand over, because they gave them to the Europeans, then obviously that's quite a different situation.

The US can ask. That doesn't mean it gets what it wants. The government loses in court all the time.

Have you heard of many national security letters successfully challenged in court?

If it's not hand delivered or certified mail, into the trash it goes! :D

Or they’re attempting to ‘green wash’ something that the US parent can definitely actually control, so they have some plausible deniability. It is not even close to the first time something like that has occurred.

Being "100% subject to European law" doesn't override the parent company's obligations under US law. At best, it creates a legal conflict where AWS must violate either US or EU law. Which one will the US parent company prioritize if/when faced with enforcement actions?

The only way this would work is if the European operation were truly independent & separately owned, no corporate control from the US. But I don't think that's what AWS is proposing.

> Being "100% subject to European law" doesn't override the parent company's obligations under US law. At best, it creates a legal conflict where AWS must violate either US or EU law. Which one will the US parent company prioritize if/when faced with enforcement actions?

IANAL/etc, but the subsidiary and the parent are different people (legal personhood). The US parent is only responsible for the EU subsidiary’s actions under US law to the extent it has effective control of them. If the parent tells the subsidiary to obey a US legal order, and the management of the subsidiary refuses on the grounds of EU law - then the management of the parent has done what US law requires them to do. The US management might consider firing the EU management and replacing them with new managers - but if the job requirement is “must be willing to break local law”, nobody with an appropriate background is going to apply, so if they fire them they won’t be able to replace them, hence they are legally justified in not firing them.

It is normally true that a wholly-owned subsidiary just does whatever the parent’s executive management demands, but this is one of the rare cases where that generalisation breaks down. (If we consider non-wholly-owned subsidiaries, it becomes a much more common thing.)

> nobody with an appropriate background is going to apply

You don't need any “appropriate background” if you are going to be a one time tool to enforce an action.

And given the previous managers know that they have no power to stop the move anyway (because their replacement will comply) I doubt many would be willing to sacrifice their position just to keep the moral high ground.

That is a rather laughable actual protection isn’t it? People do stuff because their bosses tell them to.

I know people (even members of my own family) who have resigned jobs because they felt the personal legal risk to themselves was excessive. In my experience, it is a much more common event at the C-suite level, where that risk is most acute, than at the level of individual contributors. If the company goes bankrupt, the ICs in accounting are unlikely to be personally found liable for the company’s debts - but if the CEO and CFO are proven to be guilty of “trading while insolvent”, they can be.

Sure, then they replace them with someone with no such insight/scruples. They quit because the company wasn’t going to change ‘the orders’, yes?

Eventually they found someone who would do what they were told without quitting, that is how this works.

Right, and then if the US parent company orders EU managers to violate EU law, and when the managers refuse, replaces them with EU managers stupid enough to obey an illegal order - then what happens? The new EU managers get arrested and possibly end up in prison. Worst case scenario for the US parent, is the US parent company is (civilly or criminally) prosecuted under EU (or member state) law for giving the illegal order, convicted, and then as punishment, they are deprived of their local assets, including ownership of the subsidiary in question.

The parent company is ultimately at greater risk than the subsidiary - the parent can be deprived of ownership of its subsidiary, there is no equivalent consequence for the subsidiary.

Assuming it ever gets detected, which certainly isn’t going to be common eh?

I’m not really sure the point of your comment, actually. Are you asserting that no one would ever tell someone to do anything illegal because someone else might get in trouble for it?

Because if so, you might want to read the news?

> replaces them with EU managers

why would they do that? they'd put a US manager there temporarily

That would be illegal. They are offering this service to EU governments (and government contractors) under contractual terms which promise EU management. Replacing the EU management with a US manager would at a minimum be a breach of contract - and since some of these contracts are for sensitive / national security use cases, possibly much more serious legal consequences than just garden variety breach of contract

> Replacing the EU management with a US manager would at a minimum be a breach of contract - and since some of these contracts are for sensitive / national security use cases, possibly much more serious legal consequences than just garden variety breach of contract

and the EU has no leverage to do anything about it

if they did they wouldn't have selected AWS "Sovereign" cloud in the first place

The EU has no leverage?

This is located within the EU. They can walk in and arrest the US manager or deport them immediately, and throw any direct reports in jail if they obey the US manager.

The EU has all the leverage here. Sovereignty over a geographical area does actually mean something.

> They can walk in and arrest the US manager or deport them immediately,

how? they'd be in the US (hence "US manager")

> The EU has all the leverage here.

it has one threat: to shut it all down, at which point the EU re-enters the dark ages

threatening to blow off your own leg is not leverage

> and the EU has no leverage to do anything about it

Absolutely they do have leverage – maximum they could possibly do would be confiscate Amazon's EU assets (physical, financial, corporate and intellectual)

> maximum they could possibly do would be confiscate Amazon's EU assets

so they can turn off their own critical services?

threatening to shoot yourself in the foot with a tactical nuke is not leverage

At this point, you might as well use no cloud provider because at some point someone may be able to be leveraged? Whether that's by your country, another country, or some other nefarious entity.

That is where this is clearly going, yes. Which is why AWS is making this move, to try to head it off.

For those with nothing they particularly care about, it will be enough. For those with something to lose - currently small, but increasing, see the 80’s and the French Industrial espionage scandal - they’ll move back to on-prem if they haven’t already.

They generally don't when the boss is safely protected in another country, but you'll go to jail in your own country.

They do all the time. See every mining company, ever.

Or every restaurant, or construction company.

> At best, it creates a legal conflict where AWS must violate either US or EU law.

No, that's the whole point of this setup. Amazon will not be violating US law when its European subsidiary says no, we won't respond to your subpoena. It would be if Amazon USA owned the European data centers directly and employed American workers. But it will do neither. The US courts can't compel companies to do things they have no legal authority over. It doesn't matter that Amazon owns the subsidiary -- fundamentally, the subsidiary is a foreign entity.

Case in point: China. China forces foreign companies to run this setup all the time, and it's one of the chief issues with outsourcing and IP property theft/transfer (depending how you look at it).

This is an arrangement which enormously benefits Europe because it's quite similar.

Amazon has ownership of the company not a management stake. If you had a startup and filled all your board seats with only EU board members. That doesn't mean the CEO and other officers are bound by EU law. Sure they could fire CEO and other officers but I bet the bylaws of the company require officers to be EU citizens.

The EU is being squeezed by USA and China on all sides whilst staring down the barrel of a Russian invasion on their eastern borders. They're in a really bad place and don't have a lot of options. It's why they were so quick to succumb to Trump's lopsided trade agreement.

> It will operate as a subsidiary company based in Europe.

Already was - I pay Amazon Web Services EMEA SARL ("AWS Europe") an entity established in Luxembourg.

> That means it's 100% subject to European law.

Always have been. What is it with tech companies thinking the law doesn't apply to them because muah internet?

> US can't compel a European employee

Courts compel companies not employees, companies get fined and CEOs go to jail for failure to comply.

> Sure Amazon or any cloud provider could build a back door, but that will eventually be discovered whether by hacker or whistleblower and their reputation will be forever ruined and they'll lose all corporate and government business forever. It's not in Amazon's corporate self-interest to allow a back door like that.

In which alternate reality is that? This already happened with Snowden's leaks when we learned about Microsoft's, Apple's, and Google's participation in the PRISM program and their market dominance has only grown since then. There were no consequences, the market didn't care, the shareholders didn't care, their customers largely didn't care, and they didn't lose any sleep over it.

> their reputation will be forever ruined and they'll lose all corporate and government business forever

Unfortunately this is not how it works. A cynic in me would say just the opposite, looking how CrowdStrike is doing now after causing one of the biggest technological disasters of the decade by their incompetence.

So no backdoors, right? Pinky swear?

So Amazon becomes a supranational entity.

You should be ashamed of yourself for shilling for this shit. Curtis Yarvin would be proud.