> It will operate as a subsidiary company based in Europe. That means it's 100% subject to European law, not American law.

As a subsidiary company, does Amazon retain operational control over that branch?

If so, it's subject to the CLOUD act, and therefore, not compatible with EU rules.

> Amazon remains the owner and controls the technology, yes.

So, basically, the answer is that the EU subsidiary is not independent. Consider Lavabit's story: the US admin would have no issue asking Amazon to trojanize their tech.

> their reputation will be forever ruined

That happened 20 years ago.

> It's not in Amazon's corporate self-interest to allow a back door like that.

They wouldn't have a say in the matter.

> If so, it's subject to the CLOUD act, and therefore, not compatible with EU rules.

I'm assuming the CLOUD act is the entire reason why they're explicitly going with European-only staff.

That way Amazon can honestly say it has no operational control to violate EU law because there's no American employee they can command.

Operational control isn't all-or-nothing. European employees will do whatever Amazon tells them unless it breaks European law, in which case they won't. Amazon is intentionally setting it up in a way that it won't be able to do anything about that.

Not quite. If it works like the Thalès / Google S3NS thing, then Amazon employees have no access at all to the EU infra, and any software updates Amazon needs to make can only be delivered to a quarantine environment from which they can only be passed on to prod by EU, non-Amazon employees, after validation.

That's in line with the requirements laid down by the ANSSI (French govt security agency), and those are tight. Believe it or not, they are not stupid.

A joint venture would work, indeed. There is still the possibility of a supply-chain attack, but it's still better than a subsidiary operating the system or hiring European employees.

> That way Amazon can honestly say it has no operational control to violate EU law because there's no American employee they can command.

> Amazon is intentionally setting it up in a way that it won't be able to do anything about that.

They can say whatever they want but when the NSA knocks on the door, they'll covertly implant a backdoor anywhere they ask and ship the update to the "sovereign" EU cloud. This is nothing but a ruse.

> Operational control isn't all-or-nothing.

When the US government has no issue asking a company to hand over its TLS keys, it really is.

If the company has no keys to hand over, because they gave them to the Europeans, then obviously that's quite a different situation.

The US can ask. That doesn't mean it gets what it wants. The government loses in court all the time.

Have you heard of many national security letters successfully challenged in court?

If it's not hand delivered or certified mail, into the trash it goes! :D

Or they’re attempting to ‘green wash’ something that the US parent can definitely actually control, so they have some plausible deniability. It is not even close to the first time something like that has occurred.