zlacker

Why would an organization deliberately put their core business outside the jurisdiction where they are incorporated, have offices, or do their primary business? They would not, just for some sort of tinfoil hat avoidance of legal repercussions, while in fact they could compound their legal troubles, and invite extra scrutiny, if they are crossing state lines, and/or setting up in "interesting" regions.

>>NoZebr+(OP)
> if they are crossing state lines

In the US, if your business is on the internet, it is crossing state lines, even if all your computers are in the same state.

In fact, pretty much all business in the US is considered across state lines.

>>NoZebr+(OP)
I think it depends. I don’t think putting their data outside their local jurisdiction would help much because as a cloud provider they would service a lawful warrant across regions unless the accounts are owned by a foreign entity then it would have to be complaint with the region both of the data and the entity owning the account. Some jurisdictions are “safer” than others and some are less willing to honor a warrant from a us court against a local entity.

I think this is fairly complex though to avoid a potential issue that likely won’t exist. By simply instrumenting audit and using service provider encryption services like aws KMS with CMK with audit trails turned on you generally insulate yourself from most warrants. You can still be compelled to turn over data, but it would have to be done with you being aware of it and often with your direct involvement. More importantly you would retain a copy of everything and all your infrastructure. If they have convincing evidence you’re using your infrastructure to commit crimes the cloud provider may freeze your account, though, but it would have to be more than “we think you have evidence of a crime in your data” and more like “you are using ec2 instances to commit crimes actively”