zlacker

I think it depends. I don’t think putting their data outside their local jurisdiction would help much because as a cloud provider they would service a lawful warrant across regions unless the accounts are owned by a foreign entity then it would have to be complaint with the region both of the data and the entity owning the account. Some jurisdictions are “safer” than others and some are less willing to honor a warrant from a us court against a local entity.

I think this is fairly complex though to avoid a potential issue that likely won’t exist. By simply instrumenting audit and using service provider encryption services like aws KMS with CMK with audit trails turned on you generally insulate yourself from most warrants. You can still be compelled to turn over data, but it would have to be done with you being aware of it and often with your direct involvement. More importantly you would retain a copy of everything and all your infrastructure. If they have convincing evidence you’re using your infrastructure to commit crimes the cloud provider may freeze your account, though, but it would have to be more than “we think you have evidence of a crime in your data” and more like “you are using ec2 instances to commit crimes actively”