No US SaaS for European businesses?

Private SaaS: a new gold standard?
May 24, 2023
Navigating LLMs challenges in data security & compliance
October 3, 2023

In today’s episode, Sylvain is joined by Ayedo CEO Fabian Peter. In this episode, we discuss personal data exchange between Europe and the US, and a world where European companies may not be able to use American internet services. Fabian is in the process of stopping the use of US-based SaaS for his business. In 2020, Europe canceled the Privacy Shield agreement for failing to protect European citizens’ personal data. Indeed, US government agencies such as the NSA had easy access to this data.

A new agreement, the Data Privacy Framework, was implemented to address that. However, companies following that framework have faced confusion and higher compliance costs while this new agreement isn’t addressing the issues for which the Privacy Shield was canceled. And because there is no way for US companies to guarantee that European citizen data won’t be handed out to government institutions. It is possible that Europe will eventually deny its companies from using American internet services. The implications would be massive. How would this work?

Key takeaways:

  • Data Privacy Concerns: The cancellation of the Privacy Shield agreement in 2020 raised significant data privacy concerns for European companies using American internet services, as U.S. government agencies had easy access to European citizen data.
  • Sovereignty and Security: Striving for sovereignty in data handling is crucial for European companies. Focusing on building technical solutions to enhance security is emphasized over relying solely on legal frameworks.
  • Gradual Migration Strategy: A gradual approach to moving away from U.S. internet-based services is recommended. Starting with less impactful applications like Jira and Adobe and transitioning to self-hosted alternatives for critical services.
  • Challenges in Email Migration: The conversation highlights the challenges of migrating email services, emphasizing reputational considerations and the need for fail-safe systems. Successful email migration away from Microsoft 365 to a German mail provider is discussed.
  • Private SaaS as a Solution: The concept of private SaaS, with segregation between the control plane and the data plane, is suggested as a potential solution. This model allows for the advantages of SaaS software with added data control, offering a way for companies to balance their needs.

Read the transcript

Sylvain Kalache 0:00
Welcome, everybody to the Data Defenders Forum. This is episode number three, and I am Sylvain Kalache. I will be your host for today. In this episode, we will discuss the personal data exchange between Europe and the US, and how European companies may not be able to use American internet services in the near future. In 2020, Europe canceled the Privacy Shield agreement for failing to protect European citizens’ personal data. Indeed, US government agencies such as the NSA had very easy access to this data. To address that, a new agreement known as the Data Privacy Framework was put in place. However, companies following this framework have reported confusion and higher compliance costs, while this new agreement isn’t really addressing the issues for which the Privacy Shield was canceled. And because there is no way for US companies to guarantee that European citizen data won’t be handed out to government institutions, it is possible that Europe will eventually deny its companies the use of American internet services. The implications would be massive. How would this work? In today’s episode, we are joined by Fabian Peter, who has actually tried this for his own business. He will share with us how in 2020, Fabian, a tech founder from Germany who ran several businesses in the space of cloud solutions, software development, and IT infrastructure with a focus on microservices and Kubernetes architecture, decided to stop using US-based SaaS. Fabian, welcome.

Fabian Peter 1:48
Hi, thanks for having me here. I’m very excited.

Sylvain Kalache 1:52
Thank you for coming. So, I got to learn about you and what you tried through a personal LinkedIn post where you reacted to a blog post by DHH. You mentioned that you tried to basically stop using US internet-based services for your company. So why did you decide to do that?

Fabian Peter 2:20
I’m not an apologist in these terms, but I share your opinion that in a few years to come, probably European offices and other regulatory offices will, in some way, make it very hard for European companies to use foreign software. And by foreign I actually mean US software, because I’ve never had this debate with Iraq, or Israel, but it’s always only the US. It’s just like a gut feeling. Given that in the past few years, these legal frameworks emerge, get replaced, emerge again and get replaced again. And with every iteration of the process, there’s more fear that we might lose the software in the future. So there’s a certain movement as we strive for sovereignty, so we are lost in the end. And the second thing is that there are very hard decisions definitely made in Germany by courts that simply deny access to certain public institutions, to Microsoft services or Google services. So for example, in Bottrop and Beckum, there has been a ruling that disallows schools from using Microsoft services for collaboration based on the assumption that the data cannot be definitively secured, or, I don’t know, locked away from external access, so to say. And I, personally, since I’m a tech founder, just think about the future in terms of if this hits us, what will be the implications, as you mentioned, it would be very, very hard for European markets to be locked out of the software ecosystem, because everything we do in Germany was running on Excel. And these days on Azure Active Directory Online and stuff like that. And I’m just asking myself, do I want my company to be in that position, back against the wall in a few years, and then I have to move all my services to alternatives that might not be established well enough, or that I do not have the skills to actually use because, you know, you need training and like muscle memory, even with your technology. Otherwise, it’s just a piece of technology, if you can, or can’t put it to use, which takes time. It doesn’t help you. So I’m just trying to look ahead and think about my problems in terms of what tech do I need to use? What problems do we need to solve? And can I replace my usual go-to service like Microsoft, MS 365, with something else that’s not in the US, that’s not controlled by US entities, that doesn’t have any looming legal conflicts in the future. And on the other hand, of course, I’m a huge proponent of avoiding walled gardens and lock-ins. So, of course, I’m looking for alternatives. But the main premise is, in a few years to come, I guess it will be very hard for us to justify why are we using a service that doesn’t guarantee you that serenity and doesn’t respect our GDPR. And I don’t want to move fast in five years, I prefer to move slow now, make good decisions. And

on the other hand, our whole business is built upon the premise that our customers do the same thing. So we are trying to provide these services to them on European hardware, open-source license, proprietary doesn’t matter. It’s just where’s the data located? And most of the time, that means not in Azure and not in Google and not in AWS.

Sylvain Kalache 6:13
Right. Yeah, I think you mentioned multiple interesting things that indeed, like a bunch of institutions are already denied from using, you know, American services. And it’s not, sometimes the data is in Europe, physically, but it’s still under the governance of American companies. And so, you know, if a government agency in the US requests the data, they have no choice but to agree. And so we see this emergence of our data needs to remain local, you know, physically speaking, but obviously, the control doesn’t just remain here, in the US, so it’s, yeah, I’m kind of surprised about, you know, like countries thinking that having the data locally, located physically in a data center in that country will change anything; maybe it’s lawmakers who don’t really understand how tech is working, or maybe it’s the first step towards this. But I find it a bit useless to be honest. And, yeah, I think it makes a lot of sense for you to do that. Because as you said, by applying it to your own business, you can then provide this for your customers who may need it in the near future or want to be ready for it. Depending on the type of industries that your customer is in, it might be already happening. Or maybe sooner or later, so and so what how, you know, so you came up with this analysis of the situation? What was your strategy? To achieve that? How did you go about it?

Fabian Peter 8:08
I moved slowly, so that’s one thing. Meaning, we or I didn’t expect to just cut out any US service and then have an immediate replacement that fulfills all my needs. So we started slow, we started by getting rid of stuff like Jira, Adobe. So things that do not have that huge impact in my daily communication, or, I don’t know, process management in the company. Then we moved away from pretty much MS Teams, we used that as a chat app a few years ago, we moved towards Metamorphosis self-hosted, which was easy. And more and more with each service that we let’s say, conquered with each application, SaaS service, it doesn’t matter if it’s US or anything else. We started migrating everything to self-hosted and on-premises stuff. So I never need to have a discussion on where’s my data located with anyone because it’s on my premises. And after a while, we decided to go with the harder cases, which in my case, the hardest thing to migrate away from Microsoft and friends, is email. So because about a year and a half ago, and we’re a small company, we successfully moved our emails out of MS 365, into a German-made provider, so we didn’t decide to make that on our own. Because there’s this whole reputational thing you with emails and just pulling up? Yes, and sending emails doesn’t get you anywhere. So we decided to move to a German entity, it’s called mailbox.org. And now we’re pretty much in the process of moving away from them to a self-hosted solution. So just to give you an idea, we planned actually three to four years just to move our email communication, to be sure we have a failsafe system that’s pretty much always available, it must have a good reputation. So we can’t lose emails in transit, stuff like that.

Sylvain Kalache 10:15
So let’s say some of our audience members want to get started doing this, like, what? What are the services that were super easy to migrate, and you know, they could start moving.

Fabian Peter 10:32
The other thing that we moved very early in the beginning, was authentication. Everything else pretty much builds upon this. So now we’re using Nextcloud instead of Google Drive. We authenticate Nextcloud with our central IDP, you know, and you build, build that up, and all our chats and whatever we use is connected to that. So for everyone who wants to start, I would start with chat solutions, because they’re easy. And I would start with owning your identity management with tools like Keycloak, or we’re using Authentik specifically, but there’s also Citadel and stuff like that. Just to be able to migrate, for example, away from Azure Active Directory, you can import those in your new thingy, synchronize that, and then have the new IDP PR Collection interface and authentication. Right. And yeah, it was for us, it actually makes

Sylvain Kalache 11:27
sense to start with that. Because, as you said, Everything plugs into it. One of the risks for European companies is not that much. I mean, like, there is one issue where there is a concern of US agencies having access to European citizen data, we have no data. And on the other flip of the coin for you, for European companies like Europe, suddenly deciding that hey, like, okay, like, you cannot use this software anymore. And that could be a huge blow to that business. And so I think, you know, it’s two sizing, but I think for European companies, it should almost be more worried about, hey, Europe deciding that, hey, this is not okay to do any more. And we say, setting, you need new model, new ways to build and deliver software. One of the concepts we’re discussing in some episodes at the Data Defenders Forum, is Private SaaS, I don’t know, if you have heard about this, but it’s this concept where basically there is a segregation between the control plane and the data plane. And so Private SaaS gives you all the advantages of SaaS software, where it’s built for you, it’s managed for you, it’s updated for you to use with the advantage of, you know, like an on-premise solution, where the data is still under your control, right? So you host it where you want, you can sit it on the public cloud or on-premise, or wherever you want. But the key is that you have control over all this data. So like, do you think a model like that, where you still have a vendor? You know, we can specialize in building the software and make profit. And, and still giving the end user access to their data, like control of their data? Do you think that could be easier? Is it a model that you think could be successful, successful in solving a lot of the issues that we discussed? And you know, interesting to that?

Fabian Peter 13:39
I think so. So I’ve actually, until now, never thought of that, or considered Private SaaS. But actually, it’s a very good idea. And at least, I’m already using services that work in that way. For example, in my home, we have, I’m using UniFi networking gear, I’m not sure if it rings a bell with you. Yeah, yeah, that’s popular in the US. They have a cloud control plane where you can hook up your devices, and they then make sure that they are updated and stuff like that, that you have access from the outside, if you want, but my data is here. So everything that will be collected in terms of metrics, or security footage and stuff like that is in my home, I can just use the SaaS layer to connect to it when I’m not at home, and stuff like that. And I think that’s a very smart way to deal with things. Because most of the concerns are actually only about data at rest, you know, and personally identifiable information. If you do not give access to that to the vendor, and you have a smart API or contract between your systems, then yeah, that seems to be a very good solution. And I don’t know, current modern tooling like Kubernetes pretty much endorses this way of operation, actually,

Sylvain Kalache 15:02
yeah, that’s very true. And while it was hard to do out of the gate to have data on Kubernetes used to be not so stable now it’s the technology has matured and data and Kubernetes is now something everybody’s doing. So you know, that’s that. I think you’re right, like and you know, in your bio, you say you specialize in microservices. And Kubernetes, this could be like a stretcher, I agree like it’s this thing. I mean, this initiative was started by Google as a way to counter Amazon’s lead in cloud infrastructure, and they’re trying to find a way to counter that. And, and the beauty of Kubernetes is that you can run it everywhere, including in Google Cloud. So I think you know that they managed to do something, and they did this with open source, which is, which is quite cool. And But getting back to our topic, like how, how likely do you think it’s possible for, for Europe to, you know, to actually pass a law that would say, Hey, you cannot use

Fabian Peter 16:20
this service, I don’t think that there will be a day where the European courts will just disallow the use of whatever comes from the US, I think it will be more subtle. I also think it will be more regional, federal governments or state governments that will or jurisdictions that will bring forward decisions along those lines, because they don’t

know try to cover their ass, or they have a very opinionated data security officer in their ranks, I don’t know. So we’ll be specifically single cases that emerge to a bigger picture where people then come to the impression that, hey, this is disallowed, so we cannot use this anymore. And I think this is also a result of how market forces work. You know, we have one demon, and while we get another and try to switch, which way to get away from the one demon with a new one.

Sylvain Kalache 17:14
Europe could try to strike a deal. And kind of, you know, get the US to agree that the government agency cannot access the data so easily. Do you think it’s possible? Do you think, you know, like the law can get there? Do you think the only way to guarantee that is to enforce it with technology, which is, hey, I have the data under my control, as you said, you know, I know it there is no conversation to have, I do think of a legal framework. Like between these two, you know, like, the countries I mean, Europe, is that a country? But if it’s like, no entity could imagine using it not possible. The only way to do that is through engineering.

Fabian Peter 18:07
Yeah, I think the only way to do that is engineering, being an engineer, and knowing how that all works, makes it absolutely apparent that the law by itself would never hinder someone from accessing what he wants to access. Okay. And I have actually no insight into how these three-letter agencies work, how deeply they are connected, how much they actually know. But if I had to assume if I just had to guess, I would say they have access to everything they want. They just have currently no legal justification to tell everyone. And I don’t think you can solve that problem technically, either. Because I don’t know, everything can be stolen if you try hard enough. So there’s actually no way to really, really protect anything here at all. I think the whole debate is more about what happens if my data, um, I don’t know, private medical data gets exposed and someone in the US some agency knows about it, and then I don’t know, does anything bad to me. It’s just a legal thing. It’s very superficial. But I’m talking about securing the data. Actually, I don’t think that’s actually possible, you know, still, I think the best way to achieve this, if that’s really, really a concern of people, is to put it in engineering and build their own solutions. And I don’t know, go go forward with conventional compute with encrypting pretty much everything at rest in transit, whatever. Go ahead. But but to be honest, I think it’s mostly a superficial debate, you know, and if anyone wants to do bad things with your data, they will find a way to do so, no law will prevent them and probably, no technology will prevent them. But what I think in terms of serenity, I mentioned I’m not an apologist, I’m not religious about But this, but I think as a European Federation as a German country and US country, I think we should, each on our own, tried to gain and, and foster our skills to build things like we need them to if we feel we are exposed too much to other people, and we should learn how to not be that exposed. But that’s not what we’re doing. We’re just talking legal stuff and trying to prevent what if scenarios, but we could have invested all the time in building a technical solution. That means we do not need whatever they have to offer from above the ocean. But we do not do that. What we do. Yeah,

Sylvain Kalache 20:39
it’s like, hey, yeah, more so to engineer or hire less law. Could be the slogan. So John, thank you a lot for chatting with me today and sharing your experience. And I think you’re on Twitter. Alright, if people want to follow up with some questions.

Fabian Peter 20:58
No, no, actually, not. LinkedIn, and LinkedIn. Right?

Sylvain Kalache 21:03
You’re very active on LinkedIn.

Fabian Peter 21:06
That’s, that’s true. So also, thanks for having me. That was a very interesting talk to have a very interesting perspective on the world. You know, it’s not so often that people all invest time and thinking and viewing the world through these lenses. Be more critical and asking questions in terms of sovereignty and security and how we can deal with it. Yeah, the struggles that we face. So that’s very interesting. So thanks again.

Sylvain Kalache 21:36
Yeah, bye bye. Bye.