Join the US-EU Safe Harbor program


#1

We are in the UK. Data Protection laws make it impossible for us to host some of our content at Dreamhost because it doesn’t comply with the Safe Harbor program.

Until you join this program (or get a European data centre) we have to host some of our content elsewhere.

Here’s some info:
http://export.gov/safeharbor/


#2

Maybe you only have to host a decryption key on a computer somewhere in Europe, and everything else can be at Dreamhost, encrypted.


#3

Good idea, but that would presumably hit the speed of the websites. They already suffer from high latency as they are served from the USA to clients in Europe (although Cloudflare helps a bit with this). A European data centre would be the best outcome for the latency issue as well.

I can’t see why Dreamhost doesn’t want to comply with Safe Harbor - it just seems to entail the standard of data security that we’d all want from a hosting company anyway. Can someone from Dreamhost say what the problem with Safe Harbor is?


#4

Thanks for your suggestion! I am actually one of the people here who has looked into this as a possibility (to the point of engaging our legal team to see what would be feasible). The main problem is that of enforcement - while we ourselves are absolutely treating the data which we collect in a responsible manner, due to the nature of our services it would be extremely difficult to force compliance on the part of every customer. The question has been whether or not we’re responsible for that (or, if so, how far that goes). It may be possible to cover ourselves through [minor] alterations to our ToS in addition to training and a double-check of our security practices, but beyond that it could simply prove to be impossible to implement correctly (also, bear in mind that the majority of our customers are still in the US and, while they may not disagree with the principles involved, would likely balk at any added inconvenience).

Thanks for bringing this up again, I’ll do a little more digging and see if it’s something we’re able to get done without major disruption.


#5

I would also strongly urge DreamHost to get a Safe Harbor certification.

We’re working under French data privacy law and it would be HIGHLY advantageous for us to be able to affirm — to our users and French data privacy authorities — that our data host is Safe Harbor certified.

It is a self-certification process and while I’m not an attorney, it really doesn’t look that involved, particularly if you don’t include your own employee data among those covered by the certification. And I’m not sure this would impact your users in any way that is not positive. What “added inconvenience” do you see? Nothing in the requirements suggests any burden whatsoever on your customers. It’s all good for us!

Requirements here: http://export.gov/safeharbor/eu/eg_main_018495.asp

Please consider it at the earliest possible date.

Many thanks.


#6

Following up on my earlier post today, I’ve just received an opinion from the CNIL (the French data privacy authority) which indicates that it will only authorize us to host controlled data with DreamHost on a punctual and exceptional basis. So we are in the same situation as our UK colleague SteveWest who started this thread.

You do so many things so well at DreamHost, please add Safe Harbor certification to your toolkit of attractive features.


#7

Between using TLS1.0/RC4 (TLS_RSA_WITH_RC4_128_SHA)¹ per default for new domains and storing passwords in a reversible way (and letting Tier-1 Support gruntlings access and use them)² I wouldn’t trust DH with even a robots.txt, let alone sensible data.

¹: https://www.ssllabs.com/ssltest/index.html
²: https://discussion.dreamhost.com/thread-139556.html