5 Eyes、9 Eyes 與 14 Eyes

{5,9,14} Eyes 是先前在其他地方看到的詞,後來在「Cutting Google out of your life」這邊在講 Google 的替代方案時又有提到,然後也有解釋:「Global Mass Surveillance - The Fourteen Eyes」。

這邊提到的 Eyes 起因是大多數國家對於監視自己公民都有法律限制,所以藉由與國外的情報單位「合作」,取得對自己國家公民的監視資訊 (即使各國之間有簽訂不監視其他國家公民),而這邊列出的 {5,9,14} Eyes 就是互相有簽訂合作的國家:

The UKUSA Agreement is an agreement between the United Kingdom, United States, Australia, Canada, and New Zealand to cooperatively collect, analyze, and share intelligence. Members of this group, known as the Five Eyes, focus on gathering and analyzing intelligence from different parts of the world. While Five Eyes countries have agreed to not spy on each other as adversaries, leaks by Snowden have revealed that some Five Eyes members monitor each other's citizens and share intelligence to avoid breaking domestic laws that prohibit them from spying on their own citizens. The Five Eyes alliance also cooperates with groups of third-party countries to share intelligence (forming the Nine Eyes and Fourteen Eyes); however, Five Eyes and third-party countries can and do spy on each other.

另外還有「Key Disclosure Law」這段,在講有哪些國家有法律可以強制個人交出金鑰。

回到本來提到的 degoogle 列表,裡面列出了很多替代的服務與軟體,其中服務的部份會列出所在地區是否在 {5,9,14} Eyes 的範圍內,以及發生過的爭議事件。

當作替代方案在看,至少可以把一些足跡從 Google 抽出來...

EU-US Privacy Shield 被歐盟法院拒絕

在「EU rejects US data sharing agreement over privacy concerns」這邊看到的新聞,引用自「EU rejects US data sharing agreement over privacy concerns」這邊的新聞報導。

歐盟最高法院的新聞稿則是在「The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield」這邊可以看到,雖然 EU-US Privacy Shield 被推翻,但本來在 2010 年的框架仍然有效:

However, it considers that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid.

維基百科上的條目寫的比較簡單,主要是協議裡美國的保護機制不到歐盟的標準:

A final CJEU decision was published on 16 July 2020. The EU-US Privacy Shield for data sharing was struck down by the European Court of Justice on the grounds it did not provide adequate protections to EU citizens on government snooping.

記得這個戰了好久,最後在最高法院定案了...

Amazon S3 的 Replication 也給出 SLA 了

Amazon S3 的 cross-region replication 與 same-region replication 也提供 SLA 了:「S3 Replication Update: Replication SLA, Metrics, and Events」。

  • Most of the objects will be replicated within seconds.
  • 99% of the objects will be replicated within 5 minutes.
  • 99.99% of the objects will be replicated within 15 minutes.

對應的賠償是:

When you enable this feature, you benefit from the associated Service Level Agreement. The SLA is expressed in terms of a percentage of objects that are expected to be replicated within 15 minutes, and provides for billing credits if the SLA is not met:

  • 99.9% to 98.0% – 10% credit
  • 98.0% to 95.0% – 25% credit
  • 95% to 0% – 100% credit

不過只保證 99% 的物件在五分鐘內會被 replicate 有點低,應該跟底層的網路 latency 有關?

Amazon 需要對賣出去的產品造成的傷害負責

前幾天還蠻引人注目的案件,Amazon 被判決要對平台商家透過 Amazon 平台賣出去的產品負責:「Federal appeals court says Amazon is liable for third-party sellers' products」。

這個案例裡面是消費者透過 Amazon 的平台,向上架的商家購買 hoverboard (懸浮滑板?),結果把消費者家給搞爆了:

Last year, a judge in Tennessee ruled the company was not liable for damages caused by a defective hoverboard that exploded, burning down a family's house.

目前最新的判決中指出,Amazon 在合約裡面簽訂消費者必須透過 Amazon 的平台跟賣家溝通,使得賣家與消費者之間沒有直接的管道可以處理爭議,所以 Amazon 不能免責:

"Amazon fails to account for the fact that under the Agreement, third-party vendors can communicate with the customers only through Amazon," the ruling states. "This enables third-party vendors to conceal themselves from the customer, leaving customers injured by defective products with no direct recourse to the third-party vendor."

這個判決看起來會影響蠻大的,因為這些條款就是希望維持平台業者可以從中獲利,現在反過來殺傷自身... 看起來上訴是跑不掉的?等幾個月後再回來看...

Salesforce 打算買 Tableau

Saleforce 打算要買下 Tableau...

兩邊簽了協議並且都發了新聞稿出來,分別是 Salesforce 的:「Salesforce Signs Definitive Agreement to Acquire Tableau」,以及 Tableau 的:「Salesforce Signs Definitive Agreement to Acquire Tableau」。

這兩家都是掛在 NYSE 的公司,而這次的併購會直接以股票交易 (Tableau 的 1 股換 Salesforce 的 1.103 股,看起來是基於這三天股價計算):

SAN FRANCISCO, Calif. and SEATTLE, Wash. — June 10, 2019 -- Salesforce (NYSE:CRM), the global leader in CRM, and Tableau Software (NYSE: DATA), the leading analytics platform, have entered into a definitive agreement under which Salesforce will acquire Tableau in an all-stock transaction, pursuant to which each share of Tableau Class A and Class B common stock will be exchanged for 1.103 shares of Salesforce common stock, representing an enterprise value of $15.7 billion (net of cash), based on the trailing 3-day volume weighted average price of Salesforce's shares as of June 7, 2019.

Salesforce 想要買 Tableau 是個蠻意外的新聞...

AWS Lambda 也提供 SLA 了

在「AWS Lambda announces service level agreement」這邊看到 AWS Lambda 提供 99.95% 的 SLA :

We have published a service level agreement (SLA) for AWS Lambda. We will use commercially reasonable efforts to make Lambda available with a Monthly Uptime Percentage for each AWS region, during any monthly billing cycle, of at least 99.95% (the “Service Commitment”).

不過這種東西都是宣示意味比較重 (至少表示 AWS 認為產品穩定度夠上 SLA),倒不是希望會用到...

台美之間的租稅協定 (還在橋)

看到「因應美稅改 賴揆:加速洽簽台美租稅協定」這則消息,如果沒記錯的話,有不少服務都是美國公司出帳... (像是 AWSSlackGitHub 這類在公司裡很常用的服務)

參考「我國股利、利息及權利金扣繳率(%)一覽表」這邊的資料,應該有機會從 20% 降到 10%?也就是說實付 100 萬的金額本來要多繳 25 萬 (帳要做成 100 萬 / (1 - 0.2) = 125 萬,其中的 20% 是 25 萬萬稅,100 萬實際支付),現在只要繳 11.1 萬 (100 萬 / (1 - 0.1) = 111.1 萬)?

不過有些特殊情況本來就有更優惠的稅務方式 (像是使用國外平台提供服務 (e.g. AWS),而服務的對象也是境外使用者的情況),這些組合可以研究看看要怎麼搞...

Amazon ECS 與 AWS Fargate 都納入 Amazon Compute SLA 計算

AWS 宣佈的這兩個服務 (Amazon ECSAWS Fargate) 都納入 99.99% 的 SLA 合約範圍:「Amazon Compute Service Level Agreement Extended to Amazon ECS and AWS Fargate」。

Amazon Elastic Container Service (Amazon ECS) and AWS Fargate are now included in the Amazon Compute Service Level Agreement (SLA) for 99.99% uptime and availability.

ECS 已經跑一陣子了可以理解,但 Fargate 的概念算比較新,剛出來沒多久就決定放進去比較意外...

AWS 主動提高 Amazon EC2 與 Amazon EBS 的 SLA

AWS 主動提高 Amazon EC2Amazon EBSSLA:「Announcing an increased monthly service commitment for Amazon EC2」。

Amazon EC2 is announcing an increase to the monthly service commitment in the EC2 Service Level Agreement (“SLA”), for both EC2 and EBS, to 99.99%. This increased commitment is the result of continuous investment in our infrastructure and quality of service. This change is effective immediately in all regions, and is available to all EC2 customers.

之前是 99.95% monthly (參考前幾天的頁面:「Amazon EC2 SLA」),現在拉到 99.99% 了。第一階的賠償條件也從 99.95%~99% 改成 99.99%~99% 了 (賠 10%)。

Google 測試 CECPQ1 的一些資料...

七月的時候提到「Google Chrome 引入 CECPQ1,開始測試 Post-Quantum Cryptography」,剛剛看到 Adam Langley 寫了一些數據出來:「CECPQ1 results」。

目前看起來對於網路速度不快的使用者會影響比較大,最慢的 5% 使用者大約慢了 20ms,最慢的 1% 使用者會慢 150ms:

Although the median connection latency only increased by a millisecond, the latency for the slowest 5% increased by 20ms and, for the slowest 1%, by 150ms. Since NewHope is computationally inexpensive, we're assuming that this is caused entirely by the increased message sizes. Since connection latencies compound on the web (because subresource discovery is delayed), the data requirement of NewHope is moderately expensive for people on slower connections.

由於實驗算是完成了,加上 TLS 已經有規劃了,所以 Google Chrome 打算拔掉這個功能等標準出來:

At this point the experiment is concluded. We do not want to promote CECPQ1 as a de-facto standard and so a future Chrome update will disable CECPQ1 support. It's likely that TLS will want a post-quantum key-agreement in the future but a more multilateral approach is preferable for something intended to be more than an experiment.