Blog by Martijn Hols
← Blog index
Published

Moving away from US cloud services

For years, using US clouds in the EU has been questionable. Time and time again, data-sharing agreements between the EU and the US get busted, showing there's just no legal compatibility between EU privacy rights and US spying laws. Every few years, it's revealed that the US is spying more than expected. While everyone in the EU kinda knows storing personal data on US clouds is , they figure that since everyone is doing it, even if it's not legal, then at least you'd be wrong with everyone else, so that makes it less bad. And soon, it may become fully illegal.

But privacy isn't the only concern anymore. With the current political situation in the US, it's also starting to become clear that our entire digital infrastructure is at the mercy of US policies. It is no longer safe to rely on US clouds for our governments and societies, as the US government can shut it down at will. And it doesn't matter whether the servers are in the EU.

This isn't just speculation. In 2019 GitHub started blocking individual developers due to US trade sanctions. More recently, the US imposed new sanctions on the International Criminal Court in The Netherlands. These sanctions make it illegal for US companies to provide services to , essentially cutting them off from US services. This is a huge problem for them; the ICC fears being cut off from all of their evidence, and it may even shut the ICC down.

This sets a dangerous precedent. It increasingly appears that the US government will use tech companies as a weapon.

Taking the exit with the US cloud

All things considered, it's high time to move away from US cloud services. In this article, I'll break down how I'm migrating away, what I switched to, and the challenges along the way.

My dependencies

Before starting, I made an inventory of the US cloud services I depend on. I decided to focus on cloud services (and not software and hardware), as that's where the biggest risks are. My dependency list roughly in order of reliance:

  • Microsoft Office 365
    • Mail
    • Calendar
    • OneDrive
  • Bitwarden
  • GitHub
  • Google search
  • Cloudflare/Google DNS
  • Docker Hub
  • NPM

This list is focused on cloud services I use professionally (for my business), but I plan to migrate personal services as well (privately I also rely on WhatsApp for communication and iCloud for backups and notes).

Aside

While they're technically not cloud services, I also depend on online platforms like Hacker News, Reddit, LinkedIn, Twitter and BlueSky and WhatsApp. I use social media like Hacker News and Reddit to reach people and stay informed, and LinkedIn, Twitter and BlueSky are ways for people to find and follow me. These platforms are only as good as the people on them, making most of them irreplaceable. Not because of their infrastructure, but because of their communities.

Replacing the dependencies

With my list handy, I replaced each dependency one by one. A useful tool for finding alternatives is the European Alternatives website.

Goodbye Microsoft Office 365

Microsoft 365 was my most important dependency. It has all of my mail, including history that I'm legally required to save, my calendar, and most of my important files, which I'm legally required to keep long-term. Losing access to these services isn't an option.

On top of that, I've had long-standing usability issues with Microsoft 365. Particularly OneDrive for Mac, which was constantly draining my battery and overheating my CPU, making the switch even more appealing.

I went looking for an all-in-one solution; mail, calendar, and storage, mostly because it's simpler, but I also don't want to pay for everything separately. In the end, I settled on Proton. I had heard of Proton Mail before as a privacy-focused highly-encrypted mail provider, but never really looked into it as I had no real need for that, and I figured it would come at the cost of usability and price. But I was seriously impressed by how good Proton software is. Their apps are really . I actually have a better experience than I did using Microsoft's. I'm impressed by how they made everything work so well without sacrificing privacy in any way.

The Proton Business Suite, which includes 1 TB for Mail, Calendar, VPN, Pass and Drive, is only 12.99 per month (the non-business variant is 9.99). And just like Microsoft 365, it has full-fledged support for teams.

Another thing that impressed me about Proton is how easy switching from Microsoft 365 was. Their Easy Switch tool, handled all the data importing for me in just a few clicks. All I had to do manually was update the DNS for my domains. And as a bonus, Proton allows setting up 15 custom email domains, so I can cancel all of my separate email hosting and centralize all my mailboxes.

Yet another bonus: the Proton Business Plan includes a VPN. I only need one very occasionally and my needs were never enough to subscribe to one, so this is a nice extra perk.

Replacing Bitwarden

I was very hesitant to switch password managers. I'd used Bitwarden daily for over 4 years, and despite its usability issues, it had become a core part of my toolkit.

But as I really wanted to ditch US cloud services, I looked into replacing it. After all, even though my vaults are encrypted, they're still hosted by Bitwarden and they can restrict my access as they see fit.

The obvious place to start was Proton Pass, since it came with the Proton Business Suite. When I saw 1Password users switching, I figured it had to be good. Turns out, it really is! It has all of the features I used in Bitwarden, and more. The main new things I appreciate are sharing a password via a link, and the return of the login dropdown in login forms. Oh, I missed you so.

Shows a login form (Email or username and password) with an autofill overaly open with an option to login as "martijnhols"
The dropdown opens automatically, so I can confirm a login with a single click

Migration was even easier than mail; just export in Bitwarden and import in Proton Pass, and you're done. Even TOTP codes and secure notes transfer over seamlessly.

The GitHub challenge

I'm deeply locked into GitHub, having heavily customized my build pipelines to work within their platform. As a result, I haven't started migrating yet.

GitHub only hosts my repositories and CI; I don't store any personal data on GitHub, nor do I use it to process it. I have copies of my repositories on my computer, plus occasional backups. The only real risk is my Mac's SSD self-destructing at the exact same time; then I'd lose a few days of work.

Still, I rely on GitHub heavily for my projects, so migrating will take time. I'll find a new home for my repositories eventually, but considering the impact, this will probably be the last thing I migrate, so I haven't really explored alternatives yet.

Escaping Google search (almost)

If you've tried alternative search engines, you know: Google search is really, really good. It's very hard to find an alternative that doesn't make you want to switch back.

But I found it: Startpage

Try for yourself

Startpage is a Dutch-owned search engine that promises "uncompromising" privacy. Despite that, I was really surprised by how good its search results are. Turns out that's because it's actually a Google proxy. Bummer.

It's unclear what Startpage's reliance on Google means for privacy, but it's still much better than using Google directly. It doesn't eliminate the US cloud dependency though. Unfortunately, fully European alternatives that don't make me want to switch back are scarce.

Disconnecting Cloudflare/Google DNS

The promise of optimal DNS performance attracted me to the DNS servers of Cloudflare and Google, but this too comes with privacy issues and reliance on US infrastructure. As part of this de-US-ing, I've opted to replace those with Quad9. Quad9 is a free, Swiss-based DNS service focused on and privacy.

Switching to Quad9 is easy; just pop in these numbers in your router: https://www.quad9.net/service/service-addresses-and-features#rec or install a provisioning profile on mobile

Ditching Docker Hub

Docker Hub (a registry for ) is essential to my ; it stores the private images that my servers automatically pulls to install new versions of my apps.

I'm quite eager to move away from Docker Hub. I haven't been a fan of Docker Inc. for a long time; they make it really obvious their focus is entirely on enterprise customers. Docker started going downhill when they shut down Docker Cloud. Later, they even canceled my subscription based on their "fair use" clause because they misinterpreted their logs (they were counting HTTP Head requests as image pulls).

Since my needs are simple, self-hosting seems like the best option. I'm probably going with Harbor, but before I can set it up, I need to find a persistent storage solution for my servers. I've been putting this off as it hasn't really been essential . OVH or Scaleway Object Storage seem like good fits, but I need to do more research before finalizing a choice.

My deadline for this migration is July 1st, as that's when my Docker plan expires. But I'll probably finish this in the next few weeks to complete this migration away from the US cloud.

NPM

For NPM, a key challenge is the reliance on public . These are downloaded and installed in every build in CI, and every time someone clones the project. While these are heavily cached, NPM becoming unavailable would break most tooling.

Unfortunately I couldn't find any public European NPM mirrors (let me know if I missed any). I think this is because most large companies host their own private mirrors. I've used Verdaccio as a private registry and cache before, and setting it up is fairly easy with a Docker image. Like the Docker registry, though, this requires setting up persistent storage first. Once that's ready, I'll set this up. That way, if NPM becomes unavailable, I'll still have access to the versions I've been using, and I can get other people up to speed with them.

Wrapping up

Migrating away from US cloud services was easier than I expected. While there are some challenges left to tackle, migrating my most important dependency (Microsoft 365) was done in an afternoon. This is mostly due to Proton, which turned out to be a surprisingly good alternative to Microsoft 365.

Replacing Docker Hub and NPM required more planning. This was mostly because I hadn't set up persistent storage before—something I should have solved ages ago.

Other services, such as GitHub, will take longer. But it's on my list and seems within reach. It even seems fun to explore European alternatives. Or maybe I'll self-host something.

Google Search, on the other hand, still feels unbeatable. , but for now using a more privacy-focused proxy seems to be the only viable option.

If you're thinking about reducing your reliance on US cloud services, now is a good time to make it so. The risks, both in terms of privacy and control over your infrastructure, are getting harder to ignore. As my experience shows, some migrations may be a lot easier than you'd expect.

At the very least, think twice before signing up for new US services. Consider European services instead.

If you've gone through a similar transition, I'd love to hear what worked (or didn't work) for you.

privacy
cloud
Feedback:
More like this

The security risks of front-end dependencies

security
dependencies
maintainability

Everything about Google Translate crashing React (and other web apps)

react
machine-translation
i18n
Feedback: https://twitter.com/MartijnHols