GDPR or HIPAA compliance

I store terabytes of data that I pay for out of my own pocket on the Storj network. It has been very reliable for me. Assuming you are in the United States, the IRS can ask for records as far back as ten years. I would feel secure having a copy on the Storj network, but not the only copy. I would feel this way with any online service provider no matter how large they are. One local, and at least one in the cloud.

Storj employees don't have access to data. All of it is encrypted and only you have the key. However, if you use the web client or S3 gateway, encryption happens server side. The encryption keys are wiped after that is done, but in theory that's where they could "listen in". This is just theoretical. Storj has implemented lots of measures to ensure data won't be accessible. The only reason I mention it is because these implementations aren't entirely zero trust.

If you want to avoid that though, you can use uplink to transfer the data or run your own S3 gateway. In those scenarios, all encryption happens locally and there is no possible way anyone but you can access the data.

1 Like

So using FileZilla PRO, does it do the encryption on my side first? It seems to use a LOT of processing power when sending the data over to Storj.

Or encrypt the data with a software of your own choice before uploading it.
Just an example, I don't know how far they are with this and if it works with Storj DCS:

Depends on the used integration. If you used a native integration (with access grant or API Key and encryption phrase), then it's encrypted locally. If you used an S3 integration with Storj-hosted S3-Compatible Gateway, then you opted-in for server-side encryption.
However, if you used an S3 integration with your own Self-hosted S3-Compatible Gateway, it will use client-side encryption.
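As an added illustration (not Storj's code, and not the encryption scheme the uplink library actually uses), the Go program below shows what "encryption happens locally" means in practice, which is also what encrypting with software of your own choice before uploading achieves: the key is generated and held by the client, the store only ever receives ciphertext, and a wrong key, a tampered object, or an object renamed under another key all fail to decrypt. The in-memory `objectStore` is a constructed stand-in for a bucket, and the `Upload`/`Download`/`StoreSeesPlaintext` names are hypothetical, chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// objectStore is a constructed stand-in for a remote bucket. Like a hosted
// gateway or satellite, it only ever sees what the client hands it.
type objectStore map[string][]byte

// ErrIntegrity is returned when AES-GCM authentication fails: wrong key,
// modified ciphertext, or ciphertext copied under a different object key.
var ErrIntegrity = errors.New("object failed authentication: wrong key or tampered ciphertext")

// NewLocalKey generates a 256-bit key on the client. The key itself is never
// sent anywhere, which is the property the thread attributes to native and
// self-hosted-gateway integrations.
func NewLocalKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and binds the object key as
// associated data, so a blob cannot be silently re-filed under another name.
// Output layout: nonce || ciphertext || tag.
func Seal(key []byte, objectKey string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectKey)), nil
}

// Open reverses Seal; any authentication failure is reported as ErrIntegrity.
func Open(key []byte, objectKey string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, ErrIntegrity
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(objectKey))
	if err != nil {
		return nil, ErrIntegrity
	}
	return pt, nil
}

// Upload encrypts on the client and stores only the ciphertext blob.
func Upload(store objectStore, key []byte, objectKey string, plaintext []byte) error {
	blob, err := Seal(key, objectKey, plaintext)
	if err != nil {
		return err
	}
	store[objectKey] = blob
	return nil
}

// Download fetches the blob and decrypts it locally.
func Download(store objectStore, key []byte, objectKey string) ([]byte, error) {
	blob, ok := store[objectKey]
	if !ok {
		return nil, fmt.Errorf("no such object: %s", objectKey)
	}
	return Open(key, objectKey, blob)
}

// StoreSeesPlaintext reports whether the stored bytes contain the plaintext,
// i.e. whether a server-side observer could read it without the key.
func StoreSeesPlaintext(store objectStore, plaintext []byte) bool {
	for _, blob := range store {
		if bytes.Contains(blob, plaintext) {
			return true
		}
	}
	return false
}

func main() {
	store := objectStore{}
	key, _ := NewLocalKey()
	record := []byte("patient-id=0001 diagnosis=constructed sample") // constructed input
	_ = Upload(store, key, "backups/2023/records.txt", record)
	fmt.Println("store can read plaintext:", StoreSeesPlaintext(store, record))
	back, err := Download(store, key, "backups/2023/records.txt")
	fmt.Println("client decrypts:", err == nil && bytes.Equal(back, record))
}
```

Run it with `go run .`; the store reports `false` for plaintext visibility while the client round-trips the record. With a hosted gateway the equivalent of `Seal` runs on the provider's side and the key passes through it, which is the trust boundary the thread is pointing at.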

I think storj would be very wise to enlist the help of some legal professional to either figure out definitively how we can make it compliant (specifically talking about GDPR here because that's relevant to me) or reaching out to the EU to get the regulation updated. Someone needs to get down in detail and work with the devs to make this work because (as a business owner) you can't take storj seriously and that is a real shame.

Every business needs to backup to the cloud somewhere and storj is the perfect place for that imo but without the GDPR stamp it's discarded as an option. Invest in making GDPR work, find a way to give us immutability controls and you've got yourself a massive market.

A crowd funded campaign could work here?

TL;DR: Storj is already working on this, and yes we do have legal counsel advising on these matters. We are confident that GDPR compliance is achievable.

7 Likes

Yes, with that assessment from the EDP this seems achievable. But what about the others? I hope you are looking into them as well. HIPAA means healthcare and clinical data like from MRIs. CJIS means all the data from bodycams from police officers to CCTVs in prisons and legal data like court and investigation data. FERPA is all data around schools and students, and MPA could help with all movie and cinema related content.
Those sectors are huge too.

Regarding HIPAA and other standards, please refer to the statement from the Twitter Spaces by @Bryanm which I quoted in the post above yours.

1 Like

How is that an answer? It's typically vague. It does not mention CJIS or FERPA or MPA, nor does it state a time frame or current status or problems and solutions.
I mean, you have attended the HPA Tech Retreat 2023; wouldn't an MPA certification therefore be a great boost when talking to potential customers?

Here is some from the work in progress:

3 Likes

I think the only need for this is to form possible verified regions of data, if a customer chooses to host data in a verified region to be GDPR or otherwise compliant. By default it could be GDPR compliant; now if a customer chooses to be located only in a given region, it is possible by satellite subdivisions across the entire world, and it could require for example a strong identification rule to prove node localization around the entire world, as I have an example of a method such as the addition of strong identification rules, a dongle or other hardware stuff to ensure localization, and node crawling of node host IP configuration in real time and processes... maybe running a new Storj node model, a custom OS ISO like Ubuntu or Debian or other OSes with the ability to migrate from now to a new custom Storj OS with incoming access on the system by Storj itself in order to be sure of node localization... I think Storj could use a geolocalization tracking system at least as a dongle (could work over USB for virtual machines also) for a Storj OS Appliance (ISO) for example, or for Docker for SNOs who want to host a GDPR or other compliance model + using identification processes. Thanks for all Storj and Storj Community.

We have a geofencing option for the paid customers. You need to file a support ticket though.
And according to this article:

we should be compliant.

https://review.dev.storj.io/c/storj/storj/+/9978/2/docs/blueprints/certified-nodes.md#49

The United States has a rule that if node operators earn more than $600/year,
we need to file a 1099 for each of them.

I was just wondering if such requirements could be bypassed if the nodes side of the operation would be handled by a non-us company. Like if all nodes would subscribe to and get paid by a non-us subsidiary of Storj.

That might be categorized as tax evasion and IRS does not play cool with that.

1 Like

I don't know. A tax lawyer would need to be consulted for that.
But without being one and just spinning around that idea: when I work for Microsoft and if I am an employee of their German subsidiary Microsoft Deutschland GmbH, I don't think I have to deal with the IRS at all, let alone pay any US taxes. So there is no tax evasion there.

There's tax evasion and tax avoidance.
The first will get you in trouble, the second very much not.

Definitely would need "someone who knows" to give an opinion.

It's all about resources. A tax lawyer won't give free advice. The time and money would be better spent on important things like implementing partial exit or other things than "a way to avoid/evade" tax, IMO.

Besides, no matter what you do, you will end up paying more or less tax either in USD or in your local currency. I feel the pain of paying higher tax, and if it was possible Storj would have paid us using PayPal.

I also think it's kind of off topic, but the blueprint jots down different use cases and their mention is missing from the current title of this thread.

You are correct, but German Microsoft would pay tax for getting paid by US MS, then you as an employee would get taxed for getting paid. In short, you do get taxed in your local currency.

Please refer to https://support.storj.io/hc/en-us/articles/360042696711-What-tax-forms-do-Storage-Node-Operators-need-to-submit- for the actual rules that apply to SNOs who are US persons vs Foreign Contractors. Foreign contractors do NOT have to file any 1099 US tax form nor will they owe any US taxes. Foreign contractors that earned more than $600 only need to file a Form W-8BEN which is informative only.

Please abstain from suggesting that SNOs or Storj Labs should try to circumvent tax laws.

3 Likes

Of course everyone gets taxed as per the local laws they fall under. But you brought up the question of the IRS, and what I am saying, and what you basically seem to agree to, is that as a foreign entity you normally do not have obligations with the IRS. IRS requirements and obligations are for US entities. And if you are not a US company - even just a foreign subsidiary of a US company - you normally shouldn't have matters with the IRS at all and therefore you don't have to issue whatever IRS forms to the people you pay.

And that was the point that @jtolio was 'complaining' about. The amount of taxes to pay does not play a role at all here:

The United States has a rule that if node operators earn more than $600/year,
we need to file a 1099 for each of them. Our current way of dealing with this
is manual and time consuming, and so it would be nice to automate it.

He also described what is all required to keep track of.

The blueprint discusses a technical way to deal with the requirements; my thinking was about a legal way based on tax and company laws. Here is a quick Google link that I found to back up my thoughts:

"Do you know, if a foreign based company is not required to provide a 1099-misc, what form do you use to report income on your tax return? Thanks!"

"No, the IRS rules regarding Form 1099-MISC do not apply to foreign entities operating outside the US. However, a foreign-based company with an office in the US would be required to prepare 1099-MISC under the IRS rules."

As this link suggests, there is no obligation to issue (whatever) IRS forms or keep track of any of them for a foreign company. This could make running satellites and paying node operators much easier if you are not a US company as then it would fall under the sole responsibility of the node operators to report their earnings to whatever authorities they have to report it.

All tech giants - thus my example with Microsoft - are operating multiple foreign subsidiaries for various reasons, so it is not considered tax evasion or even illegal per se. And if such a corporate construct could help to save valuable resources, then I see nothing wrong with thinking about such an option. But as I have said before, to be legally on the safe side you would have to consult with an appropriate tax lawyer, as international tax and company laws are tricky.

1 Like