Switzerland, the Netherlands and Norway are a good starting point. I believe that now that privacy has become a major concern, we will see countries with some legislative background and experience in other sectors that require secrecy above everything else (e.g. private banking) evolve into secure havens for servers.
The Netherlands is on its way to being removed from that short list. The new WIV20xx (charter for information and security services) gives it very broad powers against very little oversight. I have been unable to find a decent source in English, but among its provisions:
- allows for "reconnaissance" on external networks, including breaking encryption or forcing targets to divulge keys. This "reconnaissance" apparently includes installing sniffers or data probes.
- allows for untargeted data collection on wired networks (including cell phone towers)
- has provisions for forcing data transit stations (including ISPs, but also AMS-IX) to comply with requests.
It depends on what you are trusting them to do. The NSA's not going to spy on you less just because you're not in the US. If anything, they'd spy on you more.
They would no longer need to ask for cooperation. Personally, I'd call that less safe.
At least in theory, the NSA could allow a compliant US business to be secure. If the NSA could not get data from a foreign business the easy way, I'm sure they would get it the hard way.
That's not what it's about for me. If companies like Google and Apple want my trust they need to operate as their own government entity and make all users citizens and give them rights. Until then I'll stick to using as much FOSS as possible, never using social media for secure communication, and storing all my own data.
Basically, unless they let me see what's happening with my data by allowing me access to the code, I can't and won't trust them.