I found MIAB through the excellent privacytools.io website. Besides using MIAB, it suggests choosing a service provider based outside the US and, ideally, also outside an alliance of up to 14 Western countries that seem to condone spying on their citizens. I interpret this advice as disqualifying the four hosts recommended in MIAB’s setup guide: Digital Ocean (US), Linode (US), 1&1 (GER), or RimuHosting (NZ). What are viable alternatives? Any firsthand experience running MIAB on such an alternative host?
All countries spy on their citizens; even with perfect encryption, traffic analysis is possible. If you have a need for that level of privacy, I suggest hosting from your own premises with a static IP address, two steel security doors and a sledgehammer.
I personally use Hetzner Cloud (https://www.hetzner.com/cloud?country=us) hosted in Finland.
The problem with hosting outside of your own country is you have even fewer rights as a foreign national to privacy.
I used to be the senior system engineer for a trans-national human rights organisation. Nothing confidential was ever kept online that could endanger the people we were supporting and campaigning for or be used against them. The same for activists and employees working in emerging democracies, where the organisation was legally allowed to operate but disliked by the government and security agencies. At all times we treated all services as compromised and acted accordingly.
The two steel doors and a sledgehammer may sound like a flippant remark but arose from a number of conversations around security I had at that time.
Not necessarily a need, but a strong preference that I intend to act on. If we all did, the world’s spymasters would have to actually earn their pay. As it is, we are making their dirty work too easy for them.
I have been very happy with Time4VPS; they are in Lithuania, I think. Works great with Miab, excellent pricing and support.
Then my original comments stand: host from your own premises. Going outside your own country simply increases the risk.
OP, I have hosted MiaB installations on Time4VPS in Lithuania without problems, although I remember setup being a bit clunky.
I have also used Forpsi based in the Czech Republic. If you do not read Czech you will be redirected to their parent company’s site (Aruba Cloud).
I have also used AlphaVPS in Bulgaria.
I would not hesitate to recommend any of these hosts.
Keep in mind that it is best to use KVM virtualization.
But at least some countries’ data privacy laws are very strict and they are enforced. Some countries even obey their own laws, imagine that!
Thanks for the suggestions. None of the countries you mention are among the Fourteen Eyes that privacytools.io advises against. As a bonus, the Czech Republic’s key disclosure laws don’t apply to encrypted email, presumably. However, Aruba Cloud is based in Italy, so I would pass on that one. I have yet to research your other hosts in detail.
Personal recommendations outside US:
Good point. Anyone know of a well-researched list of countries that, going by precedent, can be trusted to enforce their strict privacy laws? Sort of the opposite of the Fourteen Eyes.
They are. I have a few servers from them as well and they are located in Germany. Don’t know if they have a site in Finland as well.
I would personally go for a hosting site in Iceland. They rank #1 in all privacy lists I have seen and they take personal privacy very seriously. I have had good results with https://www.orangewebsite.com
They are not as cheap as DigitalOcean etc., but they have great support and very serious hosting setups. There’s also Flokinet https://billing.flokinet.is/cart.php?gid=7 which should be very good as well.
Can we please once and for all acknowledge that any shared or even dedicated hosting is not secure from either the hosting company themselves or interested whether or not it is in a 3rd party country or domestic. Even a cursory glance through the two Icelandic companies’ ToS show numerous examples of them legally and without notification being able to access your instance, be it physical or virtual. The technical aspects of such access are trivial.
I have in my professional career worked for the UK’s NHS and Amnesty International’s International Secretariat; both had strict on-premises hosting for sensitive data for these very reasons.
If you want no-peek hosting, host it on your own premises.
This is absolutely true; however, it is not the most easily attainable situation, and I would venture impossible for many/most here.
What are the minimum hardware specs of a one-person self-hosting setup superior, in terms of privacy and security, to a virtual server in, say, Iceland or Switzerland?
Great suggestions, thanks. Although Orange and Floki are about 5-6 times as expensive as the likes of Digital Ocean, hosting in Iceland may be worth it. If more of us choose them over less private alternatives, prices will soon drop due to improving economies of scale. Or so I hope.
Why do you think self-hosting is practically impossible?