I think you're missing a bigger issue: if the data is in America, nothing needs to be hacked. Your data can be obtained through legal means.
Plus, if you're not an American citizen, you have no rights so far as three-letter agencies are concerned, whether your data is stored in the US or elsewhere.
The choice is between data stored in the US, where data can be obtained through legal means or hacking, and data stored elsewhere, where it can only be obtained through hacking.
That's true. You do have to make a decision about which protection you feel is stronger: the American legal system, or the current commercial state of the art in computer security lined up against the world's largest consumer of offensive security technology.
That could be true but only applies to people subject to the American legal system, i.e. those with American citizenship or living on American soil.
For the other 96% of us, the American legal system offers no protection whatsoever, as far as I'm aware.
This deficiency is not true of all jurisdictions. As far as I can tell from reading articles 1-3 GDPR, the GDPR applies to all processing that takes place within the EU or on behalf of an EU entity, regardless of whether the subject of the data is a citizen or resident of the EU. Same goes for the Swiss data protection act [0].
So as a non-American, I have a choice between services located in a country where I have no legal rights and services located in countries where I do.
This is also all from a security point of view. From a privacy point of view, I know that American companies have essentially free rein over the data I give them. They can monetize it, sell it, train machine learning models with it or do whatever else they please, regardless of whether they have my explicit consent.
Other jurisdictions have privacy protections, so I know I have some basic level of privacy if I choose, say, a German email provider, while I know I have essentially none if I choose an American one.
Really, as a non-American, I see no reason why I should treat American services as being any better than, say, Russian or Chinese services. I'm happy to listen if you have any compelling arguments though.
I agree with most of what you're saying, and again, I don't want to be taken to have said "you should go out of your way to use US companies". Also, there are other important concerns! If you don't trust how a US company is going to handle your data --- cough Facebook --- you shouldn't use them, no matter what you think NSA is going to do.
But: the protections I'm talking about aren't rights accorded to non-US persons abroad. I agree, you have very few legal protections against the US as a non-US person in (say) Europe. But the US company itself does have protections. It is not lawful for NSA (or the DOJ or CIA or whatever) to hack into Google's servers; on the flip side, it is probably lawful for NSA to have pre-hacked every major information provider and telecom in Europe, if they really wanted to. My point is, if you're overseas, the largest SIGINT agency in the world doesn't even have to ask to get access.
(Obviously, they don't have to ask in the US if they simply ignore the law, but then, if you ignore the law, none of this matters, and everything is up for grabs).
That's fair, I just wanted to explain why "made outside the US" could be a valid selling point.
Regarding hacking Google and ignoring the law, isn't that essentially what PRISM was? Do we have any reason to believe US intelligence will obey the law now?
I do understand your argument but I think we place different levels of confidence in the US legal system. I have zero confidence, so assign it zero value.