
US Government: You Don't Own Your Cloud Data So We Can Access It At Any Time - Sander_Marechal
http://yro.slashdot.org/story/12/11/02/1737219/us-government-you-dont-own-your-cloud-data-so-we-can-access-it-at-any-time
======
sologoub
What I don't really get here, is how is storing data in a cloud service any
different, from the legal perspective, from a safety deposit box at a bank or
a storage locker in a public storage location?

The paradigm seems very similar - I go to a service provider, pay them money
to give me certain amount of private space, put my stuff there, lock it with a
key and go on my merry way. When I want to get my stuff out, I go to the
location, unlock, get the stuff, re-lock and go.

US laws seem to have very strong protection against someone going and taking
my stuff from there. Even if the bank or the storage place go bankrupt, I'm
fairly sure no one is legally entitled to go through the stuff that is being
stored.

Further, if one of the bank's or storage place customers happens to store
something illegal, law enforcement typically needs a warrant to seize it.
However, in no way are they entitled to take or destroy property of others,
not relating to the warrant.

The ONLY meaningful difference seems to be that they can't easily just access
the "storage box" associated with the warrant, and servers are much more
portable, so they feel entitled to just take the entire thing. I guess that if
your bank had no way of opening the lockbox, law enforcement might feel
entitled to take the entire vault...

~~~
nikcub
Because with most websites when you agree to the terms and conditions you also
agree to hand over all rights to that content to the service provider.

That means that the US government only needs the approval of the service
provider (via warrant or subpoena) or no approval when they seize that
provider.

~~~
ams6110
Most websites function as content distributors, so for them to be able to
serve your content to anyone who asks for it, you need to give them the legal
right to do so.

The difference from the storage locker or safe deposit box example above is
that for those services, you hold the key. You are not putting your stuff in
those places so that any passerby can rummage through it.

Websites/services that provide more limited distribution services, e.g.
dropbox, or anything where you need to grant permission to individuals, are a
bit closer but still not really the same as the safe deposit box example. You
should be sure that the rights you are granting by agreeing to the terms of
service are more limited.

For cloud storage where you _really_ want to limit access to the content to
yourself only, you need to be sure that not even the provider can access it.
I.e. encrypt it before it leaves your machine.

~~~
sologoub
Good point. There are services that specifically provide for encryption and
import, requiring a private key that only the user of the info has. Of course,
the encryption can be cracked with time.

However, my main concern is not so much with no one reading the data, but with data
being taken and not returned.

------
gbog
This resonates well: I just finished a first proto install of a local personal
cloud with a Raspberry and a USB drive. I've always been reluctant to put
my files in a 3rd party cloud except for backup. I have pics of my kid and
feel I have the duty to ensure these will still exist in 30 years, and in 30
years most likely none of Amazon or Apple or Google or Dropbox services will
be the same as they are now, if they are not simply discontinued.

I live and work in China, and often advocate the same lines to my colleagues,
most of whom are trusting Apple with all their files. They don't see the
danger, but even if you leave politics aside, moral values and taboos change
much faster than we think. For instance, the "loli" thing in China is not
taken as seriously (litote) as it is in the West, and many pics/drawings that
would send you to jail in US are deemed most innocent here. But in 20 years it
can be different.

The electronic devices I buy are my property, I have root access. I can
change the software running them.

My files belong to me and no-one else. I am responsible for them, if some are
lost it is my fault.

Etc.

~~~
notatoad
>"A local personal cloud"

You mean a server? I don't want to be one of those people who bitches about
using "cloud" as a buzzword, but there has to be some sort of limit.

~~~
nirvana
Well, if you get three-five small machines, put CouchBase on them, and maybe
even install the CBFS (couchbase filesystem) project, do you not have a
private cloud? Replication, failover, etc.

You certainly have a private cluster.

While "cloud" is associated with living in some datacenter somewhere, it is
not a precise technical term, and there's a lot of marketing towards
businesses to "build an enterprise cloud" (where it's a private cluster in a
datacenter or building owned by the business.)

You seem to imply that there's a minimum latency between your personal machine
and the "cloud" machines for the cloud term to apply. Or just that the servers
have to be owned by someone else?

I think the real meaning (or intended) for "cloud" is a cluster, or set of
services that are designed to run on clusters....a collection of machines that
provide services, as opposed to the specific meaning of "cluster" which is a
set of machines providing a _specific_ service.

~~~
notatoad
> You seem to imply that there's a minimum latency between your personal
> machine and the "cloud" machines for the cloud term to apply.

Not latency, abstraction. If I'm building a server out of parts and wiring it
up in my closet, that's a server. If somebody else wires up a server in their
closet and rents it out to me, that's a cloud. The cloud means not having to
think about things like hard drives failing, and keeping hot spares of
servers. So yes, that often means failover clusters but the real point of
cloud is that it doesn't matter whether it's a cluster or not - the physical
architecture is somebody else's problem.

~~~
switch007
> If somebody else wires up a server in their closet and rents it out to me,
> that's a cloud. The cloud means not having to think about things like hard
> drives failing, and keeping hot spares of servers.

Pre-cloud that was called "hosting" :P

~~~
notatoad
I'd say a VPS could nominally be called part of a cloud, but most serious
deployments, pre-cloud, were some sort of colo arrangement where if a hardware
part died you had to either drive up to the DC and go swap out for a new one,
or else call up the DC staff and ask them nicely to fix it for you. Your
hosting wasn't a black box.

~~~
switch007
I'm confused (and perhaps younger than you). It went like this: servers under
desk -> colo -> vps/cloud/everything as a service? There wasn't a huge
dedicated hosting market between colo and cloud?

------
mtgx
And yet they keep saying Europeans have nothing to worry about and they
shouldn't fear the Patriot Act if they keep their data on the servers of US
companies. Yeah, right.

~~~
omd
So are they claiming it applies to servers owned by US companies or servers
that are located in the US? For example as a European I'm hosted with Linode
at their datacenter in London. Not that it really matters, apparently they are
able to change the rules any time it suits them.

~~~
nitrogen
Dead comment by hastur:

 _hastur 18 minutes ago | link [dead]

US Govt can force a US-based company to hand over customer data from an
overseas data center.

So no, you're not safe in London.

[In fact, due to close cooperation of intelligence services of the five Anglo-
Saxon countries (Five Eyes), you're not safe in any of them if you want to do
anything that challenges the interests that US law enforcement and
intelligence protect. That includes any activity that would unsettle current
intellectual property and copyright regimes, strong political activism,
completely free speech, etc. If you're a web startup, that of course applies
to your users too.]_

Note to hastur: it looks like your snarky one-liners got your account auto-
banned, so now nobody can read your comments that are actually interesting.

~~~
hastur_immortal
I wasn't aware of that. Thank you for reposting.

And yeah, snarkiness seems to be my involuntary hallmark... ;)

~~~
mylittlepony
How much karma do I need to be able to read dead comments? Hellban is a pain,
valuable comments keep getting lost every day. I don't think this keeps trolls
away, this is definitely broken.

~~~
Groxx
Not sure if there's a karma limit, but there is an option in your profile /
settings: "showdead".

------
hastur_immortal
Of course, US Govt is not the biggest of our problems. Others include:

- Rogue (or just bored) employees of web companies accessing customer data
for fun or profit. (Happens much more often than you think, also in govt
agencies.)

- Internet criminals breaking into cloud accounts and stealing data.

- Companies using their knowledge of their customers against those customers
in disputes and legal challenges.

- Companies trying to extract the most financial value from customer data by
selling it to questionable outfits.

- Foreign intelligence services and outright criminal organizations getting
access (through 'hacking', bribery or threats) to any information hosted by
any web service and many government institutions.

[I mean, for Christ sakes, if a news publication (NoTW and other tabloids) can
buy some very private data of celebrities from UK police, how hard would it be
for an organization with bigger resources and no fear of legal retribution to
access any electronically stored data - especially by companies?]

* * *

And yet the trend in our merry startup world is to put everything in the
cloud. Try asking any web company for a self-hosted version of their service.

For instance, can I get an Evernote server software to roll my own Evernote
server? (Compiled and obfuscated, encapsulated in a VM appliance, I don't
care.) Even if I was willing to pay for it like for any other software? No.
Actually, Phil Libin was asked about it on the Triangulation show on TWiT. His
answer? (paraphrasing) "Well, um.. It would be hard, um... The real question
is: how do we make you trust us." Well, if that's your answer, you've already
lost me. I mean, go ahead, keep my recipes and random silly photos. But if you
expect me to trust you with my private documents or my schedule or anything of
any IP value from my work, then you have a much bigger problem than
communicating.

And so does your company, dear HN reader.

(Well, unless you're doing something frivolous, of course. If you're into the
next FartingApp™ or photo-sharing-with-a-twist website, then I guess you're
safe, for the most part.)

~~~
gsmaverick
I would counter that in fact the US Government is the biggest of the problems.
All of those other actors fall under the law and are much more likely to be
punished for their actions whereas the US Govt doesn't have to obey any laws
and constantly finds ways around the existing protections, National Security
Letters as just one example.

------
DanBC
Some elements of US seem determined to destroy any advantage that the US has
for some tech companies.

Some tiddly micro-nation will get some decent bandwidth, implement strict
privacy laws, and become Switzerland for data.

~~~
nirvana
It's balls, not bandwidth that are the concern.

Iceland and Switzerland are possibilities. As is Panama.

Right now, the US has managed to violate the privacy laws of almost every
country- famously Switzerland bank secrecy is no more.

But the decade of bullying other countries in the name of "terrorism" is not
making a lot of friends, and as the power structures in the world shift,
eventually someone will get the balls to stand up to the USA.

Panama _might_ be that country, because China is heavily invested in the
expansion of the Panama Canal. The canal is a massive proportion of the
country's economy, and much of the economy that isn't the canal is indirectly
boosted by the canal.

With China as a strategic partner, they may be willing to stand up to the USA.
Not now, not yet, but in 5 to 10 years.

Europe and the US are both in the middle of massive financial crises, which
will likely result in the destruction of both currencies, and a significant
amount of damage to Asia as well... but as a result, confiscatory tax policies
will go into effect and capital flight from these regions will accelerate. The
diminished demand will hurt Asia and South America, but increasingly
businesses will relocate to those regions.

~~~
lancewiggs
New Zealand will be an interesting possibility. The ongoing systematic
destruction of the case against Kim.com is creating some interesting
precedent.

------
mikehotel
From the Government filing: "Any ownership interest by Mr. Goodwin in that
data would be limited by at least two separate agreements: (1) the contract
between Carpathia and Megaupload regarding Megaupload’s use of Carpathia
servers; and, more specifically, (2) the written agreement between Megaupload
and Mr. Goodwin regarding use of Megaupload’s service. Those contracts not
only bind Mr. Goodwin’s use of Megaupload’s service and Carpathia’s servers,
they also likely limit any property interest he may have in the data stored on
Carpathia’s property. Thus, the Court should limit the breadth of the initial
hearing to whether Mr. Goodwin has a prima facie case, i.e. whether he retains
any ownership interest in copies of files which he uploaded pursuant to
agreements which may have severely limited any ownership rights."
<https://www.eff.org/sites/default/files/filenode/Govt_41(g)_filing.pdf>

~~~
mtgx
Isn't that like saying that if you put your car on somebody else's property,
he now owns the car? My analogy may not be perfect, but I'm sure there are
much better analogies out there that make what the Government is suggesting
illogical.

~~~
noahc
I think their argument is that you no longer maintain control of the object.

If you share a house with someone, and leave your drug paraphernalia in the
common area, if your housemate invites the police in and they see it there
they can use it in court and leverage that to search your room.

I disagree with their argument, but they are suggesting that the cloud
provider is your housemate and you gave up control when you uploaded it to
their common area.

------
Osmium
I continue to be disappointed the US doesn't have data protection laws (in the
style of the EU), because that addresses precisely this issue: you own your
data.

Furthermore, I continue to be irritated that non-EU companies don't comply
with these laws while still offering their services in the EU. You can't have
it both ways. The physical location of the server or the legal entity behind
it shouldn't matter: if you want to offer your services to a country, you
should have to abide by local laws.

It's issues like this that really emphasise just how young the Internet is, in
that the law still hasn't caught up. I find it sad that a lot of these issues
are being resolved "accidentally" (i.e. when it comes up in court and laws
that predate the digital world are used to set bad or misguided precedents)
rather than proactively, by trying to make new laws that take the nature of
the Internet into account. Surely that's what the EFF should be campaigning
for. Why not require, by law, all cloud providers to offer an API to let users
access, modify or delete any and all of their data?

~~~
rsync
I'll just leave this right here:

<http://www.rsync.net/resources/notices/canary.txt>

~~~
mseebach
_Notes:

This scheme is not infallible. Although signing the declaration makes it
impossible for a third party to produce arbitrary declarations, it does not
prevent them from using force to coerce rsync.net to produce false
declarations. The news clip in the signed message serves to demonstrate that
that update could not have been created prior to that date. It shows that a
series of these updates were not created in advance and posted on this page._

------
leke
Imagine if the government had private data in the cloud and somebody accessed
it. Do you think that person would be able to say in court, "The government
doesn't own its cloud data, so I accessed it."?

~~~
pi18n
Well, as much as I think their position on this is complete bullshit and a
slap in the face of freedom, they aren't committing crime to get at it, they
are either asking nicely or have some form of warrant. Presumably, one would
be committing a crime to get at theirs.

~~~
Osmium
But it could be argued if the entity "asking nicely" is the government, then
that counts as coercion. While not technically illegal, it could be an abuse
of power.

~~~
pi18n
Handing out data after requests is not an abuse of power, that's a failure of
the data storage facility to do a bare minimum attempt to protect their users'
rights. I say this because the actual abuse of power is secret Patriot Act
warrants. When the government wants data, they don't use some sort of Mafia-
style coercion, they just make it illegal to not give them the data.

------
patio11
How quickly we rediscover property rights in bits when they're _our_ bits, as
opposed to the RIAA's bits.

~~~
tisme
Privacy protection of the citizens and intellectual property protection have
precious little to do with each other. Storing your data in the cloud should
come with automatic extension of the rights that you'd normally have to data
stored on your own devices. Anything less will be a disaster, not just for the
citizens but also for all those that earn a living building cloud services. A
ruling like this has enormous implications that extend far beyond the piracy
debate.

The RIAA doesn't have any bits worth protecting in the same way that people's
private information warrants protection.

So artist 'x' is a citizen and their privacy (and hence their private data)
warrants protection just as much as any other citizen's privacy. Whether or not
the data they produce and release into mainstream culture (which is in the end
an affair between citizens) warrants economic protection is an entirely
different matter.

~~~
dllthomas
> The RIAA doesn't have any bits worth protecting in the same way that
> people's private information warrants protection.

It might well, but they're in HR.

------
lambada
Link to the actual article, rather than a slashdot summary:
<https://www.eff.org/deeplinks/2012/10/governments-attack-cloud-computing>
With a PDF of the Gov's filing here:
<https://www.eff.org/document/govt41gfiling>

------
grecy
A little while back the Australian government officially recommended
Australian businesses don't use the cloud for this very reason.

How long will it be before every country goes to extreme lengths to avoid the
American legal jungle?

------
furyg3
Is there anything currently in the "let me access my files from anywhere" (aka
Dropbox) space that supports private key encryption while maintaining some
level of convenience?

I'm happy to give up some features (collaboration, web access) for the peace
of mind that comes from random governments not being able to read my data
whenever they like...

Or do I have to roll my own?

~~~
nirvana
There's a technical problem with this. Dropbox syncs between multiple clients.
That means multiple clients can change a file. If the files are encrypted and
the service doesn't have the key, there's little the service can do about a
file that's (effectively) simultaneously changed on two machines, that then
try to sync.

You could zip up your files, encrypt them as strongly as you want and then
upload them to some server somewhere at any time (Say you get a hosting
account) and then nobody else but you has access to your password, and
presumably that would be a solution you seek-- but maybe not the same level of
convenience.

I think the convenience (depending on what you want) is intrinsic to the lack
of security.

~~~
Dylan16807
I don't understand what technical problem you are referring to. Dropbox
doesn't merge files. If two computers change it at the same time you get two
different files and you have to manually fix it. The only thing dropbox
_needs_ unencrypted is the set of files you make public.

~~~
Evbn
Browser based downloads of decrypted files.

~~~
Dylan16807
If you have to input a key it sounds more like browser-based access to private
files than 'public files'.
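
[Added example, not part of the thread and not Dropbox's code: a sketch of the point argued above, that a sync server holding only ciphertext can still detect simultaneous edits and keep both copies, as Dylan16807 describes. `BlindStore`, `seal`, `unseal` and the file names are hypothetical, and the HMAC-based cipher is a standard-library stand-in for a vetted AEAD.]

```python
import hashlib
import hmac
import os

# Toy encrypt-then-MAC cipher built from HMAC-SHA256 so the example runs with
# the standard library only. It stands in for a vetted AEAD such as AES-GCM.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Client side: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Client side: verify the tag first, then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("blob was modified or the key is wrong")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

class BlindStore:
    """Hypothetical sync server: holds names and opaque blobs, never the key.
    File names stay visible to it in this sketch; only contents are hidden."""

    def __init__(self):
        self.files = {}

    def head(self, name):
        """Version id of the stored blob: a hash of the ciphertext."""
        blob = self.files.get(name)
        return hashlib.sha256(blob).hexdigest() if blob is not None else None

    def put(self, name, blob, parent):
        """Accept the upload if it was based on the current version;
        otherwise keep both blobs and return the conflicted copy's name."""
        if self.head(name) == parent:
            self.files[name] = blob
            return name
        digest = hashlib.sha256(blob).hexdigest()[:8]
        conflict = f"{name} (conflicted copy {digest})"
        self.files[conflict] = blob
        return conflict

def demo():
    key = os.urandom(32)  # created on the client, shared between the user's machines
    store = BlindStore()
    store.put("notes.txt", seal(key, b"shared draft"), parent=None)
    base = store.head("notes.txt")  # both laptops synced to this version
    # Constructed scenario: both laptops edit offline, then upload.
    name_a = store.put("notes.txt", seal(key, b"edit from laptop A"), parent=base)
    name_b = store.put("notes.txt", seal(key, b"edit from laptop B"), parent=base)
    plaintexts = {n: unseal(key, b) for n, b in store.files.items()}
    leaked = any(b"laptop" in blob for blob in store.files.values())
    return name_a, name_b, plaintexts, leaked

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The server resolves the race by comparing ciphertext hashes only; merging the two edits is left to a client that holds the key.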

------
pi18n
My opinion is that if you put anything sensitive into the cloud without
encrypting it, you are not doing it right. If you don't want the government
reading whatever it is, why on Earth would you trust the cloud providers?

~~~
teilo
Data security and data ownership are not the same thing. In many of these
users' cases, it's not about the Government reading their data. It's about
getting their data back. It is property that the Government has stolen, that
the individuals can no longer use or access.

~~~
pi18n
Good counterpoint. There are plenty of horror stories about this exact thing,
and it is totally different.

------
SODaniel
Like beating a dead horse: Client side encryption key creation and encryption!

Zero knowledge is the answer. We need to become accustomed to securing our
data BEFORE we make it 'cloud available'.

------
azernik
Meta-point - I much prefer links to original content e.g. the EFF statement
over links to the Slashdot (or other link aggregator/discussion forum)
discussion thread.

------
tsahyt
For me, personally this isn't much of a problem, since I've got exactly no
data at all hosted on cloud services. All the data I want to use on the go, as
well as from home, I host on my own server. Therefore the data is, as far as I
know, my property.

However, anybody running a business on customer data might want to think about
the implications of this. The real question is where to put the servers. The
EU isn't much better about this than the US (since they've spent most of the
last few years with their heads up in America's bottom anyway).

------
rayiner
What "property rights" do you have in data files in the first place?

~~~
16s
_"Copyright is a legal concept, enacted by most governments, giving the
creator of an original work exclusive rights to it."_ -
Source: <http://en.wikipedia.org/wiki/Copyright>

One might argue that my words in a document are not property, however they are
often referred to as _intellectual property_ (refers to creations of the
mind for which exclusive rights are recognized in law). They are mine and I
hold the exclusive rights to them. I want them back. What right does a
government have to take them from me?

~~~
Evbn
Copyright is totally different, and refers to publishing, not seizing.

------
jaimefjorge
I wonder what this means for services like github?

------
smogzer
It should be quite the contrary. The government (that represents the public)
data should be open, like in a stream, where anybody can see what's "flowing",
gov emails should be shouted to the stream. Then the public or some algorithm
should analyse the stream to maximize global happiness, resources, prosperity.

~~~
carbocation
The article is talking about private data, e.g., your company's strategic
documents that get backed up to a cloud service, that the government now wants
to say is not owned by the company because it is on the cloud. What access
rights should look like with regards to government produced data is an
entirely different topic... though perhaps not entirely unrelated, if cloud
data does become government data.

------
cientifico
Nice !!! So all the films are free as no one owns the data. That means that
films on the cloud, have no owner, and no one responsible. So if I host a film in
a server in amazon, I can also say that I am not the owner.

~~~
IceyEC
Or that, by agreeing to license their films for distribution to Netflix, every
film company involved has agreed that they no longer retain ownership of those
very files anymore?

------
tsotha
Seems like a problem tailor made for encryption.

------
known
Petition to Obama Administration <http://wh.gov/bl2>

------
peterknego
Hmm, does this apply if I use a leased server in a leased space?

------
nirvana
Hear me now, believe me later: If you keep your customer data on your servers,
it behooves you to host your servers outside the USA.

If you do this now, while you're a startup, you'll have a lot less hassle in
the future when you're losing customers because of jurisdictional problems.

Right now, people are only barely aware of the growing surveillance state in
the USA. They're all aware of it, of course, but they think that only
terrorists have to worry. In the last couple years, increasingly the
government has gone after regular people, like hip hop blog authors, and
people using megaupload to avoid email's file size limits.

I'm sure for many of you, you don't care cause you're hosting cat pictures or
whatnot. But if you've got customer confidential data, especially financial
data, it would be a good idea to find a jurisdiction that still respects
privacy.

I'm not a lawyer and this isn't legal advice, but my casual explorations
indicate that Iceland might be a good jurisdiction.

~~~
greenyoda
Weren't Megaupload's servers outside the USA?

Edit: Many of their servers were located in the US.

~~~
bybjorn
Hosted in the US, according to this
www.billboard.biz/bbbiz/industry/legal-and-management/megaupload-s-pirated-content-hosted-on-u-1005937752.story

~~~
yuhong
And I think Megaupload is based in New Zealand.

~~~
uxp
Hong Kong, actually. Kim DotCom just resided in New Zealand

