
We're Fighting the Feds Over Your Email - jcabala
http://m.us.wsj.com/articles/brad-smith-were-fighting-the-feds-over-your-email-1406674616
======
pessimizer
Here's a link that will work:
[http://news.google.com/news/url?sr=1&ct2=us%2F1_0_s_0_1_a&sa...](http://news.google.com/news/url?sr=1&ct2=us%2F1_0_s_0_1_a&sa=t&usg=AFQjCNGHmh4nS7zyq9kBFT7pBItMbiUSyg&cid=52778571064969&url=http%3A%2F%2Fonline.wsj.com%2Farticles%2Fbrad-smith-were-fighting-the-feds-over-your-email-1406674616%3Fmod%3D_newsreel_4&ei=USvZU4mRMeOswQHtjoCYCQ&rt=SECTION&vm=STANDARD&bvm=section&did=-3008745151690388525&sid=-1639847235772389775)

~~~
CamperBob2
No good here, article is still paywalled. Why does Google even bother indexing
the WSJ?

------
panarky
Relevant excerpts:

Microsoft believes you own emails stored in the cloud, and that they have the
same privacy protection as paper letters sent by mail...

The U.S. government can obtain emails only subject to the full legal
protections of the Constitution's Fourth Amendment...

A search warrant cannot reach beyond U.S. shores...

[The US government] argues that your emails _become the business records of a
cloud provider_. Because business records have a lower level of legal
protection, the government claims that it can use its broader authority to
reach emails stored anywhere in the world.

~~~
lisper
> your emails become the business records of a cloud provider

That is simply ridiculous. Email stored by a cloud provider isn't a business
record of the provider any more than the contents of a physical letter stored
in a rented mail box is a business record of the box provider.

~~~
rayiner
A physical letter in a rented mailbox is also generally not data-mined for the
commercial purposes of the service provider.

I think cloud companies essentially want the 4th amendment benefits of
treating the cloud like real world private areas (e.g. bank lock boxes),
without any of the obligations that come along with that.

The "reasonable expectation of privacy" in things like safe deposit boxes or
storage units is based on the actual fact that service providers generally do
not and cannot access the contents of those rented spaces. To apply that same
reasoning to data stored in the cloud, we have to indulge in the fiction that
various bots and sysops cannot in fact access that data, and do not routinely
do so.

That said, I think the cloud folks are ultimately going to win, on the basis
of Riley v. California (which is noted in Brad Smith's op-ed). I think Riley
is technologically ignorant in glossing over technical distinctions between
local and cloud storage that are relevant to privacy, but it all but says the
cloud is protected under the 4th amendment. I don't know what's left to fight
over.

~~~
pappyo
>they want the 4th amendment benefits of treating the cloud like real world
private areas (e.g. bank lock boxes), without any of the obligations that come
along with that.

and...

>That said, I think they're ultimately going to win.

_Warning: Total Conspiracy Theory Ahead_

Could this be an end-around by Microsoft to eliminate one of Google's main
revenue streams? Follow me for a second.

1\. Let's assume Microsoft wins this court case. By doing so, e-mails will be
afforded the same protection, under the law, as physical letters.

2\. A Microsoft backed plaintiff sues Google for data-mining her email's
content, arguing under the same 4th Amendment ruling.

3\. After years of legal procedures and court battles, Google (and all other
e-mail providers) are forced to throw away their master keys. Essentially all
email is blind to the providers.

4\. Google loses one of their larger revenue streams.

Everyone loves a good conspiracy theory, so indulge me for the moment. Why
would this not work (And for the record, I'm sure it wouldn't. But I would
honestly like to know why.)?

~~~
ncallaway
I think it goes off the rails in step 2. Private organizations are not bound
by the 4th amendment. For the most part, the constitution defines the powers
and limitations of the federal government (and to some extent the state
governments). The government is the entity bound by the 4th amendment, not
private companies.

I think a more likely scenario is that we end up with a court ruling that says
something along the lines of: "In order to preserve the customer's 4th
amendment rights, the company hosting the e-mail mustn't be using it for
business purposes." So, Google wouldn't be able to simultaneously mine your
e-mails _and_ guarantee that your e-mails are protected under the 4th
amendment.

~~~
pappyo
>I think it goes off the rails in step 2.

This went off the rails well before I started to write it. But let me push
back on your thoughts.

If I am understanding Microsoft's argument correctly for this court case, they
are trying to equate e-mails to letters. And, by extension, equate themselves
to UPS/USPS/FedEx whathaveyou. E-mails are private correspondence, just like
letters in the post. And please, correct me if I'm wrong in this assessment.

It is also a felony in the US to open someone's mail. So wouldn't that same
protection exist in email? Which would mean nobody can look at an email
correspondence unless they were either the sender or receiver of said email.

~~~
ncallaway
The fourth amendment doesn't protect you from other people reading your post.
It probably _does_ protect you from the government reading your post (though,
apparently not protect you from the NSA logging all your mail[1]).

It is a crime for other people to read your mail, though that protection comes
from the legislative branch, not the constitution. Specifically, Title 18,
Part I, Chapter 83, § 1702 [2]. If you could convince a judge that § 1702
applied to e-mail, you might be able to ruin Google's day. It'd be a very
different legal argument than the fourth amendment legal claim. Whatever comes
from Microsoft's legal arguments about the 4th amendment won't have a bearing
on this line of argument.

I still think the best avenue for a conspiracy theory motive for Microsoft is
to get a ruling that says "if the e-mail provider examines the communication
for any purposes other than facilitating mail delivery, then the communication
loses its 4A protections." That would allow other competitors to advertise
strong 4A protections, and force Google to choose between that sweet, sweet
personal data or also advertising 4A protections.

[1] [http://www.nytimes.com/2013/07/04/us/monitoring-of-snail-mai...](http://www.nytimes.com/2013/07/04/us/monitoring-of-snail-mail.html?pagewanted=all)

[2]
[http://www.law.cornell.edu/uscode/text/18/1702](http://www.law.cornell.edu/uscode/text/18/1702)

------
diafygi
So where is the line on the government's position?

If you use AWS, is all the data (S3, EC2 filesystems, RDS data+backups, etc.)
now a business record of Amazon?

What about renting dedicated servers at your local datacenter? You're
basically renting bare hardware at that point, but the hard drives are still
technically owned by the datacenter. Is the data on those hard drives business
records of the datacenter?

Not being able to separate the owner of the hardware and the owner of the data on
the hardware seems like it would have a ton of modern consequences.

EDIT: Here's a fun thought experiment. Say I bought a license to analyze some
music dataset from a record label. That license requires that I can't share the
music data with anyone. When I upload the dataset to S3 to run my Elastic Map
Reduce script on it, did I just violate my license because that data is now a
business record of Amazon?

------
waqf
Non-paywalled version: [http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2...](http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-592311/)

~~~
thinkling
That link didn't get me to the full text of the article, but searching for the
headline on Google gets me through.

~~~
SchizoDuckie
_FUCKING_ annoying.

Apparently they check the referer header.

Mandatory link for lazy people:

[https://www.google.com/?q=We%27re+Fighting+the+Feds+Over+You...](https://www.google.com/?q=We%27re+Fighting+the+Feds+Over+Your+Email)

(forget about "I'm feeling lucky", that doesn't work, hit search.)

~~~
FBT
Alternative link for lazy people, which gets you directly to the article's
content:

[https://archive.today/8NKco](https://archive.today/8NKco)

------
al2o3cr
"Microsoft believes you own emails stored in the cloud, and that they have the
same privacy protection as paper letters sent by mail"

Clarification: Microsoft _now_ believes this (or claims to). They had no
problem handing PRISM the keys to the kingdom while it was still secret.

[http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-c...](http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data)

~~~
spectre256
While it's understandable to feel down about the fact that Microsoft used to
feel it was ok to hand over emails, there's a more positive way to look at it:
this article is strong evidence that the public opinion regarding online
privacy has changed such that, were Microsoft to give up these emails, its
own business would suffer negatively.

It's not a signal of the end of our battle for privacy, but it's something.

------
higherpurpose
If Microsoft was serious about this, they'd also offer end-to-end encryption
for their e-mails (open source protocol, otherwise they shouldn't bother).

But because they aren't doing this, it just shows they are more concerned
about not losing business overseas than "fighting for your e-mail".

~~~
TheCraiggers
I'm no longer sure that is enough. Considering what happened to Lavabit, just
offering end-to-end encryption is only going to work until the government
decides they want what you have hidden. I doubt that Microsoft will put up as
much of a fight, or take the high road out, like the Lavabit founder did.

Fighting them on the legal front to stop such practices from starting may well
be the best option right now. Even though Microsoft may be doing this for
business reasons, it'll still help everyone.

~~~
Kalium
If memory serves, the feds had probable cause and a warrant when they went
after Lavabit. Lavabit tried to fight it. Lavabit lost. So they shut down
instead and tried to spin it as the feds shutting them down.

~~~
TheCraiggers
They did indeed have a warrant for the info. The problem was how they chose to
pursue obtaining the info- that is, installing a MitM black box that could
read _all_ customer email going through it, not just the citizen for whom they
had the warrant. I'm not sure if they promised or not to only snoop on that
one individual, but even if they did you would have no way of knowing if
they're telling the truth or not. From what I read, he wasn't necessarily
trying to protect Snowden, but protect the rest of his userbase.

~~~
Kalium
What other options were there? There was only one SSL key. Once you can MitM
one user in that scenario, you can MitM them all.

To my understanding Lavabit didn't have a system in place for separating out
one user like that, and the feds would likely have been disinclined to wait
for the development of one.

So perhaps we should take this as a lesson in designing systems to be as
secure as possible even with legitimate warrants rather than as a sign of
warrants being abused.

~~~
TheCraiggers
My understanding was that he offered them his programming services to create a
method to do exactly what they wanted- pull the email info out for just one
user. True, he was going to charge them for it, but it was only $2000. A
laughably small sum for the people he was dealing with. Supposedly, they
denied this offer because they couldn't control it. From my perspective, $2k
and a couple day wait is a paltry sum to pay to not trample over the
constitution.

According to Wikipedia, just one month prior, Lavabit had complied with a
search order for one user suspected of child pornography. I'm not exactly sure
what the difference was between these two cases, but it does show he had at
least some capability to do what they asked.

I do agree that "one SSL key to rule them all" is perhaps not the best
practice. That said, the design of the system doesn't matter as much to me.
Reality is that the system was designed in the way it was, and when offered
two methods of getting their data, the feds decided to take the wrong one. (In
my opinion.)

~~~
Kalium
It wouldn't surprise me if the feds are sharply limited in what they can pay
for warrant-wise. There's a good chance they simply didn't legally have the
option of waiting and paying $2k. Understandably, the government does not want
"I have a warrant" to become the sound of a cash cow begging to be milked.

If I were to guess, I would say control is actually a huge issue. If it's
their equipment and software that's certified for this use, it probably
satisfied chain of custody and certification requirements. If it's someone
else's, who knows? It's almost certainly not certified and so it might not
stand up in court at all. Certification is a big deal in the government and a
court is likely to be skeptical about the use of an unproven and uncertified
magic software black box in executing a warrant.

So what it comes down to is that the feds may not have actually had a choice
of how they got that data.

~~~
TheCraiggers
Excellent points, which I didn't think of.

However, I'll ask you this: is it constitutionally agreeable to trample the
rights of others for the sake of gathering evidence? I would say no. Just like
how I would say searching all personal mail coming from a certain zip code
because you know of someone sending secrets would be, in my viewpoint, wrong.
I can chalk up the initial issue of a warrant to the judge not understanding
technology, but as soon as it was explained in a courtroom how it was tied
together, he should have told the feds to seek evidence elsewhere.

~~~
Kalium
Thank you.

I think it's about collecting evidence in the least invasive way possible. To
me, the priority is limiting damage while still allowing law enforcement to
function. One of the key privacy advantages of how LE access to phone
companies or gmail or similar is implemented is that it allows them to be granted
access to just the data in question and little more.

What really becomes a problem is when the evidence in question is only
available from one source and there's no way to do it that doesn't run the
risk of what I'm going to term information bycatch. At that point there are
really only two viable options - allow the collection with bycatch or disallow
the collection due to bycatch.

The first is a significant privacy risk. That said, it's also not a new one.
As long as people have kept records or written letters, a search has run the
risk of exposing the private information of other unrelated people. Certainly,
the same concern applies to tapping phone calls, and that's permitted by
courts.

The second runs the risk of hobbling law enforcement entirely. Without perfect
knowledge of what a given document, packet, phone call, etc. might contain,
it's impossible to say that a search will or will not invade the privacy of
another person in addition to the subject.

My understanding is that a warrant is for information or items because it's
known and understood that information bycatch isn't always avoidable. This is
considered unfortunate but unavoidable, as there cannot always be assumed to
be other and better options.

I think this goes back to my earlier point about design. If a system isn't
designed to contain any breach, then any breach - legal or otherwise - will be
uncontained. I think this is less a constitutional problem than it is a
technology one.

------
mkal_tsr
> The government seeks to sidestep these rules, asserting that emails you
> store in the cloud cease to belong exclusively to you. In court filings, it
> argues that your emails become the business records of a cloud provider.

So, how long until Dropbox contents are just a matter of business records?

~~~
tartuffe78
I would guess back when Dropbox passed 10,000 users

------
AJ007
It is a lose-lose case for the US. If they win the case, other countries say
sorry you can't do business here. We already have seen countries such as
Brazil and Russia make moves to requiring companies to securely store users'
data in country.

This makes a good argument for open source software development and decoupling
storage. Software-as-a-service may end up being Commodity-as-a-service.
Terrible for enterprises like Microsoft, Oracle, and IBM who want to be global
"cloud" providers.

------
ak217
This is the same Microsoft that ran ads against Google based on the claim that
unlike Google's ad algorithms, they don't look at your email, then turned
around and looked at a user's email when they found out that a Microsoft
employee sent confidential information to that account.
([http://www.techrepublic.com/article/microsoft-issues-mea-cul...](http://www.techrepublic.com/article/microsoft-issues-mea-culpa-in-wake-of-hotmail-email-probe-seeks-to-restore-customer-trust/)).

It's also the same Microsoft that was found to have provided the greatest aid
to the NSA in accommodating their mass wiretap requests (compared to Yahoo,
Google, and other webmail providers).

The irony is delicious.

To put it very mildly, I question Microsoft's integrity and wouldn't trust
them with my data. Want to showcase a hero who actually went to great lengths
to fight the feds over your email? Try Ladar Levison.

------
junto
I think Microsoft are right here and I'm glad that they are willing to take
this on. It is in their interests to show that their customers' email privacy
is afforded the same level of protection that normal mail does.

------
codazoda
Paywall? I'm out.

~~~
lisper
You might want to reconsider posting comments like that. You may think you're
making a principled stand against the evils of paywalls (aside: how do you
expect online publications to stay in business?) but in fact all you're doing
is advertising the fact that you're either too lazy or too stupid to take the
trivial steps required to get around one.

~~~
josefresco
"too lazy or too stupid to take the trivial steps required to get around one"

Or maybe he just doesn't want to? You know, on principle? Even skirting the
paywall, you're boosting the WSJ's viewership stats which in turn, helps them
sell more advertising/contributes to their "value".

~~~
lisper
> you're boosting the WSJ's viewership stats

That would be the case whether or not they had a paywall.

~~~
josefresco
Which is my point... maybe the parent commenter does not want to do this -
instead of being either lazy or stupid as suggested.

~~~
lisper
No, because he specifically said he was opting out because of the paywall, not
because it was the WSJ.

