
Court rules search warrant applies to US emails stored on foreign servers - marklyon
https://casetext.com/case/in-re-in-re-search-warrant-no-16-1061-m-to-google
======
nemoniac
As an EU citizen, I wonder how this conflicts with EU legislation. As I
understand it, if Google holds data in the EU, then EU law says that they may
not move the data outside the EU without the data owner's permission. Now the
USA insists that Google move data from (among other places) the EU to the USA
based on a USA warrant.

This could make gmail pretty much a non-starter for many uses in the EU and
may possibly even make it problematic for some email users to correspond with
a gmail address.

~~~
inkblot11
Data "ownership" is a somewhat complex issue. When Google, or any other data
broker offers some service in _exchange_ for the data, they are obtaining
their own data from the user. The idea of "ownership" in that case differs, as
the content and 'meaning' of the data is now no longer owned by the original
owner. In fact, the data itself has lost all or much of its value in
"ownership" or "privacy" by the user, and this is reflected in an economic
sense by the bulk pricing data brokers like Google, etc... offer through
various services for adverts, etc.

In terms of "moving data" by means of "ownership", Google and the other
companies, already state in their ToS that they can move the data between
locales at their whim. The servers, hardware and networks they utilize are
owned or rented by them. Paired with the ToS, and the simple fact that Google
offers these services in exchange to exploit their users' data as a currency,
Google is not concerned about the privacy aspects.

They are simply concerned about the _value_ of the data they are gathering.

~~~
BrandoElFollito
Legally speaking, in the EU, you can put whatever you want in your ToS but if
they conflict with EU law they are void.

Practically speaking, I agree with you.

------
JBReefer
This seems reasonable, they have a warrant and the judge seems to have
considered the case fully.

I don't get why so many people are advocating a world where the government
_can 't_ do this. Why should your email hosting provider have the ability to
make law enforcement decisions? Why should email be treated differently from
something like my bank account or diary? This seems like the optimal outcome.

~~~
avar
Let's say a Russian company opens up a chain of coffee shops in the US, has
surveillance cameras for theft prevention, keeps various records on its
customers etc.

Now the Russian government issues a warrant to demand data from the US
subsidiary. Do you think that US jurisdiction should have no say in the
matter?

If the Russians compelled their US subsidiary to hand over the data in
violation of US law, how long do you think they'd be allowed to operate in the
US?

The end result of this US overreach will be trade wars and the further rise of
national enclaves of the Internet. I'd argue that that's not in anyone's long
term interests, least alone the US's.

~~~
ocdtrekkie
On the contrary, I'd argue that it's in most users' interests for there to be
national enclaves of the Internet, for just this reason: Your data is within
the jurisdiction of the laws of your country. If this is clearly defined, you
do not have to worry about another country's laws, like Russia, affecting your
data.

It isn't in certain corporations' interests though, because the whole cloud
provider thing hinges on shoving everyone's data into a small number of
datacenters globally. I think this is an example of the quite common situation
where corporate interests and individual interests are not aligned.

~~~
oconnor663
For what it's worth, there are technical limitations to this idea. IP routing
makes basically no guarantees about what countries your data will travel
through on the way to where it's going. Crypto helps with this, but it can't
solve everything. (Sometimes all you want to know is that I visited a certain
website, for example, and it doesn't matter that you can't read my traffic.)

~~~
cryptarch
There are limitations _caused by the software configuration of most AS 's_.
Significant work is being done on novel approaches to IP routing with better
security, scalability and control guarantees by ETH Zurich, as part of the
SCION project. It's sponsored by the EU, Google, Swisscom, the NSF and a few
other entities.

Link: [http://www.scion-architecture.net/](http://www.scion-architecture.net/)

This is already "live" in the sense that it is implemented and there are 14
router nodes active, and it is meant to be incrementally deployed. I haven't
gotten around to hooking up a client myself, that will be an interesting
weekend project someday. Any interested ISP can set up their own node and join
this project.

Some cool things about SCION and its extensions:

* Isolation domains: can be used to enforce traffic to never leave a given routing sub-plane, for instance a country or a state

* SIBRA: volumetric DDoS mitigation and enablement of the creation of "dynamic interdomain leased lines"

* HORNET: high-speed onion routing

------
mjrider
tl;dr: Gmail(USA) required to provide data of persons in the USA, of
communications between people in the USA orded by a USA judge.

Sounds fine with me, even when Google has it hosted in some other country,
this seems to me a fine example of correct usage of the law and jurisdiction

~~~
simplicio
Yea, it seems like if they found the other way, every sizable corporation, or
really any sizable group, would host all their data in the Cayman Islandsor
wherever, making them more or less immune from US subpoenas. Which would be
bad for any attempt to hold them legally accountable (and, relevant to the HN
crowd, bad for Tech workers in the US as storage providers move their
facilities over-seas).

~~~
Sir_Substance
>bad for Tech workers in the US as storage providers move their facilities
over-seas

Great for the rest of the world's rights though!

------
mschuster91
So what MS, Apple and Google need to do is basically to set up a "hosting
provider" company in a country with strong data protection laws (Switzerland?
Iceland?) and delegate all their hosting operations to this company... that
could work to really prevent this sort of espionage via court, imho.

~~~
confounded
Or, those interested could just use a Swiss/Icelandic email provider.

I'm a fan of KolabNow (fully FOSS, green energy, no US presence, POWER8
servers).

~~~
nickpsecurity
"POWER8 servers"

Produced by NSA's original and longest running partner. :) Doesn't bother me
as KolabNow is just a storage and transport to me. I layer GPG-encrypted files
on top of it.

------
gettingreadyhn
these articles push me more and more to drop using gmail in favor of "self
hosted email". i really do not understand why we do not think and give it all
up for free to google (and compromise our personal security in the mean time).

~~~
stuckagain
If the feds want your "self hosted" emails they will break down your door,
shoot your dog, and take every computer-resembling object on the premises.

~~~
derefr
You could "self-host" on a cloud server in, say, China, or Russia, or Iran (if
they have any hosting services.)

I mean, the governments of those places _will_ probably snoop your emails, but
if their contents have nothing to do with _them_ , they won't care. And they
have no treaties with the US to force their hand to turn anything over.

Think of your server as Edward Snowden. What country should it hide in, so the
US can't legally get to it?

~~~
ThrustVectoring
>the governments of those places will probably snoop your emails

Uhm, how? Gmail supports Transport Layer Security (TLS), and >80% of their
emails to and from other providers do as well
([https://www.google.com/transparencyreport/saferemail/](https://www.google.com/transparencyreport/saferemail/)).
Reject non-TSL emails, give the server a public key and tell it to throw away
the email plaintext, and the only remaining threat vectors seem like "get
rubber hosed into disclosing your private key" and "server gets compromised,
causing future emails (but not past ones) to get exfiltrated".

~~~
stuckagain
SMTP TLS doesn't and can't validate the certs. It is trivial to MITM it.

------
doodlebugging
I wonder if it would be legal/practical for the email hosting company, Google
in this case, to provide the data satisfying the subpoena in the form of a
word cloud. Once the law enforcement party has that information in hand they
can search the word cloud for interesting words and potential phrases and make
a secondary request for the email provider to surrender all occurrences of the
suspicious words and phrases in order to establish the context of their use in
the subpoenaed communications.

This would provide an enhanced degree of privacy to the user since there would
not be a bulk surrender of every conversation they've had during the time
period covered by the subpoena. I have a hard time seeing why it is important
for the government to grab everything when their target is well known to them
and the medium they are searching is likely to be text-based and therefore all
targeted communications are easily separable at the email provider end.

~~~
dmix
This didn't work for lavabit who tried to print out the requested data on
paper and it won't work for Google.

------
dmix
Personally, while it's sad this didn't work from a privacy perspective we
really shouldn't be betting such important moral concepts such as privacy on
minor legal technicalities.

That's a losing battle even before you start.

As long as the warrant is specific and limited I also don't really see this as
a problem.

The bigger and real fight is with NSLs and FISA courts.

------
fankhawk
Ask any divorce attorney what happens if you refuse to turn over assets in a
foreign account.

The judge may not have jurisdiction over property in another country, but she
does have the power to toss you in jail for contempt.

------
officelineback
Can someone explain why Microsoft doesn't have to but Google does?

~~~
stuckagain
This decision is basically saying that the Microsoft decision was wrong,
setting up the possibility of resolution by the Supreme Court.

~~~
officelineback
So two different Districts, basically?

------
bheesham
Instead of self-hosting your email, why not just delete them after you're done
reading them?

~~~
wyager
As I recall, google is required to keep certain records of emails for years
(someone please correct me if I'm wrong here, this came up in conversation
with some people working on gmail so I may mis-remember). So even if you
delete your email, it might be sitting in a tape archive somewhere until
google can (legally) get rid of it.

~~~
Spooky23
That means you're under active investigation and there's already a subpoena or
warrant in place.

If you don't want somebody reading your steamy emails or social media postings
in the future, you have options... don't create them, delete, or store on
physical media in your home.

~~~
wyager
This sounds awfully close to "don't worry if you have nothing to hide". How
about this; I'll create whatever steamy emails I feel like, and I'll use
services that preserve my privacy while I do it.

~~~
Spooky23
No, it is more "manage risk".

If you are a cop, teacher, etc where your employer will demand to inspect your
social media, you need to act appropriately.

If you are generally concerned about privacy -- US Mail.

~~~
wyager
> where your employer will demand to inspect your social media, you need to
> act appropriately.

"Acting appropriately" in that case involves telling your employer to mind
their own damned business.

------
ommunist
Hmm, time to move to Fastmail completely.

~~~
xachen
... Who are colo'd in New York City.

~~~
ommunist
and at Switch Datacenters in the Netherlands. I am EU customer. And its aussie
company.

