
Digital security and due process: A new legal framework for the cloud era - Ajedi32
https://blog.google/topics/public-policy/digital-security-and-due-process-new-legal-framework-cloud-era/
======
dmitrygr
I truly do not understand why anyone would want to "help" the LEOs of today.
They are the enforcement arm of the ruling class seeking to take away whatever
privacy we have left. It truly saddens me that Google is volunteering to help
turn over data to them, for free, without a fight.

The current system is slow and inefficient, and that is _wonderful_. Think
about it. Police could always legally follow you - it only became a problem
for privacy when CCTV and hidden GPS trackers made it easy to "follow"
everyone at once, cheaply and efficiently. Much like password hashing
algorithms, some systems only work well if they are kept slow and inefficient
on purpose, to rate-limit their use. This causes each use to be reviewed and
considered carefully. I feel like turning over user data to anyone should be
one of these processes.

Let them get warrants signed in triplicate, convince ten judges, file
thousands of pages of papers, find out they lack jurisdiction, convince more
judges, etc... Only then is there a chance that they will not go on a fishing
expedition for everyone's data all at once.

Always remember these words of Richelieu: "If one would give me six lines
written by the hand of the most honest man, I would find something in them to
have him hanged." You may be an honest man (/woman/child/etc), but your
government is always on its way to becoming Richelieu.

~~~
CPAhem
There is also the issue of parallel construction - basically using evidence
gathered illegally to build a case, and then not submitting that evidence
during the case, or using it for a plea-bargain.

As Snowden said, good encryption is a partial defense against this. VeraCrypt
[http://veracrypt.org](http://veracrypt.org) works nicely with Dropbox, while
SyncDocs [https://syncdocs.com](https://syncdocs.com) encrypts Google Drive.

Richelieu would have had a ridiculously easier time if he could select any six
lines from everything an honest man had ever written. Using encryption to make
this harder could be wise.

~~~
catdog
Encryption can't save you entirely; there is still a ton of metadata being
produced, which is most of the time at least as interesting as the content [1].
Avoid the cloud and decentralize as much as possible. As a bonus, decentralizing
helps to avoid oligopolies and monopolies.

Big, purely money-driven corporations will follow the path of least
resistance, so it's no surprise that they automate LE requests away in the long
run. As most of the "internet giants" essentially make money by spying on
their users, they have the basic infrastructure in place already.

[1] 'We kill people based on metadata', some former CIA/NSA director once
admitted.

------
rrggrr
The proposed framework is self-serving, flawed and behind the state of the art.
I say this as someone who really loves Google's products and uses them heavily.
To summarize: US citizens, as a right, have and must continue to have their due
process rights adjudicated by US Courts in accordance with the Constitution.

1. Requests under Mutual Legal Assistance Treaties (MLATs) take a long time
because the Courts don't move quickly. If Google, or a requesting country,
finds the US judicial process too slow, welcome to reality. Lobby for more
Court resources, advocate for decriminalization of minor offenses, etc., etc.

2. Assertions of extraterritorial jurisdiction (EJT) are a business risk,
just like customs regulations, tariffs and privacy regulations. If Google
finds them inconvenient, then adjust the business model.

3. "We are also seeing various proposals to require companies to store data
within local borders as a means to gain easier access. There are a host of
problems with this: small, one-off data centers are easier targets for
attackers and jeopardize data security and privacy. Further, requiring
businesses to build these data-centers will raise the costs for cloud
services, erecting significant barriers for smaller companies."

...Not credible, at all. Smaller companies don't build data centers. Data
flows like currency to centers where the trade-offs among speed, security, cost,
privacy and other considerations are optimal. The market can resolve these
issues on its own in response to host country data privacy and criminal law.

4. And, finally, assurances of adherence to baseline due process, human
rights, and privacy standards are largely meaningless to anyone paying
attention to the rampant corporate and political espionage states routinely
and sometimes/often appropriately engage in. The last thing US businesses need
is the long arm of foreign governments' attitudes toward encryption, by way of
example, reaching into their data.

Again, I believe Google's contributions across all its offerings and policies
are a big net positive. Their position on this issue is horribly misguided in
my opinion.

------
wcarron
I don't see this as a good thing. I would say that I declare (my admittedly
insignificant) vote of no confidence in both any government and in
corporations. When I look at the legislation passed in my lifetime, it's
enraging. Laws are passed specifically to entrench a surveillance based police
state.

While it does appear that some legislation is outdated, I would rather it
stay, since I can only foresee it being replaced with a bill pork-barreled to
the point of bursting with surveillance measures and anti-consumer,
anti-encryption, anti-privacy clauses. The governments of today are cartels,
plain and simple. Enhanced cooperation between thugs with lots of money is not
exactly comforting.

The Alliance of Conservative Dinosaurs (read: the GOP) seems dead set on
rescinding my liberties. I'd rather they be frustrated by antiquated
legislation than surrender more freedoms under the false flag of security.

------
kijin
I don't know what definition of "countries that honor baseline principles of
privacy, human rights, and due process" they're using, but if they want to put
the United States on that list, the bar must be pretty low.

On the other hand, this is going to be hilarious...

Germany: Hey America, can I get some data on this guy?

America: No problem!

(A few months later)

America: Hey Germany, can I get some data on that guy?

Germany: Uhh, you're not a country that honors baseline privacy, human rights,
and due process.

~~~
killjoywashere
> countries that honor baseline principles of privacy, human rights, and due
> process

I actually thought that was the most interesting clause in the whole thing.
This would basically give corporations a way to make rulings on the behavior
of nations, truly an ambitious move.

~~~
duncan_bayne
> This would basically give corporations a way to make rulings on the behavior
> of nations, truly an ambitious move.

They have that option now, by choosing where they do business. Evidence
suggests that they don't care.

------
heheocoenev
How about end-to-end encryption in your products to protect your users from
governments, both good and bad? Can't disclose what you can't see.

~~~
saurik
For Google Maps, they refuse to even store local search history or use the
local Address Book API to get your home address: to get either of these basic
features you have to sign in with your Google Account, and to get the former
feature you have to turn on saved search history _for your entire Google
account including normal web searches_, and I imagine for the latter to work
you need to turn on location tracking. Google _acts maliciously_ with respect
to obtaining personal data and clearly is never going to implement end-to-end
encryption as it fundamentally undermines their mission of "organizing the
world's information": they can't organize what they can't see.

------
mr_spothawk
> Law enforcement requests for digital evidence should be based on the
> location and nationality of users, not the location of data.

Prepare to answer "What is your nationality?" more frequently in signup forms.

~~~
DonbunEf7
As a simple answer, perhaps stop having signup forms!

------
awinter-py
> Today, we’re proposing a new framework that allows countries that commit to
> baseline privacy, human rights, and due process principles to gather
> evidence more quickly and efficiently.

One interpretation of this is that G will no longer play nice with countries
which operate unsanctioned warrantless surveillance (ahem, America) and which
ban encryption (ahem, England) and free speech (Europe, depending on your view
on RTBF).

If this is a threat it's a subtle one and the end game is a bigger say in the
regulatory process.

------
Ajedi32
Here's the actual whitepaper, which goes into more detail of exactly what
Google is proposing here:
[https://blog.google/documents/2/CrossBorderLawEnforcementReq...](https://blog.google/documents/2/CrossBorderLawEnforcementRequestsWhitePaper_2.pdf)

------
joefkelley
The point about requirements to physically store data in a country seems
especially silly.

Instead of "if you operate in our country, you have to store that data in our
country", why wouldn't it be "if you operate in our country, you must agree to
give us all access to that data as if it were physically in our country".

It would be the exact same in practice (minus network latency) but without the
security concerns and business barriers brought up in the blog post.

~~~
e12e
I don't know. Say medical journals: in case of a war where fiber cables are
cut, it'd be nice to still know how to treat people.

Consider that in the 80s, Iraq would've been considered a US ally - how might
storing most of its financial and municipal data in US datacenters have affected
the later invasions?

We like to think about the current "post-globalisation" world as a peaceful
one - but it's only true until it isn't. And there are still areas where
national interests remain important.

