
On Confirmed Assumptions or, Not Trusting Google is a Good Idea - __hudson__
http://anarchism.is/
======
tptacek
_How, in short, is this shit valid under the U.S. Bill of Rights? I’d really
like someone to explain that to me. With a straight face. Preferably without
making me want to punch them in the process._

Well, he's going to want to punch me, but here's what I think(?) the answer
is:

(a) He's not a US person, but instead a well-known citizen of Iceland, living
abroad, and is thus not protected by the Fourth Amendment, at least to the
extent that anything in the Fourth Amendment conflicts with any interest of
the US.

(b) He's a person of interest in the investigation of one of the most
significant leaks of national security information in US history.

~~~
ef4
The legal theory that the bill of rights only applies to US citizens is
dangerous and wrong.

It applies to _actions_ of the United States government. It is a list of
things they may not do.

~~~
rgbrenner
No, tptacek is right... if you are a foreigner living abroad, the bill of
rights does not apply to you:

 _In 1957, the court changed its position, overturning decades of precedent to
declare that American citizens are in fact protected against U.S. government
misbehavior by the Bill of Rights even outside the country. Unfortunately for
the rest of the world, the court limited its ruling to U.S. citizens.
Foreigners remained stuck with the old rule that the Bill of Rights doesn't
apply abroad._[0]

So US citizens are protected whether they are within US borders or abroad. And
foreigners are protected if they are within US borders... but once they leave,
it no longer applies.

[0]. [http://articles.latimes.com/2005/dec/16/opinion/oe-raustiala...](http://articles.latimes.com/2005/dec/16/opinion/oe-raustiala16)

~~~
ef4
I'm aware that the court has interpreted it that way. That doesn't make it any
less wrong.

    
    
        To consider the judges as the ultimate arbiters of all constitutional
        questions is a very dangerous doctrine indeed and one which would
        place us under the despotism of an oligarchy. - Thomas Jefferson, 1820
    

I will also note that the data in question was within the United States, where
all property, whether owned by foreigners or not, is protected from unlawful
search and seizure.

~~~
tptacek
What warrant did Jefferson serve on the Barbary Pirates?

~~~
eksith
This is misdirection and you know it. By that same token, if we were around at
the time, I could also point to the slaves.

The reckless interpretation of the U.S. bill of rights is already precariously
close to violating the Geneva Conventions (in many cases, it probably has
already been violated, e.g. Guantanamo Bay). The idea that you're somehow
exempt from what is commonly regarded as decent and fair treatment of another
human being based on a narrow (and arguable) technicality is appalling.

~~~
ubernostrum
Jefferson would have had each state be its own absolute arbiter of the
Constitution, and free to ignore the Constitution if the state felt like doing
so.

Ron Paul arguably holds the same views now (with his various attempts to make
state actions immune from federal judicial review).

For both of them, history furnishes examples of why -- even if we hold that
the Supreme Court and federal judicial review was a bad idea -- this is _also_
a bad idea.

------
digitalengineer
"Google is, however, allowed to tell me what account is involved, and I can do
whatever I want with the information Google gave me"

So Google was allowed, _not required_. Looks like they did the right thing by
at least telling OP what they were forced to do. Shouldn't the title be "Not
trusting your Government"?

~~~
dlss
It's both. If you are going to use a cloud service, you have to trust both the
provider and the government where they operate.

(With the exception of things like tarsnap).

~~~
cube13
>(With the exception of things like tarsnap).

The chain of trust still extends to them. You're trusting that they're
actually doing everything they say they're doing.

If you don't own the hardware and the building where the hardware is, you have
to trust that they're doing everything you want them to be doing.

~~~
jmillikin

      > The chain of trust still extends to them. You're
      > trusting that they're actually doing everything
      > they say they're doing.
    

Tarsnap performs encryption in the client, which is distributed only as source
code. If you audit the client sufficiently to believe it is properly
encrypting your data, then there is no need to trust the server or the hosting
provider.

~~~
sneak
You still have to trust them and their government when you use the service.
They (or their government) could delete or compel the deletion of the files,
have or cause outages, etc.

Also, all the crypto in the world doesn't keep a service from logging (ip,
timestamp) tuples each time you access them. You can do a lot with metadata.
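
The two points above (jmillikin's: with client-side encryption the server only ever holds ciphertext; sneak's: the service still records who connected and when) as one added example. This is illustrative code written for this thread, not Tarsnap's client or anything from the original post. The names (`BackupServer`, `EncryptArchive`, `AccessRecord`) and the sample archive contents are constructed, and the HMAC-SHA256 key derivation is a stand-in for a proper password KDF; AES-GCM is from the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"time"
)

// DeriveKey turns a passphrase into a 32-byte AES key on the client.
// HMAC-SHA256 is a stand-in for a real password KDF (scrypt, Argon2);
// the point is only that the key is made and kept on the client.
func DeriveKey(passphrase, salt string) []byte {
	mac := hmac.New(sha256.New, []byte(salt))
	mac.Write([]byte(passphrase))
	return mac.Sum(nil)
}

// EncryptArchive seals an archive with AES-256-GCM. The random nonce is
// prepended to the ciphertext so DecryptArchive can recover it.
func EncryptArchive(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptArchive reverses EncryptArchive; a wrong key fails authentication.
func DecryptArchive(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// AccessRecord is what the provider learns even though it cannot read the
// payload: who connected, when, and how much they sent.
type AccessRecord struct {
	ClientIP string
	At       time.Time
	Bytes    int
}

// BackupServer models the hosting side: an opaque blob store plus a log.
type BackupServer struct {
	Blobs map[string][]byte
	Log   []AccessRecord
}

func NewBackupServer() *BackupServer {
	return &BackupServer{Blobs: map[string][]byte{}}
}

// Store accepts an upload, keeps the blob untouched and logs the metadata.
func (s *BackupServer) Store(clientIP, name string, blob []byte, now time.Time) {
	s.Blobs[name] = append([]byte(nil), blob...)
	s.Log = append(s.Log, AccessRecord{ClientIP: clientIP, At: now, Bytes: len(blob)})
}

// UploadsPerIP is the kind of summary the metadata alone supports.
func (s *BackupServer) UploadsPerIP() map[string]int {
	counts := map[string]int{}
	for _, r := range s.Log {
		counts[r.ClientIP]++
	}
	return counts
}

func main() {
	key := DeriveKey("correct horse battery staple", "example-salt")
	// Constructed sample archive; the server never sees this text.
	blob, err := EncryptArchive(key, []byte("sample archive: tax-return-2013.pdf"))
	if err != nil {
		panic(err)
	}
	srv := NewBackupServer()
	srv.Store("203.0.113.7", "laptop-2013-06-21", blob, time.Now())
	fmt.Println("server log:", srv.Log) // metadata is visible; the blob is opaque
	back, err := DecryptArchive(key, srv.Blobs["laptop-2013-06-21"])
	fmt.Println("client recovers:", string(back), err)
}
```

The server side never receives a key, so auditing the client code is what establishes confidentiality of the payload; the `Log` slice is what the provider (or whoever compels it) still has, regardless of how good the encryption is.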

~~~
JoachimSchipper
> You can do a lot with metadata.

With GMail metadata, yes; with Tarsnap metadata, much less so.

------
gnosis
Google is spyware.

This has been obvious for a long time.

Most other "free" web services aren't much better.

It's sad that it's taken so long for people to start realizing and caring
about this, but better late than never.

~~~
kostya-kow
>Most other "free" web services aren't much better.

Most non-free web services are equally happy giving away your data to the
government. Apple, MS and all the other companies are no better than Google.

And Google is not the problem -- it is just a symptom. The problem is the
government that does not respect the rights of people.

~~~
gnosis
My use of the term "free" was not intended to imply that "non-free" web
services were any better.

I used the term to highlight that what most people consider "free" web
services actually have a price.

That price is usually your privacy.

~~~
spankalee
Free has nothing to do with it. Go ahead and pay for the same services, but
it'll do nothing to protect your data from a search warrant.

~~~
gnosis
Actually, it does have something to do with it.

When you don't pay for a service in money, the company providing that service
has to find some other way of generating money.

Often they do this by collecting and selling data about you.

Now, that doesn't mean that just because you paid for a service they won't do
the same thing. But they will have more incentive to protect their paying
customers than some service which considers you and your data the commodity.

~~~
jkrems
This has nothing to do with privacy and free services. Yes, that is a problem,
but it has no connection at all to this case. It's about emails and private
chats being given to the government without any limitations. It's about non-US
citizens having zero protection or due process when they use US-based cloud
services. That's a couple of degrees more severe than "Google is storing
personal details about you and may give them to the government". It basically
means that foreigners upload their data de-facto directly to NSA servers when
they use US cloud services.

~~~
embolism
You can't separate the two. The reason why foreigners are uploading their data
to the NSA when they use Google is because of the way Google makes its money
and engineers its services.

Compare this to Apple's iMessage or FaceTime - Apple cannot decrypt the
contents of the messages, and therefore cannot give the contents to the
government.

They designed the service this way because their users pay for the service as
part of the cost of the devices they sell so they don't require access to the
data for behavioral profiling.

~~~
jmillikin

      > Compare this to Apple's iMessage or FaceTime - Apple
      > cannot decrypt the contents of the messages, and
      > therefore cannot give the contents to the government.
    

This is not correct.

First, when you buy a new iPhone, the way you authenticate yourself is by
entering your Apple ID and password. Once entered, your new device will begin
receiving iMessage data. This means that Apple is capable of provisioning a
virtual device with your credentials, which will receive your messages. From
there, they can be either stored or forwarded to third parties.

Second, your iPhone runs binaries distributed by Apple. There is no technical
reason why these binaries could not contain code to forward historical
messages to Apple or to a third party. Even if they don't now, a future update
to iOS (which you won't be able to audit) could introduce such code.

The only way to have private communication is for all parties to run open-
source clients. Each party must have the technical skill to audit the source
code, or there must be at least one (preferably multiple) trusted third-party
auditor. They must distribute encryption keys through a separate channel which
does not depend on the communication host.

In other words, the standard Thunderbird+GPG+keyparty system that is popular
among nerds but has seen no uptake among the general population.

~~~
embolism
First, when you buy a new iPhone, the way you authenticate yourself is by
entering your Apple ID and password. Once entered, your new device will begin
receiving iMessage data. This means that Apple is capable of provisioning a
virtual device with your credentials, which will receive your messages. From
there, they can be either stored or forwarded to third parties.

Wrong. As others who have examined the protocol have noted, your password is
used to unlock a keybag on the device itself. Apple doesn't have your password
(only a secure hash) and therefore can't unlock the keybag. The security
depends on the strength of your password, which is a weakness, but it is in
your control, not Apple's.

Yes, the binaries of any system can contain arbitrary spyware or be infected
with such at any stage from development through to decommissioning. Open
source is no absolute protection against that.

At the moment we are trusting that companies are not baldly lying to us, even
Google.

~~~
jmillikin

      > As others who have examined the protocol have noted,
      > your password is used to unlock a keybag on the device
      > itself. Apple doesn't have your password (only a secure
      > hash) and therefore can't unlock the keybag.
    

Re-read what I wrote, and think about what it means.

Setting up iMessage on a new iPhone does not involve copying a "keybag" (sic),
inputting a private key, or any other form of strong client-side
authentication. All you have to do is sign into the device using your Apple
ID, and you can then receive iMessage messages.

If there were any additional barrier preventing Apple from provisioning
iMessage endpoints, iPhone users would not be able to activate iMessage with
only their Apple ID.

Do you understand now?

    
    
      > Yes, the binaries of any system can contain arbitrary
      > spyware or be infected with such at any stage from
      > development through to decommissioning. Open source is
      > no absolute protection against that.
    

It's not an absolute protection, but it is very good protection.

Staying inside your house is not absolute protection against being eaten by
bears, but your chances of being eaten by bears are much much lower than if
you walk around Yellowstone dressed in steak.

~~~
embolism

       Re-read what I wrote, and think about what it means.
    

I think it means you have a false belief about the limits of the system.

    
    
       If there were any additional barrier preventing Apple from provisioning
       iMessage endpoints, iPhone users would not be able to activate iMessage
       with only their Apple ID.
    

Wrong. Apple doesn't have your password. Only a hash. Verifying against the
hash allows Apple to add another device to the backend but does not unlock the
keys to the message history. Only the password does that.

There is some understanding about how the protocol works here:
[https://news.ycombinator.com/item?id=5493514](https://news.ycombinator.com/item?id=5493514)

There are other sources around the net that you can refer to to understand
more about how such a protocol can be built, but I don't have a lot of faith
in you as a conversation partner now that you've demonstrated that you can't
be bothered to inform yourself before responding incorrectly with
condescending certainty.

~~~
jmillikin

      > Verifying against the hash allows apple to add another
      > device to the backend but does not unlock the keys to
      > the message history
    

Isn't this what I've been claiming? If Apple can provision additional
endpoints, they can provision a virtual endpoint which receives messages and
forwards them to third parties.

~~~
embolism
Doing that wouldn't provide access to the history. Unless they always do this
for every single device, there is no mountain of data to analyze.

The point we are discussing is not whether iMessage provides perfect security.
The point is that iMessage doesn't give Apple a stockpile of personal data
that can be indiscriminately targeted at any time the way GMail can.

I'm not saying it's a panacea or arguing in favor of Apple. iMessage proves
that Google could engineer a system to protect users' privacy by not
stockpiling data if they wanted to, which you have incorrectly denied.

~~~
jmillikin

      > iMessage proves that Google could engineer a system
      > to protect users' privacy
    

iMessage does not protect privacy, because Apple is capable of intercepting
your messages and sending them to third parties. To be a private
communications medium, it should be considered impossible for messages to be
intercepted.

The only thing worse than a product that doesn't offer privacy is a product
which claims to, but actually doesn't.

IMO, Apple's claim that iMessage is private is irresponsible because it
endangers people who take that claim at face value.

~~~
embolism
No modern computer can be constructed by an individual without trusting a
corporation not to have coopted some part of the system. Therefore no
communication system can exist that meets your criteria (e.g. because the CPU
could be compromised).

Your argument is the equivalent of 'we can't trust any corporation'. It's a
coherent position to take but it is extreme and doesn't lead to meaningful
discussions about what is possible.

~~~
jmillikin

      > Therefore no communication system can exist that meets
      > your criteria (e.g. because the CPU could be compromised).
    

For the purposes of this discussion it's reasonable to assume that consumer
hardware does not contain backdoors, because such extensive compromise of the
computing infrastructure would require conspiracy on a massive scale
(approximately every electronics manufacturer in the world).

~~~
embolism
Then you haven't explained how Apple could join another device to the
encryption session without the user's password.

------
mtgx
They keep the deleted e-mails too? So even if you want to escape that 180-day
law that says after 180 days it's a free-for-all for authorities to get your
e-mails, deleting them before that time passes won't do you much good.

So basically the authorities will have access to your e-mails anyway. It's
just that they won't get them in the first 180 days. And of course this just
applies to police/FBI, as NSA can get them from the day you sent them.

~~~
signed0
Not necessarily. Just because the government asks for them doesn't mean they
exist. I'd be surprised if they were actually deleted though.

~~~
gohrt
Google doesn't 100% say that the data is totally, totally gone, but seems to
say that it is no longer indexed for lookup by your account, 60 days after
deletion:
[https://support.google.com/mail/answer/7401?hl=en](https://support.google.com/mail/answer/7401?hl=en)

~~~
saalweachter
I don't have any personal knowledge of this but if I were to recklessly
speculate, I would wager "deleting stuff is hard". The typical concern is data
loss, so to delete something completely you need to unwind your entire data
loss prevention stack. Delete a file, delete a row from a database, wipe a
cache from another server, scrub any ZFS-style filesystem versioning of data,
mirror the changes to any off-site on-line backups and scrub everything there,
retrieve any off-site off-line backups and wipe those...

It's a non-trivial engineering task. If you want an email service which can
readily delete your email, you need to find one with non-redundant, completely
un-mirrored databases, fragile filesystems, and no backups. But that is not
what most people are clamoring for in a service provider.

~~~
embolism
Creating a massive behavioral profiling advertising system is _hard_, as is
creating a self-driving car. Protecting users from Government intrusion is
simply a lower priority for Google.

~~~
contingencies
_Think of the architects!_

Each of them believe they are doing nothing wrong.

------
signed0
If Google has records of all emails that have been sent and deleted,
presumably even if you don't have a Gmail account the government could ask
Google for all emails that had ever been sent to your account.

Just as the Syrian government is unlikely to be able to get Google to give
them information on particular dissidents, it would be wise for American
activists to choose an email provider that is not located in the United States.

~~~
coolhandluke
Indeed. Once I manage to anonymously acquire some Bitcoins, I will be looking
for a reputable VPS host based in Europe (that I can pay with Bitcoins) where
I can run my own mail system.

~~~
sneak
Why, so that all the emails you send and receive can go right back to American
PRISM partners? There's little point to that when everyone you email uses
Gmail.

~~~
dmix
The only option is for the creation of a user-friendly and encrypted
alternative that people can transition to.

Right now that doesn't exist.

------
__hudson__
I wonder if donating to wikileaks or even sending an email to wikileaks
offering to volunteer would be enough to interest someone in government in
getting all your 1's & 0's.

~~~
smokeyj
Yes, along with picking your nose and tying your shoes -- but that should only
matter to a coward.

~~~
__hudson__
I wasn't trying to sound paranoid or cowardly. I was just curious what
opinions people had on the level of involvement with Wikileaks that would be
enough to get the government's attention.

~~~
coolhandluke
I don't think it would take very much "involvement" at all.

Let's say you sent such an e-mail. It was noticed by the NSA and triggered...
_whatever_ and now they've decided that they want to monitor you. How much
difficulty is involved?

From what I've read recently, it seems that it's fairly trivial to start
monitoring an individual and continue to do so for a period of time. I would
imagine that the easier it is, the higher the chances are of it happening.

If it's a matter of hitting a few keystrokes to begin the monitoring, there's
little cost involved so why not? They could monitor you for a while, analyze
the data, and then decide if they need to keep monitoring you.

If it's extremely difficult, costly, or time-consuming to begin the process,
well, I'd imagine they would be less likely to do so (by how much I won't
begin to guess).

Basically, if they can start monitoring you and gathering data on you with
little effort or cost required, it's probably a given that they would keep an
eye on you. If there's a bunch of paperwork, warrants, etc., involved, the
chances would be lower, I think.

------
Semiapies
"Not trusting" in this case is more of an operational than moral/ethical
judgement, and more general than Google - you can't rely on privacy from any
company if the government can send them a letter saying, "Gimme everything on
this guy, bitches."

And, well, if you don't want to run to Hong Kong, you're pretty much the
government's bitch in that circumstance...

------
zenbowman
"I believe that organisations don’t really have a right to secrecy and I
believe that the more open a society, a society where people have more
information is a society where we can take more informed decisions and where
we perhaps won’t need the gatekeepers that are currently in place as much"
-Herbert Snorrason

If he doesn't believe organizations have a right to secrecy, then why does he
believe that he is entitled to secrecy. Privacy and secrecy are the same
thing, claiming to be pro-privacy but against secrecy is dishonest.

~~~
PavlovsCat
_Privacy and secrecy are the same thing_

No, they aren't (e.g. that I want to be alone when going to the bathroom
doesn't mean it's a secret what I am doing there). Even if they were, persons
and organizations are not the same thing either.

------
tyrion
Isn't all "this shit" in violation of the International Bill of Human Rights?

"No one shall be subjected to arbitrary interference with his privacy, family,
home or correspondence, nor to attacks upon his honour and reputation.
Everyone has the right to the protection of the law against such interference
or attacks." -- International Bill of Human Rights, article 12.

I also found it interesting to read the "CCPR General Comment No. 16" [1] on
the right to privacy.

[1]
[http://www.unhchr.ch/tbs/doc.nsf/(Symbol)/23378a8724595410c1...](http://www.unhchr.ch/tbs/doc.nsf/\(Symbol\)/23378a8724595410c12563ed004aeecd?Opendocument)

~~~
jkrems
I think the US government showed in the last ten years that they don't care
much about those "basic human rights". I'm pretty sure torture, drone
killings, locking innocent people away without due process, and silencing
dissidents also kind of violates the IBoHR.

------
andrewljohnson
Google should invent a distributed, encrypted email protocol and make that
network an option in GMail for storage and message sending. That would be a
great PR move - if there is no central server, and no central message pipe,
it's a little hard for anyone to think Google wants to be complicit in spying.

~~~
jmillikin
How would you implement a secure web interface to distributed encrypted
storage? The moment a user wants to view email in their browser, it needs to
be decrypted by Google's server (or decrypted by JavaScript served from
Google's server, which is equivalent from a security perspective).

For users who are willing to give up the web interface, there are many open-
source email clients that provide strong encryption (e.g. Thunderbird + GPG).

~~~
embolism
The web is simply not designed with privacy in mind. People _should_ stop
using webmail.

~~~
drivebyacct2
What a truly, truly, truly absurd statement. I run my own webserver and have
Roundcube exposed. It's only accessible via my VPN and even then, it's HTTPS.
So tell me, how are you planning to compromise that?

~~~
jmillikin
In fairness, if it's only accessible via VPN then your Roundcube instance is
not part of the web.

------
ethanazir
the gmail network effect pulls in people who would rather not be grokked.

~~~
contingencies
Right. This is why we need encryption.

~~~
mpyne
We have encryption. We need to _use_ it.

~~~
sneak
My using encryption doesn't suddenly make all of the hundred people I
regularly communicate with on gmail suddenly have PGP keys or smartphones that
support encrypted messages.

~~~
mpyne
Hence why I said, "we". Every encryption scheme you propose will actually need
to be used by other people to make the system work overall.

------
tantalor
Presumably the same justification/reasoning could be used to serve a
home/business search warrant.

~~~
burntsushi
That might be the case. But you'd know about it. And _why_.

~~~
magicalist
You would know about it, but the warrant can still be sealed if it "is
necessitated by a compelling government interest", so you can have no idea why
it was being done.

In theory you can get this reversed, but it is common for courts to uphold the
government's interest in keeping investigations secret well beyond normal
disclosure dates, in a few cases even _up to and during_ the trial against the
person who was served the warrant.

------
fady
off-topic: you need some line-height for that post.. very hard to read.

[https://www.dropbox.com/s/602d01t8ahqw1km/Screenshot%202013-...](https://www.dropbox.com/s/602d01t8ahqw1km/Screenshot%202013-06-21%20at%202.29.10%20PM.png)

------
lettergram
Why not just keep all your data on your own computer? No need to have a cloud,
and if it's email you're worried about, well, it's assured that if the U.S.
government wants your conversations they will get them unless you jump through
some pretty large hoops.

------
Andrew_Quentin
Why don't you sue and find out?

------
throwaway10001
Google shouldn't be trusted with everything you have. Between Analytics,
Android, Google Search, Documents and E-mail they know what you are thinking
and virtually everything you do, online and offline. Even if the current
management are saints--I doubt it--the next team will push the envelope to
monetize it even more. And then there is the NSA and FBI and the local divorce
lawyer. If it's there they will get it.

So try things like blocking analytics at host level, using either gmail or
search etc etc. Makes it harder for NSA. Can you imagine yourself in a trial
trying to explain why you visited certain sites or searched for certain
keywords 3 years ago? Were you really researching what you saw on CSI or were
you preparing the perfect murder of your wife?

~~~
burntsushi
This just seems like a variation of the argument that you should get out of
the way of the bullet instead of demanding that the gunman not shoot you in
the first place.

I should be able to give whatever data I want to Google without worrying that
the government is going to take it from Google in secret.

~~~
embolism
That is a laudable and idealistic goal, but we don't live in that world.
Furthermore Google itself knows more than we do about how easily governments
can access the data it accumulates.

If it chose to, Google could protect users by developing services that do not
rely on Google itself examining their personal data.

Google understands the risks better than its users but chooses to expose them
because doing so is aligned with its business model and philosophy whereas
protecting them is not.

It's a bit like recommending someone travel through a war zone on a bicycle
when a tank is an available alternative, because the bike carries advertising
you profit from and the tank does not.

~~~
loup-vaillant
Still, you do want to remove that dangerous war zone itself. The problem is,
to do that, a few groups of people at best need to stick their necks out for
the benefit of everyone else.

The way I see it, the problem is that mass cooperation just isn't going to
happen. Incentives and benefits must be found at the individual level
(altruism counts as a weak incentive), and drawbacks must be dealt with,
starting with the gazillion trivial inconveniences that an otherwise privacy
aware citizen would have to put up with.

There's a reason why I don't encrypt my hard drive: my OS doesn't do it by
default, and taking the time to set it up is just such a drag.

~~~
embolism
My OS does do it by default. It also provides me with a messaging system with
end to end encryption by default.

The inconveniences can be removed by engineering - that's what we _do_. It's a
matter of priorities and Google's are conflicted in this area.

~~~
loup-vaillant
Which OS? That sounds interesting.

------
rasterizer
A bit harsh on Google. I mean, what are they to do?

~~~
betterunix
Maybe engineer a service that is harder to wiretap? It is not easy, but they
have some of the best computer scientists on this planet working for them. If
I were them, I would start somewhere around here:

[http://crypto.stanford.edu/adnostic/adnostic.pdf](http://crypto.stanford.edu/adnostic/adnostic.pdf)

~~~
tptacek
It's not directly apropos this particular thread, but Google _has_ engineered
an email service that is particularly difficult to wiretap. To wit:

(a) They're the Internet's foremost adopter and proponent of DHE ciphersuites,
which drastically reduce the impact of losing the RSA key that underpins most
sites' TLS security, and, just as importantly, force adversaries to actively
MITM every connection in order to decrypt them.

(b) They're a pioneer in key pinning, which bakes the identity of their key
into the Chrome browser binary, meaning that when your Chrome browser talks to
Google's mail service, it's unlikely to trust any otherwise-valid-looking
certificate presented by a MITM attacker.

Google's mail service is better encrypted than most banks.
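
The two measures in (a) and (b) above, shown from the client side as an added example; this is illustrative Go written for this thread, not Google's or Chrome's code. It restricts a TLS client to ephemeral-key (ECDHE) cipher suites, so a recorded session cannot be decrypted later with the server's long-term key, and adds an HPKP-style SPKI pin check so a certificate that chains to a trusted CA but carries an unexpected key is still rejected. `SelfSignedCert`, `PinVerifier`, `ClientConfig` and the `mail.example.test` name are constructed for the demonstration; the `tls` and `x509` calls are the standard library's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ForwardSecretSuites picks the TLS 1.2 suites with ephemeral (ECDHE) key
// exchange: losing the server's long-term key does not expose recorded
// sessions, so an adversary must MITM each connection actively instead.
func ForwardSecretSuites() []uint16 {
	var ids []uint16
	for _, s := range tls.CipherSuites() {
		if strings.Contains(s.Name, "_ECDHE_") {
			ids = append(ids, s.ID)
		}
	}
	return ids
}

// SPKIPin is the HPKP-style pin, base64(SHA-256(SubjectPublicKeyInfo)).
// Pinning the key rather than the whole certificate survives a reissue.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinVerifier returns a VerifyPeerCertificate callback. Go runs it after the
// normal chain validation, so a certificate that is CA-valid but carries an
// unexpected key (a MITM's) is still rejected.
func PinVerifier(pins []string) func([][]byte, [][]*x509.Certificate) error {
	allowed := map[string]bool{}
	for _, p := range pins {
		allowed[p] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no peer certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if !allowed[SPKIPin(leaf)] {
			return errors.New("pin mismatch: peer presented an unexpected key")
		}
		return nil
	}
}

// ClientConfig combines both measures for an outbound TLS connection.
func ClientConfig(serverName string, pins []string) *tls.Config {
	return &tls.Config{
		ServerName:            serverName,
		MinVersion:            tls.VersionTLS12,
		CipherSuites:          ForwardSecretSuites(),
		VerifyPeerCertificate: PinVerifier(pins),
	}
}

// SelfSignedCert makes a throwaway certificate so the pin check can be
// exercised offline (constructed test data, not any real site's key).
func SelfSignedCert(cn string) (*x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	genuine, _ := SelfSignedCert("mail.example.test")
	imposter, _ := SelfSignedCert("mail.example.test") // same name, different key
	cfg := ClientConfig("mail.example.test", []string{SPKIPin(genuine)})
	fmt.Println("forward-secret suites:", len(cfg.CipherSuites))
	fmt.Println("genuine key:", cfg.VerifyPeerCertificate([][]byte{genuine.Raw}, nil))
	fmt.Println("other key:", cfg.VerifyPeerCertificate([][]byte{imposter.Raw}, nil))
}
```

The pin set is the part that has to be shipped with the client (the thread's "baked into the Chrome browser binary"); the cipher-suite restriction only governs what the client will negotiate, so it protects past traffic against a later key compromise but does nothing about a server that is itself compelled to hand over plaintext.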

~~~
jkn
Am I right that a) applies only to direct communications between the end user
and Google's servers?

Actually if someone sends an email to my Gmail account using his ISP SMTP
server, is the connection between the two SMTP servers likely to be encrypted?

~~~
icebraining
Even if it is encrypted, I doubt it's authenticated.

~~~
sneak
Wiretaps almost never involve active MITM. This is a red herring.

