date 2017-02-03
Google must turn over foreign-stored emails pursuant to a warrant, court rules (washingtonpost.com)
77 points by severine 1 hour ago | 46 comments





> Electronically transferring data from a server in a foreign country to Google’s data center in California does not amount to a “seizure” because there is no meaningful interference with the account holder’s possessory interest in the user data.

So, because data can be copied and doesn't deprive the original account holder of their data, this doesn't count as a seizure?

> the electronic data disclosed by Google pursuant to the warrants will occur in the United States when the FBI reviews the copies of the requested data in Pennsylvania.

And because law enforcement will review the documents in the United States, this doesn't count as a "search" outside the US.

This line of reasoning seems really crazy to me. What if these had been physical documents? Would this have been ruled in the same way? Say that the US government photocopied a set of files outside the United States and planned to only review them in the US.

reply


I wonder what effect this has on international relations and treaties. How will the U.S. government respond when a European Union country's authorities furnish a warrant to Google for information about U.S. persons, using the same precedent?

I find it hard to believe this doesn't conflict with at least one of the treaties the U.S. has signed with the EU.

reply


Doesn't work that way. The thing is as long as the people in the Justice Department get what they want, they are happy. They don't care about you.

Just like the NSA. Once they figure out a 0-day, they use it to hack foreign entities. They won't help fix it by telling the U.S. software company. In other words, they don't care if you get hacked.

reply


Microsoft was in a similar boat a while ago. They refused[1] to hand over foreign data, and the court ruled in their favor[2]. Why does Google have to be treated differently? This type of decision poses a serious threat to the competitiveness of US companies in a global market.

[1] http://www.zdnet.com/article/microsoft-refuses-to-hand-over-...

[2] http://www.zdnet.com/article/microsoft-scores-privacy-win-af...

reply


I suspect that it's because the data was produced outside the USA in the Microsoft case but inside the USA in the Google case.

reply


Emails aside, this is more about using cloud services in general. If you use Google Compute or AWS, you are in this boat. This is why U.S. tech can't be trusted.

reply


> This is why U.S. tech can't be trusted.

Do they not have warrants in other countries?

reply


If you are Chinese, it's probably not a good idea to use a Chinese email service (or any of the "joint ventures" between American companies and Chinese ones).

It goes the same for Americans. If you want privacy from the U.S. government, don't use American services, or U.S.-hosted services.

reply


Are there any good options for cloud services outside of the US?

reply


Curious: Why would you trust a cloud service operating outside the US more than one operating within?

If you use Google, your data is basically guaranteed to be secure - the biggest vulnerability is search warrants from the US government.

If you use some provider in another country, the attack vector has to be way larger, right?

This is an honest question - people always talk about using their own servers or non-mainstream providers, but I don't see how they necessarily reduce your risk.

reply


Why is the attack vector bigger?

Are you saying that everyone else outside the US is somehow incompetent? The 300 million in the US are super special and the other 6.7 billion people are stupid? Cause 'murica? For example all the countries in the EU, Canada, Australia, etc.

Or are you saying privacy laws in the rest of the world are somehow worse? For example, the EU has generally much better privacy safeguards and is generally known to be much more consumer friendly than the US.

reply


Google has the resources to secure their systems, the ability to defend against nation state attacks, and billions in revenue at risk for losing that trust. I know of no one that offers the same experience with anything close to the same protection, do you?

reply


"the ability to defend against nation state attacks"

I'm skeptical about that. They got seriously owned by one in the past with their proposed solution switching to Macs and Linux distros. I don't recall if they acted on that but the fact that they thought it would stop nation-states says something. They certainly have more resources to stop, detect, or recover from black hats than the average user of their service.

reply


Weigh the cost of corporate controlled robots peeking at your emails against the increased probability of extra-corporate attackers pilfering your data.

reply


Guaranteed to be secure? Are you joking? Aside from the fact that nothing is guaranteed to be anything in the security world, if you go read the documents put out by Snowden there's just no way you'd say that.

More like it is that there are any number of zero days floating around at all times many of which Google doesn't know, and the government itself is regularly taking data from these companies and then gagging them, and when that doesn't work, rooting them directly.

Outside countries are just as susceptible to hacking, but they can't be as easily made into gagged cooperators.

And Google may have a lot of smart people but they have a colossal attack surface due to sheer size and product offerings. And they're made of humans. They run hackathons soliciting bugs and regularly find them. No one is perfect, definitely not Google.

The overall security picture out there is grim, and it's very rational for people to control the risks they can, and part of that is using services outside of the US.

reply


Because some countries - namely in Europe - have much stronger personal data protection laws than the US. Switzerland for instance.

Also because the country where the data is stored, even if it internally has personal data protection laws as lax as the USA, will in basically all cases have much bigger restraints about allowing a foreign government (namely the USA) to access that data.

Most people are preoccupied about what their own country's government or a big superpower's government can do with their data, not really what Norway's (another example) government can do with their data if they don't even live there.

reply


"If you use some provider in another country, the attack vector has to be way larger, right?"

I think Nexor, Thales, Fox-IT, Sirrix, Data61, and recently ProtonMail might have something to say about such claims. Starting with better security architectures than most vendors in the space. Maybe throw in GPG-based things like Enigmail since Snowden leaks showed NSA worried about it so much.

reply


> If you use some provider in another country, the attack vector has to be way larger, right?

If you just mean "Google has more resources than most European services, so it's probably more secure", you have a point, but it's not entirely accurate, and that's because of how Google handles encryption. It prefers to keep the encryption keys to itself, so from that point of view it will always be more vulnerable than services that don't do that - small or large.

And if you meant "because the NSA wouldn't target Google, or it would just target those companies more" then I believe that's completely false. Google is absolutely a high priority target for the NSA. Any large company is, no matter where it is. We've learned that by now.

Also because Google actually did get completely owned by the NSA a few years ago:

https://www.theguardian.com/technology/2013/oct/30/google-re...

reply


The NSA can do way more than just sniffing some network links, please don't call that "completely owned."

According to the Snowden leaks, the NSA has done more comprehensive infiltrations, e.g. Belgacom, Petrobras, etc.

reply


OVH is one of the largest hosting companies in the world. They have an excellent network, great prices, and a fondness for privacy.

reply


This decision is not relevant to something like an AWS instance in the EU.

reply


>The court also argued that this outcome was needed to avoid absurd results.

Sometimes it feels like the law is just a means to an end. USG wants access to data regardless of jurisdiction, so that's what it gets.

reply


So should we soon expect courts to reject copyright infringement or piracy claims?

So says the court in the article: "Electronically transferring data from a server in a foreign country to Google’s data center in California does not amount to a “seizure” because there is no meaningful interference with the account holder’s possessory interest in the user data."

My point is there could be analogies drawn. If taking copies of an email without the email owner's permission doesn't violate the owner's interest, then perhaps taking copies of media works without the owner's permission doesn't violate the owner's interest either? I'm suggesting strictly viewing, non-commercial use.

reply


Copyright infringement is not, even in principle, about seizure or possessory interest, so there is no relation between your question and the quote it is supposedly based on.

reply


Thank you. I'm saying the above somewhat tongue-in-cheek, because my gut feeling is that some aspect of interest has been violated in the case of the email owner or related parties. Of course, "gut feeling" is not a legal principle. So I'll go back to being Definitely Not A Lawyer.

reply


I don't understand why this is bad.

The argument makes sense. If you are conducting your business via email using an American provider, expect it to be subject to American law.

I don't see how this could be unusual or a shock to anyone.

reply


If you start behaving like that, expect foreign governments/clients to ban/boycott American providers.

Jurisdiction is an important concept, and if the American justice system starts using the good economic position of its companies to bypass or expand its jurisdiction, it should be expected that the feedback will affect said economic position.

While this case seems to be a bit different from the Ms case, the court essentially orders a private entity to take action in a foreign country, something which it could not do itself. This seems wrong to me. Instead, the issue is probably that this info should probably not be foreign if the producers were domestic.

reply


I think the shock here is exactly that American law allows for this.

reply


No surprise there. Doesn't help where the servers are as long as the company is in the US.

reply


It does somewhat, Google transferred the data to the US.

reply


US companies and the data they control are obviously going to be under the jurisdiction of law enforcement where the company is located, in the US.

Especially if the data storage location is, for all user purposes, arbitrary.

reply


It's been fun, Gmail, but I think it may be time to go.

Not that I have anything to hide, but I don't like my protections being whittled away.

Any suggestions on what provider to seek out now? Lavabit?

reply


Get your own domain for your email first. That is really the biggest hurdle. Providers can be swapped out without much work that way.

reply


Because GMail is being served warrants for overseas data?

Most email providers will comply with search warrants on individuals, regardless of the government.

reply


I've been liking protonmail.com. Not US based, encrypted storage, easy to use.

reply


I suggest runbox.com.

https://runbox.com/why-runbox/email-privacy/

reply


>Runbox will not disclose account information or email data to authorities unless presented with a Norwegian court order.

Isn't that the same as what's happening here?

reply


No, Google is being presented with an American court order.

reply


How about yourself?

reply


That's not really a good solution; if you set up your own personal email server, your outgoing emails in many cases will unfortunately end up in a spam box since they will originate from an unknown server.

reply


I'm not sure where to start. What do you suggest?

reply


http://www.iredmail.org/ for mail, http://radicale.org/ for contacts and calendar, http://www.rainloop.net/ for better webmail. Ask https://indiehosters.net to set it up for you for a minor fee.

reply


Well, email is a hard problem.

Hosting it yourself requires quite a bit of effort and knowledge to achieve high deliverability and low spam. Any solution is going to require you to be a mail server admin, which isn't for the faint of heart. You can't really be a casual once-in-a-while admin to get good results.

Sometimes it is worth paying a hosting service to take care of these problems for you.

With that said, Zimbra is a wonderful, easy to set up, all-in-one solution (email, calendars, contacts, etc)... and it's free (the Open Source license version).[1]

It works for small setups (<5 users) all the way up to huge installations (Comcast uses Zimbra for its webmail service).

[1] https://www.zimbra.com/

reply


Encryption all the way.

reply


> Indeed, according to the Stipulation entered into by Google and the Government, Google regularly transfers user data from one data center to another without the customer’s knowledge

Seems like this one is completely on Google.

So if you want to be protected against this type of seizure, stop using Google, or any other American service that brings its data from its EU servers over to the U.S.

EDIT: And why is this an "opinion post"? It didn't have to be one. I thought the Washington Post was using its recent surge in profits from covering Trump non-stop to hire more investigative journalists, not pay for more biased opinion pieces?

Orin Kerr is one of the original proponents of a "golden key" for encryption, so I would at least take his suggestions with a pretty big grain of salt.

reply


I haven't read the Google ToS, but I wonder if it would matter to the USG if the Google ToS made stipulations about transparently moving data within a region versus between regions.

reply



