Date: 2017-02-03
So, because data can be copied and doesn't deprive the original account holder of their data, this doesn't count as a seizure?
> the electronic data disclosed by Google pursuant to the warrants will occur in the United States when the FBI reviews the copies of the requested data in Pennsylvania.
And because law enforcement will review the documents in the United States, this doesn't count as a "search" outside the US.
This line of reasoning seems really crazy to me. What if these had been physical documents? Would this have been ruled in the same way? Say that the US government photocopied a set of files outside the United States and planned to only review them in the US.
I find it hard to believe this doesn't conflict with at least one of the treaties the U.S. has signed with the EU.
Just like the NSA. Once they figure out a 0-day, they use it to hack foreign entities. They won't help fix it by telling the U.S. software company. In other words, they don't care if you get hacked.
[1] http://www.zdnet.com/article/microsoft-refuses-to-hand-over-...
[2] http://www.zdnet.com/article/microsoft-scores-privacy-win-af...
Do they not have warrants in other countries?
It goes the same for Americans. If you want privacy from the U.S. government, don't use American services, or U.S.-hosted services.
If you use Google, your data is basically guaranteed to be secure - the biggest vulnerability is search warrants from the US government.
If you use some provider in another country, the attack vector has to be way larger, right?
This is an honest question - people always talk about using their own servers or non-mainstream providers, but I don't see how they necessarily reduce your risk.
Are you saying that everyone else outside the US is somehow incompetent? The 300 million in the US are super special and the other 6.7 billion people are stupid? Cause 'murica? For example all the countries in the EU, Canada, Australia, etc.
Or are you saying privacy laws in the rest of the world are somehow worse? For example, the EU has generally much better privacy safeguards and is generally known to be much more consumer friendly than the US.
I'm skeptical about that. They got seriously owned by one in the past with their proposed solution switching to Macs and Linux distros. I don't recall if they acted on that but the fact that they thought it would stop nation-states says something. They certainly have more resources to stop, detect, or recover from black hats than the average user of their service.
More like it is that there are any number of zero days floating around at all times many of which Google doesn't know, and the government itself is regularly taking data from these companies and then gagging them, and when that doesn't work, rooting them directly.
Outside countries are just as susceptible to hacking, but they can't be as easily made into gagged cooperators.
And Google may have a lot of smart people but they have a colossal attack surface due to sheer size and product offerings. And they're made of humans. They run hackathons soliciting bugs and regularly find them. No one is perfect, definitely not Google.
The overall security picture out there is grim, and it's very rational for people to control the risks they can and part of that is using services outside of the US.
Also because the country where the data is stored, even if it internally has personal data protection laws as lax as the USA, will in basically all cases have much bigger restraints about allowing a foreign government (namely the USA) to access that data.
Most people are preoccupied about what their own country's government or a big superpower's government can do with their data, not really what Norway's (another example) government can do with their data if they don't even live there.
I think Nexor, Thales, Fox-IT, Sirrix, Data61, and recently ProtonMail might have something to say about such claims. Starting with better security architectures than most vendors in the space. Maybe throw in GPG-based things like Enigmail since Snowden leaks showed NSA worried about it so much.
If you just mean "Google has more resources than most European services, so it's probably more secure", you have a point, but it's not entirely accurate, and that's because of how Google handles encryption. It prefers to keep the encryption keys to itself, so from that point of view it will always be more vulnerable than services that don't do that - small or large.
And if you meant "because the NSA wouldn't target Google, or it would just target those companies more" then I believe that's completely false. Google is absolutely a high priority target for the NSA. Any large company is, no matter where it is. We've learned that by now.
Also because Google actually did get completely owned by the NSA a few years ago:
https://www.theguardian.com/technology/2013/oct/30/google-re...
According to the Snowden leaks, the NSA has done more comprehensive infiltrations, e.g. Belgacom, Petrobras, etc.
Sometimes it feels like the law is just a means to an end. USG wants access to data regardless of jurisdiction, so that's what it gets.
So says the court in the article: "Electronically transferring data from a server in a foreign country to Google’s data center in California does not amount to a “seizure” because there is no meaningful interference with the account holder’s possessory interest in the user data."
My point is there could be analogies drawn. If taking copies of an email without the email owner's permission doesn't violate the owner's interest, then perhaps taking copies of media works without the owner's permission doesn't violate the owner's interest either? I'm suggesting strictly viewing, non-commercial use.
The argument makes sense. If you are conducting your business via email using an American provider, expect it to be subject to American law.
I don't see how this could be unusual or a shock to anyone.
Jurisdiction is an important concept, and if the American justice starts using the good economic position of its companies to bypass or expand its jurisdiction, it should be expected that the feedback will affect said economic position.
While this case seems to be a bit different from the Ms case, the court essentially orders a private entity to take action in a foreign country, something which it could not do itself. This seems wrong to me. Instead, the issue is probably that this info should probably not be foreign if the producers were domestic.
Especially if the data storage location is, for all user purposes, arbitrary.
Not that I have anything to hide, but I don't like my protections being whittled away.
Any suggestions on what provider to seek out now? Lavabit?
Most email providers will comply with search warrants on individuals, regardless of the government.
https://runbox.com/why-runbox/email-privacy/
Isn't that the same as what's happening here?
Hosting it yourself requires quite a bit of effort and knowledge to achieve high deliverability and low spam. Any solution is going to require you to be a mail server admin, which isn't for the faint of heart. You can't really be a casual once-in-a-while admin to get good results.
Sometimes it is worth paying a hosting service to take care of these problems for you.
With that said, Zimbra is a wonderful, easy to set up, all-in-one solution (email, calendars, contacts, etc)... and it's free (the Open Source license version).[1]
It works for small setups (<5 users) all the way up to huge installations (Comcast uses Zimbra for its webmail service).
[1] https://www.zimbra.com/
Seems like this one is completely on Google.
So if you want to be protected against this type of seizure, stop using Google, or any other American service that brings its data from its EU servers over to the U.S.
EDIT: And why is this an "opinion post"? It didn't have to be one. I thought the Washington Post was using its recent surge in profits from covering Trump non-stop to hire more investigative journalists, not pay for more biased opinion pieces?
Orin Kerr is one of the original proponents of a "golden key" for encryption, so I would at least take his suggestions with a pretty big grain of salt.
