Hacker News new | comments | show | ask | jobs | submit login
Justice Department moves to end routine gag orders on tech firms (washingtonpost.com)
375 points by forapurpose 10 months ago | hide | past | web | favorite | 48 comments

This is good news overall. Glad to see some sanity coming out of the White House.

I'm a little suspicious though. Why is Microsoft pushing so hard for this? What's in it for them?

Microsoft has been battling the government over this and more for a long time. They have another major ongoing case over US government rights to demand customer data stored overseas.

> What's in it for them

The very lucrative European business market. If they can't be assured that their data is safe with Microsoft (and out of US govt hands), they will naturally move to using non-US based competitors.

At $employer we process lots of PII on behalf of customers which is covered by additional domain-specific privacy laws on top of the general ones.

Compliance is important and because we occasionally have to handle production data inhouse this has far-reaching consequences.

It's not just that we can't use US-based cloud services for production. We can't use them for anything. Anything like slack, gsuite, jira cloud are not suitable for handling the sensitive data. Even something as simple as using recaptcha required vetting by our data protection officer.

It's almost like, if you need your data to remain private, you shouldn't send it to someone else's computer.

Do you keep your money under a couch?

I understand that there are more risks to moving data around but some companies will be better than you are at a thing.

It's very dependent on what your risks are. Data integrity is a big one, though non-siezability by US govt is important to others.

If I want my money (rather, the amount of money I have, and when I spend it) to remain private, I sure do!

Out of curiosity, what doesn’t AWS comply with? I was under the impression they were certified for almost every use case involving PII.

Starting from May 2018, no US-based company can possibly comply under the strict interpretation of EU data protection laws. If an US court can possibly legally compel you to hand over the data, you cannot host any private data on EU citizens on behalf of an EU company. Next year, I cannot even legally store things like names and email addresses belonging to EU citizens on a server ran by a US company, without exposing myself to major legal liability. Many companies in the EU are now scrambling to get away from us service providers.

The text is very broad, and it has been argued that it's a stealth protectionism measure. For me to be able to do business with US-based cloud providers next year, the US law needs to change so that if an account has a "this refers to an EU citizen" bit set, that completely prevents US courts and law enforcement from acquiring any information about it without proving probable cause at an EU court of a specific crime that is of sufficient severity and criminal in both EU and the US. I don't believe that will happen.

There's two parts of concern when using AWS:

1. They comply with quite a number of information requests [0], even if they seem to oppose the weakening of legislation in place or overly-broad requests.

The NSLs under FISA are particularly concerning, because they can't even report the number they receive, only "within certain ranges set by the government". This is the same for all US companies, and Amazon are more upfront than most, but it's also a reason for avoiding a US company like Amazon.

2. Location. Where is your data? AWS' regions are quite broad in the legal sense, and sometimes crosses borders that your data would not be allowed to (X-data must remain in Y-region, cannot be copied or transferred). However, determining whether or not your data would cross such a border can be quite difficult.

[0] https://aws.amazon.com/compliance/amazon-information-request...

Limiting things to EU-region AWS might have worked on paper. But in practice there is a lot of conservativism in play. It's not just about doing the bare minimum to pass the certification audits. Some customers also demand detailed data-flow breakdowns, a manifest of data processing agreements and lengthy check lists to comply with their internal data protection policy. Combine that with with the CJEU toppling safe harbor, the Microsoft case, the snowden leaks etc. it's simply a lot easier to pass customer audits when you run on an exclusive EU-soil, EU-jurisdiction policy. And forward-looking it provides some certitude, i.e. we won't just pass the audits today, we're reasonably sure that if Privacy Shield falls too we'll still be fine.

Basically, if you provide SaaS for corporate customers and handle their PII (HR records, occasionally some medical data attached) then the intersection of various demands ends up fairly restrictive.

Not just European companies. Not being notified when the government gets their hands on your data is one reason not to put your data in a cloud service. By itself that's probably not enough to win over on-prem solutions, but it's one less con for cloud.

The 99% is lucky to be in a situation where this is possible. Imagine a world fully globalized under colluding bureaucraitc powers, and an oligarchy of tech competitors.

Don't have to strain our imaginations too hard do we?

Not naturally. EU privacy law will force them.

Even without EU privacy laws, a variety of laws in the USA have made various organizations outside the US wary about storing data in the US.

They've also been fighting the gov on subpoenas for data stored outside the US:


Presumably the business mandate is that they want to sell their cloud solutions (particularly for stuff like Outlook) to customers who don't look favorably upon the US getting access to all their data with a mere subpoena & not even being informed about it.

> This is good news overall. Glad to see some sanity coming out of the White House.

The Justice Department is not the White House, a fact that the primary current occupant of the latter has, publicly and repeatedly, bemoaned.

And I'll append an analysis which says that much more is needed because the new rule applies only to the Justice Dept, and the orders come from many places, including state and local governments:


I'll add that a rule changed by the Justice Dept can be changed again. A law may be needed.

Both good points. If I may ask, why is MS dropping the case if they had good points to make something come of it?

Microsoft sued the Justice Department. I'm not a lawyer, but since the Justice Department is no longer doing this thing, they may not have any standing for the lawsuit. I don't think they can force the lawsuit through to get a decision since they're no longer being harmed by it.

It wouldn't be the first time someone who thought they might lose backed down to avoid setting a precedent. Police departments did it with cases where people challenged the use of Stingrays, for example.

Likely because the government is a large enterprise customer who needs to not have a judicial precedent set.

I.E. This seems a lawfare move to step back general gag use, so that they can step forward again in specific gag use, rather than risk losing and finding future gags severely restricted. Microsoft is being polite because sometimes it might be reasonable for government to gag a subpoena, without it being a national security issue.

As a non-USian, is the Homeland Security (Newspeak!) under the Justice Dept, at least?

No, it's an independent, top-level cabinet position. The departments of Homeland Security and Justice are "peers", if you will.

I'm not sure it's entirely newspeak. If you look at the list of departments that were gathered together to form DHS [0], it does make some sense to have them all in the same organization.

[0]: https://en.wikipedia.org/wiki/United_States_Department_of_Ho...

The word "homeland" is propaganda-ish. Other department names are simply descriptive, such as Treasury, State, Interior, Veterans Affairs, etc. If named normally, it would have been something like 'Domestic Security'..

Personally I think the DoD should go back to it's original name, the department of war, and then homeland should take dod.

If we really want some Newspeak, how about the "Department of Peace"?

That's what Dennis Kucinich wanted to call it, though not so much in a newspeak way as just to reinforce a pacifist foreign policy.

No it's a Federal executive agency with a cabinet level Secretary reporting to the president. https://en.wikipedia.org/wiki/List_of_federal_agencies_in_th...

DHS was made after 9-11 in 2001 by rolling a lot of other agencies together with a new overarching executive agency. https://en.wikipedia.org/wiki/United_States_Department_of_Ho...

> USian

Is this a statement thing?

It's mostly a disambiguation thing, although it's definitely more popular in some circles than others. A similar term sometimes seen in more formal contexts is "US-American". "American" is sometimes construed to include all of North, Central, and South America, predominantly in Spanish and Portuguese languages (e.g. the Organization of American States / Organización de los Estados Americanos / Organización de los Estados Americanos), as opposed to modern English where the usual collective term is "the Americas".

I say it sometimes and I live here. Nothing wrong with it.

Way too late, but it wasn't meant as any sort of value judgement.

It's just an anglified états-unien (and similar in many languages).

I'm glad to see the Trump administration rolling back these Obama era privacy violations.

I think that the provisions of 18 U.S.C. § 3123(d)(2) were introduced by Bush as part of the Patriot act, after September 11, not by Obama. One might argue that Obama abused them, of course.

Certainly there are some unjust laws for which it is just as bad to leave them in place as it is to have enacted them in the first place. These may not rise quite to that level, but just because he did not sign them himself doesn't absolve Obama.

It's pretty easy to argue abuse when the Obama administration was wiretapping the opposition party just before a presidential election,


In March the Obama administration denied it for months. Now it is a matter of fact.

Criminal investigations are non-partisan. You don't get structural immunity from espionage charges just because you are "of another political party" than the current president. The wiretap was authorized by a judge. The Whitehouse also never denied wiretapping Manafort, but if they HAD done so, it would have been proper. Wiretaps are secret, by their nature. This also occurred after Manafort had been removed from his position on the Trump campaign.

>Criminal investigations are non-partisan.

Sniff. I remember when I was young and idealistic.

The Obama administration was clever enough to investigate people around Trump such that they would have pretty much everything he said in the can.

What was highly irregular, and arguably illegal, was Susan Rice at the NSC authorizing the "unmasking" of the people involved as well as a wide intergovernmental distribution. She really had no business doing that, and it effectively leaked every aspect of the investigation.

For the record, this does not include National Security Letters.

I assume this is a step towards that. As a Canadian, I know for a fact we (as in our tech industry) have a lot of business that would go to the US by default if these letters stopped existing.

Well, maybe not now, the damage is done. But it would've, and in time US tech companies' reputation will be repaired. As a foreigner, it doesn't seem like the repair process has started yet. Hope I'm wrong.

That's the outcome Microsoft has deserved my sincere respect for.

do these gag orders apply to foreign based subsidiaries of a company based in the US?


Could you please just stop breaking the guidelines? It's easy: if you're about to post something like this, don't. We've asked you many times before, and we ban accounts that refuse.


Dear SCTB,

I clearly see that generic flamebaiting is forbidden, yet how is simply humor (even if being abrasive to part of US population who can read in between the lines and downvoted to abyss) counted towards it.

Somebody clearly didn't like my comment, it got flagged, it got downvoted, but I feel not that this amounts rule violation. I always sought of HN as being better at treating unpopular, yet correct comments than other places

I'll try to say things in a less sarcastic form.

Americans, the argumentation for interception correspondence and private life perlustration provided by your 3 letter services and whole executive branch in general is laughable.

They talk about busting terror cells, then proceed to dig your personal data on facebook or somebody's very very private Snapchat conversations, as if Osama Bin Laden, with his alleged $ billions in the bank, has nothing else to do than writing a web diary with all his plans exposed in plain sight or sexting with his groupies.

The prime interest of this STASI style mass perlustration are not the so called "terrorists," but your and other citizens private life, and it is laughable for anybody to claim that this is anything other than that.

And it looks even more laughable when somebody goes beyond not only taking that as given, but even tries to insinuate a posh opposition and say to US government "you are not doing the mass domestic espionage in constitutionally correct way, you should do mass surveillance differently" as if mass surveillance can be ever become legal in USA.

Microsoft probably sees and routinely fulfills thousands of data perlustration requests a months, but rather than saying "What you do is fucking illegal, you will get that data only over my dead body," they say "Dear uncle Sam, we have a lot of dirt on you, and in particular the request no. 9877989 with very weak legal argumentation in it, play nicer with us in the future"

> Americans, the argumentation for interception correspondence and private life perlustration provided by your 3 letter services and whole executive branch in general is laughable.

I doubt anyone on this site disagrees with you. We're not the ones you need to yell at.

I hate to have to say it, but besides the 3-letter agencies, all countries and many global companies are spying. Even if the US agencies fixed their behavior, the is still the problem of the rest of the world.

I laughed my ass off when, after all the complaining the Germans did about the NSA collecting their PM's phone conversations, it turned out they did the very same thing to Hillary Clinton when she was Secretary of State travelling in Europe.

Applications are open for YC Winter 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact