United States v. Microsoft Corp. Dismissed [pdf] (supremecourt.gov)
220 points by ahakki 11 months ago | 144 comments

You can hear the (fascinating) oral arguments to the Supreme Court here: https://www.oyez.org/cases/2017/17-2 . I didn't know these were publicly available!

An interesting tidbit:

Sotomayor, at 09:44, pushes back against the U.S. attorney, referencing what I assume to be the CLOUD act as a more reasonable compromise than what the attorney has been advocating:

> And the problem that Justice Ginsburg alludes to is the fact that, by doing so, we are trenching on the very thing that our extraterritoriality doesn't want to do, what our jurisprudence doesn't want to do, which is to create international problems. Now I understand there's a bill that's being proposed by bipartisan senators that would give you most of what you want but with great protections against foreign conflicts. There are limitations involving records that are stored abroad.

I came here pissed off, saw your comment, listened to the arguments, and walk away pleased with the performance of our justice system.

A court found personal jurisdiction over an individual before the court, issued an order requiring the disclosure of information and then expected the person to comply with the order irrespective of where said information was stored. If you break American law in America, saying "the information is overseas" isn't--and shouldn't be--a valid excuse. Extending that to third-party providers, when both the individual and provider are in America, makes sense.

Could this be abused? Sure. But the oral arguments show the Justices giving the question respectful concern.

> If you break American law in America, saying "the information is overseas" isn't--and shouldn't be--a valid excuse.

So, by this logic, if a prosecutor in [country without privacy rights] claims one of their laws has been broken, they are able to seize emails, files, and VM images (even, say, from the US government) stored in any cloud provider that happens to have a business office in that country?

Yes. All those countries you have in mind can attempt that and likely already have. The creation of law or precedent in the USA doesn't make it happen elsewhere, nor does not having law or precedent in the USA prevent it elsewhere. This response comes up a lot, and it deserves to be considered more than rhetorically.

> The creation of law or precedent in the USA doesn't make it happen elsewhere, nor does not having law or precedent in the USA prevent it elsewhere.

If that were true, I think we in the US wouldn't be hearing so much about the EU GDPR.

> If that were true, I think we in the US wouldn't be hearing so much about the EU GDPR.

It's true.

That doesn't mean you can ignore other countries' laws if you want to do business there.

The EU GDPR only applies to companies doing business in the EU. Of course, if you have customers in the EU you do business there under the GDPR definition.

You are free to ignore it. Good luck trying to do any other business in the EU after that though.

There's an important distinction re GDPR: it only applies to commercial entities. LEA is generally exempt:[0]

> The European Commission hopes to set an international standard with its upcoming proposal to give police easier access to data from tech companies, and has already asked the United States to cooperate.

The US response was the CLOUD Act.

0) https://www.euractiv.com/section/data-protection/news/commis...

The US has an outsized impact on international law, though. What happens in the US, legally, can’t be ignored by other countries. I wish it could be.

Opportunity: space-based cloud servers? Microsats that rotate into service every few months as their orbits decay.

Strong cryptography with steganographic/deniable key storage is much more cost efficient.

But it can be seized because it's under some national sovereignty. That was the point. And a satellite server can still be keyed and encrypted. In fact, maybe it just has to be a CA/key store.

Governmental information is likely to be protected by the terms of a treaty signed between countries with diplomatic relations, and subject to the same sort of sovereignty extended to embassies and the like.

Yes, Congress just passed a bill that takes this ruling to its logical extreme. The CLOUD act forces US providers to hand over data without question to foreign government workers (“police” or “courts” would probably be too narrow a reading of the bill...)

I’m hoping this gets abused in the midterm elections to replace the people that backed it with more reasonable legislators, but I doubt it’ll play out like that.

No, they are able to demand the information and punish the governed who refuse to comply. Assuming that the subpoena won't be valid if the data was stored domestically, why would the location of where the data was stored affect anything? If I rob a bank and hide the money in a different country, that doesn't make me immune from restitution obligations.

Listen to the oral arguments. The analogy is a Chinese national in front of a Chinese "court" being demanded to disclose records held by a Chinese company on servers in America. It's a narrow ruling and, given the facts and circumstances, in my opinion, correct.

They can certainly try. The foreign entities may or may not cooperate.

Thanks for introducing me to Oyez as a source for oral arguments. The audio is much easier to follow when it's paired (and synced) with the transcript.

This is probably the best we can get until that fabled day when they finally allow cameras in the courtroom.

Shameless plug: If you enjoy that, you may like a version that I made that syncs the audio and transcripts with puppies[1], available here: https://www.youtube.com/channel/UCn1ibFnn3NcXjQHY47o0yWg/vid... Though this particular case is not available yet.

[1]: The idea was originally inspired by Last Week Tonight, I just automatically generate them.

Amazing! What API are you using to weave together the clips - just ffmpeg, or some other tool?

Also I love that you coded cutaways to observers and the chicken stenographer - it makes it incredibly natural seeming. Did any news outlets end up using your outputted videos?

Also, any chance it’s open source? :)

Not OP, but it looks like it is:


What a wonderful experience. That was my first time listening to a Supreme Court oral argument and the site has such a clean UI it was such a joy to listen to and follow along with the transcript.

You can read all (?) court submissions here: http://www.scotusblog.com/case-files/cases/united-states-v-m...

I can only encourage everyone to read some of these documents. They really dispel the myth that judges are clueless. And they are also often more entertaining than one might think.

And, as a bonus, you can often find some truly great quotes:

GINSBURG: Mr. Dreeben, may I ask you a broader question? I think the starting point all would agree in, what was it, 1986, no one ever heard of clouds.

> I didn't know these were publicly available!

The SCOTUS only has audio, but the Ninth Circuit has a full video channel: https://www.youtube.com/channel/UCeIMdiBTNTpeA84wmSRPDPg

And to chip in some more, that's because SCOTUS doesn't allow cameras in the courtroom.

Personally, I think that's a good thing – having a platform for performance motivates just that, and I don't want a performance from judges, I want soberly considered and carefully constructed legal opinions.

I'm leery of even audio recordings, but too much information and nuance can be contained in tone and phrasing that it is probably necessary. Also, it is significantly harder to manipulate audio records.

Tone conveys a lot, but deserves no place in a courtroom which should be about facts and opinions, or rhetorical flourish.

I think there are a decent number of English sentences where adding or removing emphasis on words makes a significant difference to meaning. Google autocompletes "sentences where emphasis changes meaning". None of them looks like a nice list, but "I didn't say you stole my money" is proffered as an example where you can choose any of 7 words in the sentence to emphasize and end up with 7 different meanings; "I love studying English" is another.

It seems that the pattern is, there is one common face-value meaning of the sentence that is meant regardless of the emphasis, and then there is a secondary meaning that depends on the emphasis. Usually one of the words simply makes the sentence more emphatic, but emphasizing any of the other words establishes some kind of contrast (not too different from the way "if" is sometimes used to mean "if (and only if)"): e.g. "I didn't say you stole my money" implies "I did say <someone else> stole my money", "I love studying English" may imply "I don't love <doing something else with> English". Even "I didn't say you stole my money" probably implies "I did say <someone else> stole my <something else>". And often the secondary meaning is at least as important as the primary meaning.

I suspect this kind of expression is natural enough that forbidding everyone in the courtroom from using it is impractical.

Given that it can matter so much, trusting scribes to accurately record the emphasis, without keeping audio recordings around, seems dangerous. (One might say something similar about the transcription itself.)

I wasn't talking about emotion or opinion or feeling, I'm talking about emphasis and phrasing. English is often very ambiguous as spoken, without calling out emphasis, and I don't think there is any practical way to enforce purely unambiguous speech patterns (as transcribed to text) upon all participants in a courtroom situation.

It's definitely not harder to manipulate audio records than video records. Video is images + audio.


Parent likely meant as compared to text-only transcripts.

Oyez is a national treasure.

So if you want your data to remain out of scope for US warrants the only way is to choose non-US companies? Drastically reduces the options, I can only think of OVH and Hetzner that would qualify..

Or are the German data centres of Azure safe as they're run by a German company?

It depends on who you are and who you deal with. We house a lot of our stuff in Azure, but we entered into an agreement with a European-based Microsoft child company.

If the US wants access to our data, they’ll need to go through the Danish courts.

We spend a lot of money though, but it affords us our own private servers in the Irish farm, that we have physical access to and our data never enters the public part of Azure.

If the US government wants to get access, it probably can, after a few months in various EU courts, but all they’ll find by then in our little vault will be a tape recorder playing Twisted Sister's "We’re Not Gonna Take It" on repeat.

Of course American companies will be replaced by a European competitor if the US government doesn’t wise up and stop being dicks. If there was a real alternative to American clouds we’d have left by now.

Is that still valid even though the European company is controlled by Microsoft? As I understand, the agreement they have in Germany basically hands over all control to Telekom, basically like a franchise model. As long as Microsoft Europe still controls access to the data, can't they be forced by Microsoft US to reveal the data? As I understood, that was the reason why OVH hesitated for so long to build US data centres and then used a separate company for it (not sure if they went through with that plan).

Not a lawyer so pure speculation but would be interested if anyone has details.

As far as I know we’re perfectly safe within the setup we run. I haven’t been involved in the legal bits beyond asking for permission to put citizen data in the cloud and being granted permission by our government and the EU.

Maybe this verdict changes things, but if it did, I’m fairly confident that I would’ve known by now considering it’s a sensitive issue.

We do have extensive exit plans at hand, for such an event. Plans that are really just us burning money because the US surveillance state can’t get its damn act together.

Microsoft German datacenters are unaffected yeah. They're not connected in any way to the upstream MS Azure network, the only way for MS to control them would be through an infected security update, which they'll never do.

They are legally connected. The data may be protected by a European military, but Microsoft corporation isn't.

There are a lot of other cloud providers in Europe besides OVH and Hetzner:

- Upcloud (based in Finland)

- Cloudsigma (based in Switzerland)

- Deutsche Telekom TelekomCLOUD (based in Germany)

- Online.net / Scaleway (based in France)

- Aruba Cloud (based in Italy)

- Swisscom (based in Switzerland)

- etc.

Unfortunately none of them offer the breadth of services like Google Cloud, Amazon or Azure, but they most likely will be more than enough for many purposes.

Aruba Cloud have a 1 eur/month VMware-based VM with one core and a gig of RAM in Italy and CZ.

It’s quite nice for tiny projects you don’t want to spend on.

Wow (or should I say Mamma Mia!), at that price it's rude not to.

- exoscale.com (based in Switzerland)

Your best plan is [1]: a) don't be a US citizen/resident, and b) store your data in a country where disclosure of this information is banned by law.

Under these conditions, the provider can (and has incentives to) challenge the order requiring the production of the data. If the order is quashed, the US government would need to get an order from the local government under MLAT for the data.

As for your German datacenter question... Under the text of the law, it depends on whether that data is within a US electronic communications or remote computing service provider's "possession, custody, or control." In theory, a service provider might contract out the management of these aspects of its operations, but it would be hard to imagine a service provider feeling comfortable moving the data outside of its control.

[1] See p 2205 of bill text for the CLOUD act part. http://docs.house.gov/billsthisweek/20180319/BILLS-115SAHR16...

I mean... duh? If you don't want your data accessible by a particular sovereign entity, it's best to ensure your data is never in the jurisdiction of that sovereign entity. The meaning of sovereign is "We can do whatever crap we want here, and there's no higher authority that can judge us". If you're not okay with that crap, then don't interact with that entity, because -- as the term 'sovereign' implies -- there's no court you can appeal to to settle your dispute in your favor.

I don't think #2 (Azure) applies. Your best bet is to store cryptographic keys offsite and leave the data in the cloud. There's a market opportunity for someone who can wrap that up in a reasonable API/library for use on EC2/GCP/Azure.

Azure does have sovereign clouds, for instance its Germany cloud. [1] In this case data is handled by a German company and not Microsoft and so is subject to EU law.

[1] https://azure.microsoft.com/en-us/global-infrastructure/germ...

Why not use a non-US provider then? Maybe this will lead to more support for those. I can imagine that some EU companies will now struggle even more using AWS/GCP/Azure.

Depends on where your customers are and the applicable scale/latency costs of not using the biggest providers.

If you want 20ms latency to customers in the US, you're going to be hosting in North America, damn relativity and all that.

> Your best bet is to store cryptographic keys offsite and leave the data in the cloud. There's a market opportunity for someone who can wrap that up in a reasonable API/library for use on EC2/GCP/Azure.

Is there actually a market for this that people would pay for, or is it just something that people would like to exist?

Sure, for downstream SAAS to use for customers. I think it'd be a nice add-on for services with customers outside the US who are wary of overreach. So if there are two web email vendors, and one has this protection and the other doesn't, it may be the deciding factor for a customer. The one that has that protection could use this service to do that for them.

Even without the national boundary feature, good crypto APIs not bound to your compute vendor is a nice thing to have.

It's a matter of herd mentality. The more the issue is raised, the more people will be willing to use services from other countries instead of US-based services, which means more non-US companies will gain prominence for certain services, which will encourage even more users to switch to them.

As long as everyone thinks everything is fine if they keep using the same old US services they've always used, none of those steps will happen. Expect to get a push-back from users who prefer continuing to use US-based services so they can justify their own choice.

If it really changes the business then I'd guess that one of the smaller providers (DigitalOcean, Linode, Vultr) relocates their headquarters to an EU country to circumvent that. Could at least bring non-US data centres out of scope.

That's always been the case - US law has had global jurisdiction for decades

To their credit, Microsoft have resisted US Government pressure [0] on this subject in the past.

[0] https://www.washingtonpost.com/world/national-security/micro...

Hetzner requires a copy of your ID which I find more intrusive. Does OVH?

If there is a way to sign up for Hetzner without giving them a copy of your passport, does anyone know?

OVH definitely doesn't, but this requirement by Hetzner is news to me. Do you know how long this has been in place?

I can't remember that I ever provided it but I heard this a lot. They say that it significantly lowers fraud rates. It's not a legal requirement. Interestingly enough, it's debatable if copies of state-issued IDs are even allowed in Germany (there were courts saying that practices like this are illegal). EDIT: apparently that's legal now, see the answer below.

I don't like the practice but believe their argument, hosting services attract a lot of bad actors and this will probably filter out most of them from the start.

Copying ID cards in Germany has been made explicitly legal in July 2017 through a change of the relevant law.

I saw Hetzner cloud upvoted on here about 3 months ago and I liked the pricing so I tried to sign up, and they asked me to send them a copy of my ID.

So at least 3 months.

I've been using tilaa as a mail host for about ten years now; it's a vm/storage provider based out of Amsterdam. I at least tell myself that my data is relatively safe there.

As others have pointed out, encryption is the only real protection.

Unfortunately, you are not supposed to do it yourself because it's complicated so you have to find a trusted third party to do it that has been vetted.

But now you have to come up with a system to vet the vetters.

What a complicated world we live in.

‘Avoiding lawful warrants’ is just not a service you’re easily going to get from a developed Western country.

It's not about that. Lawful warrants can easily get confirmed by a local judge and the FBI can access the data via local prosecutors. That already works where the crime committed is very clear. It's more about cases where the US government thinks they need access but where the EU would disagree.

What are these cases that affect typical usage? And it’s not where the ‘US government thinks’. They need to show probable cause and get a warrant. Generally, when you get to that point, going from one developed democracy with fairly robust rule of law to another isn’t going to help.

FISA court rulings are usually accompanied by gag orders here in the US, under "National Security" flags... This means they'd likely be unwilling and/or unable to consult with a foreign, local law enforcement.

Not that I really agree with it, most of the time the secrecy is for secrecy's sake imho, and to advantage government prosecution. It's pretty scary tbh. Does this mean it's ok for a US company operating in China to turn over US information?

None of this is really about FISA anything, so I'm not sure I follow.

But it could apply to an order by a FISA court as well? Just this specific case wasn't.

No, that doesn't make any sense. If you're doing something in the US that makes you the subject of a FISA warrant and your data ends up overseas, the people who are after your data have a party. This is all, of course, far afield from 'typical case' anyway.

What happened is roughly this: Pursuant to a warrant, USG wanted something from Microsoft, Microsoft said it was on a server in Ireland and outside the reach of the warrant, USG and Microsoft went to court to sort it out. Meanwhile US Congress passed a law addressing situations like and mooting this case. That's it. In the grand scheme of things, this didn't really change anything.

MLAT would probably allow a US court to ask a foreign entity via a foreign court to provide data of US entity, even if the data and the provider are outside of the US.

But that requires a local judge to confirm the view. I guess most of us naturally trust their local judiciary system more than that of other countries so that this will go a long way for many.

The concept of "offshore companies" is that local government is a greater threat to freedom than a foreign government.

Whose freedom?

Alibaba cloud? Presumably Chinese govt can snoop but not sure how much power US has.

These are the lowest prices I have seen. Is this new? Surprised not to have heard of this before.

I think they're close to a year old. Still more expensive than Hetzner though?

@projectramo (cannot reply to that): I have very good experience with Hetzner, speed is very good even if you ignore prices, considering the price it's by far the best I've used. I still have backups at other providers but switched to only using them for everything I do, saved me a lot of money. I already had an account so didn't need to provide ID but wouldn't see that as a deal breaker. You'd need to pay with credit card anyway so they'll get your name sooner or later. And it has helped with the spam problem they apparently used to have (for a while a lot of their IPs were on blacklists).

I am not mad at them for asking for my ID, but in the US that is (in my opinion) the big sign of intrusiveness.

When they want to scare people, they say "the police will start asking ordinary citizens for ID". It's a huge deal when the pharmacist asks for ID for a controlled substance.

And add to that the privacy culture here (on HN and in tech circles). I would rather pay a few extra bucks for now. But if they dropped the requirement I would use it.

I bet I am not alone and there are many others who feel the same.

I think that's down to cultural differences. In Germany, everyone has an ID and you need your ID to open any bank account or even as proof of age. Showing your ID to someone is just confirming who you are. In other countries (esp UK, US) that's very different. So asking for ID is not very intrusive for Hetzner (as they're German) but it's perceived very differently by others.

I agree (although in the US, ID is used for bank accounts and proof of age).

I wonder if it would feel different if they didn't ask for a copy of the ID, but just had someone look at it.

I think it also feels different because no one else asks for it (VULTR, AWS, Dig Ocean, etc)

Also a driver's license feels less intrusive (for whatever reason) than a passport, and I believe for foreigners they want a passport.

Ironically, German history is the reason why Americans are wary of National ID cards.

USA uses ID cards for banking and employment though.

The US seems to use SSN everywhere.

The problem isn't necessarily a national ID card (after all most people have driving licenses, passports, etc). The problem is the data that's all linked and available to governments.

In today's world, where Facebook knows far more than any government can, heroes like René Carmille become more and more important.

I remember being surprised when visiting Germany that a passport was required to get a prepaid SIM card.

I tried Hetzner based on other people mentioning it on HN. Total disaster.

They managed to erase my entire environment, not have any way to recover anything, and once my case got escalated within their company the responses I received were the most unprofessional communications I've received in my career.

Honestly, I am amazed that this is a German company at all. You usually expect Germans to be more organized.. but I guess no matter where you go, the old saying is true: you get what you pay for.

Hetzner has pretty bad peering imho. I was trying to use IPSec but it was impossible because at peak times UDP packets got dropped making my latency go into 200ms.

You're right. I wish Hetzner didn't require an ID because they're cheap and (allegedly) performant.

I wonder if serverpilot etc will work equally well with these guys.

[this was not entirely correct.. so I'm removing it]

Even if they sign an agreement, access to content of EU servers run by a company based in the EU will need a local warrant. The FBI won't get access without help of local law enforcement. And that can be hard even within the EU, as Spain just found out when they tried to arrest a politician.

I think many US citizens would be outraged if a Chinese court could issue warrants to access their data stored at any company. Not sure if EU citizens trust the US judicial system much more.


Thanks for the clarification. In this case I'm not sure how many agreements they'll actually sign? Safe harbour already wasn't very popular and public opinion in the EU has shifted a lot more towards privacy in recent months (from my subjective feeling).

"On March 23, 2018, Congress enacted and the President signed into law the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), as part of the Consolidated Appropriations Act, 2018, Pub. L. 115–141. The CLOUD Act amends the Stored Communications Act, 18 U. S. C. §2701 et seq., by adding the following provision:

A [service provider] shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication ... within such provider’s possession..., regardless of whether such communication, record, or other information is located within or outside of the United States.”

So, all US companies are now forced to store a backup, or copy, of all data they store off shore? To make sure this doesn't happen again?

No. Per your own quote, it "just" extends discovery protections to data held outside the US. So you can't deny the US government access just based on the data being offshore. It's captured in the first paragraph of the decision:

> a U. S. provider of e-mail services must disclose to the Government electronic communications within its control even if the provider stores the communications abroad.


The requirement to backup, preserve or disclose is exactly the current requirement for data in the US, and only applies when the provider is given notice to produce evidence. It means the provider cannot destroy evidence once compelled to produce it. It doesn't mean you are required to preserve data "just because".

It also only applies to data > 180 days old.

SCOTUS oral arguments are some of the best sardonic comedy you will ever find. It's nine well educated professional masters of their field basically who only have to care about each other's opinions, grilling two very accomplished journeymen arguing opposing viewpoints. Find a case you're interested in, listen in and you will probably be entertained.

Eight. Sure Clarence Thomas is there, but he rarely speaks.

It was news when he asked questions in 2016 for the first time in 10 years: https://www.npr.org/sections/thetwo-way/2016/02/29/468576931...

Attorneys at the Supreme Court are also masters. The power imbalance is what makes it fun.

Providing a link for this because it was something I was interested in doing: https://www.supremecourt.gov/oral_arguments/argument_audio/2...

To clarify on the legal history - this dismissal merely states that the case no longer matters thanks to the CLOUD Act. The CLOUD Act resolves this by allowing the US Government to use a warrant to force US companies to turn over data on any US citizen that it has stored abroad. To me, the CLOUD Act is a reasonable compromise. It continues to grant the US government access only to US citizen information.

It is not a ruling on whether the US government can access other data stored by US companies abroad.

The original case started because Microsoft argued that the US Government has no right to access data stored abroad, because that would give unprecedented access to non-citizens' data. The government argued that it did.

Do you mean citizens or residents?

Rather long, but I think important. The views are my own, based only on my own limited experience.

I've been a web user since the early 90s and I honestly think that we are going a little astray from the original spirit of the web. Back then, it didn't matter what you posted, anonymity was the default and people used to say that no personal information should ever be shared. This move by the United States government feels like they are crossing the Rubicon towards a highly regulated and almost dystopian view of the web.

It is my opinion and I think a lot of others on HN would agree that privacy should be the norm. Certainly, law enforcement has a right in some cases to extra information but when governments are able to reach across the ocean and pluck personal data from each other then there is a serious problem. This happened to my friend who ran a startup in the financial sector who was compelled to reveal a user's data. There was no recompense for him as he didn't have the resources of a big company like Microsoft at his disposal.

Tech companies and law enforcement should have more of a conversation about these issues before they are forcibly put into law.

This is not something new. It's been an issue in international legal frameworks since countries had laws.

Here's a decent overview: https://columbialawreview.org/content/international-comity-i...

The critical thing to realize is that countries are not bound by other countries' laws, only by agreements they make with each other (or ones which are militarily forced on them).

Given that this flies in the face of the traditional US approach to extraterritoriality, and the EU is implementing GDPR, I'd be very surprised if this weren't heavily circumscribed in the future.

The idea that the internet should be left to its own devices made sense as long as the internet didn't actually matter, i.e. had no influence on the offline world.

Those were easier times, but they also limited the usefulness of the medium. If it can't affect peoples' lives, it cannot be beneficial for them. Conversely, if it can be beneficial, it can also hurt them.

E-Commerce is the most obvious example: it's incredibly useful to do business online. But it's obvious that such economic activity will invariably lead to scams and frauds.

Having established that real things now happen online, the question becomes what to do about it. "Leaving the internet alone" in that context cedes all power to those with the most technical ability. That's a rather arbitrary distribution of power, and I'm not sure people would enjoy the outcome, long-term.

For better or worse, democracy and governments have long been the tool to decide and enforce the rules of societies. It's not entirely clear why that model should change just because it is "..., but online!". And for all the faults of the US' democracy specifically, it's still far more legitimate than the CXOs of Google, Facebook, Netflix, and Comcast.

I fully agree and also think it's not the cloud users that are most affected but their users. As a customer of a bank you have little control where your bank stores your data (although with GDPR they'd at least have to tell you if it goes to AWS). And yet, your data could be accessed by foreign prosecutors without confirmation by a local judge.

That's a great point, and it's often overlooked. To my knowledge, the best way to combat this is to create end-to-end encrypted solutions that only the customer can access. For example, Apple phones can not be cracked even by law enforcement. The corollary is that other anti-privacy practices such as data mining and tracking can no longer be used against the users. Win-win?

Telegram may be a better example than Apple phones given the SB FBI case and previous articles shared here about hacks. As a service, device, or implementation of encryption gets more use, it will also get more eyes from state actors on how to find cracks in the armor.

There was a lot of understandable disdain for Telegram when it got popular because they roll their own crypto, MTProto. However, it looks to me like Russia's recent pants-on-head move (banning 2M IP addresses because Telegram won't give up their keys) indicates that MTProto, if not a very wise development to begin with, doesn't have any obvious cracks that the FSB could just quietly pry open.

AFAIK Telegram has channels and groups which were used in Russia for purposes the govt didn't want to encourage. To my understanding, both groups and channels cannot be encrypted, so this ban has less to do with encryption but with the fact that Telegram wasn't willing to hand over the plain text chats they have on their servers.

They certainly are encrypted, they're not end to end encrypted so Telegram has the keys. Supposedly each key is stored across multiple datacenters in different legal jurisdictions so no single government can compel them to hand over the keys, but this seems like a rather questionable legal theory.

> Apple phones can not be cracked even by law enforcement

Not true: https://motherboard.vice.com/en_us/article/vbxxxd/unlock-iph...

It seems like it's somewhat routine to set up relationships with foreign intelligence services for that reason.

Fully agree with your opinion that privacy should be the norm and hopefully people will start to take back their privacy. You'd be surprised how often law enforcement uses seemingly innocent data available to them to paint a picture that supports their needs/justification all in the name of "justice".

I very much worry about a heavily regulated internet.

The beauty of tech is how quickly things change and move. In a mere 2 months, I've completed the entire front end of an app, solo.

The moment a programmer deals with government regulations, you require lawyers, not hobbyists.

Lord I hope there are more parties involved in the conversation than "tech companies and law enforcement".

Those 2 parties should play a very small role too...

It is harder to be a troll when anonymity is removed. People, at least some people, will be more hesitant to post stupid things if their stupidity is associated with their real world identity for all to see. It would also be more challenging to be a criminal or fraudster online when anonymity is voided.

Just think how much less toxic Reddit would be if there were no anonymity and employers, parents, and neighbors could see what people are really thinking about.

Also, privacy is not anonymity.

Sure, but it is also harder to be a whistleblower or to speak out against a powerful government or business when they have the power to retaliate against you.

You mean to say, when they can identify you. Most of the time, powerful people have the power to retaliate against anyone.

I agree, but for me, the benefit of anonymity outweighs the detriment of it.

Half a year ago, I saw a scientific study that people are trolling more when they are not anonymous. The opposite of what you say.

Is there any new data?

And this, friends, is why it’s important to encrypt information that you want to remain private.

What is amazing is these companies fighting the government while we have Apple hand all their customers' data over to the Chinese government.

"Campaign targets Apple over privacy betrayal for Chinese iCloud users"


Incredible contrast.

Then the cherry on top was Apple removing the VPN apps from their store in China and cutting their users off at the knees in being able to protect themselves.

"Apple removes VPN apps from the App Store in China"


This reinforces the fact that the internet is decoupled from geography.

In my view it reinforces that the internet is dominated by the US. All data stored at any of the large cloud providers falls under US jurisdictions.

EDIT: it also appears asymmetric. I doubt a French court can issue a warrant that forces OVH to turn over data stored at their Canadian data centre (similar with OVH and Finland).

Let's talk about the actual facts of the case here.

It's important to note that United States v Microsoft involved a US company (Microsoft) controlling and storing data (emails) on behalf of a US citizen. The emails were physically stored on a server that was located in Ireland. MS argued that a US judge doesn't have the authority to issue a warrant for data that is stored outside the United States and the FBI needed to go through cross-border channels.

I haven't read the bill but everything I read about the CLOUD Act seems to indicate that the act is meant to apply to US companies and US persons, not to foreigners as a rule. It's an extremely unjustified jump to conclude that "all data stored at any of the large cloud providers fall[s] under US jurisdictions." Unless you have more information than me that you aren't sharing.

I referred to "any of the large cloud providers" because they're all US companies (Amazon, Google, Microsoft, DigitalOcean, Linode, Vultr). Not sure if the case would've been very different if it had been for data of a foreign citizen. But from what I read, the fact that Microsoft had sole control of the data was important, and that would apply to EU citizens as well. But that might change under the Cloud Act.

> I doubt a French court can issue a warrant that forces OVH to turn over data

On the other hand: GDPR.

All countries try to pull the same moves on the internet, from Russia to Pakistan to the US and Europe. The difference is that a small market has little leverage. The EU already has data-retention laws that could be extended, and at that point any EU government would have quite a lot of leverage. It's politically unpalatable for now, but things change.

GDPR is the other way around. It applies to non-EU companies that deal with EU citizens (or people living there). It doesn't gain access to data stored by a Canadian company in Canada on servers owned and run by OVH.

It generally doesn't grant access to prosecutors, it tries to protect consumers and can lead to fines in case of violation.

The point is that it's basically a "global law". Non-EU companies could choose to ignore it, but they would risk losing access to the EU market, which is too big to ignore, and so they comply. A company could forego this or that individual nation, possibly even a big one; but the entirety of the EU market is simply too large to accept the risk.

Similarly, a US company could relocate to Iceland and thumb its nose at the PATRIOT Act and so on, but then "good luck doing any business" in the huge US market. The principle is the same: big markets can impose rules that more or less the entire world ends up following.

But you can choose to restrict your compliance to the GDPR to your EU clients. It's not the same as a law that applies to all your clients.

You've just rediscovered the jurisprudence of the Commerce Clause and the power of Federalism. Alexander Hamilton would be proud.

If OVH the company has a presence in France, I don't see why not.

This reinforces the fact that US power is decoupled from geography.

This is the right formulation. Alternatively, that the US is the only global power. Although I can't imagine the US could try something similar in China.

The real leverage it has is the base of US users.

Brave New Imperialism.

Does this apply to data of US citizens only? If a non-US citizen stores data on a non-US server provided by e.g. Microsoft, can it be accessed by the US gov?

As far as I understand, it applies to ALL data stored at any US company. A US warrant against a French company could be valid for all their data in the cloud without a confirmation by a local court even if all data is stored outside of the US (which would be necessary for physical assets).

The right answer here is "it depends." Depending on who is asking for it, and why, they would have different requirements to compel Microsoft.

So for example, there is a major difference between the FBI vs the state of Washington vs the FISA courts asking/compelling the data. The fact that the data is on US soil, by definition means the US govt has fewer roadblocks to direct access.

My legal two cents:

1.) What 18 U.S.C. §2701 et seq. actually now says is that if you are a service provider in the US, you must have a backup of any record of your customers in the US. So if you use a cloud service that is situated outside the US, you still need to produce a backup in the US.

2.) The case is to be dismissed as mooted, because the government applied for a new warrant that replaced the original one. So the case has new grounds.

It would be interesting to see how this mandate will work in the US with GDPR in Europe.

From the transcript [0], when Justice Kennedy is asking if human intervention is required to retrieve the records, E. Joshua Rosenkranz responds:

> A human being doesn't have to do it. It is a robot.

> A human being in, let's say, Redmond tells the robot -- it sends the robot instructions.

What does he mean by robot? Is this just software, or does an actual machine have to go spin up some servers in storage?

I feel like something about the use of the term seems to imply more than just "software". Is there a legal advantage to using this word instead of "the program" or "software"?

[0]: https://www.supremecourt.gov/oral_arguments/argument_transcr...

The moving part of a "tape library" is known as a "tape robot." For the past few decades there really have been physical robot arms retrieving data from long-term storage. This is still an area of development today, because tapes are cheap but only if you don't need a drive for each one.


Thanks! I was unaware of these

I wonder if a similar system is used for AWS Glacier..

This is bad news, for sure. But it's no surprise, in the current environment. I mean, when it's the feds vs Microsoft, Congress can just change the laws. And the EU is moving in the same direction. Also China and Russia, obviously.

So anyway, the only option for those who want protection against warrants is to hide. Sure, go with providers in places that are more privacy friendly. But that can't be the only defense. At this point, I believe that the best option is local encryption, plus network connectivity through nested VPN chains plus Tor.

Edit: tone

I still think there is a lot more to this case. The risk of losing on both sides was way too high for a drug dealer. Why wouldn't they just request the data using a Mutual Legal Assistance Treaty? They had no problem doing it for the kickasstorrents guy (https://torrentfreak.com/images/KAT-complaint.pdf).

The CLOUD Act is ... really not great. More about big corporate than protecting privacy in any way.
