Hacker News new | comments | show | ask | jobs | submit login
U.S. Government Compels Google To Hand Over Wikileaks Volunteer's Gmail Data (readwriteweb.com)
175 points by mcantelon 2232 days ago | hide | past | web | 77 comments | favorite

I know Jake. I had the proud privilege of employing Jake. This is a fishing expedition, and an absolute abuse of the EPIC and PATRIOT acts.

The NYT filed a lawsuit yesterday to try to start getting some transparency into these matters -- even Congress is urging people to find out the truth: http://www.techdirt.com/articles/20111010/04043716279/nytime...

People can dislike Wikileaks all they want, but this is exactly why they exist. The raw information is not being released and they see fit to do so. When the USG has a law on the books that congress passed but the DoJ won't share their interpretation of what the law means, you know something is very very wrong. (see: http://en.wikipedia.org/wiki/The_Trial )

The headline is a little disingenuous (technically correct, yes...) - especially if thats all anyone ever reads. Google didn't hand this over on a whim, rather:

  The contacts list and IP address data of Jacob 
  Appelbaum, a WikiLeaks volunteer and developer 
  for Tor was given to the U.S. government after 
  they requested it using a secret court order 
  enabled by a controversial 1986 law called the 
  Electronic Communications Privacy Act, according 
  to the Wall Street Journal. The law allows the 
  government to demand information from ISPs not
  only without a warrant, but without ever
  notifying the user.
The problem/fault/remedy lies with the US gov, not so much the compelled company in this case.

So you quoted part of the article to give more details to the headline. That is basically how the whole article/headline thing works.

I recall that the headline was worded quite a bit differently when the GP wrote their post. The headline has since been updated.

You wanted them to put that in the headline?

It would have been easy to write a less disingenuous headline. For example, "U.S. Compelled Google To Hand Over Wikileaks Volunteer's Gmail Data."

That's what the headline reads now - what was it before?

Title on the article:

> Google Hands Wikileaks Volunteer's Gmail Data to U.S. Government

Implies that Google did so out of free will rather then being legally compelled to.

I doubt donohoe wanted to put that in the headline, I think he is suggesting the tone of the headline doesn't accurately portray what happened.

> Electronic Communications Privacy Act

Orwellian naming conventions are all the rage these days :-) Jerry Yang faced a lot of heat for doing pretty much the same thing in China. Google seems to reluctant to criticize the US government now, unlike, for e.g., the Chinese government.

EXACTLY the same thing. It's a really interesting point. When China does it, they're horrible. When the US does it, what is it? Is there a difference or not? The motivations are quite similar, and one probably can only look at whether the motivations of each country can be justified from a moral standpoint.

Perhaps the discontent comes because China is seen as something of an expeditionary market for American search providers. While you can give China the finger and get out, it's not tenable to do that in the US, so one is compelled to play by American rules.

I don't necessarily believe that China's status as an expeditionary market makes it worthwhile to stop offering services in that country, just playing devil's advocate I guess.

Collaboration with a bad government is always optional, you can cease to do business. That's definitely tenable. It takes a lot of balls to do so.

Imagine google coming right out and saying: 'Our do no evil motto is our guiding light and we have decided that being forced by the government to act in this manner to prevent our technology from being used to spy on American citizens in ways that we can not in good conscience allow is against our principles. Therefore we will cease operating today.'.

I'm trying to imagine the effect of such a move, it strikes me that the ensuing fall-out would probably see the government as the losing party and google re-instated in very short order.

Sometimes you have to make a stand, if the same thing was a good enough reason for google to cease to do business in China then maybe it should be good enough to cease doing business in the US.

I very much doubt that Google threatening to pull out of the country would cause any action in Congress. The government has no incentive to act, and all the power to spin the story if there is some sort of public outcry - something to the effect of "Google is unpatriotic and doesn't care about your safety." Most people will buy it.

If anything, Microsoft would just step in to fill the vacuum with Bing, and business would continue as usual for everyone but Google.

That's why I'm sayin' they can't just leave, and they can't just threaten. It has to be real civil disobedience. They have to be willing to say:

No, we're not going to do that. You'll have to shut us down, which will take years, and cost the economy millions of jobs and trillions of dollars.

Oh, and I hope it goes without saying that we won't be complying with any court orders related to this matter. If you're serious about doing this, there will be pictures of men pointing guns at innocent American technicians, right next to the headline "The Feds are Coming for Your Email," and underneath that, Senator, will be your name.

Then they'd say something like: "This is America, motherfucker. Land of the free. You can't get away with this shit."

...sigh. At least it'd make a good screenplay.

Look at this from the opposite direction.

You want a big multi-billion $ business to start dictating your laws?

Good luck on that one, that's not going to end badly is it?

A big multi-billion $ business deciding to dictate its own behavior or end is not the same as dictating law, even if the law reacts by changing in order to preserve the business.

The current system, where corporations often actually, literally dictate many laws is a lot less open and straightforward.

Don't they already ? Every multi-billion $ business has lobbyists that dictate the law.

Big multi-billion $ businesses can only exist in a society where a big government can enable them using bailouts, quid pro quo campaigning and cost-prohibitive compliance for frivolous regulation.

From a societal POV, big anything is bad. I wish more open-minded people could recognize that fact.

That's not true at all; many (probably most) huge companies have never received bailouts. Compliance is also a tricky issue - you don't want to let the market compete on nuclear power plant design without some sort of supervision, even if the current system doesn't work very well. Lobbyists are a different story, but Google, for example, or Amazon, got to where they are without leaning on governmental support or anti-competitive laws.


Why even bother to shut down? Google could probably just go "Haha! Fuck you. Who's your closest supervisor in an elected office?" Next day, "<Official> wants Google to share your personal information with the Federal Government" magically becomes the top hit for that name.

Bureaucrats and spooks are happy to play this game because they know it never comes back to them. Nobody who has to answer to voters would dare put their name on it-- we're looking for any damn excuse to not vote for the incumbent this cycle.

But I guess standing up for us could mean a hit to shareholder value, and some things just aren't worth sacrificing.

Nobody who has to answer to voters would dare put their name on it?

Remember that 99-1 vote for the Patriot Act? The one senator who voted against, Russ Feingold, lost in 2010 to a guy who's campaign slogan revolved heavily around "freedom".

There are many dimensions of freedom. I'll note that Sen. Feingold's name shares a place in "McCain-Feingold", which is a limitation on free speech (some may argue that it's a warranted limitation, but the fact that it is a limitation on freedom is objectively true)

Yeah, I know that some people consider limiting campaign contributions to be more damaging to freedom than creating the legal framework for a modern day KGB. I think those people are ignorant.

Fascism and communism didn't kill 100 million people because of a 2300 dollar limit on campaign contributions.

Perhaps they did so because of a total ban on advocacy ads within X days of the election? We wouldn't want people to hear about what a snake their Congressman is, when the election is close enough they might remember.

There's a heck of a lot more to McCain-Feingold than just a $2300 limit.

They could have made more of a fuss over it. Get ideas up in the air about shifting pieces of Google overseas, for example. Once the idea that Google might be locating somewhere else for concern about collaborating with the US government, public concern might have been raised.

The reality is that governments do have the ability to dictate a lot. But companies are global now and that means some competition exists. It's old news that countries compete on tax laws but competing on rights and freedoms would be nice too. To a certain extent, they do.

Google Iceland has a nice ring to it.

Also the economy there could use a boost I believe.

Applebaum, a tor developer, is i am sure astute enough not to leave unencrypted mails on gmail. he is used to governmental abuse at airpoets etc., so i am sure he saw this coming.

He can't prevent people from sending him unencrypted emails on Gmail, except by not using Gmail, nor can he force Google to delete them.

If he's receiving random emails they are probably not important or sensitive enough to be valuable to the government. If he's receiving non-random emails that contain sensitive data, it should all be encrypted.

If you do get something important that is not encrypted, you can forward the mail to yourself as ciphertext.

You're correct that Appelbaum has no control over Google's retention procedures.

The government did not request the contents of the mails in any case, but the header information: who Jake was communicating with, and when.

FYI it's "Appelbaum".

Thanks. I typed that reply on my phone, so I don't remember if that was an autocorrect thing or if I just forgot how to spell it. Nevertheless, I appreciate the correction. :)

It fairness to Google, they fought this, and they are part of Digital Due Process, a group that is trying to get this law changed.


From comments here, it looks like there aren't good options for secure email outside of the jurisdiction of the US government.

I've been interested in setting this up for myself. If you're interested, let me know on this form, and I'll begin looking into the issues of where to host, and what legal structures I'd need to set up.


If the US decides it wants access to your accounts, I don't think putting a server in another country will be enough to stop them.

The real answer to this and all other serious privacy issues is to use strong cryptography properly. There's no two ways about it. Anything that isn't encrypted before it sees a NIC should essentially be considered a public broadcast.

Dear Google,

There must be ways to protect user privacy that are better than collecting everything in a form that can just be handed over. Example: encrypt on the client side, with user-supplied, large, non-compromised keys, and don't ever inspect the data on the server. If you need to inspect data in order to serve relevant ads, do it on the client, and only send back enough information to tailor whatever ads are currently available. Maybe do the ad selection on the client too. If this doesn't work for one of your services, consider it for other services where it would work. Laws prevent you from providing service X without providing such-and-such a hook? Then don't provide service X. Provide a plugin framework instead, and let users bring their own service. Use your heads. Maybe use a bit of the compute power the client has available. You spun down a lot of your China presence because of stuff like this, supposedly. You should be able to take big steps anywhere, not just in China. You are smart. Figure. It. Out.

Would someone please remind me when Wikileaks was convicted or even accused of a crime?

That's right: Neither ever happened.

What is going on in this country? Is the desire to operate in the dark, to work behind the backs of the very people that this government represents so strong, that any organization shining light on this must be squashed?

Now the question is: What major options do privacy advocates have apart from hosting their own mailservers?

Even if you host it yourself but at a regular hosting provider "they" might just confiscate your servers. Increasing email encryption usability might be the road out of this dilemma. Otherwise email encryption is going to stay within a very small circle of users.

When I said "Host your own" I meant on a physically secure box using full disk encryption.

But I do like the idea of encryption, GPG does this really well already but key distribution is still a problem.

Just an idea for a secure physical box: Throw in a external "always on" GPS receiver on the box and have it physically destroy the hard drive if it is outside of a certain area or if it detects a certain amount of movement (think someone removing it from a rack without disabling the service first). If your server was moved/confiscated it would ensure some safety. Just a tinfoil thought.

When you say "physically destroy" do not use any form or anything that could be spun as a incinderary, explosive, or projectile device. The laws on those type of things will put you in prison for a long time.

How would one go about safely destroying multiple hard-disks anyway. Closest thing I can think of is a small compactor with the disks inside of it.

You're much better off just using full-disk encryption; throwing away the key effectively destroys all the data. You do need to make sure you actually erase all traces of the key (https://secure.wikimedia.org/wikipedia/en/wiki/Cold_boot_att...), but you need not worry about physically destroying the disks.

GPS signals are very weak, and can usually not be received inside a building such as a datacenter.

GPG. It's easy to use and can even easily plug right into Thunderbird and Thunderbird Portable (USB).

Not use email. Seriously, how many times do people have to get burned? Don't write anything down you don't want anyone to know about.


The slow and often fruitfulness process of changing the law.

Maybe Americans should use European hosts and Europeans can use American ones. Does anyone know of any good international webmail providers, with SSL?

My understanding is that using a non-domestic service would actually make it much easier to retain data under traditional espionage procedures. Perhaps this is incorrect. Clarifications welcome.

it doesn't make any difference. you us citizens are being tapped just the same as all us evil foreign terrorists these days. https://www.eff.org/issues/nsa-spying

I'm aware of the illegal NSA spying, but surely they're still somewhat more cautious about deploying domestic surveillance. Going overseas makes it all legal and OK, here they at least theoretically are not supposed to be doing things, and that's better than nothing, right?

so you're arguing that despite doing massive domestic surveillance, solidly supported by the government, they're not going to use the data because of their good moral standing.

or are you being sarcastic?

I suggest that there are legal implications that make it more difficult to use that information on cases that are not "high value".

They interchange all kinds of information. Maybe we should all use Icelandic hosts.

runbox (http://runbox.com) are norwegian and were, when i looked a year or two ago now, the best alternative i could find.

I'm always disappointed when I go looking for European web services, why is that? Why can't they have a Hotmail counterpart? China has comparable duplicates of most American services, but Europe doesn't even try. It's weird.

Interestingly www.torproject.org is currently down... I don't know if this is related.

As is http://www.appelbaum.net/ (his website)

A good (but already known) reason to leave gmail.

Hotmail would probably have had to do the same. The guy chose Gmail over Hotmail so people should leave Gmail? That's horrible logic.

This only makes sense if you get a server at an off-shore host for mail, instead of using major email providers.

You speak of "off-shore" as though it represents some magically lawless region. As useful as that might be for these purposes, it doesn't exist. Your server will exist in some country. That country will have laws; those laws may or may not favor you. That country may or may not wish to refuse a US court order. Most countries are on fairly good terms with the US, and unlikely to say "no" to a request for evidence based on what looks like a standard legal investigation. Many of the countries not on good terms with the US rank pretty high on the list of places not well known for respecting rights, least of all privacy. And on top of all that, keeping a server outside the US does not render you personally immune to a US warrant if you remain in the US.

(Most of the above applies for s/US/$country/g as well.)

You're likely better off hosting a mail server here in the US, not actually storing any mail on it, downloading the mail immediately to a local mail store on an encrypted disk, and using encrypted email to protect new mails. That still won't render you immune to prosecution, but you might consider the consequences of refusing to decrypt a server preferable to the consequences of revealing the contents of your email. Or not.

I'm not a lawyer but I believe it would be very difficult for an FBI prosecutor to raise a case to international status and get a foreign judge to issue a subpoena. Most countries are very protective of spying on their citizens or corporations.

I think the main danger of using a foreign host would be that the NSA has more spying leeway with international traffic so they probably will have already slurped and archived your mail off of the wire without needing to ask your mail host. SSL is supposed to help with that but I have my doubts that that stops the NSA if they want to target you.

Or do the above, and then delete the mail. Not with the intention of destroying evidence of course, but because your hard disk can only store 1024 megabytes and you want to save disk space.

How is it a gmail only problem? The government got a court order to force them, Google didn't hand it over willingly. It's the government who is at fault here and the shitty laws that enable it.

Right, it is a good reason for leaving all US services, just singling out gmail would be unfair. Too bad so many major ones are hosted in the US (or at least by US companies). We really need a less centralized internet... Otherwise, when the US turns into a loony military dictatorship it takes us all with it.

The article states that the government had a court order but didn't have a search warrant. It seems there is a loop in the system with the Electronic Communications Privacy Act. My questions is, did Google 'have' to give over his Gmail account information? Or do they just comply to make their lives easier?

In today's society 'having to' and making your life easier is just about the same thing. Don't want to comply citizen? We do have those antitrust hearings scheduled in a few weeks, would be a shame if we found out you were running a monopoly and had to break up your company.

When US citizens are assassinated by presidential order rather than being brought to trial it's probably time to 'make your life easier' rather than wait around for the ICC.

Interesting point. It's not unlikely that played a role in their decision not to fight it (too much).

The ISP Sonic fought against having to hand over the data and lost.

Both Sonic and Google fought over the right to inform Mr. Appelbaum of the request for his data and won (afaik).

The article says it is not known whether Google fought against having to hand over the data, like the ISP Sonic did.

Which makes me assume the writers asked Google, they didn't answer, neither did they issue a press report one way or the other. Which leads me to believe that, no, Google did not fight the actual request and unlike the small ISP Sonic did just comply in order to make their lives easier.

Of course it's just speculation but why else would we know about the other case Google did fight in this matter?

Additionally, why would Google go through that trouble, they have no interest either way, and are not in the business of protecting their users from surveillance state governments. Apparently.

Or they simply knew they were going to lose from the fact that they have already gone through this with similar cases.

The law is the law, and they must comply.

The government doesn't need a search warrant to rummage through cloud data, that's the point.

tor developer didnt use tor ? odd.

Using tor wouldn't have helped anonymize his contact list.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact