dmitrygr 7 years ago

I truly do not understand why anyone would want to "help" the LEOs of today. They are the enforcement arm of the ruling class seeking to take away whatever privacy we have left. It truly saddens me that Google is volunteering to help turn over data to them, for free, without a fight.

The current system is slow and inefficient, and that is wonderful. Think about it. Police could always legally follow you - it only became a problem for privacy when CCTV and hidden GPS trackers made it easy to "follow" everyone at once, cheaply and efficiently. Much like password hashing algorithms, some systems only work well if they are kept slow and inefficient on purpose, to rate-limit their use. This causes each use to be reviewed and considered carefully. I feel like turning over user data to anyone should be one of these processes.

Let them get warrants signed in triplicate, convince ten judges, file thousands of pages of papers, find out they lack jurisdiction, convince more judges, etc... Only then is there a chance that they will not go on a fishing expedition for everyone's data all at once.

Always remember these words of Richelieu: "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." You may be an honest man (/woman/child/etc), but your government is always on its way to becoming Richelieu.

  • CPAhem 7 years ago

    There is also the issue of parallel construction - basically using evidence gathered illegally to build a case, and then not submitting that evidence during the case, or using it for a plea-bargain.

    As Snowden said, good encryption is a partial defense against this. VeraCrypt http://veracrypt.org works nicely with Dropbox, while SyncDocs https://syncdocs.com encrypts Google Drive.

    Richelieu would have had a ridiculously easier time if he could select any six lines from everything an honest man had ever written. Using encryption to make this harder could be wise.

    • catdog 7 years ago

      Encryption can't save you entirely; there is still a ton of metadata being produced, which is most of the time at least as interesting as the content [1]. Avoid the cloud and decentralize as much as possible. As a bonus, decentralizing helps to avoid oligopolies and monopolies.

      Big, purely money-driven corporations will follow the path of least resistance, so it's no surprise that they automate LE requests away in the long run. As most of the "internet giants" essentially make money by spying on their users, they have the basic infrastructure in place already.

      [1] 'We Kill people based on metadata' some former CIA/NSA director once admitted.

  • x0x0 7 years ago

    This isn't about helping law enforcement. Here's the tell:

       Faced with the extended delays under the MLAT process, some countries are 
       now asserting that their laws apply to companies and individuals outside of 
       their borders. Countries asserting extraterritorial authority potentially 
       put companies in an untenable situation where we risk violating either the 
       law of the requesting country or the law of the country where we are 
       headquartered.
       [...]
       We are also seeing various proposals to require companies to store data 
       within local borders as a means to gain easier access.
    
    
    It's about two things:

    1 - Google doesn't want to be in the middle of Country X and the US where the laws conflict;

    2 - More worryingly, countries are requiring data be kept within their borders and hence subject to their laws. This complicates Google's business of monetizing people's data.

  • magicalist 7 years ago

    > The current system is slow and inefficient, and that is wonderful.

    which is great until it's not slow and there is no due process. I think the key motivation may be:

    > Faced with the extended delays under the MLAT process, some countries are now asserting that their laws apply to companies and individuals outside of their borders. Countries asserting extraterritorial authority potentially put companies in an untenable situation where we risk violating either the law of the requesting country or the law of the country where we are headquartered.

    which is presumably a reference to this case: https://arstechnica.com/tech-policy/2016/07/microsoft-wins-c...

    • dmitrygr 7 years ago

      Yes, except that case was decided correctly - USA was reminded that their laws did not apply outside of USA, and they can go use proper slow channels

      • magicalist 7 years ago

        > USA was reminded that their laws did not apply outside of USA, and they can go use proper slow channels

        They were reminded that the Stored Communications Act does not apply outside of the US, but according to the OP the Second Circuit said Congress could easily change that.

        If Congress started making moves in that direction it would make sense to get out in front of it with some kind of proposal, because AFAIK there's no constitutional basis for those protections.

      • puzzle 7 years ago

        The US have always liked to apply their laws on American entities even on foreign soil, see e.g. IRS taxation. Based on decades of precedents like that, it's not difficult to see them attempt to apply the same reasoning for communications.

  • userbinator 7 years ago

    > I truly do not understand why anyone would want to "help" the LEOs of today.

    I think some people are just naturally authoritarian. Unfortunately they also seem to be most likely to get into positions of power.

    • Spivak 7 years ago

      Or less cynically, the people who choose to work in government and law enforcement see themselves as doing good.

  • DanBC 7 years ago

    > The current system is slow and inefficient, and that is wonderful.

    It's pretty fucking lousy if you're in jail on remand and haven't been convicted of a crime yet.

  • openasocket 7 years ago

    You're talking like Google wants to give information to LEOs without a warrant, but this post is specifically about ECPA search warrants.

    • dmitrygr 7 years ago

      Anything that makes getting user data easier is bad. Better to fight each request. Better to not have a set procedure that is clear and concise. Let them figure it out each time. Change it up occasionally.

      • JoBrad 7 years ago

        It seemed like it would be better if there were clear rules and guidelines that governed when and how data would be turned over. Then users and companies would be more aware of their rights and risks, and there would be an above-board and verifiable process for accessing data.

  • ckastner 7 years ago

    > I truly do not understand why anyone would want to "help" the LEOs of today.

    Have you considered the position of the victim?

    Consider some instance of cybercrime, for example: perpetrators defrauding four companies of €86m [1]. Are LEO supposed to roll over and give up on the case, just because the perpetrators reside in some other country?

    [1] Source is in German, sorry. http://derstandard.at/2000059612885/Cyberattacken-Bisher-86-...

    • thinkfurther 7 years ago

      What about the victims of mass surveillance? In a very real way, that is a constant attack on everybody.

  • rfrank 7 years ago

    > They are the enforcement arm of the ruling class seeking to take away whatever privacy we have left.

    Does that make tech employment in general the research arm of the ruling class trying to take away whatever privacy we have left?

rrggrr 7 years ago

The proposed framework is self-serving, flawed and behind the state of the art. I say this as someone who really loves Google's products and uses them heavily. To summarize: US citizens, as a right, have and must continue to have their due process rights adjudicated by US Courts in accordance with the Constitution.

1. Requests under Mutual Legal Assistance Treaties (MLATs) take a long time because the Courts don't move quickly. If Google or a requesting country finds the US judicial process too slow, welcome to reality. Lobby for more Court resources, advocate for decriminalization of minor offenses, etc., etc.

2. Assertions of Extraterritorial jurisdiction (EJT) are a business risk, just like customs regulations, tariffs and privacy regulations. If Google finds them inconvenient then adjust the business model.

3. "We are also seeing various proposals to require companies to store data within local borders as a means to gain easier access. There are a host of problems with this: small, one-off data centers are easier targets for attackers and jeopardize data security and privacy. Further, requiring businesses to build these data-centers will raise the costs for cloud services, erecting significant barriers for smaller companies."

...Not credible, at all. Smaller companies don't build data centers. Data flows like currency to centers where trade-offs among speed, security, cost, privacy and other considerations are optimal. The market can resolve these issues on its own in response to host country data privacy and criminal law.

4. And, finally, assurances of adherence to baseline due process, human rights, and privacy standards are largely meaningless to anyone paying attention to the rampant corporate and political espionage states routinely and sometimes/often appropriately engage in. The last thing US businesses need is the long arm of foreign governments' attitudes toward encryption, by way of example, reaching into their data.

Again, I believe Google's contributions across all its offerings and policies are a big net positive. Their position on this issue is horribly misguided in my opinion.

wcarron 7 years ago

I don't see this as a good thing. I would say that I declare (my admittedly insignificant) vote of no confidence in both any government and in corporations. When I look at the legislation passed in my lifetime, it's enraging. Laws are passed specifically to entrench a surveillance-based police state.

While it does appear that some legislation is outdated, I would rather it stay, since I can only foresee it being replaced with a bill pork-barreled to the point of bursting with surveillance measures, anti-consumer, anti-encryption, anti-privacy clauses. The governments of today are cartels, plain and simple. Enhanced cooperation between thugs with lots of money is not exactly comforting.

The Alliance of Conservative Dinosaurs (read: the GOP) seems dead set on rescinding my liberties. I'd rather they be frustrated by antiquated legislation than surrender more freedoms under the false flag of security.

kijin 7 years ago

I don't know what definition of "countries that honor baseline principles of privacy, human rights, and due process" they're using, but if they want to put the United States on that list, the bar must be pretty low.

On the other hand, this is going to be hilarious...

Germany: Hey America, can I get some data on this guy?

America: No problem!

(A few months later)

America: Hey Germany, can I get some data on that guy?

Germany: Uhh, you're not a country that honors baseline privacy, human rights, and due process.

  • killjoywashere 7 years ago

    > countries that honor baseline principles of privacy, human rights, and due process

    I actually thought that was the most interesting clause in the whole thing. This would basically give corporations a way to make rulings on the behavior of nations, truly an ambitious move.

    • duncan_bayne 7 years ago

      > This would basically give corporations a way to make rulings on the behavior of nations, truly an ambitious move.

      They have that option now, by choosing where they do business. Evidence suggests that they don't care.

  • sgift 7 years ago

    "serious crimes" is another one of these weasel words. I'm pretty sure various countries have wildly different interpretations of what is a serious crime.

    • JetSpiegel 7 years ago

      Like women driving in Saudi Arabia.

heheocoenev 7 years ago

How about end-to-end encryption in your products to protect your users from governments, both good and bad? Can't disclose what you can't see.

  • saurik 7 years ago

    For Google Maps, they refuse to even store local search history or use the local Address Book API to get your home address: to get either of these basic features you have to sign in with your Google Account, and to get the former feature you have to turn on saved search history for your entire Google account including normal web searches, and I imagine for the latter to work you need to turn on location tracking. Google acts maliciously with respect to obtaining personal data and clearly is never going to implement end-to-end encryption as it fundamentally undermines their mission of "organizing the world's information": they can't organize what they can't see.

  • mtgx 7 years ago

    It's hopeless. Google has already given up on a bunch of end-to-end encrypted projects, and now I've noticed they've added automatic backups of messages to the cloud for Allo, which may include the messages in the "Incognito mode" (I'm not sure, but I wouldn't be surprised if they did that).

    I've already moved on to ProtonMail. The days of Google being the "good guys" that will fight for you are over.

mr_spothawk 7 years ago

> Law enforcement requests for digital evidence should be based on the location and nationality of users, not the location of data.

Prepare to answer "what is your nationality?" more frequently in signup forms.

  • DonbunEf7 7 years ago

    As a simple answer, perhaps stop having signup forms!

awinter-py 7 years ago

> Today, we’re proposing a new framework that allows countries that commit to baseline privacy, human rights, and due process principles to gather evidence more quickly and efficiently.

One interpretation of this is that G will no longer play nice with countries which operate unsanctioned warrantless surveillance (ahem america) and which ban encryption (ahem england) and free speech (europe, depending on your view on RTBF).

If this is a threat it's a subtle one and the end game is a bigger say in the regulatory process.

joefkelley 7 years ago

The point about requirements to physically store data in a country seems especially silly.

Instead of "if you operate in our country, you have to store that data in our country", why wouldn't it be "if you operate in our country, you must agree to give us all access to that data as if it were physically in our country"?

It would be the exact same in practice (minus network latency) but without the security concerns and business barriers brought up in the blog post.

  • e12e 7 years ago

    I don't know. Say medical journals - in case of a war, where fiber cables are cut; it'd be nice to still know how to treat people.

    Consider that in the 80s, Iraq would've been considered a US ally - how might storing most of financial and municipal data in US datacenters have affected the later invasions?

    We like to think about the current "post globalisation"-world as a peaceful one - but it's only true until it isn't. And there are still areas where national interests remain important.