> Electronically transferring data from a server in a foreign country to Google’s data center in California does not amount to a “seizure” because there is no meaningful interference with the account holder’s possessory interest in the user data.
So, because data can be copied and doesn't deprive the original account holder of their data, this doesn't count as a seizure?
> the electronic data disclosed by Google pursuant to the warrants will occur in the United States when the FBI reviews the copies of the requested data in Pennsylvania.
And because law enforcement will review the documents in the United States, this doesn't count as a "search" outside the US.
This line of reasoning seems really crazy to me. What if these had been physical documents? Would this have been ruled in the same way? Say that the US government photocopied a set of files outside the United States and planned to only review them in the US.
>Electronically transferring a movie from a server in a foreign country to one's home in California does not amount to pirating because there is no meaningful interference with the original movie holder’s possessory interest in the movie.
They said it's not seizure, they didn't say it's theft. Argument for piracy has been that it's not depriving the original owner of the content, but that has been argued against. So I'm not sure your argument will hold.
> “[N]o seizure occurs if a package is detained in a manner that does not significantly interfere with its timely delivery in the normal course of business.”
> Electronically transferring data from a server in a foreign country to Google’s data center in California does not amount to a “seizure”
I can see that that's what the US justice system thinks about it. But what will happen to Google in the country of origin? I can rule that it is legal to kidnap criminals from other countries, but that doesn't mean that you are not breaking their laws.
The court relied on the fact that google already copies data between datacentres (I suspect across borders as well). This means there isn't a lot of meaning to google copying data across borders on an order.
I'd feel very different if google was strict about keeping data within international borders.
There seems to be confusion around what this specific decision is for.
This is not about foreign emails stored in foreign servers by Google. This is about US emails that Google decided to store outside the US. Why do that? I'm guessing Google has developed technologies like Spanner [1] that distribute data on a global scale, to help with capacity, disaster recovery etc. Even for data generated in the US and accessed in the US by US persons.
So if you have a US person's emails shipped outside the US by Google for no other reason other than Google's convenience, do US warrants still apply to the foreign-stored data? It's not a simple question.
The Microsoft Ireland case doesn't seem relevant as the person in that case was a non US person. Or, to be more specific, the Ireland datacenter that MSFT was running was meant for non US email accounts.
Overall, the US law seems to offer sufficient protection to non-US persons with data stored outside the US. This specific decision is not about that.
No, I don't believe this is correct. The source of the emails seems to never be brought up. The discussion in the decision is pretty readable.
Essentially the argument seems to be because Google transfers data from country to country in normal operations, the data currently stored outside of the US is somehow different than the data Microsoft was permanently storing in Ireland. As a result, Google could just transfer the data back to the US and then the search is just a normal domestic search with a warrant:
> Under the facts before this court, the conduct relevant to the SCA's focus will occur in the United States. That is, the invasions of privacy will occur in the United States; the searches of the electronic data disclosed by Google pursuant to the warrants will occur in the United States when the FBI reviews the copies of the requested data in Pennsylvania.
Seems like the judge's argument would apply to any user of a service with multiple data centers that regularly replicate (or transfer) data between them.
You're right with respect to the point about the source of the emails.
> Seems like the judge's argument would apply to any user of a service with multiple data centers that regularly replicate (or transfer) data between them.
I find this decision even more onerous than that, which is disturbing on a number of levels, specifically, this excerpt from the conclusion:
> under this court's interpretation, Google will gather the requested undisclosed data on its computers in California, copy the data in California, and send the data to law enforcement agents in the United States, who will then conduct their searches in the United States.
An important note is that this is not simply because the data in question is sharded (and therefore cannot be guaranteed to be wholly present in some single sovereign's jurisdiction - this conclusion is considered ancillary to the SCA warrant extraterritoriality question).
Microsoft was in a similar boat a while ago. They refused[1] to hand over foreign data, and the court ruled in their favor[2]. Why does Google have to be treated differently? This type of decision poses a serious threat to the competitiveness of US companies in a global market.
The real answer to your question is: Because the court system.
Specifically, because the magistrate that heard Google's case disagreed with the other judge's ruling. It's specifically mentioned in the first paragraph of the article, linking to the article as well as another one stating that a rehearing on the Microsoft case was denied. Judges seem to be very split on the issue, so it's a matter of who you get.
Emails aside, this is more about using cloud services in general. If you use Google Compute or AWS, you are in this boat. This is why U.S. tech can't be trusted.
The issue is that the US law enforcement should use a foreign legal system to request legal assistance if they want to do a search in a foreign country, which would allow affected parties to use the local court system to defend themselves.
How would you (assuming you're American) feel if the English police entered your corporate office to seize documents and told you if you had issues you would have to deal with it in England?
That's how everyone else feels about the US thinking they have jurisdiction over their documents stored on some 3rd party providers which - under local laws - have obligations to maintain the customer's privacy.
If you are Chinese, it's probably not a good idea to use a Chinese email service (or any of the "joint ventures" between American companies and Chinese ones).
It goes the same for Americans. If you want privacy from the U.S. government, don't use American services, or U.S.-hosted services.
Check out the Swiss Data Protection Act and the Data Protection Ordinance. The difference is HUGE: even for Swiss govs it is very hard to get Swiss data. Outside govs basically have no chance except for a few exceptions that are not as easy as shouting out "terrorism" loudly once.
Including operating systems, and any other sort of software developed by American companies.
So are we prepared to create our own stack for everything?
Note you can also not trust FOSS software developed on American soil without thorough review of what it is actually doing.
And those that happen to live there, like in other countries, will need to create their own safe systems as well if they want to be safe from government and any future state police.
Curious: Why would you trust a cloud service operating outside the US more than one operating within?
If you use Google, your data is basically guaranteed to be secure - the biggest vulnerability is search warrants from the US government.
If you use some provider in another country, the attack vector has to be way larger, right?
This is an honest question - people always talk about using their own servers or non-mainstream providers, but I don't see how they necessarily reduce your risk.
Are you saying that everyone else outside the US is somehow incompetent? The 300 million in the US are super special and the other 6.7 billion people are stupid? Cause 'murica? For example all the countries in the EU, Canada, Australia, etc.
Or are you saying privacy laws in the rest of the world are somehow worse? For example, the EU has generally much better privacy safeguards and is generally known to be much more consumer friendly than the US.
Google has the resources to secure their systems, the ability to defend against nation state attacks, and billions in revenue at risk for losing that trust. I know of no one that offers the same experience with anything close to the same protection, do you?
This very topic is about the fact that apparently Google doesn't have the ability to defend against nation state attacks. If you are not American, the US government being able to seize your data is very much a nation state attack.
"the ability to defend against nation state attacks"
I'm skeptical about that. They got seriously owned by one in the past with their proposed solution switching to Macs and Linux distros. I don't recall if they acted on that but the fact that they thought it would stop nation-states says something. They certainly have more resources to stop, detect, or recover from black hats than the average user of their service.
It was in multiple sources like NYT and Business Insider that they initially blamed Microsoft with a switch planned. Looking it up again, Wired reports they didn't go that far: just gave employees options with extra information informing them about the pros and cons of them.
Of course, this is almost equivalent to original claim given they think switching between operating systems will mean much against nation states with China levels of labor. Especially if it's an Ubuntu derivative. It takes a lot of different elements to deal with them which include strong protections on an endpoint designed with that in mind. Lots of configuration checking and monitoring too.
Why do you talk about things you obviously know very little about and present them as the entire story? Reducing, not eliminating, the Windows footprint was just one of many, many initiatives. U2F security keys are one of the well known ones outside the company. Or hardening ChromeOS.
I think what you're saying is that I acted on incomplete information due to the fact that Google didn't publish much of it. Instead, I have to generate some mental model via fragments scattered among news stories, a few papers, tips in video presentations, and Twitter comments. Google publishing all their security methods in full in one place would certainly help. We know that ain't gonna happen. ;)
Now, let's look at it from my vantage point in high-assurance security: the kind that stopped nation-states regularly in the past from pen tests to the field. Obviously, any smart organization would do variations on what worked before or even hire people responsible for past successes, right? I saw this in action at Microsoft Research & some operations side where these things showed up when they tried to 180 their security:
1. Steve Lipner of VAX Security Kernel brought in to apply high security lessons to Windows, etc. Created a mini version of Orange Book lifecycle called SDL that knocked 0-days down across board.
2. Lampson and Lamport were brought in at some point to build on their strong methods for verifying software... especially protocols that were a pain point for Microsoft. I think this was independent of security effort with it more for correctness in general.
3. Microsoft encouraged as much Windows software as possible to be written in memory-safe languages on a cross-language runtime allowing best tool for the job. That cross-language concept, kernel architecture, and clustering scheme came from the ultra-robust OpenVMS.
4. Seeing driver errors, Microsoft created a formal model of the driver interface plus static analysis tools to ensure drivers couldn't crash the system due to interactions. I haven't seen a blue screen in forever due to this. My Linux desktops freeze from driver errors on occasion, though.
5. Things like VAX Security Kernel virtualized operating systems with strong, tiny TCBs that knocked out covert channels and other esoteric attacks. Microsoft helped third parties apply the successor, the MILS model, to Windows via INTEGRITY-178B, LynxSecure, and VxWorks MILS. Each of these partitioning, 4-12Kloc microkernels was heavily pentested by NSA, with two getting two years each.
6. Microsoft Research applied a combo of Design-by-Contract, static analysis, and formal verification to many areas of software. Tools include Abstract State Machines, Spec#, Dafny, a safe assembler, and separation logic applied to a number of components. Languages such as Dafny were designed from the get-go to be amenable to static analysis and formal proof. Proved memory safety for a good chunk of Hyper-V. Their VerveOS was proved safe all the way to assembly. An independent team used those tools for ExpressOS in the mobile space. Midori took the lessons further at the level of a production OS.
7. Seeing hardware issues, partnered with Trusted Computing Group to put whitelisting and integrity checking at or near CPU level. They and Beyond Trust built FDE and authentication systems on that. The fact that they also wanted DRM kept this from going anywhere past an option on PCs that many buyers ignored. Vendors for No 5 and academics utilized them when present for better schemes anyway.
8. Did a lot of what I call tactical stuff that has bypass potential such as No Execute, compiler tweaks, sandboxing, etc. Google does that, too.
9. Another thing Google did... with an award-winning paper... was in browsers. OP Web Browser was a high-assurance browser from CompSci that combined POLA architecture, formally-verified restrictions for plug-in interactions, and a memory-safe language. Google, putting performance above everything, watered that down with a very clever scheme called NaCl for Chrome that raised the bar but got bypassed a lot. Microsoft's Gazelle Browser, developed the same year, was a stronger design that combined a memory-safe language, a reference monitor with wider application, and fewer compromises that could hurt security. Also, what they used could tie in to verification or isolation techniques I already mentioned since various teams intentionally reuse technology they know other teams are improving.
So, looking at what they were doing, I could tell that Microsoft Research & whoever brought in Lipner had knowledge of or experience in high-security or high-integrity software. They also knew what to invest in to get it both more productive and higher in assurance over time. This was applied from high-level languages to assembly, from CPU checks to browsers, and with whatever tactical improvements they could. Backwards compatibility (aka billions in profit) drastically reduced how much they could apply it but what applications they did hugely reduced risk. Being Microsoft, they ruined all that for me by loading up Windows 10 with surveillance features. (sighs)
So, I look at Google. I see a clever browser whose compromises predictably defeated its security goals. I saw no use early on of any high-assurance techniques for core infrastructure as above. I see a steady stream of tactical improvements like hardening of insecure platforms (OS/virtualization combos), authentication schemes, programming languages not designed for verification, and so on. No evidence they had people in key positions aware of what stopped nation states before and baking that wisdom into what they were doing. Eventually I saw them do some tamper-resistant something using a high-profile hacker (Mudge) who never designed a high-assurance system that I'm aware of. Meanwhile, IBM brought in legendary Paul Karger himself to design a CPU that enforced information flow security on its operations plus a smartcard OS (Caernarvon) that applied EAL7 lessons for bulletproofing on tamper-resistant hardware done by pros in that field.
I double down on my claim. There's no reason to believe Google can resist nation-states if they don't use the methods required to resist nation-states. They have resources to do a lot more review, testing, and monitoring than most, where they might luck out. The problem is they have massive complexity + data throughput where 0-days and attackers have more room to hide. Penetrate-and-patch with ad-hoc methods falls apart more often in such situations. Better to apply methods where economically feasible to provably eliminate entire classes of flaws like teams at Microsoft and IBM were doing. There were small-ish companies doing it, too, with some having products in about every category. The only way Google could consistently miss it is if their engineers never saw those techniques (common problem) and/or their management thought they didn't need third-party help given their people were so smart. Just a guess, as in the beginning of my comment I have no data to know why they didn't hire or contract the best of the high-assurance field to get them a huge head start on the most-critical stuff.
Note: Don't let solipsis fool you. I'm a huge fan of Google's engineers for IT in general. The work from Google File System to F1 DBMS showed The Right Thing mentality where they learned from strong, past work plus industrial application. I also want a FOSS clone of F1 pronto. Business model I have strong hate for albeit it's understandable. I call out INFOSEC bullshit about stopping nation-states on the whole industry with Google being no exception. They did a bit better than a lot of IT companies, though. At least learned from one high-assurance product in the web space plus implemented strong tactics in ChromeOS.
EDIT to add: I'm also interested in anything Google has done that matches what's on this list. Provable correctness or security down to the assembly. Processors immune to code injection or info leaks at instruction level. Automatic or easy model-checking of correctness of protocols. I bet they do TLA+ on that one by now on top of Protobuf work.
A warrant is a form of nation state attack from a security perspective. They have also previously used DKIM keys in a way that makes them close to worthless. The NSA had some exploit strategy in place according to Snowden. Etc.
Sometimes being in the big pot is less safe than being in the small pot that is 95% as secure if only because the effort for breaching 95% vs. 100% is minor if you get 50x as much information.
> Why would you trust a cloud service operating outside the US more than one operating within?
Because I'm an American in America. If you aren't in America's sphere of influence, the United States may be one of the best places to host your data. (No data retention laws; freedom of speech; working courts; et cetera.)
Because some countries - namely in Europe - have much stronger personal data protection laws than the US. Switzerland for instance.
Also because the country where the data is stored, even if internally it has personal data protection laws as lax as the USA's, will in basically all cases have much bigger restraints about allowing a foreign government (namely the USA) to access that data.
Most people are preoccupied about what their own country's government or a big superpower's government can do with their data, not really what Norway's (another example) government can do with their data if they don't even live there.
You would do on-prem and not cloud if your potential legal adversaries included the government because they would then have to come and take your emails from you with a warrant vs. being able to silently take it from cloud providers and compelling them to not inform you.
For any reasonably sized multinational, governments are potential legal adversaries, and so they avoid keeping mail servers and financial transaction data in the cloud.
they would then have to come and take your emails from you with a warrant vs. being able to silently take it from cloud providers and compelling them to not inform you.
What if they just insert a box upstream of your connection via your ISP?
Weigh the cost of corporate controlled robots peeking at your emails against the increased probability of extra-corporate attackers pilfering your data.
"If you use some provider in another country, the attack vector has to be way larger, right?"
I think Nexor, Thales, Fox-IT, Sirrix, Data61, and recently ProtonMail might have something to say about such claims. Starting with better security architectures than most vendors in the space. Maybe throw in GPG-based things like Enigmail since Snowden leaks showed NSA worried about it so much.
> If you use some provider in another country, the attack vector has to be way larger, right?
If you just mean "Google has more resources than most European services, so it's probably more secure", you have a point, but it's not entirely accurate, and that's because of how Google handles encryption. It prefers to keep the encryption keys to itself, so from that point of view it will always be more vulnerable than services that don't do that - small or large.
And if you meant "because the NSA wouldn't target Google, or it would just target those companies more" then I believe that's completely false. Google is absolutely a high priority target for the NSA. Any large company is, no matter where it is. We've learned that by now.
Also because Google actually did get completely owned by the NSA a few years ago:
Sorry, but mass collection on inter-datacenter links operated by one of the largest technology companies on the planet should qualify as "completely owned", at least in spirit.
If you insist on using the technical definition, then I'd argue it's very possible that Google could be completely owned after all, in every sense of the term.
What Snowden leaked was essentially a glorified TS PowerPoint repository. Crown jewels such as partner company names didn't even make it into that level of access, and for good reason. If the NSA happened to be installing persistent implants on target systems belonging to Google's senior leadership, it'd be so compartmented you'd never hear about it.
In other words, we probably wouldn't know if Google was completely owned.
Guaranteed to be secure? Are you joking? Aside from the fact that nothing is guaranteed to be anything in the security world, if you go read the documents put out by Snowden there's just no way you'd say that.
More like it is that there are any number of zero days floating around at all times many of which Google doesn't know, and the government itself is regularly taking data from these companies and then gagging them, and when that doesn't work, rooting them directly.
Outside countries are just as susceptible to hacking, but they can't be as easily made into gagged cooperators.
And Google may have a lot of smart people but they have a colossal attack surface due to sheer size and product offerings. And they're made of humans. They run hackathons soliciting bugs and regularly find them. No one is perfect, definitely not Google.
The overall security picture out there is grim, and it's very rational for people to control the risks they can and part of that is using outside of the US services
So should we soon expect courts to reject copyright infringement or piracy claims?
So says the court in the article: "Electronically transferring data from a server in a foreign country to Google’s data center in California does not amount to a “seizure” because there is no meaningful interference with the account holder’s possessory interest in the user data."
My point is there could be analogies drawn. If taking copies of an email without the email owner's permission doesn't violate the owner's interest, then perhaps taking copies of media works without the owner's permission doesn't violate the owner's interest either? I'm suggesting strictly viewing, non-commercial use.
Copyright infringement is not, even in principle, about seizure or possessory interest, so there is no relation between your question and the quote it is supposedly based on.
Neither is search and seizure about a possessory interest. It's about privacy and security. Even in the eighteenth century it was about "persons, papers, and effects." It was always an information security question.
A seizure is defined, basically, as something that harms a liberty (if a person is the subject) or possessory (if the subject is not a person) interest; without that there is no seizure, reasonable or unreasonable.
Likewise a search is something that harms a privacy interest.
Thank you. I'm saying the above somewhat tongue-in-cheek, because my gut feeling is that some aspect of interest has been violated in the case of the email owner or related parties. Of course, "gut feeling" is not a legal principle. So I'll go back to being Definitely Not A Lawyer.
I wonder what effect this has on international relations and treaties. How will the U.S. government respond when a European Union country's authorities furnish a warrant to Google for information about U.S. persons, using the same precedent?
I find it hard to believe this doesn't conflict with at least one of the treaties the U.S. has signed with the EU.
Doesn't work that way. The thing is as long as the people in the Justice Department get what they want, they are happy. They don't care about you.
Just like the NSA. Once they figure out a 0-day, they use it to hack foreign entities. They won't help fix it by telling the U.S. software company. In other words, they don't care if you get hacked.
I think democratic states who set themselves up as models of free societies have a higher responsibility to live up to these values.
The fact that fascist or authoritarian states passed laws to support their excess does not change our perception of them or make anything 'legal'.
Authoritarianism couched in legalese is still authoritarianism. We are now 10 years into using the legal system to set extremely dangerous precedents and are guilty of insidiously corrupting and trivializing the democratic movement set up after the second world war.
Our evangelism of free and democratic values will now lack authenticity and will inevitably be perceived as self-serving posturing and hypocrisy. This loss of the moral high ground is a high price to pay for some generational politicians' and NSA bureaucrats' tinpot tendencies. The system is not working.
They are also under the jurisdiction of their foreign offices and have to adhere to privacy laws abroad. Which means it may be illegal in other countries for google to execute that order on foreign soil.
And that is why we have separate jurisdictions in the first place, to avoid such irreconcilable conflicts.
But how do you define the location of the company if it has offices in other countries where the users are from? Would the US assume that the rest of the world doesn't count as long as any representation of the company is physically located in the country?
Could someone explain whether this has an impact on the EU Privacy Shield law? Is this a workaround those? Does it only apply to data of US citizens held outside the US or can the FBI now seize data of non-US citizens, held abroad, without going through local (non-US) authorities?
If this is a workaround for EU privacy laws it'll be the final straw for me and I'll be moving my data from Google but it's a complicated area so some clarification would be nice.
If you start behaving like that, expect foreign governments/clients to ban/boycott American providers.
Jurisdiction is an important concept, and if the American justice system starts using the good economic position of its companies to bypass or expand its jurisdiction, it should be expected that the feedback will affect said economic position.
While this case seems to be a bit different from the Ms case, the court essentially orders a private entity to take action in a foreign country, something which it could not do itself. This seems wrong to me. Instead, the issue is probably that this info should probably not be foreign if the producers were domestic.
If you start behaving like that, expect foreign governments/clients to ban/boycott american providers.
If it were a real concern to anyone, the EU countries would have simply used their big stick and started banning Google and Microsoft from doing business until they cleaned up their acts.
And they'd have done it years ago.
As long as it's the US government violating your privacy, those EU countries are perfectly happy to see their data privacy laws neutered.
The situation is not immune to change. E.g. the election of Trump, and more specifically the executive order he passed calling for the stripping of any expectation of privacy for all foreigners, may spur Europeans to action.
At least currently, there seems to be a trend in the EU pleading to shield ourselves from US interference, and the tech cos are probably the obvious first target.
People do that. I have several clients that _can_, by company policy, use services in pretty much any European country but nothing that has a headquarters in the U.S. Sometimes an official U.S. branch is already enough to make it a no-go.
But an American company operating in the UK is also subject to British law. Suppose if the British government compelled Google to hand over information stored in the United States on Americans. Is that okay?
This is only acceptable if you think the United States governs the world. See 'Extraterritorial Jurisdiction'.
Corporations are international entities. If a corporation conducts business in my country, has offices, personnel, and stores data in my country, pays taxes here, I would not expect to be subject to American law.
And this does not say that you are. But if you are otherwise subject to American law by jurisdiction, storing your data on foreign soil does not exempt it from warrants. However if the storage provider itself has no US presence, it is much harder for the US government to compel them. But Google and the target of the warrant are subject to US courts so the physical location of the data is not relevant.
From my POV I am dealing with a company in the next city and servers within my country and in neighboring countries. My data shouldn't move to the U.S. even once; I mean, I know it does. But the Google I use is an Irish corporation with a big center in a city nearby.
If I, as a Swiss, had a company in Switzerland and a branch in the U.S. and moved all the data to Switzerland while claiming to be a U.S. company, you would probably think that is wrong as well.
That's not really a good solution, if you setup your own personal email server your outgoing emails in many cases will unfortunately end in a SPAM box since they will originate from an unknown server.
Hosting it yourself requires quite a bit of effort and knowledge to achieve high deliverability and low spam. Any solution is going to require you to be a mail server admin, which isn't for the faint of heart. You can't really be a casual once-in-a-while admin to get good results.
Sometimes it is worth paying a hosting service to take care of these problems for you.
With that said, Zimbra is a wonderful, easy to setup, all-in-one solution (email, calendars, contacts, etc)... and it's free (the Open Source license version).[1]
It works for small setups (<5 users) all the way up to huge installations (Comcast uses Zimbra for its webmail service).
> Runbox will not disclose account information or email data to authorities unless presented with a court order issued by the country we do business in.
Well, Google does business in every country, so it's still better to be compliant with one country with better privacy safeguards than a company which has to please every government.
It is a good point, I guess my assumption was this would be a lesser chance than it happening at Google. In any case, they have been reliable as an email host, so I am grateful for that. I wanted to suggest another option; not a perfect option.
I find WP's new "subscribe to read" policy extremely abusive. It will result in some random unfortunate people receiving unsolicited crap into their inboxes. I hope someone will collect their complaints and sue WP for this.
> Indeed, according to the Stipulation entered into by Google and the Government, Google regularly transfers user data from one data center to another without the customer’s knowledge
Seems like this one is completely on Google.
So if you want to be protected against this type of seizure, stop using Google, or any other American service that brings its data from its EU servers over to the U.S.
EDIT: And why is this an "opinion post"? It didn't have to be one. I thought the Washington Post was using its recent surge in profits from covering Trump non-stop to hire more investigative journalists, not pay for more biased opinion pieces?
Orin Kerr is one of the original proponents of a "golden key" for encryption, so I would at least take his suggestions with a pretty big grain of salt.
I haven't read the Google ToS, but I wonder if it would matter to the USG if the Google ToS made stipulations about transparently moving data within a region versus between regions.