Nuh-uh, Google, you WILL hand over emails stored on foreign servers, says US judge Google has been ordered by a US court to cough up people's private Gmail messages stored overseas – because if that information can be viewed stateside, it is subject to American search warrants, apparently. During a hearing on Wednesday in California, magistrate judge Laurel Beeler rejected [PDF] the advertising giant's …
Hmm, the two places with the highest number of wiretaps as a percent of the population are the Netherlands and Italy. http://www.npr.org/2013/07/28/206231873/who-spies-more-the-united-states-or-europe
It's nice that the EU governments are so much better a propaganda than the US, but that doesn't they are any better - probably much worse, actually.
"Targeted court wiretap of a person vs blanket surveillance of the entire population."
I'm encouraged that NL has a relatively high number of wiretaps: it suggests they *need* to do so to monitor the bad guys, which indicates they may not do as much general hoovering up of everything.
I have no problem with targetted surveillance. I'm not even that bothered about whether the Security Services need warrants or not. What I am more bothered about is some unvetted desk-jockey in the Food Standards Agency or other government department being able to examine every single piece of anyone's internet history, any time they feel like it, without auditing or oversight, and perhaps even much in the way of justification. Or some hacker breaking into the barely secured archive of my web history that my ISP is forced to keep. etc.
"Wouldn't you agree that choosing the lesser evil is the better course of action when there's no better alternative?"
So 99% black vs 98% black -- We're TWICE as good as those other guys*
So only 30% of your emails have leaked to the world, instead of 99%. Gee, that makes me feel MUCH better!
* Note: some minuscule computational errors might have occurred. Some minor events, all fatal, have been reported while taking Claridryl.
And really, no -- evil is still evil. If you're only 22% (2/9th) pregnant with Satan, you're only partially evil. In 2 more months you're now averaging "normal" evil. Sometimes "No" IS the correct answer. Flush them all and try again.
----
Actually, I agree with the judge in this case. Can you bring it up on your console? Are you (Google) within my (the judge) reach? We're done here.
Or even plan B. Isn't that a fully owned and controlled subsidiary you have over there? Can you order it done? Again, we're done here.
Sorry -- you want the tax independence and freedom of being another company in a separate country? Then Be Another Company with completely independent controls.
The answer is rather simple.
You comply with the laws of your country regardless of the ownership.
In other words you politely decline to do the work stating that it would be a criminal act in the UK.
In both countries, it would be illegal for Company B to order you to break the law in the UK, even if it were not an illegal act in the US.
Sorry but your example is silly.
"What do you do?"
What you don't do is set up the arrangement you describe.
You could, for instance, have an arrangement where company A is a UK company, owned by UK shareholders and operates under UK law. It is a franchisee of company B. The franchise arrangement is also drawn up according to UK law. It includes strict terms that company B is not allowed to have access to data of company A's clients.
US government orders company B to break UK law.
Company B can't.
Which is why now, more than ever, we must encrypt end to end. No org/gov should have access to what I share between me and the other party, be they a corp or individual or my own archives. Now, it seems, I need to encrypt anywhere and everywhere just to cover all bases with respect to data privacy, as the corporations will eventually be forced by the nearest gov to hand over the dox, lest "National Security®" be thwarted in their endeavor to protect us from our privacy in the name of a quick and questionable online crime search that yields precious few convictions. And (in the nearest future) here comes the thought crime police...
" And (in the nearest future) here comes the thought crime police..."
In the future? They're already here. They call themselves the "liberal" left but woe betide anyone who doesn't strictly adhere to their officially sanctioned positions on various topics. And even by posting this I've probably being microaggressive to some weak minded snowflakes.
"You seem to be misusing the word "liberal""
No, I'm not. The word has a number of related meanings, clearly you're unaware of all of them bar one. I suggest you aquaint yourself with google.
The term is actually an oxymoron in the case of the modern liberal left since they are anything but - they're autocrats dressed up as SJWs who will brook no argument or deviation from their pseudo religious stance on any trendy issue-of-the-month they consider important (and that most other people don't give a fuck about to be blunt).
Which is why now, more than ever, we must encrypt end to end. No org/gov should have access to what I share between me and the other party, be they a corp or individual or my own archives.
Two problems with that.
1 - fine, but do keep in mind we DO have criminals. That doesn't mean I'm in favour of crypto backdoors, but you have to acknowledge that some are trying to hide some pretty shady activity, and at present I have personally no idea how we balance this. The UK has IMHO gone too far to one side (see 2), but I don't think that anarchy is the right answer either. I worked with counter-terrorism so I'm not entirely ignorant of the needs of the other side, but I also believe in Human Rights and proper legal process.
2 - UK's RIPA (and IPA, son of RIPA) sets out conditions that apply to your crypto where you may have to unseal your data. On the plus side, it means there is a process, on the minus side is the fact that it reverses due process insofar that you're guilty if not collaborating. As above, not convinced this is the right way but I understand some of the problems.
BTW, beware of experimenting with crypto: delete archives you no longer use because it is possible that you really forget a password (as it was only an experiment), and at that point you'd have a legal problem..
"Two problems with that." etc
I have been in the same position as you and share your concerns.
A few comments.
Firstly, agreed on due process. Due process is not having some officer of the investigating body authorising warrants, nor a minister or ministerial aide of whatever. Due process is a warrant issued by a court of law. Although the nature of a warrant hearing is such that the subject of the warrant doesn't normally get to hear of it when it's applied for and granted, only when its served, once it is served the subject should have a right to a hearing to challenge it if they think there are grounds for a challenge.
Secondly, but related to the first, the presumption of innocence is a fundamental part of law in a free society. An approach that seizes everyone's data first and decides what to do with it afterwards defies that presumption; it should not have been passed.
Thirdly, the jurisdiction of a country's law should stop at its borders. There are treaties which allow for the US or other country to go through proper channels to ask for access in the country where data is held and to get access which is in accordance with the host country's law on presentation of a proper case. The fact that they're not doing that suggests to me either ignorance of the channels available to them, arrogance that they think they can trample over other countries' legal systems, indolence in not being prepared to put in the work to prepare a case or, and I suspect that this is the real reason, they simply don't have a basis for preparing such a case.
Finally, the need for encryption is a necessity for transacting business over the internet. If a government doesn't want to allow it then it should say plainly that it also doesn't allow business to be transacted over the internet and see where that gets it. Otherwise those who advocate banning encryption should be prepared to put all their online banking and other e-commerce credentials etc in the public domain for a year before taking the matter further. It makes no sense to deny the public such facilities when the only effect it has on law breakers is to provide them with another law to break.
I have been in the same position as you and share your concerns.
A few comments.
A reasoned response, thank you. One final (longish) comment, though:
Thirdly, the jurisdiction of a country's law should stop at its borders. There are treaties which allow for the US or other country to go through proper channels to ask for access in the country where data is held and to get access which is in accordance with the host country's law on presentation of a proper case.
This doesn't quite hold true in matters of data residence vs ownership, and I know this because it happens to be my work. I've seen it a few times in the UK that a UK company goes and stores its data in Swiss data centres under the assumption that the data thus falls under Swiss law.
That assumption is 100% wrong, even from a Swiss legal perspective that data remains under UK law (feel free to ask them yourself, their English is some distance better than my French or German :) ). If it is a subsidiary, matters get a bit more murky (a franchise model is far easier to defend due to full ownership separation), but just hosting your data in Switzerland will not move it out of your business jurisdiction.
"Going Swiss" is actually a common ploy of US "privacy" companies, setting up a Swiss subsidiary to pretend they can protect your data. Just checking company ownership and/or directors and where they live is usually enough to expose privacy risks (the linked central register will branch out to cantonal resources where required).
Using jurisdiction to legally protect information is eminently possible, but take it from me that it takes rather substantial expertise and experience to get it right.
Microsoft's system already requires local custodians to approve data retrievals from each region. i.e. someone from the US can't retrieve data from the EU without someone in the EU authorising it. And customers can bring their own keys - to be stored in HSMs that can block access from outside their region.
I bet Googles system doesn't work like that....
Microsoft's system already requires local custodians to approve data retrievals from each region. i.e. someone from the US can't retrieve data from the EU without someone in the EU authorising it.
I wouldn't wave too much of a flag for Microsoft if I were you. When you start evaluating how they comply with EU law you quickly find that all is not as shiny as they make out to be. A bit like Windows 10, actually.
>Europe really must insist on data sovereignty, proper arms-length operation of European DCs.
Which wouldn't work in this case.
The data was for a US customer, Google merely moved it to an overseas data center for operational reasons. The microsoft case was for Irish customer's data hed in Ireland.
If the EU law applied to American data temporarily held in Europe then would Google be able to copy it back to its US user or would the Eu prevent this? Would the Eu have the right to spy on the American data because it happened to be taking advantage of winter in Finland to reduce the AC bill?
"History shows us that opposition parties are, but the day they get a riff of power they want all the power they can get."
The Libs had some degree of success in reining in the worst excesses of the Tories on civil liberties during the coalition government.
"The Libs had some degree of success in reining in the worst excesses of the Tories on civil liberties during the coalition government."
Then they crashed into the ground in a huge ball of flames. What does that tell you about them?
As for the Greens, yes, maybe strong on privacy, for now, but as another poster has mentioned, when you are in opposition to those in charge, you are strong on everything they aren't, right slap bang up until you're nose is in the trough (and your two front trotters). You want an example, look at Trump (through sun glasses). Sadly though, the Greens are staggeringly mental and unrealistic on pretty much everything else. They haven't a clue.
"It doesn't tell you anything about the Liberals. It tells you a lot about the electorate."
Yes. A large part of their vote was simply a protest vote. The thought that the party they'd voted for might actually do something responsible in helping form a government in the aftermath of the 2010 election was anathema to them. Voting against something might appear attractive but in reality it only makes sense to vote for something.
> As for the Greens, yes, maybe strong on privacy, for now, but
So were the Tories when they were in opposition.
If the Greens got into power how long would it be before the names of everyone who drives a diesel were posted out publicly in a name and shame exercise? Oh and everyone with a car with a more than 1.6L engine. Then anyone who ....
This post has been deleted by its author
"The lib dems also vowed to make marijuana legal should they ever ascend to parliament. Only they dropped it like a hot potato when the chance to govern alongside the tories came up..."
Oh dear, you seem to have no concept of how a coalition works, do you.
You state your position in advance of the election but when it comes down to creating a coalition, it's down to negotiating a deal with the other party. Some of your policies you drop as not being as important as others. Ditto for the other party. I am sure the Tories also had to compromise a bit - maybe not a lot, but you never know. If they are desperate for power then they may be willing to concede all sorts of 'principles'!
If the Lib-dems had acquired enough votes to govern alone, they may well have instituted a 'legalise marijuana' policy. We will never know, so it's rather useless speculating on it.
The US cannot be trusted with data.
In principle, few governments can. Signs that you can't trust your government are:
- inability to affect a law becoming effective (as in all non-direct democracies, despite pretences to the contrary)
- lack of transparency in how law enforcement operates and corrects errors in their approach (the only place where "what do you have to hide" is a justified question with respect to privacy)
- overly enthusiastic use of National Security as an excuse to forego the above transparency
- deficient application of Human Rights, such as retaining DNA after unlawful or erroneous arrests, and (worse) using the presence of such data as "evidence" that the person in question does not have a clean record
- lack of accountability. For example, nobody went to jail or got as much as a fine when GCHQ was found to break the law, they just caused the laws to be corrected retrospectively. In that context I think we may as well scrap any idea that data is safe in the US, because it simply is not.
What is happening to Google is something we recognised more than a decade ago, we call it "legal leverage". It is the idea that if you own something or stand higher in hierarchy you can be leveraged to do something that is otherwise impossible to enact - in this case, as Google owns the company and sits above its subsidiaries it is deemed to have access to the information. The fact that this creates a crime in the jurisdiction where the data is located is calmly ignored, US law as well as politics has never bothered to acknowledge the presence of anything outside its borders other than when there's a profit in it.
The fun part is that this too will play in the re-evaluation of the Privacy Shield agreement in September. As far as I can tell it is becoming more and more costly for the US to keep that in play.
The judge did the right thing.
The devil is in the details.
There is no sovereignty issue here. I know that sounds wrong, but you have to understand that its a US court demanding data on a US citizen which can be accessed in the US yet Google is storing it outside the US for whatever reason.
Were the US court asking for data on a NON US Citizen who never spent time in the US and the data was stored in the country of origin... you may have a case about data sovereignty.
The concern here is that this is salami tactics. TPTB found in the MS case that things weren't as easy as they thought. They've now gone for a somewhat muddier set of circumstances (rather like the iPhone case earlier). If they win on this they get a precedent which they'll then try to enlarge next time round.
There are treaties in place to go to the country where the data is held and make their case there; that route is being ignored and one has to ask why. Do they think they don't have a case that would stand up in a court that values privacy?
US business desperately wants the Privacy Figleaf and when that gets to court, as it will, I'm sure the ECJ will be looking at decisions like this and it will not be to US business' advantage when it does so.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
