The Fourth Amendment and the Cloud

CNET has up a blog post examining the question: does the Fourth Amendment apply to data stored in the Cloud? The US constitutional amendment forbidding unreasonable searches and seizures is well settled in regard to the physical world, but its application to electronic communications and computing lags behind. The post's argument outlines a law review article (PDF) from a University of Minnesota law student, David A. Couillard. "Hypothetically, if a briefcase is locked with a combination lock, the government could attempt to guess the combination until the briefcase unlocked; but because the briefcase is opaque, there is still a reasonable expectation of privacy in the unlocked container. In the context of virtual containers in the cloud...encryption is not simply a virtual lock and key; it is virtual opacity. ... [T]he service provider has a copy of the keys to a user's cloud 'storage unit,' much like a landlord or storage locker owner has keys to a tenant's space, a bank has the keys to a safe deposit box, and a postal carrier has the keys to a mailbox. Yet that does not give law enforcement the authority to use those third parties as a means to enter a private space. The same rationale should apply to the cloud." We might wish that the courts interpreted Fourth Amendment rights in this way, but so far they have not.

US Border Laptop Searches

[naz404]

Shouldn't the same privacy logic apply even more to your laptops and personal electronic devices when you're entering U.S. borders? Having these people search your hard drive is an invasion of privacy.

Re:US Border Laptop Searches

[FinchWorld]

The US is getting to the point were one should just ask "Does the Fourth Amendment apply anywhere now?".

Re:US Border Laptop Searches

[Calinous]

When you are a foreign citizen, searching laptops, personal electronic devices and so on is just a prerequisite for entering the country (if you don't want your laptops to be searched, you are free to leave, but if you want to enter we need to search your laptop).
      I don't know how this can be related to US citizens (as a country should not be/is not allowed to refuse entry to its citizens)

Remember that searching personal effects is rarely done, but entirely normal in border posts

Re:US Border Laptop Searches

[Tim+C]

if you don't want your laptops to be searched, you are free to leave, but if you want to enter we need to search your laptop

Need? Want I can see, and I appreciate that submitting to the search is a condition of being granted entry, but I really don't see where the need comes from.

I don't know how this can be related to US citizens (as a country should not be/is not allowed to refuse entry to its citizens)

So they can't refuse you entry; surely (assuming the law permits it) they can have you arrested and possibly charged for failing to comply?

Re:US Border Laptop Searches

[Attila+Dimedici]

Shouldn't the same privacy logic apply even more to your laptops and personal electronic devices when you're entering U.S. borders? Having these people search your hard drive is an invasion of privacy.

The logic has never applied when entering U.S. borders (or any other country for that matter). Searches that would be disallowed within the country have been ruled by the Supreme Court as allowed since the founding of the country. The people who wrote the Fourth Amendment did not question such border searches, which makes it hard to argue today that the Fourth Amendment was intended to apply.

Re:US Border Laptop Searches

[L4t3r4lu5]

They don't need to search my laptop at all. No picture, document, executable, or video on my laptop is a risk to the aircraft or any person on that aircraft.

The legality of the contents of the laptop can be contested if I am arrested within the US and the laptop seized as evidence. Until that point, that laptop is a sealed envelope; X-ray and perform a cursory physical examination all you like to ensure that it is a laptop computer, but like the documents inside the envelope, the content of the disk is not subject to being examined or duplicated.

Re:US Border Laptop Searches

[alen]

being searched at any border crossing in almost any country is normal. if you want to enter a country you have to agree to a search if they ask. same applies in the free loving europe as well. when i was in the military and we would return to the US after a deployment, they would take every 10th person and tear apart their stuff looking for contraband.

Re:US Border Laptop Searches

[MrNaz]

I see your point and raise you a generalization; The US is getting to the point where one should just ask "do any of the amendments apply now?".

Re:US Border Laptop Searches

[L4t3r4lu5]

Oh, crap, this is investigation at the US border after the flight, so it's nothing to do with bombing planes.

Sorry, I went off on a tangent. This is about finding out if you're a communist. Business as usual, then.

Re:US Border Laptop Searches

[MrNaz]

Hmm... perhaps you could just put your laptop in an envelope. I wonder if that would work.

Re:US Border Laptop Searches

The main reason the government is backing cloud computing is for this very reason. They want more warrantless searches. It's also why google is upset with Chinese. Google wants everyone to believe cloud computing is safe and secure, it's not.

Re:US Border Laptop Searches

[postbigbang]

I don't think the two can be joined in the way your logic presents. The US uses the aegis of terrorism for many of its searches, and I'll use the example of vacuuming NAP points with filters, monitoring most all cell calls in the world, and using spy sattelites to look at naked people on beaches.

Google itself performs searches, ostensibly to the point of robot.txt, but I'm guessing it goes beyond that sometimes, it just doesn't produce public results to queries. Any spider/crawler app with sufficient muscle can digest websites in the same way Google, Bing, Yahoo, etc do. We let them.

Google got black-hat cracked. They're unhappy about that, and with good reason. But extending Google's cloud offerings to join it with the Chinese hacks is a stretch, IMHO. Cloud is, and always has been, just as secure as you make it. Depending on others for security in resources outside of your own protection boundary has always required great care, and always will.

Re:US Border Laptop Searches

[maxume]

What does their intent matter?

The only thing that gives the Constitution any power at all is our collective acceptance of it.

For instance, the founders also intended that only landowning men could vote and that humans could be property (perhaps not universally, but they did all sign that document).

Re:US Border Laptop Searches

[mcgrew]

It doesn't apply in my garage or in my car. In fact, none of the bill of rights has any meaning left.

Re:US Border Laptop Searches

[Calinous]

Maybe even without a flight (Canada, Mexico, naval entry points)

Re:US Border Laptop Searches

[catmistake]

I don't know how this can be related to US citizens

You don't say it explicitly, but I get the feeling that you believe the Bill of Rights and the other rights enumerated in the US Constitution only applies to US Citizens. If so, I urge you and others that believe this to take a closer look at the document. The Founders were extrememly careful and deliberate. If it were the case surely the Preamble would begin "We the citizens...." It does not.

Re:US Border Laptop Searches

[eln]

The Fourth Amendment has long been held to apply to all people under US jurisdiction, whether citizens or not. However, as stated by another reply to your post, the Supreme Court has ruled, rightly or wrongly, that it does not apply to border searches. So, by current law, the government is within its rights to search you at the border regardless of your citizenship status.

It's a fallacy to state that the rights outlined in the Constitution (particularly the Bill of Rights) are granted only to citizens. The Constitution makes distinctions between "citizens" and "persons" all over the place. When the Constitution refers to "persons" or "people" (as it does in the fourth amendment), it is referring to ALL people, citizen or not. The founders believed in the concept of inalienable rights, which are rights granted to all people (or at least all white males in their day) by their Creator. The purpose of enumerating some of the more important of those rights in the Constitution was not to grant them, but to prevent the government from infringing on them.

How much the government has infringed on them anyway is, of course, a matter of much debate.

Re:US Border Laptop Searches

[dollargonzo]

I think an easier way to look at it is that it applies to the government, in that the articles place restrictions on what agents of the government can and cannot it. e.g.:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated"

...by the government

Re:US Border Laptop Searches

You don't get to just change what the Constitution says. There's a process for amending it.

Your two examples are fallacious. Article I section 4 leaves the rules for voting up to the states, and gives Congress the power to overrule them.
And Amendment 13 had to be passed to abolish slavery.

Sure, theoretically we could put together a new Constitutional Convention and draft a new constitution from scratch. Barring that, we have to work within what it says, including to change what it says.

Re:US Border Laptop Searches

[locallyunscene]

The Fourth Amendment has long been held to apply to all people under US jurisdiction, whether citizens or not. However, as stated by another reply to your post, the Supreme Court has ruled, rightly or wrongly, that it does not apply to border searches. So, by current law, the government is within its rights to search you at the border regardless of your citizenship status. It's a fallacy to state that the rights outlined in the Constitution (particularly the Bill of Rights) are granted only to citizens. The Constitution makes distinctions between "citizens" and "persons" all over the place. When the Constitution refers to "persons" or "people" (as it does in the fourth amendment), it is referring to ALL people, citizen or not. The founders believed in the concept of inalienable rights, which are rights granted to all people (or at least all white males in their day) by their Creator. The purpose of enumerating some of the more important of those rights in the Constitution was not to grant them, but to prevent the government from infringing on them.

Isn't it amazing that 218 years later even "activist judges" would consider the constitution a radical document with respect to "inalienable rights"? I fear that reflects more on the current society than on the wisdom of the founding fathers.

Re:US Border Laptop Searches

[maxume]

I'm not suggesting that it can simply be ignored, I am suggesting it is valuable because of the ideas that it contains, not because it happens to exist.

(Look at it this way: Is it a bigger deal that the government is trampling all over "The Constitution", or is it a bigger deal that the government is trampling all over "human rights"; I go with the latter.)

Re:US Border Laptop Searches

[L4t3r4lu5]

Ha, I've been modded Troll after commenting on the pertinence of my own post!

Sweet Jeebus, /. sort out some better criteria for who you give mod points too. The current method seems to hand them to idiots with the reading comprehension of a limp lettuce leaf.

Re:US Border Laptop Searches

[Registered+Coward+v2]

Shouldn't the same privacy logic apply even more to your laptops and personal electronic devices when you're entering U.S. borders? Having these people search your hard drive is an invasion of privacy.

Not really - at least not for US citizens, IMHO. Non-citizens are requesting to enter the country, a prerequisite to such permission is to search items being brought in. You should be able to refuse a search and leave on the next flight; entrance is a not a right. It's the same traveling to any country; you either meet their entrance requirements or don't enter.

Re:US Border Laptop Searches

[morgan_greywolf]

Need? Want I can see, and I appreciate that submitting to the search is a condition of being granted entry, but I really don't see where the need comes from.

It's all in the interests of national security, and not necessarily to only stop terrorists as the Department of Homeland Security purports. Just as they search your luggage for physical weapons, they're searching laptops for virtual weapons.

So they can't refuse you entry; (assuming the law permits it) they can have you arrested and possibly charged for failing to comply?

Border security is also about smuggling illegal items into the country. For instance, there are plenty of U.S. citizens who would cross the border hoping to smuggle in drugs, weapons and other illegal contraband. These laws apply to laptops as well.

Re:US Border Laptop Searches

[dkleinsc]

none of the bill of rights has any meaning left

Not true. The US government will not quarter troops in your home without your consent. In addition, jury trials are still available for federal lawsuits.

Re:US Border Laptop Searches

[Main+Gauche]

No string bets please. The pot stands at one 4th amendment plus the justice is blinds.

Re:US Border Laptop Searches

[TheCarp]

Speak for yourself.

I accept that it claims power for governing bodies who have men with guns. I am afraid of those thugs with their guns.

That is the entire extent to which I accept the constitution. I never signed it, I see no egitimate authority in it, or in the thugs with their guns, or the white haired old men who prattle about on topics that they know little about, who give them their orders.

-Steve

Re:US Border Laptop Searches

Nope!

I can recite a bunch of "Founding Father" quotes but nobody is listening. It appears to be a downward spiral where economic hard times and terrorism are causing our citizens to sell each other out over anything they can get away with . Privacy just means that you're not loyal.

What about Scarlet Letter laws? You deserve to harass and humiliate ex-cons, dui offenders and bad parents, right?

What's YOUR flavor of the day? Are you "entitled"?

Family man?
Minority?
Female?
Gay?
Jobs-creating small businessman?

The next crash is right around the corner. We can't get there fast enough.

Re:US Border Laptop Searches

[maxume]

'collective'. You can't argue with the fact that, as a whole, the American people accept the government that they have.

Re:US Border Laptop Searches

[MattSausage]

Whoa whoa whoa, interpreting what the founders "would have" put in the Constitution if they meant some certain thing is a ridiculous leap of logic. The argument can be made that people of the day and time felt more a 'citizen' of their state than the country as a whole. And the Constitution (well, the Bill of Rights) turns itself into knots in order to not restrict the powers of the states.

The Constitution was in many ways a communication to the world at large that if you attack New York State, the people of Pennsylvania and Georgia will join them in the fight, and vice versa. The suggestion that the Constitution was ratified with the intention that the rights applied to all PEOPLE living in the United States is simliarly discredited by the fact that from Day 1 after the ratification, the right delineated therein were only applied to while males. The majority of people living in the US at the time (women, children, slaves, prisoners) had no expectation of coverage by the Bill of Rights.

Effectively, you have no way of knowing what the framers "would have" said, and that argument smacks of the same assumptions as Born Again Christians (tm) who suggest there is no reference in the Constitution because the framers took their christian faith "as a given" since they were all such moral, strict Christians.

Re:US Border Laptop Searches

[TheCarp]

Your right, and its sad but true.

Re:US Border Laptop Searches

[Kjella]

Try applying that to say, driving across the border where you're no more a hazard than anywhere else on the road. Right or wrong, countries have asserted the right to search anyone and anything on the border before letting them into the country.

Re:US Border Laptop Searches

[fredrik_haard]

Shouldn't the same privacy logic apply even more to your laptops and personal electronic devices when you're entering U.S. borders? Having these people search your hard drive is an invasion of privacy.

What is it that they think this policy stops, anyway? If I wanted to import illegal electrons into the US, I'd just put them on a nice server right here in terrorist Europe, go to the US with a clean OS installation, and pull it encrypted over the intertubes.

Re:US Border Laptop Searches

[MattSausage]

Surprisingly enough, even to myself, I go with the former. The term "human rights" is ambiguous (is Internet access a human right? Is access to any form of media or news? Some say yes, others say no) The Constitution is the closest guide we have to a literal, physical reference to define human rights, and as such is at least equal in value to the rights themselves in my estimation. Others might say the same of the bible, and I would shudder at the thought. Perhaps I am incredibly stupid, but I believe a document which lays out, in amendable form, the philosophy of a country (and by extension, that country's view towards the world) as voted upon and ratified by the citizens of that country is just as valuable as "human rights" and in some ways, moreso.

Re:US Border Laptop Searches

The first has not been tested recently. The second is dependent on whether the government raises the State Secrets defense.

Re:US Border Laptop Searches

[prezpwns]

Thanks to the 'Patriot Act' this is required by law. You can thank all the senators who did not read the entire bill before it had passed.

Re:US Border Laptop Searches

[Limp_Lettuce_Leaf]

"method seems to hand them to idiots with the reading comprehension of a limp lettuce leaf." Wait - WHAT?!?!?!?

Re:US Border Laptop Searches

[Dragonslicer]

I see your point and raise you a generalization; The US is getting to the point where one should just ask "do any of the amendments apply now?".

I haven't been forced to house soldiers yet, so we've still got one.

Re:US Border Laptop Searches

[maxume]

The constitution doesn't actually list any human rights anywhere, it lists a bunch of things that the government it authorizes is not supposed to do.

And the Constitution was not voted on or ratified by any living person. It is all inertia at this point.

Re:US Border Laptop Searches

The people who wrote the Fourth Amendment did not question such border searches, which makes it hard to argue today that the Fourth Amendment was intended to apply.

Yeah, when Thomas Jefferson got on an airplane, he never complained about his laptop's hard disk being cloned!

Re:US Border Laptop Searches

[Eskarel]

Not that I'm agreeing with the laptop searches, but borders are funny places and the usual rules don't always apply. Customs officials can already search your belongings and/or your person(including rather invasive search procedures) with very little cause and certainly without a warrant. If they couldn't they couldn't do their jobs. To use the example from the summary, if you walk through customs with your locked briefcase you're expected to open it if they ask you. If it contained your confidential medical records, there's very little you could do to stop customs from looking at them if they wanted to. If you were importing pirated dvds in a physical format, you could be searched and charged.

Now there are certainly some new issues with computers that never existed before. Very few people travel with a folder full of their financial records for the last 5 years, but a lot of people store that on computers. It's certainly a thorny legal issue, but I'll make the prediction that the ACLU is going to lose the case they've brought about this particular issue. The search of laptops is an obvious application of the current rules, and while it may raise some issues that we've not encountered before, the legal premise is likely sound.

Re:US Border Laptop Searches

[Tim+C]

The current method seems to hand them to idiots with the reading comprehension of a limp lettuce leaf.

While avoiding giving them to those of us who have been registered users and frequent readers/contributors for years and who have been at the karma cap since it was still displayed as a number.

In fact for a long time I couldn't even meta-moderate; I have no idea what crime I committed (nor to be honest do I care anywhere near enough to try to find out).

Re:US Border Laptop Searches

This is why you should have a small partition that boots up a Windows OS with nothing on it, and several encrypted partitions that are only loaded when the system is booted using one of several USB devices, and the proper key-phrase is provided. Most border guards are grunts, having little or no real knowledge of the systems they are looking at. So the key is to provide them with what they expect. This is becoming increasingly common in business - after all, when entering France it is common knowledge that your information will be copied. While the US isn't quite that blatant - unless there is something that piques their interest - all citizens must protect their own privacy. While the Founding Fathers may have wanted warrantless searches to be illegal, that right has been trampled into the mud with many others.

Re:US Border Laptop Searches

[Qzukk]

it lists a bunch of things that the government it authorizes is not supposed to do.

Actually, it was originally an exhaustive list of the things the government can do, but since neither the Republicans nor the Democrats are happy with the idea of a small, weak federal government, they have both been doing their best to convince everyone the opposite.

The constitution, as amended, lists exactly three ways the government can take your stuff: they can tax it from you, they can use a warrant (or a "reasonable" criminal excuse) or they can pay you for it. The invention of new technologies neither changes the Constitution nor grants the government new powers.

Re:US Border Laptop Searches

[Animaether]

if you don't want your laptops to be searched, /you are free to leave/, but if you want to enter we need to search your laptop

(emphasis mine)
You don't honestly think that, do you?

I think you meant "you are free not to come here in the first place".

Re:US Border Laptop Searches

Instead, it says "We the people of the United States, in order to form a more perfect union...", which you aren't a part of if you are not a citizen. I love what you are trying to do, but purposely ignoring the sentence in part does not make you insightful, but instead ignorant.

I agree that border searches and the suspension of our rights is appalling. If you are not carrying any munitions or items that could cause immediate physical harm (weapons, explosives, etc), then I see no justification for additional searching and seizing of data products. Data has never been used as a murder weapon. It has non-physical ways to get into the US anyways.

Re:US Border Laptop Searches

Eric Schmidt says I have nothing to worry about as long as I am a good person with nothing to hide, so what's the problem here?

Re:US Border Laptop Searches

[catmistake]

Whoa whoa whoa, interpreting what the founders "would have" put in the Constitution if they meant some certain thing is a ridiculous leap of logic.

No, not so much. I'm not sure who you are quoting "would have" from. I'm not talking about what they "would have" anything. My argument stems from what is written. Further, The Constitution is not some document that sits isolated from understanding the intent of its authors. We have plenty of evidence, from the minutes of the Continental Congress, from the early drafts of the document, and from other writings from the framers themselves. We can draw on all these things in our attempt to more perfectly interpret their intentions. Every single word of that document is deliberate.

Effectively, you have no way of knowing what the framers "would have" said, and that argument smacks of the same assumptions as Born Again Christians (tm) who suggest there is no reference in the Constitution because the framers took their christian faith "as a given" since they were all such moral, strict Christians.

now... there's a leap of logic. My argument "smacks of"... ? I'm not saying anything, in any way shape or form, of what they would have said. You're trying to put words into my argument and then attack it. Your argument doesn't weaken my argument in the least because your argument is fallacious (of the straw man variety).

Re:US Border Laptop Searches

[catmistake]

Instead, it says "We the people of the United States, in order to form a more perfect union...", which you aren't a part of if you are not a citizen.

Stop right there, coward. Says who? Did you just make that up off the top of your head? Ignorance, indeed.

Re:US Border Laptop Searches

[31415926535897]

Yes, the one where the federal government gets to levy individual income tax.

Re:US Border Laptop Searches

[dkleinsc]

In the case of the Third Amendment, in its one and only significant use, it was upheld:
http://en.wikipedia.org/wiki/Engblom_v._Carey

Re:US Border Laptop Searches

[Attila+Dimedici]

What does their intent matter?

The only thing that gives the Constitution any power at all is our collective acceptance of it.

Intent is vitally important. If we interpret the Constitution according to the whim of the moment, we no longer have Rule of Law. Once we lose Rule of Law, the whole system breaks down.Part of the purpose of the Constitution is to prevent the majority from abusing the minority (Yes, I know about the clause you mentioned, but that was a special case codifying an abuse that was already in place).

For instance, the founders also intended that only landowning men could vote and that humans could be property (perhaps not universally, but they did all sign that document).

Yes and later the American people decided that that was bad and changed the Constitution according to the procedure laid out in the Constitution for changing it. They didn't just decide that they didn't like that and re-interpret it to something they liked. They followed the rules laid out in the Constitution and amended the Constitution.
If you think the search and seizure provisions of the Fourth Amendment should be extended to border crossings, start a movement to Amend the Constitution. Don't try and re-interpret the Fourth Amendment to apply, since it clearly was never intended to do so.

Re:US Border Laptop Searches

Though the laptop may not be a threat to flight safety for US international flights, the data on may be an illegal export or import. If you provide appropriate export licenses for your laptop and its contained data, then that may be a different matter.

Re:US Border Laptop Searches

[maxume]

They didn't just decide that they didn't like that and re-interpret it to something they liked. They followed the rules laid out in the Constitution and amended the Constitution

The difference between that first sentence and the second sentence is pretty minimal (sure, in the latter, there isn't any reinterpretation, but they went ahead and set aside the existing content and replaced it with something else).

And my point is not that we should use the constitution as toilet paper, my point is that we are much better served by making sure the constitution serves the intents that we have today than we are worrying about why the founders wrote it the way they did. That's a pipe dream in the current political climate, but I don't feel bad arguing from an ideal on some web forum (I might have a slightly more practical attitude if I were actually part of some political process).

So even though people coming into the country may not enjoy constitutional protection from search and seizure, that doesn't mean we need to alter the constitution in order to alter the actions of the government (the government could go ahead and respect their privacy out of courtesy, or some other silly concept; especially considering how easy it is to move large encrypted blobs of data across the internets).

Re:US Border Laptop Searches

[dgatwood]

The only way to get fourth amendment protection in the cloud is to protect your rights yourself. If you don't want the government reading everything you put in the cloud, use military-grade encryption. Remember: you only have rights if you are willing to defend those rights. Otherwise, they're just words on toilet paper.

Ha, I've been modded Troll after commenting on the pertinence of my own post!

Yeah, a lot of posts are getting modded Troll lately. I can only conclude that the last batch of mod points went to a bunch of people who haven't been around long enough to know the meaning of the word.

Hint to mods: real trolls include one or more of the following:

• Astroturfing by Microsoft.
• Unsolicited commercial advertising.
• Some mention of the GNAA.
• Description of a sexual encounter with the fecal matter of a prominent public figure.
• Links to "Goatse" picture.
• Links to "Tubgirl" picture.
• ASCII art depiction of one of the aforementioned images.
• ASCII art depiction of private parts of the human body.

Did I miss anything?

Re:US Border Laptop Searches

[bschorr]

That's true, though the government we have is a lot better than the government most people in the world have to endure. That's not to suggest that it couldn't be improved, just that flawed though it is, it's still better than most.

There's a reason why millions of people around the world still risk life and limb to try and come here and it's not because of American Idol.

Re:US Border Laptop Searches

[Eric+in+SF]

Are you fully aware of the controversy surrounding laptop searches at US Border points? Here is a quick article to get you up to speed:

http://www.washingtonpost.com/wp-dyn/content/article/2008/02/06/AR2008020604763.html

Basically the current thinking out of the US Government is that you are in a legal no-mans land when you re-enter the USA and the 4th amendment does NOT apply to anyone until the US grants them entry into the USA. When you're at an international airport in the USA, all areas before immigration and customs are legally not inside the USA, or so the legal reasoning goes. Furthermore, you have no choice but to submit your laptop for them to copy. I don't even think you have the option of simply returning from where you came, either.

It's disgusting.

Re:US Border Laptop Searches

Ha, I've been modded Troll after commenting on the pertinence of my own post!

Which is a real shame. I gave you a point to help remedy it, but it was just an underrated because I'd like to see you hit +5 troll.

>.>;

Re:US Border Laptop Searches

[Dan541]

My hard drive is full of what appears to be random data. Search away.

Re:US Border Laptop Searches

[Dan541]

What the hell is a "Virtual Weapon"?

Re:US Border Laptop Searches

[MattSausage]

Okay... Wait... what?

Here is the part of your post I am quoting.

If it were the case surely the Preamble would begin "We the citizens...."

That is the sentence I had a problem with. If what you put in that sentence does not imply that you understand what the framers "would have" done, as I suggested, please explain to me what that sentence does mean.

And by attacking my skills as a debater rather than the logic of my position, you sir, are the one presenting the strawman. I have not attributed anything to you except what you have said. If I was imprecise, you may sue me.

Re:US Border Laptop Searches

[JimFive]

Did I miss anything?

Yes, you missed, Trolling. You gave a great description of spam. But nothing that meets the definition of trolling, you know, to catch a fish.
--
JimFive

Re:US Border Laptop Searches

[CrimsonAvenger]

For instance, the founders also intended that only landowning men could vote and that humans could be property (perhaps not universally, but they did all sign that document).

A common myth, but not true. There was no property requirement specified in the Constitution in order to gain a vote - thanks be to Benjamin Franklin for his rather eloquent summary of the fallacy: (to paraphrase) I own a donkey. I may vote. The donkey dies. I lose my vote. Therefore, the franchise lies not in me, but in the ass.

Re:US Border Laptop Searches

[maxume]

Still, they did leave it up to the states, which led to the status quo.

Re:US Border Laptop Searches

[jmcvetta]

What the hell is a "Virtual Weapon"?

And more to the point, why on earth would you try to smuggle it physically into the country?

It's very simple

[Shrike82]

If you want your data to be safe,especially when you plan to store it online in this new-fangled cloud thing, then encrypt it. You can't trust a service provider to stand up to a government access order, and you can't rely on the security of a storage system that you didn't make yourself.

Be responsible for your own data privacy instead of relying on an ambiguous interpretation of an ammendment written before the days of digital data.

Re:It's very simple

Like cracking the encryption will take long. You are deluding yourself if you believe that.

Re:It's very simple

[khallow]

Like cracking the encryption will take long.

Using good encryption means the task is virtually impossible (even for someone like the NSA) unless they make a lucky guess or obtain the code key (via theft or subpoena).

Re:It's very simple

Encryption is pointless if you want to keep your data from the police in the UK. We have to supply encryption keys if they ask.

Re:It's very simple

[jimicus]

http://xkcd.com/538/

Re:It's very simple

especially when you plan to store it online in this new-fangled cloud thing, then encrypt it. You can't trust a service provider to stand up to a government access order, and you can't rely on the security of a storage system that you didn't make yourself.

I recommend simply carrying a bootable GNU/Linux distribution on a USB thumbdrive and remotely access your data once inside the USofA. If the Border Patrol wants to image your USB thumbdrive just be certain no configuration information pointing back to your data is stored on the USB thumbdrive. In fact, use a memory-resident GNU/Linux distribution or one without a swap file partition enabled for added protection against backdoor search and seizure.

The long-standing authority of border agents to search incoming materials is permitted under the law regarding protection against contraband being smuggled into the country. Contraband has been defined very loosely by legislation and the courts. The hamburg in the Big Mac you ate immediately prior to arrival at the border is contraband yet rarely enforced for obvious reasons.

Re:It's very simple

[Explodicle]

Wrong. You should consider installing TrueCrypt.

Re:It's very simple

[GargamelSpaceman]

Yes, good encryption can protect your data from brute force attacks, but ultimately, the government can stop you from encrypting your data at all with an act requiring data not be encrypted. The fourth ammendment protects your data from being snooped by the government more than any encryption because it would require passing a constitutional ammendment to overturn, or a series of court rulings that would set precedent for the 4th being interpreted extremely narrowly.

Of encryption and the 4th ammendment, the 4th ammendment is the strongest protection for your ability to keep your data private from the government.

Re:It's very simple

[bschorr]

How do you install TrueCrypt on a Cloud server? Do you suppose the company that owns that server might object

Re:It's very simple

[sconeu]

Banning encryption falls afoul of the First Amendment, and possibly the Second (depending on whether strong crypto is still considered a munition).

Re:It's very simple

[Kjella]

So what? The point is that if tons of people carry encrypted business laptops over the border, there's no particular reason to check or flag or beat the password out of you with a wrench. There's too much presumption here that a government being nasty wouldn't target you just for using encryption and staying off the radar, and steganography also involves having lots of random data that seems very unrandom to have. The only good hiding place is to blend in with the masses, which is a lot easier if the masses use encryption too.

Re:It's very simple

What makes you think that TrueCrypt can keep your data safe from the government?

Re:It's very simple

[Explodicle]

I'm only proposing using the cloud for storage, not for running your encryption programs. You should always encrypt/decrypt locally, possibly splitting your data into multiple volumes so you don't have to upload/download all of it every time.

Re:It's very simple

[Explodicle]

Because the government (or any other entity) has no way of knowing how many layers of hidden volumes you have.

Re:It's very simple

[Proteus+Child]

You can use TrueCrypt to create an encrypted datastore as a file on a VPS or server Out There Somewhere and mount/unmount it from the command line when you log in. Using it for full-disk encryption in such a situation would be problematic because you'd need to enter a passphrase if $cloudbox got rebooted somehow; your provider would need to provide access to a console of some sort (virtual or otherwise).

Depending upon how badly you needed that machine to be up, it might not be a good idea.

As for whether or not the VPS provider would object, I think it would depend on the particular company. Is there anybody who works for a VPS provider who is in a position to comment (anonymously or otherwise)?

Re:It's very simple

[khallow]

Yes, good encryption can protect your data from brute force attacks, but ultimately, the government can stop you from encrypting your data at all with an act requiring data not be encrypted.

If that ever turns out to the case, then government can do a lot more to you than merely ban encryption. As the cartoon in the other reply noted, they can just beat any passwords out of you.

Re:It's very simple

[Ardipithecus]

or harsh tone of voice or threat or twisting the thumb or the ear

Re:It's very simple

I would worry about the third party doing something wrong with the data. For example, if you have encrypted your data and that data winds up being stored in a data center in Iceland, then have you made an export? Has the cloud company made an export? Does US law apply to the Iceland servers? If the Iceland service provider destroys the data accidentally or maliciously, then what? Does the service contract allow the service provider to inspect troubleshoot their cloud in a way that involves snooping the network? What does that imply about your data privacy? If the Iceland government decides to decrypt your data and use it to further its national companies by taking a research shortcut funded via your company, then what? What about if your service provider does this purposefully outside US jurisdiction?

Odds are that any EULA around the cloud pretty squarely indemnifies the service provider from anything.

Re:It's very simple

[ChatHuant]

Yes, of course, but there is a major difference in public perception, consequences and even logistics between snooping into somebody's data (especially if you can without the owner's knowledge), and hauling him in for a meeting with the rubber hose. While even warantless privacy breaches are regarded with apathy by the majority of Americans (or even rationalized by some), picking up random people for rubber hosing without warrants would be politically much more difficult to justify and impossible to do on the same scale (if only because of the expense of industrial scale torturing).

It's also important to understand that some individuals are much more interesting to snoopers than others. Snoopers will look at your data because it's so easy and cheap (for them), but if the process becomes expensive (be it in units of CPU power, warrants or political fall-back), the snoopers will concentrate their effort onto the individuals of interest and let you alone

OTOH, given the lack of interest of the majority of people, the very act of encrypting your data will probably move you to the "interesting" category. It would therefore be really good if the commercial PCs would enable strong encryption by default.

Jesus Fucking Christ

Seriously. Can we just save everybody the trouble and travel 5 years into the future when this whole cloud FAD runs its course? Maybe by then all the hype surrounding Twitter and Facebook will have died down a bit. And hopefully use of the word "blogosphere" will be punishable by death.

Security is NOT an issue with The Cloud.

Wait a minute. I'm a manager, and I've been reading a lot of case studies and watching a lot of webcasts about The Cloud. Based on all of this glorious marketing literature, I, as a manager, have absolutely no reason to doubt the safety of any data put in The Cloud.

The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.

And don't forget that you have to use Web Services to access The Cloud. Nothing is more secure than SOA and Web Services, with the exception of perhaps SaaS. But I think that Cloud Services 2.0 will combine the tiers into an MVC-compliant stack that uses SaaS to increase the security and partitioning of the data.

My main concern isn't with the security of The Cloud, but rather with getting my Indian team to learn all about it so we can deploy some first-generation The Cloud applications and Web Services to provide the ultimate platform upon which we can layer our business intelligence and reporting, because there are still a few verticals that we need to leverage before we can move to The Cloud 2.0.

Re:Security is NOT an issue with The Cloud.

[L4t3r4lu5]

You'll want to upscale the downstream synergies of a Cloud Services 2.0 deployment to be an enabler of Top-Tier Blue-Sky processes to your Crowd-sourced resources. Otherwise you'll not be utilising the future-thinking operational motivators of time-shift market deployments, and that can seriously anti-creationalise your interstabularistic practicalularisation performocarbunkle cheesewozzles.

Re:Security is NOT an issue with The Cloud.

[2names]

"Practicalularisation" is not a word, dumbass.

Re:Security is NOT an issue with The Cloud.

[Daimanta]

"Otherwise you'll not be utilising the future-thinking operational motivators of time-shift market deployments, and that can seriously anti-creationalise your interstabularistic practicalularisation performocarbunkle cheesewozzles."

Won't someone please think of the cheesewozzles!

Re:Security is NOT an issue with The Cloud.

[L4t3r4lu5]

I am anispeptic, frasmotic, even compunctuous to have caused you such pericombobulation.

Re:Security is NOT an issue with The Cloud.

[NightlordTW]

"The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud." - the word "secure" is very ambiguous. Of course a lock is more secure than no lock, but we all know several types of locks exist. - MD5 is actually outdated, cfr articles about MD5 collision attack. Even though mainstream computers are not powerful enough for such an attack, there are many trojans and other malicious software that allow infected computers to work as an attack unit in a whole cluster. - "RSS feeds" has nothing to do with security, and is just a document in XML format to frequently publish some summary data. Of course, you can add encrypted data in an RSS feed, but I dont see much interest in that since RSS is mainly meant for short messages - "encryption" is no guarantuee for security Even though many people are attracked by fancy security-related terms, many forget that: - security is determined by the weakest chain, not the strongest. Possible weaknesses are weak passwords, outdated encryption, data theft at the source or destination, ... - security is based on confidence, in the sense that the company you send secure data to can - in theory - do with it as he likes. - most fully encrypted data is only "secure" for a certain amount of time. After all, computers become more powerful every day and more and more people use to have one (or more).

Re:Security is NOT an issue with The Cloud.

You can usually identify a good programmer by the orange cheesewozzle stains on their keyboard, and the number of cans of Dew piled in the corner.

Hosting countries

And if the data center is in another country, would the 4th Amendment apply there?

If so, how would you enforce it? Soldiers with machine guns show up, grab all of your data, crack the encryption, and take what they want. And you'll do exactly what?

The data is gone and seen, so you're screwed. And even if you have super duper one hundred billion bit encryption, your data center and data are gone. So, you have up to the second back-ups?

Other than cost, I see no upside to cloud computing.

Re:Hosting countries

[MrNaz]

The upside to cloud computing is that clouds are in the sky. Other than that, there's not much.

Re:Hosting countries

[IBBoard]

Or any law on the Internet, for that matter. I'm in the UK but the servers I rent are in the US, so I'm aware that the American government may have no qualms at all about implementing their (stupid or otherwise) legislation on my site and it is reasonable enough, since that is where the server sits.

The problem comes if I had a server in the UK and they try the same thing - they'll sure as hell feel that they have a right to enforce their laws (because it is relevant to an American citizen, damnit) but if my nation doesn't have a DMCA law, I'm not in their nation and the server isn't in their nation then there is no way that any sensible implementation of cross-border justice should apply. Of course, "sensible" is the key stumbling block there.

I guess the 4th Amendment would still apply to info about US citizens on foreign servers being accessed by US authority (since the subject and the authority are American and not doing that would create one hell of a wonderful loophole for nations to target their own people by going outside their borders) but if it is a foreign server with foreign access then you're playing by foreign rules.

Re:Hosting countries

The upside is simple.

The general idea is that a service provider can provide a service to an end-user which is probably better (more secure, reliable, better redundancies, backups) than anything that end-user can do themselves, for lower cost.

It makes little sense if you already know how to do this stuff yourself. It does make sense if, for example, you're a smallish business with next to no technical expertise of your own, and a limited IT budget.

However, it only makes sense if you're paying for the service. If you aren't paying, there should be no expectation that the service won't disappear tomorrow, having first sold your data to someone else.

Re:Hosting countries

If you aren't paying, there should be no expectation that the service won't disappear tomorrow, having first sold your data to someone else.

That holds true even if you are paying for it. Companies go out of business and are bought and sold all the time.

Re:Hosting countries

More to the point, as a Canadian I have to know that my data will NOT be stored in the states because of the weird (Mostly PATRIOT) laws there that make a mockery of any security provisions we might want.

Re:Hosting countries

[betterunixthanunix]

"crack the encryption"

That is really nowhere near as easy as you make it sound, at least not with any modern cipher. Even the NSA, with the most vast computing resources in the entire world, would have a lot of difficulty cracking AES or Serpent, barring some completely novel attack that has eluded the crypto research community thus far.

If you want to break someone's crypto, you should not even think about attacking it directly. You should think about attacking the person, or at least planting recording devices in their home or on their computer, so that you can get the secret key. If a foreign government wanted to do this, they would have to either commit an act of war by attacking a US citizen on US soil, or wait until you enter their country and kidnap you (or if you bring your computer with you, plant a recording device or software).

Re:Hosting countries

[tmlwoodson]

All your base are belong to us.

Re:Hosting countries

[bschorr]

No, and that is exactly what I consider to be one of the biggest issues of the Cloud. The Terms of Service of many, if not most, Cloud Computing/SaaS providers explicitly allow them to outsource their storage (or either primary data or backups or both) to unnamed 3rd parties. Where are these mysterious 3rd parties located?

Like all businesses keeping costs down helps them keep profits up and since Cloud Computing IS largely sold as a low-cost solution (we can discuss price vs. cost later) we know that keeping costs low is imperative. As we know the Internet crosses International borders (most of them anyhow) effortlessly. Is there any reason to think that a Cloud/SaaS provider wouldn't gladly outsource their storage to a cut-rate data center in another country? Maybe even a country that isn't very friendly to the U.S.?

The 4th Amendment means nothing in Malaysia or China or Venezuela or ...you get the idea.

Re:Hosting countries

[bschorr]

So you'd be happier if your data was stored in China, where there's a decent chance it's being actively monitored?

Re:Hosting countries

[Tim+C]

Some reading for you. Just because the AC doesn't want his data in the US doesn't mean he'd be happy with it being in China either, or that that is his only alternative.

Re:Hosting countries

[bschorr]

Actually my point was that rather than being worried about keeping it out of the U.S. he should probably be more focused on keeping it IN Canada.

ANY country other than your home country exposes your data to laws and risks that are likely unfamiliar to you. At least at home you know what you're dealing with.

And I'd suggest that the U.S., while far from blameless (hence the thread) is actually one of the better ones. At least the government here is at least sort of transparent. In some countries they don't tell you what they're doing and they shoot you if you ask.

Re:Hosting countries

[ckaminski]

Have you actually run the numbers on a service like AWS? I did, for my hosting account (dedicated Linux hosting). What I pay $70/month for now would cost me nearly that much in just CPU costs alone.

EC2 (Small) * 720h == $61.2.

That's not even factoring in bandwidth or storage (I currently have 80GB of storage and 500GB of monthly bandwidth), which add another $16 bucks to the total based on my current actual usage.

Now add in IO request charges, and a high-traffic website could easily outpace dedicated hosting.

So called cloud services offer you an easy way to provision customized systems, that's about it, IMHO.

I'd rather contract with a decent server provisioner and have some easy way of getting my systems installed and running.

Re:Hosting countries

[ckaminski]

These clauses are so they can use facilities and services like Iron Mountain and it's ilk to secure store data offsite. Iron Mountain has been doing this for banks and hospitals for years with few issues - ideally your Cloud vendor encrypts their backups before the tapes get shipped offsite.

Re:Hosting countries

However, it only makes sense if you're paying for the service. If you aren't paying, there should be no expectation that the service won't disappear tomorrow, having first sold your data to someone else.

Or discovered that one of their boxes is owned and has been re-imaged out from under you.

Re:Hosting countries

[bschorr]

Yes, I know why they have these clauses. My point is that these clauses specifically allow them to ship your data off to unnamed third-parties who may be located anywhere in the world.

And that is a potentially serious issue for people storing confidential and/or mission-critical data in the cloud. Especially when they thought they were storing it with a domestic provider, only to discover later perhaps that their data was actually shipped off to a 3rd party in another part of the world.

The Fourth Amendment became a quaint notion

[Ellis+D.+Tripp]

at the point when urine drug testing was mandated by the government for any company receiving government contracts. You know back in the days of Ronnie Raygun and the "Just Say No" crusades?

If you aren't secure against government searches OF YOUR OWN BODILY FLUIDS, do you really think that they will respect your right of privacy regarding some random 1s and 0s stored on a private corporation's computers somewhere?

Re:The Fourth Amendment became a quaint notion

Except that you can choose not to submit to the drug testing, but you may not have a job after that. It is a pre-requisite of doing work for the government. Just like if a private employer has drug testing you can choose not to work for that employer. With your data it is a different story, you can choose not to use the cloud, but still the data itself is supposed to be secured, it's just like the government cannot just come into your house and start going through your filing cabinets. They should not be able to go through your virtual filing cabinet. On the other hand if you are not doing anything illegal do you have anything to worry about? Maybe not now but someday I might say yes. The way the US governement is heading both under Republican and Democrat leadership I worry that someday the first amendment isn't going to amount to a hill of beans. Ever read 1984?

4th Amendment and progress

[ElitistWhiner]

Wasn't it a core value of the Internet that it was abstracted above limitations of juridical boundaries, political division and secular belief systems to provide redundant fail-safe communication world wide enabling human progress in the face of systemic failed governance?

How does advocating _for_ juridical application of the 4th virutally annexing "the cloud" as the 51st state... tell me again how that abstracts the medium above the landscape.

Re:4th Amendment and progress

[bschorr]

The problem is that the abstracting ends when and where the government of the country wherein the server exists decides it does. Note the whole China/Google kerfluffle. In the utopian view of the Internet Google and their searches roam freely across the landscape, unencumbered by quaint political systems.

In reality the Chinese government actively restricts (or at least tries to) what passes into and out of their country by land, sea, air and cyberspace. Other countries have intervened on the Internet as well - jailing people for political postings, actively monitoring traffic, even trying to shut down the Internet (in their country) during times of crisis.

Whether we want to believe it or not, the Internet only rises as high as those political entities allow it to and that means that having the protection of the 4th Amendment is still important.

Part of the problem...

[Alarindris]

The US constitutional amendment forbidding unreasonable searches and seizures is well settled in regard to the physical world

Electrons in computers ARE part of the physical world.
Stop conceding that is it different!

IT'S NOT!

I have no problem testing my pee

[L4t3r4lu5]

They can scoop some out of the bowl when I'm done having my Morning Glory, if they're that bothered about how much I had to drink last night.

They can also just ask me. The answer is "If you haven't brought me some black coffee and dry toast in 5 minutes, I'm barfing on your shoes."

Dumb idea anyhow.

[lancejjj]

[T]he service provider has a copy of the keys to a user's cloud 'storage unit'

Why the hell would I want to give a copy of the keys to the service provider?

Just because you use the cloud to store bits of data doesn't mean that you'd want to store unencrypted bits of data there. Those that do risk distribution of your unencrypted data via a multitude of channels, including but certainly not limited to:

• Cloud configuration errors
• Service Policy changes
• Service Security failures
• Data theft by administrators
• Service scanning and reselling of your data

Why would anyone hand the keys to all their important data to a 3rd party that they don't personally know? Just because they're under a contract with that 3rd party? A contract drawn up exclusively by that 3rd party? With clauses designed to exclusively to protect that 3rd party?

Re:Dumb idea anyhow.

[Zerth]

Seriously, if you are going to do something important in the cloud, get data storage from a different cloud than the one you use for processing.

Even better, have the data only exist in an unencrypted form while it is in use on the zero-storage processing cloud and run the keyserver in a third location. Preferably somewhere you'd notice when the cops break the door.

Re:Dumb idea anyhow.

[0xG]

>Why the hell would I want to give a copy of the keys to the service provider?

Um, so that they could process the data?
Unless I am wrong, the "cloud" is not just about storing data.

Anyhow, any talk about "privacy" or fourth amendments, or whatever, is just so much noise.
The USA PATRIOT card trumps every thing.

Re:Dumb idea anyhow.

[bschorr]

But now that I have THREE(?) separate cloud providers to run a single application, where is my advantage over just hosting it in my own data center? How many different 3rd parties am I going to pay to touch my confidential data before all of the promised cost-benefits of the cloud disappear?

And if something goes wrong in my 3-headed cloud won't each provider just point at one (or both) of the other two and claim it's their problem?

Re:Dumb idea anyhow.

[PTBarnum]

Why would anyone hand the keys to all their important data to an employee they don't personally know? Why do you assume that your data will be perfectly safe as long as the people with access to it are direct employees rather than employees of a contractor?

Re:Dumb idea anyhow.

[bschorr]

It's true that keeping your data in-house doesn't guarantee it's security. However...I'd suggest that the more layers and people you put between you and your data the inherently less secure it becomes. The employee may not be 100% trustworthy but at least I know who they are. I have personally met each and every person with a key to our datacenter because I'm the one who handed them their keys.

Every additional contractor, sub-contractor, sub-sub-contractor means more hands and eyes with access to my data and increasingly they are hands and eyes that I don't know, have no direct control over, can't even monitor. That's not security.

Re:Dumb idea anyhow.

The USA PATRIOT card trumps every thing.

Not from where I'm sitting, Mr US-centric person.

The 4th amendment grants government.

[tjstork]

It is worth noting that under the Constitution, there is no federal power to search or seize, at all. Thus people who say that the 4th amendment doesn't list something as protected, like a computer file, miss that point. The 4th amendment is that the government is allowed to search mail, with a warrant, and nothing else.

Re:The 4th amendment grants government.

[edittard]

The actual text would appear to disagree.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The last bit seems to list a set of preconditions which, if met, do allow it.

Re:The 4th amendment grants government.

[tjstork]

The last bit seems to list a set of preconditions which, if met, do allow it.

Read this, and then you will see.

http://www.amazon.com/Republic-Letters-Correspondence-Between-Jefferson/dp/039303691X/ref=sr_1_3?ie=UTF8&s=books&qid=1263914845&sr=8-3

Re:The 4th amendment grants government.

[slimjim8094]

It's very interesting to read correspondence between the Framers - but the fact is, only the actual text applies. And the actual text says that a warrant allows governmental search and seizure.

Re:The 4th amendment grants government.

[GasparGMSwordsman]

You could also just request copies from the national archives for about $4.00 US...

As for warrants, the system of warrants was already established under the Common Law system in use in the Colonies. When we went from Colonies to States the powers of the judiciary were by and large already understood and well defined. If you look at case law you can see a chain of events that leads back, in some cases, 600 years.

Re:The 4th amendment grants government.

[edittard]

So why did they go to the trouble of writing the bit that starts with 'but upon probable cause...'?

If they'd meant no warrants shall issue, period - no, not even little tiny ones, then it'd have been a lot easier to just end the sentence right there.

Uh not so fast.

[Geofferic]

This post starts with a false statement. 4th amendment rights are not well settled. They've been challenged and altered repeatedly within the last decade.

Re:Uh not so fast.

[stocke2]

you would think we could settle something like that inside of 200 years though, wouldn't you?

But then again

[Dunbal]

If you know anything at all about security, you won't let your data be stored on someone else's computers and travel on someone else's network in the first place. (Spoken in the voice of Fat Tony) Off-site storage is absolutely necessary, but there are other, more expensive, more tedious, but far more secure methods of keeping your data off site. And please don't keep a paper trail.

Only in america

[petes_PoV]

US freedoms, protections and liberties only apply within US borders. If you put your data in "the cloud" is there any guarantee that your data will stay with US borders, or is it free to float (as clouds do) to any other geographic location.

Specifically, would it be wise to assume that all, or any, backups will only be taken in america, or that the data won't get routed to or through another country.?

It's a big world out there and the USA is only a small part of it.

This was addressed by the Stored Communications Ac

[Tobor+the+Eighth+Man]

t, way back in 1986.

http://en.wikipedia.org/wiki/Stored_Communications_Act

"With respect to the government’s ability to compel disclosure, the most significant distinction made by the SCA is between communications held in electronic communications services, which require a search warrant and probable cause, and those in remote computing services, which require only a subpoena or court order, with prior notice. This lower level of protection is essentially the same as would be provided by the Fourth Amendment—or potentially less, since notice can be delayed indefinitely in 90-day increments."

So no warrant is needed, just subpoena and notice. As the wiki article points out, this is essentially the "third party doctrine," which already exists for the Fourth Amendment. The third party doctrine basically states that if you reveal information to a third party, you can't make a fourth amendment claim against that info.

Re:This was addressed by the Stored Communications

[Tobor+the+Eighth+Man]

Rather... no warrant is needed for cloud computing services, which I'd say is the very definition of a remote computing service.

No easy access to a cloud if not the owner

Here in Holland the landlord does not have a key to a tenant's space. The landlord is not allowed to enter the tenant's space without the express permission of the tenant. I think the same should apply to a service provider in relation to the users storage unit in the cloud.

Stop insult people's intelligence

[Yvanhoe]

A bit offtopic but I think it is important for lawmakers : stop doing analogies. Cryptography does not work like a lock or like an opaque case, owning cryptographic keys does not make you the landlord of anything. Cryptography works by taking a clear message and a key and mix them in a way that produces a seemingly random information but that can be made sense of thanks to the decoding key and the decoding algorithm. It is not that hard to understand. It requires 30 secondes of focus to understand and twenty minutes of thinking about and around, and you have understood the basis of crypto.

Dear lawmakers, please make laws about cryptography, not about analogies of cryptography if you don't want me to just be an analogy of a law abiding citizen.

Thanks.

Re:Stop insult people's intelligence

Indeed. Stop insult people's intelligence. People insult own intelligence just fine.

Re:Stop insult people's intelligence

[gclef]

Lawyers don't do that because they think you're dumb...they do it as a way to build out existing precedent. If there already is law or precedent covering sealed envelopes, for example, and you can show that the situation you're looking at is functionally the same as a sealed envelope, then you can argue that existing precedent covers the situation and no new law is necessary. Creating new precedent and/or law is rare, and judges are hesitant to do it unless there's a clear need. If the lawyers can present their case as a simple analogy to existing laws and precedents, rather than having to break new ground, then they stand a much better chance of getting their case across to a judge.

Re:Stop insult people's intelligence

[srleffler]

The analogies are important here, because this is a legal argument. Besides written laws, there are judicial decisions covering thinks like the privacy of an item in a locked briefcase, or of material stored on a landlord's premises. By making analogies to these things, the author is arguing that the principles in those judicial decisions should be applied to cloud storage as well. If that argument succeeds, it may not be necessary to make any new laws at all, just to correctly interpret the existing ones.

IANAL, but I'm pretty sure from the wording that the "opaque case" idea is a specific reference to existing judicial opinions. It's an important principle, even for cryptography: it says that the government is not allowed to break your encryption merely because they can. By encrypting your data, you did more than just secure it, you also made it private, in the same way that an opaque container makes the contents private, even if the lock fails or can be broken or picked.

its different philosophically

[circletimessquare]

and therefore, it makes sense that it is also different legally

moving bits around is completely unlike moving pieces of paper around, in all sorts of fundamentally significant ways, with all sort of implications and ramifications for how society does work, could work, and should work

Re:its different philosophically

No, moving bits around is not unlike moving paper around. Both of them are merely a medium for information. The information is protected as much as, I'd say it should be more than, the physical piece. The fact that one is physical and one is not doesn't change that they're both carrying the same protected thing.

Time to change the test?

[wrencherd]

As far as US law is concerned in this regard, the 4th Amendment is not so much the problem as is the 40 yr old "expectation of privacy" test.

Perhaps it's time to change that one and bring it up to date particularly in light of the fact that it doesn't seem to apply to very much any longer.

The larger problem--as pointed out above by petes_PoV--is the international jurisdiction issue; "where" is the data cloud?

The answer to that question determines which laws--including any related "third party doctrines"--will apply.

Will google respect non-US law when it comes to turning over cloud data to non-US gov't agents?

folks

[circletimessquare]

if you want something private, don't put it on the internet

if you want a private conversation, walk with the person on a beach

everything else is subject to snooping, and not just by the government. there are other less savory entities out there that can pilfer your information

so if its important, just keep it off the wires. this is a complete shortcircuiting of all of the legal arguments

because even if you successfully clamped down on the government across all legal avenues, the government really is the least of your worries in terms of who can snoop on you and why. there is no protection that works except your own attempts to secure your data. that's your job, not the government's

there's people reading this comment who buy guns because they don't trust the government to protect them. so why would anyone trust the government to protect their privacy online?

protect yourself with your own protocols for how and when and what is disclosed over a wire. this shortcircuits all the needless legal arguments, since the potential list of online snoopers does not begin nor end with your friendly local government bureaucrat

Clueless Gov't

Our gov't is totally clueless when it comes to technology. We need to get rid of these Luddites and take over. Long Live the Technocracy!!!

Is the expectation of privacy legal?

[rickb928]

The analogy of a locked briefcase is instructive. If the government were to try to guess the combination, aren't they ignoring my intention of privacy? That is, I locked the briefcase, intending to shield the contents from disclosure without my consent. Being a combination lock means nothing, because picking a key lock is the same effort, indeed snipping off the lock is the equivalent. Does the means of entry matter? Indeed, coercing me to divulge the combination, or give them the key, aren't these also violations of the Fifth Amendment, allowed only in the most dire of circumstances, if at all?

So if I password protect my files in the 'cloud', don't I have a similar expectation of privacy? The government could indeed coerce the service provider to open the files (snip the lock). And if I encrypt the files, why should the government be allowed to even attempt to decrypt them by any means (guess the combination or pick the lock) including coercing me to offer the key (Fifth Amendment again)?

The slope we are slipping down is an old one - new technology doesn't change the principles. It just changes the means. As the government does not have the right to enter my home and search my papers without due process, so they should not have the right to rifle through my 'papers' online, either.

While any expectation of privacy in normal email is futile, if I choose to use Gmail, for instance, via SSL, then I should be granted the expectation of privacy also in that communication. And since I need my user ID and password to access my GMail account, I epxect my stored email data to also be granted that expectation of privacy.

The only reason that protections against unreasonable searches and seizures of electronically stored items should be 'lagging behind' the protections that 'more' physical items enjoys is twofold; 1. The government is charging in where they should not be, in the absence of court decisions, and 2. The courts have not yet handed down decisions that would retrain the governemnt.

But to point 1; Our goverment in the U.S. should not be seeking ways to expand their influence in the absence of restraint by the courts. They should act like the officers of the court they should be and consider the legality in favor of the people. And I'm sure they would claim to be doing so now and always. I disagree. Our government seeks to assume power in every area where the restrictions are unclear, or where the courts have not yet decided, or where they can justify the effort in the name of some greater good. We would be better off if our government considered first, "should we be doing this?".

I know I am probably in the minority with this belief. That doesn't make it wrong. Our government was devised from documents that also described its limits.

Re:Is the expectation of privacy legal?

[kwbauer]

Unfortunately, it seems to me that the majority in the US stopped expecting the government to find the least intrusive route long ago. I see the government always moving in the how intrusive can we be direction and, over time, the citizens stopped asking for this to be limited and started asking for it to be expanded. First we wanted limits on business practices (anti-trust laws to reign in the railroads by calling them robber barons), then we pass laws dictating with whom I must associate if I want to operate a business (first it was who I have to serve and then it is who I have to hire and how much I have to pay them). We are now in the middle of actually requiring that we all purchase a specific government-mandated financial product from a list of government-approved vendors. Many on here hailed the decision by the government to declare what we exhale when breathing to be a pollutant so we should probably not complain about government intrusion in a very small area when most of us (population in general) are constantly begging for major intrusions in nearly every other aspect of our lives.

Re:Is the expectation of privacy legal?

[rickb928]

Well, it is important to carefully describe our expectations and grievances with our government.

Reining in the railroads may have been a good and proper thing - they were using the commons, that is rights of way, to profit unfairly. But I see both sides. If our government is working to ensure freer markets, this is good. Sadly, they get it wrong a lot.

Telling you how much you must pay your employees over-simplifies the issue. The government tells you you must pay at least *this* much. If you're in the restaurant business, imagine how your servers feel having to declare a certain minimum amount of income, even if they don't in fact receive it... Amazing.

Many American citizens think it is ok to ask the government to do for them. They have no idea what they are giving up. My lunch mate wants healthcare costs reduced, so he's in favor of a single-payer government plan. Why does he believe this will be cheaper? Because it will share costs more equitably. Or to put it more honestly, because someone will pay for his care, in part, as they pay MORE.

Socialism. This was not our system. We need to be consulted, as a people, before our government enacts such changes. Time to call my representatives again, I'm getting upset...

Shouldn't the Government need a reason?

[flaptrap]

In order for a search to be 'reasonable' I think the Amendment should be interpreted to require a good reason to have a search. It says, 'probable cause', after all, and requires a sworn affidavit.

It is not good enough just because the Government can tax the people to raise funds and use those funds to spy on everything they do. Then everyone is a suspect, and since nobody is perfect, everyone is a criminal.

Sorry, I spend my time trying to do good for the world. I do not feel like a criminal and deeply resent being treated like one.

Re:Shouldn't the Government need a reason?

[bschorr]

Yes, certainly they should need a reason...but at assumes that the 4th Amendment applies at all. I believe that the 4th Amendment SHOULD apply to electronic communications, including in the cloud, but what I believe and what the U.S. Government does aren't always the same things.

the SCOTUS has already ruled against email.

it doesn't apply to email, so why would it apply here?

I guess those old fuddie duddies that PRINT everything have the right idea...

TSCOTUS only honors physical papers as your effects.

Encrypt/Decrypt at the client

[davidwr]

Ideally, encrypted data in the cloud would be decrypted at the user's computer, much like PGP-enabled email.

Constitution-Free Zone

If, like nearly 2/3 of the US population, you live within 100 miles of an international border or coastline -- the Constitution is a dead letter:

http://www.aclu.org/national-security_technology-and-liberty/are-you-living-constitution-free-zone

don't give anyone else the key

[StripedCow]

Solution: just don't give anyone else the key to your encrypted data. And certainly not the third-parties.

The problem is, though, that web-browsers don't (yet) have good support for encryption/decryption of data.
The only encryption supported well is the TLS connection to the webserver, but that one doesn't count since it merely allows you to talk to the webserver (i.e., the third-party).

Another problem with client-side-encryption is that the third-parties cannot manipulate or index your data, but that could also be done on the client, i suppose.

Two intermixed issues

[Registered+Coward+v2]

First issue - 4th Amendment protections in the US - what search and seizure protections do you have. Despite the so-called newness of the cloud (some of us remember big iron - dumb terminal models from way back) it is another way to electronically transmit information - so it would seem that all the existing wiretap laws would apply. Just like they can tap your phone they can intercept other electronic transmission, with a proper warrant. To the extent such information is publicly available (such as via a Google search), they should be able to get it without w warrant. if you fail to set security to prevent others from seeing it you, IMHO, have no expectation of privacy. To expand on the briefcase example, you may have an expectation of privacy for stuff in the briefcase, but the law can watch and videotape you putting something in in Starbucks.

The other issue, and to me the more important one, is collateral damage. As the referenced article pointed out, the physical search and seizure impacted a lot of innocent third parties. I doubt a court would say "you can't do a seizure because you'll grab other peoples stuff," but might say "you can only look at the target's info." So, rather tahn worry about the 4th companies should ensure their data centers have adequate disaster recovery plans to deal with such situations (along with fires, power outages, etc.) If a data center can't recover from the loss of some servers they have bigger problems than privacy rights.

Re:Two intermixed issues

[GasparGMSwordsman]

(some of us remember big iron - dumb terminal models from way back)

Some of us are still using a big dumb terminal to view this site, you insensitive clod!

Out of Control Supremes

Nothing is "well settled" with the current Supreme Court.

Obligatory George Carlin post

[Blue6]

http://www.youtube.com/watch?v=gaa9iw85tW8

#1: i have a piece of paper on my desk

[circletimessquare]

100 people around the world want that piece of paper

this will involve copying and mailing that paper, a lengthy task. it is indeed, protected, because it is a time consuming and expensive. therefore, there are natural hurdles to sharing this information, which means that publishing, or, the large scale movement of media, is the domain of a few rich players. laws governing their behavior can easily be enforced, mainly gentleman's agreements in the club house. a closet holding cd duplicators or a warehouse holding vhs machine copiers can be located and shut down, and it is expensive to set up these shops. for these many reasons, it is easy to enforce the rules

#2: i have a file on on my computer

100 people around the world want that file

this will involve nothing but installing a free easily available program, which requires no monitoring or effort to use to distribute. it is not protected, because it is effortless and cost-free. therefore, there are no natural hurdles to sharing this information, which means publishing, or, the large scale movement of media, can be performed by any teenager in any basement. a 13 year old in novosibirsk or johannesburg or pasadena has the same publishing might of bertelsmann or time warner or disney in 1980. laws governing the behavior of these teenagers cannot easily be enforced: they're teenagers. the sharing software is headless, encrypted, obfuscated, made sparse and otherwise untraceable. for these many reasons, it is no longer possible to enforce rules created in the age of vinyl records or even player pianos

this technological progress. it is not moved by legal standards, legal standards change in response to technological progress. read up on your history. when you say "The fact that one is physical and one is not doesn't change that they're both carrying the same protected thing" all i see is someone living in colossal denial about how the world is changing around them

the world is changing friend. the whole edifice of ip law is now completely unenforceable. and therefore completely useless. welcome to reality

Orthogonal

The two are Orthogonal and complimentary, so basically, use both.

The Cloud

[Stooshie]

If an American citizen has data stored on "the cloud" (be it email, documents, images, videos). Not all of that data is necessarily stored in the U.S. In fact, the citizen may have a video on the cloud that is split up and stored across the cloud in different countries. How does that fit with the 4th amendment. If their data is stored in another country, I'm not sure the U.S. could get that info without permission of another government.

Re:The Cloud

[IndustrialComplex]

If their data is stored in another country, I'm not sure the U.S. could get that info without permission of another government.

Or another more important question:

What if the US engages in a data sharing exchange with another government. You show us your database, and we will show you ours.

Suddenly you have the UK monitoring US citizens w/o 4th amendment protections, and you have the US monitoring UK citizens without their privacy protections and then they exchange the data.

Somewhere along the line, Rights were violated. But who did the violation?

Re:This was addressed by the Stored Communications

[Eskarel]

Well that's actually a fairly slim difference.

Generally speaking, if you can get a court order, you can get a warrant. It's not like the damned things are hard to get.

The 1st rule of email should also apply to cloud

[Locke2005]

Quite simply, don't store any data in "the cloud" that you would object to seeing printed on the front page of a newspaper the next morning. If you want to keep something confidential, store it on a server controlled by you, and use adequate encryption when transmitting it.

To be a pedant

[ari_j]

This is not a "law review article" - it is a "note." Published law review articles by students are extremely rare. Law review articles are also generally quite a bit longer and more in-depth. When a student who works on the school's law review writes something and it gets published, it is usually called a "note" or a "comment," specifically to distinguish it from the actual articles, which themselves are usually the product of a law professor or, in some cases, a practicing attorney.

But that's just pedantry at its finest. Mr. Couillard's note is now on my reading list and he should be proud of having tackled a controversial subject and certainly of having been published in a prestigious law review.

Safety deposit box keys

Banks don't have keys to your safety deposit box. If you lose your keys, they have to drill the box. That is a REAL expectation of privacy.

Reciprocity

[Zarf]

My issue is reciprocity: If it is legal for the government to "peer into" my private data they should not be allowed to take umberage if I peer into theirs. (note: this is a joke do not put me in jail)

If privacy is dead it should be dead for *everyone*.

If privacy is not dead then it should be enforced for everyone.

Tit for Tat

It's well known, for example, that the US agencies got around the prohibitions on spying on Americans by letting other countries do it. Heck, they even outsourced interrogation to countries where black rubber hose and jumper cables are cheaper. The only question is how much access to NSA tech do you want the Brits or Canadians or Germans to have, in return for eavesdropping on your fellow citizens? Of course, the USA scrateches their back too.

Donate to the EFF

[Blackbrain]

This is exactly why I donate to the Electronic Frontier Foundation every year. Until these rights are tested for the 'new' electronic medium in a court of law, we need a lobby group dedicated to securing them.

My bank does not have keys

[stabiesoft]

to my safety deposit box. There are 2 keys to open the box. The bank inserts their key and I insert mine
in order to open the box. If I lose mine, they have made it very clear that it will cost me a couple of hundred
bucks for them to drill open the lock and re-key it. I think they will also drill it open under a subpoena. But
I will know next time I go to open it...

Re:My bank does not have keys

[oasisbob]

Yes, in the US this is a standard practice. No financial institution I know of will keep a spare key to a safe deposit box. (The exception being those institutions which have switched to electronic locks, that technology doesn't easily allow for an institution to lock themselves out intentionally.)

That second key the bank possesses is known as a guard key. It's there to prevent what banks call "box hopping/jumping" where you sign-in on one box, and use a separate key to access another box unaudited. (eg if one has physical access to a safe deposit key, but isn't legally authorized to access the box).

If you were offering people the ability to store possessions of unknown value for a small fee, would you want a spare key, knowing the liabilities that having access to that box would bring?

Re:My bank does not have keys

[ShaunC]

I think they will also drill it open under a subpoena. But I will know next time I go to open it...

Not if they replace the drilled-out lock with another one keyed to the same key...

Wuala

That why I use wuala (wuala.com), my files are encrypted BEFORE they are given to the server, that way even the people storing my information can't access my files.

David A. Couillard = D Avid Cloud Liar (anagram!)

law student, David A. Couillard.

David A. Couillard anagrams:
- D Avid Cloud Liar
- D Liar A Cloud Diva
- Diovular Clad Aid
- Virucidal DAO Lad
- D Avid Cloud Rail
- Did AV Cloud Lair
- Cordial Dual Diva
- Lucid Variola Dad

How many more of the 1321 anagrams I found do I need to post for Slashdot users to realize this story is a hoax?
Freakin collective WHOOOSH!

Have you heard of George W. Bush

[twoHats]

4th Amendment to the Constitution - hahahahahahahahahaa I had a whole lot more hahas but the censor bot said - "oh no you don't..." Oh well - so much for attempting humor as a way of salving my broken heart...