Slashdot Mirror
Google Pushing Back On Law Enforcement Requests For Access To Gmail Accounts
Virtucon writes "Ars technica has an interesting article on how Google is handling requests from law enforcement for access to Gmail accounts. With the recent Petraeus scandal where no criminal conduct was found, it seems that they're re-enforcing their policies and standing up for their users. 'In order to compel us to produce content in Gmail we require an ECPA search warrant,' said Chris Gaither, Google spokesperson. 'If they come for registration information, that's one thing, but if they ask for content of email that's another thing.'"
http://tech.slashdot.org/story/13/01/23/1712213/google-report-shows-governments-want-more-private-data
Email and other services are way more robust when there are many providers, because there is not one central point for a government to apply pressure. In the 1990s everyone got email through their ISP, and there were a million little ISPs all around.
Now, there are fewer ISPs, and even though they all still provide email via the standardized protocols, everyone ignores that and uses webmail... and most of them use Google. Having the whole world's email in one place is a bad idea. It means there's one place to, say, block encryption if the powers-that-be decide they really should be able to read *every* email. It means there's just one place to censor. Just one place to move away from standard protocols to achieve lock-in.
The entire concept of the internet was about decentralization to achieve robustness. Once, robustness in the face of nuclear war, but it also provides other kinds of robustness, like robustness against censorship, against control, and against monitoring. Now, for some bewildering reason, we want to discard the robustness of decentralization and put all our eggs in one basket. I do not understand why everyone prefers that.
Contents are private, post office does not read it, and you need a warrant from a court to intercept and read mail, so google demands a warrant for contents of email. OK fine.
Now, in each letter, the from address and the to address are open in the public. Technically the post office could build a graph of who communicates with who and how frequently using just the public information. But it is expensive, painful and so USPS does not do it. Or I think it does not do it. But it is trivial for gmail to build all people who correspond with me, and rank them by the frequency of communication. In fact it already does, it suggests a CC list based on the addresses in the To list. Is it considered public information? Would google share it with the government without warrant? Or would it require a warrant?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Patriot Act federal requests do not require a warrant and cannot be reported when served against a company like Google when serviced. Even A fast Google search reveals dozens of specific instances of Patriot Act abuse, and the law itself at http://www.fincen.gov/statutes_regs/patriot/ shows that it wildly exceeds any sane Constitutional interpretation.
Similar abusive laws in other countries mean that Google, forced to follow local law enforcement in numerous countries, is wide open to abusive but legal requests for private content. There seems to be no sign that they do more than provide more than the slightest lip service to genuine privacy concerns, and many of their business modes are based on *selling* information about their customers.
Most folks focused on the whole sex scandal part. Some folks focused on the operational security and the fact that the FBI tanked Petraeus with no charges filed. Some of those folks may control Google Apps for Government and choose alternative providers, in case it may be a point of failure in future bureaucratic turf wars. Sadly, yes, this sort of thing does happen.
This summary is a bit loosely summarized. ECPA does not necessarily require a warrant. For this reason, Google is simply complying with ECPA and refusing to release details otherwise. Is this new?
Not "Patriot Act", it's the U.S.A. P.A.T.R.I.O.T. Act, and each of those letters stands for something, because US civil defense policy is now run by the marketing arm of Mattel.
No kidding!!! What do you say at this point?
This is spam - link is not related to this article.
If your Chromebook is stolen, do you think Google should provide law enforcement with the details on the new account to which it's been associated? Or do you write off your $400 and move on...
Thus, I say that email must not be placed in a cloud. Some companies like Google try to be no evil but have little wiggle room -- the bad guys (yes, the current crop of governments work against rather than for you) can access your mail at a whim. Unless you use email only to send Christmas greetings to aunt Jane, you have private and/or business data that should not be viewable by third parties.
If you host your own mail server (even at home), the bad guys at least need an actual warrant, and can't do this without your knowledge. Sorry, but that's the only way.
Another problem, this time technical, is that DANE becomes an absolute must. Current schemes for TLS encryption for SMTP are bad jokes that give an illusion of security: all an attacked has to do to completely override any mail security is to have port 25 connections to go somewhere else. Opportunistic encryption helps only passive snooping, and in almost all cases where passive snooping is possible, active is a matter of slightly more effort. DNSSEC can be subverted by ICANN and your top level domain's registry, but unlike issuing a request to an ISP, this would be a major undertaking that's moderately easy to detect, and in cases it would matter, you can have your private trust anchors. Or, if your data is important enough that the spooks mess with ICANN, just use gpg.
Why I'm speaking about DANE/DNSSEC? Because once they're supported well in common MTAs, deploying them is a matter of a single easy action by a sysadmin.
The bad guys can still know the IPs of both parties, ie, whom do you send mail to. This is a harder issue, with no obvious drop-in solutions. You may use a .onion email address, but that doesn't work without setup on both sides.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
But I still wouldn't trust it.
You are not what you own.
And WHO issues these warrants?
One of the reasons I don't use Google services. I don't recognize the 'ECPA search warrant'. the only warrant I recognize is a bonafide court issud warrant, issued by a bonafide seated judge. Anything else does not exist, and all access is denied.
Why is registration information any different?
Sendmail is free, so is clamav and spamassassin. Get you an old raggidy PC and set that shit up. It'd take a novice PC user less than a day to do it.
If you read the above and feel like that's not for you, there are other email services out there that are paid for by the providers of the things that you buy.
Was there a story here...?
He doesn't explicitly say that Google doesn't produce content in Gmail without that warrant. Just that warrant compels them.
I'd be happy if he said "Google never produces content in Gmail without receiving a valid ECPA search warrant first"
Of course an NSL is the trump card...
Basically Google will protect your private data to the upmost of their legal ability from everyone except themselves and their clients :( /cynic
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
I think you need to balance risks. If my mail is hosted outside my home, on my ISP or on Google, then it increases the risk of it being searched by the government without my knowledge. If I set up and run my own mail server on my own machine, then I need to correctly install and configure the OS and mail server and keep up with all the security patches and spam filters, or I severely risk having my mail accessed by script kiddies without my knowledge. Or maybe I will know about it because they'll reset passwords to all my other accounts and then delete my mail.
If given a choice between exposing my mail to government crooks or free enterprise crooks, I'll take the government.
Yes, we're raping it 10% more times a day, but we're allowing a lot more content through.
I swear to God...I swear to God! That is NOT how you treat your human!
I will quit email altogether if I have to.
Some people did not make the address first.last@retardedcorp.com for a reason.
Requirements from US's agencies done under PATRIOT Act are never accounted for on Google's Transparency Report, because they are issued along with gag orders. Google has never revealed how many of this did they fulfil, nor they do it now.
Cyrus Farivar's article on Ars Technica doesn't even mention PATRIOT Act, for a start - and when it refers to the break down of legal request types, we are linked to a Google page that breaks them down to three types - subpoenas, ECPA and other. Once again, PATRIOT Act request aren't even there.
I am deeply disappointed by this Ars Technica's article. It pretty much seems they completely forgot about this issue they previously cared for. It pretty much seems they are doing propaganda for Google.-Ignacio Agulló
No worries, your isp will just log your email anyway, and give the government full access whenever.
And, in fact, they have NEVER fought one of these requests. Ever. The only ISP operator to fight one of these requests is Nick Merrill, and he had to enlist the ACLU and others just to get the right to be represented by an attorney, much less make his fight public. Otherwise, the only other people to fight these requests were a few librarians. Considering that these requests can actually dragnet in huge amounts of data from multiple accounts, I wouldn't feel so sanguine about Google's "pushing back".
I need to correctly [...] keep up with all the security patches and spam filters
Uhm, and that's much work... how? You need to do a manual intervention once a couple years, to move to the next stable release. Security updates get pretty thoroughly tested (Microsoft aside...), so outside of especially complex deployments not having them as a cronjob tends to be a waste of time. Spamassassin updates its rules automatically, which is probably good enough if you don't feel like tweaking them.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
That's why we need a way to force encryption, limitting their knowledge to just the source and target IP.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Not "Patriot Act", it's the U.S.A. P.A.T.R.I.O.T. Act, and each of those letters stands for something, because US civil defense policy is now run by the marketing arm of Mattel.
If only. At least in that case, we would have fun things to play with in exchange for the freedoms we surrendered.
Unless you use email only to send Christmas greetings to aunt Jane, you have private and/or business data that should not be viewable by third parties.
If you send emails without encryption, you should certainly limit them to not much more than Christmas greetings to aunt Jane. I assume that any email I send is as secure as a letter, since I can't be arsed with encryption. My bank wouldn't send me a new PIN on a postcard, but it certainly would in an envelope.
To have a right to do a thing is not at all the same as to be right in doing it
As will many others. For a fee. And then only you read your email.