Slashdot Mirror
Anti-Terrorism Hypothetical: Bulk Scanning of Hosted Files? (justsecurity.org)
An anonymous reader writes: The tech community has spoken: we don't want the NSA or any other government agency running bulk surveillance on us, and we don't want tech companies to help them. But Bruce Schneier points out an interesting hypothetical raised by Harvard Law School professor Jonathan Zittrain: "Suppose a laptop were found at the apartment of one of the perpetrators of last year's Paris attacks. It's searched by the authorities pursuant to a warrant, and they find a file on the laptop that's a set of instructions for carrying out the attacks. ... The private document was likely shared among other conspirators, some of whom are still on the run or unknown entirely. Surely Google has the ability to run a search of all Gmail inboxes, outboxes, and message drafts folders, plus Google Drive cloud storage, to see if any of its 900 million users are currently in possession of that exact document.
If Google could be persuaded or ordered to run the search, it could generate a list of only those Google accounts possessing the precise file — and all other Google users would remain undisturbed, except for the briefest of computerized 'touches' on their accounts to see if the file reposed there." Zittrain asks: would you run the search? He then walks us through some of the possible complications to the situation, and the pros and cons of granting permission. His personal conclusion is this: "At least in theory, and with some real trepidation, I'd run the search in that instance, and along with it publicly establish a policy for exactly how clear cut the circumstances have to be (answer: very) for future cases to justify pressing the enter key on a similar search." What would you do?
If Google could be persuaded or ordered to run the search, it could generate a list of only those Google accounts possessing the precise file — and all other Google users would remain undisturbed, except for the briefest of computerized 'touches' on their accounts to see if the file reposed there." Zittrain asks: would you run the search? He then walks us through some of the possible complications to the situation, and the pros and cons of granting permission. His personal conclusion is this: "At least in theory, and with some real trepidation, I'd run the search in that instance, and along with it publicly establish a policy for exactly how clear cut the circumstances have to be (answer: very) for future cases to justify pressing the enter key on a similar search." What would you do?
What about false positives - like if a document has been mass-mailed or put as a part of a story etc.?
I an imagine that we would end up into a situation of "guilty unless proven innocent".
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Other email providers exist, which ones do we force or ask to scan all their documents?
Do we force companies to scan theirs too?
Get developers to add backdoors scanners to all their software?
This isn't a new problem.
Even though it's hypothetical, it's still dumb.
Once the government has the ability to scan files belonging to hundreds of millions of users for a specific document, it might be easy to broaden that. Searches for similar documents. Searches for a standard set of illegal materials - say known child porn images. Searches for copyrighted materials like movies and audio.
Specifically searching for a specific document with a known like to terrorism doesn't bother me, but the extensions do. I absolutely do not want to give the government the right to search for anything illegal - and I don't see a clear way to enforce the distinction.
The innocent have nothing to fear, but there are few absolutely innocent people
Just the briefest of touches of everyones personal papers would not be acceptable. Why would it be different for electronic documents? Because you can without being noticed is not acceptable. You cannot just search everyone.
Now imagine if it were someone like Snowden and the NSA was seeking others he had shared the docs with.
The key problem is that no can trust gov to be honest about 'why' they are searching...
Gov is corrupt...until that changes, don't give them the time of day.
Send or receive a known kiddie porn image through GMail and they will tip the authorities. That hash check can be used for anything the government wants to find people in possession of, just hand them a hash and a NSL.
Live today, because you never know what tomorrow brings
Ever notice we foil some real doozies? Probably a few kinks to work out.
will work for dragon quest localization
How about searching the account of the one person they've identified to find out which other accounts he had mailed that to?
Then the government can get warrants to search those accounts as well.
As long as they are not in another country or otherwise protected or delete all records after a certain time.
It can do whatever it wants. It can choose to cooperate with this search at whatever level it wants to. I suggest you do not use gmail and google docs to share bomb making recipes.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Too complicated for me. We should refer this one to Bennett Haselton.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
They *already* do this, not because they're scanning things, but because they index files on their hashes in the first place.
Remember "Dropship"? If you knew the hash of a file on Dropbox, you could "teleport" it into your Dropbox storage by using the API to tell Dropbox that you had a file with that hash locally. Since it got used for file-sharing, that was shut down - but it reveals that for de-duping purposes, Dropbox hashes all your files anyway.
It's a trivial matter to take that file, hash it, do a lookup in the table of files that belong to each user, and produce a list of the accounts. It's probably already been done for copyright-infringement suits.
No bulk scanning required. Just a lookup.
...except for the briefest of computerized 'touches' on their accounts to see if the file reposed there....
A search is a search, no matter how innocent you try to make it sound.
I wouldn't run it without the authorities being able to meet the requirements for a search warrant. Otherwise you have the problem of copies of the document in the inboxes of people with no involvement whatsoever who were sent the document in a deliberate attempt by the terrorists to bury their tracks in a crowd of false leads. Given that the sender, not the recipient, determines to whom a message is sent, merely receiving a message without anything more doesn't indicate any involvement or intent on the part of the recipient and can't reasonably be construed as any indication of probable cause to search. How about they first search the known terrorist's mailbox for the names and addresses he's corresponded with looking for who's replied to him about the plan? Then the authorities can target the searches of specifically those accounts and there isn't this problem.
Lets deal with threats like ISIS at their source rather than playing wack-a-mole with our liberties here at home.
The problem with this search is that government is too big and too unaccountable to be allowed that capability. Governments and law enforcement agencies routinely act unjustly. They use violence and threats needlessly, acting as bullies rather than public servants. And they are almost never punished when they commit crimes.
If governments showed humility and served the public, maybe you'd consider letting them search something occasionally. But that sort of government seems like an impossible fantasy these days. So no. Not until they prove they can be trusted -- which unfortunately means probably never.
Get a warrant and search away. It's the illegal searches and bulk collection of personal information that's the problem.
In the U.S. (where Paris is not, I realize - but neither is Harvard) we ostensibly are innocent until proven guilty. No, no, quit laughing... I'm trying to make a point. The searcher has no foreknowledge that I might be guilty, so they shouldn't be able to look through my "stuff" for evidence of guilt.
I don't see how this is materially different from, say, having permanent access to my home surveillance camera footage and routinely using bots to review them for the image of a rocket launcher. If you have no reason to suspect me of involvement with a crime, you can't just randomly search my house, stop me on the street to frisk me, or search my personal papers.
#DeleteChrome
I was just about to inform my cells where the nuke is located!
Obviously you wouldn't do an actual byte-by-byte search of every file; you'd first compare some metadata - like the file size, or the file hash/MD5sum/etc.
So, say that Google gives whoever is asking a list of files that match the metadata. They haven't actually looked at anyone's contents; no file has actually been opened or read. The list doesn't need to include the people's accounts or other details; it can just be a list of inodes. The people asking could then get a court order to look at those specific files to see if they actually match. Would that be acceptable?
Gee, almost like the government would have a legal and legitimate (search) warrant that Google et al would likely be happy to comply with. If the government uses it's powers correctly and within the letter of the law, not to mention the spirit, why shouldn't Google et al comply? It is only when they overstep and do BLATANTLY illegal things is when they tech companies push back.
My reading of this would be the government getting a search warrant for the provider in question, and a fully legal one at that. Legal warrants override privacy concerns, that is the point, no? If the laws won't allow a search of users, a warrant naming 'does 1-x' could do the same, at least from my limited legal knowledge.
-Charlie
As was pointed out by a commenter earlier when Bruce Schneier posted this.
This whole hypothetical is moot and has already been attempted for DMCA and Child Porn cases. This is because Deduplication is a feature of any large file sharing entity gmail included as drive space is not free.
Because of deduplication there will only ever be one copy of the relevant file clusters in existence and a table of assignments for which messages and or accounts to apply it too. Thus given an example of the file or the list of cluster hashes and a simple court order a company can expunge the one copy and/or return the list of holders with their association / upload / download dates.
Now one key issue would be that even a single bit changed in the file (mentioned in the article) would change the file hash and probably 50% of the bits in the specific cluster would flip. But for larger files >10MB it may be sufficient to match a percentage of cluster hashes and then inspect the misses further.
That said a savvy antagonist would recognise the above and suggest ways to defeat deduplication, even without using anything fancy. For a text file, simply running it through a compression algorithm would change it sufficiently and if you use one that does encryption correctly then each encipherment, even with the same key, would result in a different file. Plus since you are not actually interested in securing the file you could include the password as the filename.
Google already hashes known criminal-images-which-shall-not-be-named-by-name and scans for it. This isn't really intrusive because there can't be a SHA-256 false positive. Having Google do this versus banning encryption and having AT&T sniff the wire is preferable. Google already scans your crap for ads anyway :P
We get round that by either changing the payload itself (while rendering it still usable) e.g. by transcoding videos, adding filler pages to .pdfs and/or by zipping it together with a randomly gener
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
And why I dislike framing the argument against this sort of thing as a right to privacy like the EU does. I tried bringing this up way back in the 1990s when rumors of Carnivore began circulating. If you frame this in terms of privacy, then this type of surveillance becomes legal. It's not a person searching your files (or sniffing network traffic) for pattern matches, it's a machine. Only matches are turned over, and the data of innocents remain private despite having been searched.
It's not privacy which is sacrosanct here; it's the right to be free from government searches without sufficient suspicion. The way this needs to be framed is in terms of the limits of government power. If the government has this type of surveillance power, you may joke about the word "bomb" in your post triggering the FBI's monitoring software, but the chilling effect it has on free speech is the same whether the search was carried out by software or by an authoritarian government trying to control the populace.
To put it another way if we've decided that individual freedom is more important than government control, then this is one of the tools we simply cannot allow government to have. It is incompatible with the notion of government for the people, by the people, of the people. If that leads to the downfall of democracy, then so be it. The sole reason for democracy's existence is as a bulwark against authoritarian government control. If democracy self-implodes in this fashion - because people are too scared of terrorism they democratically choose to give government that authoritative control - then we'll either just have to accept that democracy is conceptually a failure, or we'll have to come up with a new idea for a system of government which respects and protects individual liberty.
The problem is that this is the precise definition of slippery slope. As attractive as it would be to scan for such content legally, this is not the kind of toys we want the government to have. Would the government as with a foreign enemy, we should be discussing capabilities, not intentions. The one inescapable truth is that any capabilities of a bureaucratic entity are going to be abused. If you don't want the abuse, don't give them these capabilities took begin with.
You're thinking too small. They can do draft messages via Tor, mass mail via a temporary account to other use-once-discard emails that are accessed via proxies.
Google is probably doing hashing on a filesystem level, alongside whatever technology mentioned in the Child Porn article someone posted here. It will always be faster to get Google to do your work for you. And when the stakes get higher and we start to sell out more of our freedom for safety, you can be sure these massive companies will be pressured into compliance. One way or another.
that terrorists figure out how to intentionally create misleading files on their computers and send out such files to 10000 random people in order to jam the system.
This didn't make the DHS smarter. It only made Bruce dumber.
Let's start with his example: the Paris attacks. The Paris attackers plotted everything using... wait for it... SMS. Just about the least-secure communications system ever devised. About the only way they could have fucked up worse would be if they planned the attacks inside a police station, talking to each other with bullhorns. That's not surprising, of course; the criminal geniuses whose masterplan was "get guns and shoot people with them" aren't going to think of using encryption, decentralized communication, or anything else that even the average slashtard knows how to do.
Now let's move on to Bruce's example. So the police capture or kill a suspect, find his place of residence, find his laptop, his laptop is unencrypted, the terrorist masterplan is just sitting there in plaintext, and... that's it? There aren't any other or better investigative leads? Their best and fastest strategy is to ask Google or whoever to scan all the data of 900+ million users? There's no other evidence on the laptop, no "electronic paper trail" from his online communications, nothing useful in his apartment, they couldn't recover his phone, they can't track the gun he used, they've got *nothing* except a mass surveillance dragnet? The cops just gotta twiddle their thumbs for several hours while Google/Apple/Microsoft/Yahoo/whoever process their request and get back to them? The same terrorist who was so smart he covered all of his tracks was also so dumb he left this vital, identifying, incriminating piece of evidence just waiting for the cops to find it?
It took me as long to read about this idea as it did for me to invent a countermeasure to it. Take some JPEG of a stupid meme, append the terrorist masterplan to the end of the file (or just stick it somewhere in the EXIF data), attach it to an email with the subject line "ch34p V14Gr4!!!!," and use a compromised webserver to bulkmail it your co-conspirators (and a few hundred thousand other people). I'm pretty sure even the dumbest terrorist can manage to download a JPEG, open it with Notepad, and scroll past the gibberish until he finds something he can actually read, and meanwhile the counterterrorism geniuses are working their way through a pool of suspects big enough to populate San Francisco.
This is fucking stupid, Bruce. You're asking me to buy some hypothetical scenario where the perpetrators are so dumb that this strategy would work and yet so smart that this is the best strategy that would work.
Instead of asking everyone else to find your boogey-men, how about modifying your foreign policy a bit ?
Yanno, quit acting like the World Police, quit the regime changes when leader X doesn't want to play your games, quit all the drone attacks, etc.
Focus on the problems at home and quit adding to them.
You might find that by not pissing off the Islamists, you'll have less bullshit to contend with.
Just a thought.
Yeah, that worked so well for the Persian Empire.
And the Byzantine Empire.
And the residents of the Levant.
And the Egyptians.
The rest of North Africa.
The Balkans.
And the Spanish.
The Merovingians.
Should I continue?
The Japanese attack on Pearl Harbour wasn't unusual; the US Navy imagined exactly that scenario. Similarly, bin Laden didn't predict the damage from flying a plane into a building; recently published novels did that. Also, the US DHS spent a few years discussing every kooky attack vector there was. What exactly qualifies as "instructions" in this description?
It gets worse: The FBI profile for a terrorist includes possessing a Casio digital watch, or a pocket reference to the US constitution. The slippery slope here, is the government can use any criteria to scream "look, terrorist". Everyone forgets the US government has a lot of difficulty dealing with slippery slopes, instead choosing an all-or-nothing policy.
These are weasel words like "suspicious people" justifying mass surveillance. How many times has a government stopped every car on a highway and searched it? How many times have the police done a house-to-house search of a neighbourhood? Yet, when that personal 'space' is stored on the hard drive of some corporation, ransacking the 'neighbourhood' is encouraged, which sets a precedent: The corporation is responsible for national security; the hard drive can be searched at any time the government has a problem; plus, the government can push the cost of such ransacking onto the corporation.
First and foremost: You think the 'bad guys' haven't already thought of something like this? You really think they're sending out their most secret plans out in the clear, or even sending them out at all? Anyone with half a brain would either encrypt them somehow (either digitally or by more traditional methods), or use stegonography, or hand-carry them, or commit them to memory, not leave a trail of breadcrumbs that any armchair detective could follow.
Second: This would set the precedent to bring about the absolute and total end of even a pretense of privacy for everyone. It would become leveraged for seaches of anything and everything; everyone's lives would in essence be laid bare for any government agency with a half-assed reason for a search. Not much longer after that the private sector would find a way in, and I wouldn't at all be surprised if not long after that, it would be used outright for marketing datamining.
This is a dangerous, stupid idea, and no way in Hell should it ever be allowed to even be so much as discussed as actual legislation.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
http://www.missingkids.com/Exp... and many providers are complying with that. I wouldn't be surprised if google and them would do this to avert more searches.
-- these are only opinions and they might not be mine.
"Just a thought"? You didn't put any thought into that. If you knew THE FIRST DAMN THING about ISIS, al Qaida, and all the rest you would know that their ultimate goal is to control the world. That means every country, all the people. That includes where you live now!!
Your crack about "modifying your foreign policy a bit" is the first sign you are clueless. They think your society has to change. They demand you convert is Islam. That is their goal! They want your society to convert to Islam, give up its laws, use Islamic Sharia law, kill gays, ban alcohol and drugs completely, kill people for adultery, no more loans with interest. It is a long list.
Do you know what bin Laden's demand was to the US after 9/11 in his letter to America? Covert to Islam! We're going to keep attacking until you do. Give up your constitution and use Sharia law.
(Q2) As for the second question that we want to answer: What are we calling you to, and what do we want from you?
(1) The first thing that we are calling you to is Islam.
(a) The religion of the Unification of God; of freedom from associating partners with Him, and rejection of this; of complete love of Him, the Exalted; of complete submission to His Laws; and of the discarding of all the opinions, orders, theories and religions which contradict with the religion He sent down to His Prophet Muhammad (peace be upon him). Islam is the religion of all the prophets, and makes no distinction between them - peace be upon them all.
Really, this shouldn't be news after 15 years! Try looking into this some time.
At least not in the practice of many Muslims. Living near a mosque, the range of clothing on the men coming to it ranges from standard Western to obviously ethnic. If they aren't dressing by that standard for attending the mosque, it's clear that they won't at other times.
As the full article mentioned, the Federal prosecutors asked informally about this were uncertain of the legality, And certainly the constraints on warrants of the 4th Amendment - requiring a warrant for each search, i.e. each email address - make it unconstitutional. So it's down to the companies.
It's an established fact that Google already does this for child pornography. This became public back in 2014. So it's not much of a stretch to move into scanning for this. Some would call it a "slippery slope", but that's the world we find ourselves in.
As the world gets bigger and bigger and certain nooks and crannies of the Internet concentrate and amplify violent ideologies I think this kind of bulk scanning will be necessary, Google already does it for business so maybe we should allow them to do it for public safety. I think regardless of what we do this will happen and we can either jump on the bandwagon and try to steer it in the right direction or let it careen down the hill in the control of the corrupt and elite. The biggest problem with the NSA in my opinion is transparency, yes they definitely crossed some lines but their biggest transgression against the American people and the entire world was hiding what they were doing which allowed gross misuse of the power they had. I've always said that technology is going in a dangerous direction and the reason is because only a few people understand it and fewer care that it is. We need a greater conversation with the general public. This idea applies to politics, privacy, technology, and society as a whole.
Or there was evidence it was printed 20 times. Do we search all homes in the country to see if anyone is in possession of the document.
In my mind each of these hypothetical searches is what they call in the US (or used to) unreasonable search and seizure.
These hypothetical situations are the tools that the over-zealous government security technocrats use to attain power. Power for mass surveillance, power to detain without warrant, power to torture, power to kill. They have done them all, because we let them. They are nearly as bad as the terrorists, and their legacy will be longer lasting.
Hillary and wall street bankers in jail would be a start.
The huge key factor in the linked article is "warrants."
Rather than a mass collection of data on the off chance some number of things in the data might be useful sometime, this is a very targeted search for a very specific document discovered via a search with a properly issued warrant. There are checks and balances in the system for reasons. Currently, things have swung to far to "collect everything in case we need it!" On the other side of the spectrum is "Collect nothing. Privacy is absolute." Somewhere in the middle is the appropriate area that balances the needs of societal protection against individual privacy rights. That pendulum will always swing. Wherever it happens to be, some group will always be unhappy.
To be clear on this ... while you may trust President A not to abuse this, that means that you must also trust Presidents B, C, D, etc. Eventually there will be someone elected that you really do not agree with.
And that person will have all the authority you supported for the people you did agree with.
And none of the inhibitions on abusing that authority.
Supposedly the USSR had copy machines etched so that it was possible to track down the source of aberrant materials. A means of tracking is also done with consumer copiers in the name of reducing fraud, but there is no law restricting it solely to that use.The Federalist Papers would be an anathema today.
Exactly how much further down this rabbit hole do we want to go? Yes, it is fine and good that these measures will only be used with the best of intentions, but if the difference between a police state and your liberal democracy is intentions, you are already fucked.
Such a search only "works" in the minds of a few people because they have a navel-gazing mindset that presumes all data is managed by a select group of companies they know about, and which are hosted by one country (usually the US in these narrow-minded viewpoints.)
In reality there are hundreds of thousands of service providers around the world, and you'd have to scan them all. Even Google mail is a drop in the bucket compared to the oceans of emails floating around the world.
I do not fail; I succeed at finding out what does not work.
The entire point of this is to first convince many people to say "why yes, that does seem reasonable" then advance to "but we can't do it if service providers use secure encryption, and that's why we must be provided back doors"! Granted, most email is not stored encrypted with the account owners' public keys, but that's what this "hypothetical" is about, require back doors, then apply that to all stored communications, not just email.
Which is a strong reason to never use gmail or the likes.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
No need to go into accounts if the files are in a form that is protected by a checksum you just need to flag all the owners of files that have that checksum in their file-system metadata. No innocent accounts are ever looked at. However it would be appropriate to get a warrant for every single account that got flagged before conducting a more direct investigation. So how is this a bad thing, the innocent are protected and their privacy is never compromised.
It is reasonable to assume the NSA monitors all email traffic, so they would know who got copies already. The US Constitution requirements for a search warrant appear to exclude searching "everyone's mailbox" as a viable warrant, so your proposed search can't be legal. Would the police have to prove the file was important to their investigation or would you take their word for it? The US government has worked hard to destroy their credibility, but I don't know about the government of France.
and write about it on my lap top surely because Google can do what they can do, they should let the gov/police access to all Google services that are used by my family, friends, co workers and neighbors? Crack pot much?
Terrorism is a crime just like any other and authorities should only have enough power to investigate it like any other crime.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
"Suppose a laptop were found ..... a file on the laptop that's a set of instructions for carrying out the attacks."
This is a hypothetical.
It's pretty easy to encrypt your way around this. You can use a different IV for every co-conspirator...
The likelihood of this being useful, cost of implementing something like this, and ease of subverting it; all brings me to the conclusion that it won't be worth it.
The money is better spent saving lives by other means.
It's kind of like the DRM discussion: You can't distribute videos without people copying them (you can make copying harder, but really you just make your product more error-prone).
Similar here, you can't stop two trusting parties from talking in secret (you can make it harder, but really you're just making your product more complex and error-prone.. Not to mention the enormous risk of making your product less secure).
In both cases you put in a lot of engineering effort into making a product that is defect by design.
The biggest problem with the NSA is transparency? How about they are not doing their job? They intercept and record all emails and sms messages, but they couldn't catch the Paris attackers. Even though several of them were on watch lists, and they openly planned their attack over (plain text) text messages.
all kinds of searches are possible when a judge grants a search warrant. over the phone.
if this is supposed to be a new economy, how come they still want my old fashioned money?
If a criminal is apprehended in a hotel room, do the police have the right to search all other rooms in the hotel as a result?
Would they be able to check everybody's regular mail at a sorting facility if they found that the document had been printed out, a box of envelopes with some missing, and a pack of stamps with some of those missing too and the investigators assumed that the suspect mailed any copies so that they would be at the facility at the time of the search?
It doesn't matter if the search is only "the briefest of computerized 'touches' on their accounts", it's still a search of the modern equivalent of the "papers" of nearly a billion people. The government may not rifle through the papers of a billion people because they suspect that a handful of them may possess an incriminating document. Absolutely not. And neither can they compel a private company to do the rifling for them.
Wouldn't publicly establishing such a policy mean that real terrorists will know to avoid such detection techniques?!
I mean wouldn't that defeat the purpose?
All those moments will be lost in time, like tears in rain... time... to... die...
"Just a thought"? You didn't put any thought into that. If you knew THE FIRST DAMN THING about ISIS, al Qaida, and all the rest you would know that their ultimate goal is to control the world. That means every country, all the people. That includes where you live now!!
So not much different then the Americans currently, with lots of previous contenders. The big difference is capability, the Americans have a good PR team and can act nice and can show up with an aircraft carrier and suggest signing this treaty, or better just threaten to isolate you. But as their vendetta against Saddam showed, they're willing to kill 100,000ths or more innocents to gain control.
https://en.wikipedia.org/wiki/Inverted_totalitarianism
Up to recently, SMTP traffic had only opportunistic encryption, ie, was trivially readable by any attacker. But fortunately, most server software gained support for DNSSEC/DANE, which, while not perfect, is _massively_ more secure. Unlike breaching CA-cartel certificates, breaching DANE pretty much requires suborning the TLD the target uses. Thus, as competent admins configure their MXes for DANE, bulk monitoring of email traffic shuts down.
On the other hand, any government with some clout has warrantless access to big email providers. So for now, we need to use small or individual mail servers.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Aside from the abominable intrusion of privacy this amounts to (because an action is a crime, not a belief of a sympathy)...
I work in security for a large company that uses gmail as its corporate email.
When we receive phishing or malware-containing emails, along with a robust response, we work with our admins to have the emails removed from the mailboxes of the recipients (better safe than relying on every user to not be an idiot.) This is enormously time-consuming, difficult, and all this on what one can only assume is a tiny fraction of over-all gmail. So let's call it impractical.
So where do we go from there? Well, naturally if you'd like better searching capabilities, we should index all the email, all the files. "Pre-search," as it were. I'm sure we'd all be happier with that.
Wait. That's what the NSA was already tasked to do by the US government. And we all lost our shit about it. And for good reason. (And BTW, the NSA, who has a ton of experience and lots of very smart people in this area, never managed to make this terribly illuminating.)
A warrant to search cloud files should only be issued if a similar warrant could be issued for the homes and offices of all those who files will be searched.
Given that few governments would be able to issue warrants to search all the homes and offices in their territory, cloud warrants should not issue.
One's right to privacy should be independent of the location of private data.
Where did anyone get the idea that information located somewhere on the internet is private? All the people commenting here are acting as if their data, help by a third party, is private and protected; it is not. Anything that you do on the internet can be easily viewed by various people. If you send plain text or images on the internet, someone can see it if they wish to. If you want privacy, you encrypt your message or use an application with, end to end encryption, that you trust. However, if a message could put you in jail, would you trust it to a third party?
The privacy that you think that you have now is only privacy by obscurity. The perception that you have of privacy is only that, so far, nothing that you have done has been shown to people other than the intended audience.
I have been using computers for a lot longer than the internet has been public. In the BBS days, anything that you do is visible to the BBS owner, they could watch you in real time. When I first started to use email, I knew that anyone at my isp or webhost could easily read my messages. Other people could, with greater effort, see my data if they really wanted to. If I want fair privacy, I use the phone, if I want more privacy, I speak in person.
I don't see the big deal about searching data help by third parties. Terrorist plots will not be found this way, except for very stupid terrorists. When I see law enforcement calling for spying on everyone as if it was the holy grail of police work, I just think that they must be incompetent.
What constitutes a search? Does it require consequences or an actual human? The idea here is that email accounts and the like will be automatically scanned for a certain document, which is going to be considered grounds to investigate and which may help make up probable cause for a warrant. Also, this wouldn't be a scan of email on individual users' machines, and the law is at best unclear on what can be searched on system A because person B is suspected.
We're not going to know how this works legally in the US until we have some legal interpretations making up case law.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Then, you ant to look for copies of the file in circulation. This is what virus scanners - at both individual computer AND at the gateways of large service providers are for, and do. So, either through a tame person at major virus vendors, or by crafting a version of the file that contains a piece of malware, you "inform" the virus industry of this particular file, with this particular fingerprint / set of heuristics, etc. Get those into the regular updates of the major anti-virus providers, and you should get alerts from the existing systems if the file is passing around.
And you still don't announce it. This information comes out at trial, if then.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
The data was voluntarily handed over to the service provider so it can be seized and searched at any time. As a practical manner, the government is going to do this anyway whether they say so or not making "should" and "legal" irrelevant despite laws like the Electronics Communications Privacy Act. If you want anything sent over the internet to remain private, encrypt it.
https://en.wikipedia.org/wiki/...
https://en.wikipedia.org/wiki/...
Note that encryption does *not* create an expectation of privacy. If the government can seize the data, then there is nothing to prevent them from decrypting it if they can.
http://papers.ssrn.com/sol3/pa...