Feeds

back to article US judge: YES, cops or feds so can slurp an ENTIRE Gmail account

A US judge has ruled that the Feds can have access to a Gmail user’s entire account to search for evidence in a money laundering case, a decision which clashes with at least two other recent rulings on email privacy. New York District Judge Gabriel Gorenstein said in an opinion that email accounts were the same as hard drives as …

Silver badge

Actually seems fairly reasonable...

They have a court order, based on evidence of wrong-doing. A court wouldn't order a telephone intercept "but only phone calls from criminals" - the intercept would cover everything. Ditto with an e-mail account. What I object to is GCHQ/NSA/other government agencies having access to electronic (or other) activities without a court order relating to a specific individual accused of a specific offence.

20
2
Silver badge

Re: Actually seems fairly reasonable...

The problem seems, to me at least, to be that the law isn't giving the judges enough boundary information regarding the information they are looking for.

For example

Law: M'lud, we are investigating this toe-rag for possible financial embezzlement and want to look at all his emails.

Judge: And just what exactly are you looking for?

Law: I dunno, let's just have a look and see what we find, yeah?

Judge: No, that's a fishing expedition.

If the Law responded with something along the lines of

'We are looking for any emails to or from the individual that relate to financial holdings with company X' the Judge might well say yes, because if the Law turn up some other dodgy info it would be inadmissible as evidence and they would only be able to use the information that matched the warrant.

Leaving it open ended is open to abuse.

8
1
Silver badge

Re: Actually seems fairly reasonable...

You seem to be correct on this, but reality can and is different. So if they take your HDD looking for embezzlement and find kiddie porn... will that stop prosecution on the port? I somehow don't think so. The cops have taken to searching random cars for drugs (allegedly random) with no warrant but using the reasonable suspicion belief and if they find anything illegal, the driver/owner will be arrested. There's just too much open-ended anymore and it's in the name of security... or "crime prevention", or "think of the children". How about someone thinking of the Constitution? Or the rights of citizens?

We have to bear in mind that US law is a tad different than UK law.

1
1
Bronze badge

sigh

title says it all really.

2
3
Silver badge
FAIL

Re: sigh

Actually in this case it says sweet FA. Care to enlighten us on which part you have issues with?

There seems very little commentard agreement on this particular topic.

3
1
Silver badge
Coat

Re: sigh

Seems reasonnable to me. I mean, I'm all for entrepreneurship and market freedom, all that, but doesn't Google Mail T&C stipulate that you shouldn't use it for business purpose?

0
0
Bronze badge

Re: sigh

"doesn't Google Mail T&C stipulate that you shouldn't use it for business purpose?"

Not their corporate mail offering, no. It would be subject to the same court order, as would an internal Exchange system.

0
0
Anonymous Coward

This makes sense

I know this opinion may be unpopular, but cops having access WITH A WARRANT is IMHO perfectly acceptable, provided that (a) that warrant is issued with due consideration of the evidence so far instead of a roll over "sign this because we think his dog is a terrorist" excuse and (b) the information so obtained is treated with the respect it deserves (after all, the target is as yet innocent).

Law enforcement needs the tools to enforce the law. However, those elevated privileges need to be controlled so they cannot be abused, and for that transparency and regular, strict oversight must be mandatory. In that case, all is well. The moment anyone tries to avoid such oversight we must ask what they have to hide.

After all, law enforcement should be able to prove they do things right. "Trust us" isn't cutting it..

14
0
Silver badge

Re: This makes sense

Well yeah, with a real warrant, not a Papal Bull from FISA, it's all different. It's the assuming everyone is a potential terrorist, paedo, drug lord, etc... simply because they are alive that's been the problem in all this. Proving a suspect in a crime is a criminal is far different than combing through someone's life in order to make them a suspect.

7
0
Silver badge

Re: This makes sense

Good for fishing trips.

Stop someone in the street for what used to be a non-arrestable offense and have an automatic warrant to search not only their person, all their computers but now any online account held anywhere in the world.

3
3
Gold badge

Re: This makes sense

"Stop someone in the street for what used to be a non-arrestable offense and have an automatic warrant to search not only their person, all their computers but now any online account held anywhere in the world."

E-mailing while black is about to become a thing.

1
0
Facepalm

"In his ruling, Gorenstein pointed out that very few criminals keep all their illegal activity information in a folder marked “drug records”.

Well, duh - putting information on the NSA blackmailing innocent people around the globe in a folder called "drug records" would be silly.

0
0
Silver badge

I keep all my records in a folder called 'Pharmaceutical Assets'. That way the Feds will think I'm into heavy farm equipment.

5
0

I have a folder called "crack dealers".. as of 2 seconds ago. It's full of recruiter spam.

2
0

What's the problem?

This is very sensible. Otherwise it'd be like the cops getting a warrant to search a house, but limited only to the kitchen.

2
1
M7S
Bronze badge

Re: What's the problem?

Actually, I believe that can be the case particularly in houses of shared/multiple occupancy. I think if (UK) police exercise the powers of search available immediately after arrest they can only go into common occupancy areas or those exclusive to the accused. The bedroom(s) etc belonging to other residents are supposed to be off limits.

I would expect that the same should be the case for any warrant issued for a "raid" but that might rely on the court being told of any such circumstances.

I'd be interested to learn of any misunderstanding of the current law I might have.

1
1
Silver badge

Re: What's the problem?

The problem with the typical "raid" warrant is that it is usually issued based on the word of a 'confidential informant' who may or may not have been high on meth at the time and may or may not be willing to give up anybody to make their day just a tad easier. As a result things often go wrong when police act on bad intelligence.

1
1
Cbb

Re: What's the problem?

ya your right that is true usually with houses with multiple tenants/renters. the better example would be to look at it like a search warrant for a persons paper mail. the court could issue a warrant to look at all letters and this would be the same but emails.

0
0
(Written by Reg staff)

Re: Re: What's the problem?

That's certainly what PACE says about searches, though bear in mind that PACE has been buggered about with so many times by various governments that there's probably a loophole the police use instead of the authorised procedure.

A little-known fact for you: police must apply for a warrant whenever they want to search premises - unless the occupier is under arrest. So all they do is cook up a vaguely plausible, if false, reason to nick their mark and then they can go to town without oversight.

3
0
Silver badge

Re: What's the problem?

"like the cops getting a warrant to search a house, but limited only to the kitchen."

I read the original rulings as being more akin to being able to search the entire house, but only for knives.

3
0

Re: What's the problem?

Hmmm ... and isnt that correct? AFAIK a search warrent must detail what is being searched for. "Bad Stuff" isnt acceptable. If for example they are searching your house for a missing child, they cant look in your matchboxes.

Of course the reality is that the cops word the warrent to permit searching as wide as possible.

0
0
Bronze badge

I guess the real analogy here is that this is similar to a court order allowing the feds to intercept and read all posted real world mail rather than just specific items. I am not sure on US law, so does this happen? Or do they have to say which mail they want opened? At the end of the day, email is more similar to real posted mail than it is a hard drive or telephone call.

0
0
Silver badge

Size matters...

There's got to be a difference between "We think Joe Bloggs is a criminal, we have this evidence and we want to look at his e-mails" and "We think Company X is doing something wrong, so we want to look at *ALL* the e-mails written by anyone in that company and *ALL* the data they have stored and..."

0
1
Cbb

Re: Size matters...

not really when it comes down to the purpose of it. Company X would be similar to Joe Bloggs creating a bunch of fake gmail accounts to try and hide stuff. so with the company you are concerned with the company's actions and that means any email sent.

0
0
Silver badge

It does seem fairly reasonable. Only problem is that it invite a huge amount of abuse. 'Oh what's this email to your mistress doing here. Not really relevant to our investigation but we might need to mention it to the missus if you don't starting doing what we want...'

1
1
Anonymous Coward

That sort of abuse is always possible with the police. If they want to do you, then they'll find something to charge you with. And unless you have all the money for lawyers in the world, they will get away with it.

0
0

Oh no. If you are rich and they really want you, they first have the court seize all your assets so you can't afford a good lawyer.

1
0
Silver badge

Folders

In his ruling, Gorenstein pointed out that very few criminals keep all their illegal activity information in a folder marked “drug records”.

Why do I have a sudden urge to create a folder called “drug records”, just to store my prescription details you understand ;-)

3
0
Bronze badge
FAIL

All folders in GMail?

Isn’t Gmail all one giant folder? Except for spam, aren’t all of the messages contained in the Inbox? Just tagged or labeled. “Search don’t sort” seems to ring a bell.

Must have been a slow day in that courtroom…

0
0

Looks like we need a distributed, P2P cryptomail solution. We can protect our virtual currencies from prying eyes and unauthorized access. Funny that we still can't do the same with our day to day communication.

0
0
Anonymous Coward

It's about time...

...that some folks got a clue. Thankfully there are a few competent judges.

0
0
Silver badge

What is the point of a warrant?

Bodies of Email like mine go back decades and involve thousands of people. How hard can it be to make the case that somewhere in there is evidence that leads to something by somebody that is unlawful? As things stand, we are subject to dragnet surveillance that regardless of how you feel about it, is illegal. Allowing a warrant to draw in so much data crosses the line, IMO.

If our protection is that 'fruit of the poison tree' cannot be used and things outside the warrant are ineligible to use as evidence, we open the door to wholesale destruction of evidence.

As a community, we need to install mechanisms that simply make it impossible for warrants like this to be exercised. All of the big companies hosting data like Email could easily set up systems that would make it impossible to inspect customer Email without the blessing of the individual involved *as well* as other key holders designed to make 'rubber hose' techniques ineffective.

It is possible to design a system that could be rapidly inspected for something like an amber alert, but still invulnerable to fishing expeditions, even if conducted under a warrant.

It can get complex, so it may not be apparent to some how we might construct a system largely invulnerable to such attacks. However, it should be clear to many that effectively storing your mail in the clear on a server controlled by someone else is certainly less secure than we can make it.

We have got to find someone other than the Fox to provide henhouse security.

3
0
Silver badge

Re: What is the point of a warrant?

There is little you can do about limiting reading to pairs of keys, as with email you have to be able to read it stand-alone from the other person being present. So with encrypted traffic either party can decrypt it, or its no good. You are always one of the two parties even when many others with different keys are present.

A much simpler and easier option is for the police to ask the judge "We believe that ABC and XYZ were involved in criminal actives between START and STOP dates, please can we get those emails?" and the judge to get a 3rd party to filter both ABC and XYZ's emails for the period START-STOP for communications each other.

Job done, police can look for the specific info the believe is needed to clinch prosecution and 3rd parties are not having their privacy invaded.

0
0
Silver badge

Re: What is the point of a warrant?

>> So with encrypted traffic either party can decrypt it, or its no good.

Not sure you meant to put that ... only the receiver has to be able to decrypt it. If they find a mail from me to you in my "SENT" folder and the content is encrypted with your public key (and I wasn't dumb enough to keep the plaintext), the only record of the content retrievable without the private key is what I (claim to) remember sending you.

0
0
Anonymous Coward

Re: What is the point of a warrant?

As a community, we need to install mechanisms that simply make it impossible for warrants like this to be exercised

Oh great, you remind me of the Lavaboom "ve vil eksplode ze server" people.

The warrant will demand cleartext data. If you make it impossible, you are placing yourself deliberately on the wrong side of the law, and it means they can shut you down instead. Hardly an approach for a sustainable business.

No, as a community you need to insist on returning to sensible laws that respect due process and that support transparency on their use instead of waving the "national security" flag as soon as it becomes evident that an audit could prove embarrassing. That's what a community is for - any other solution is beating around the bush and, at the same time, disables the work we WANT law enforcement to do. Their job is to catch bad people, and they need the tools for that - we just have to make sure the tools available are decent and fit for purpose, and that those tools are only used for their specified task and none other.

In some countries they have actually managed this, so the UK can do that too. Not sure about the US, because the rot has set in a bit too much there, it may be too hard to undo the damage by now.

0
0
Silver badge

Re: What is the point of a warrant?

@Paul Crawford:

Not quite sure what you have in mind and as I mentioned it can get complicated. With the proviso that the third party can be trusted due to the fact that it can be extended to as many different parties as required to be secure and that the PKI need not be limited to a single type and although significantly more involved it is possible to accomplish the same thing with conventional keys or even one time pads:

I have a message I wish to remain secret. I prepare it on a secure system and send a secure message to my trusted third party requesting a one time public key whose private key is known only to the third party. I encrypt my message on the requested public key and then encrypt an envelope containing the third party supplied public key with the receiver's public key. The original message is now gone and there is no way to recover the message without both the recipient's private key and the private key known only to the third party.

Details can get pretty hairy, but suffice it to say that it is possible, if needed, to make it so the third party actually cannot divulge the necessary key without the active permission of the sender and the receiver and an arbitrary number of nth parties if needed.

Security can be a PIA. If you want to secure something on a password and have reasonable confidence that it remains secure as long as the password is not known, you need to come up with a long password whose characters are effectively random. Something like this that has not been published (ie not this actual one because it is compromised now): MKMKtrsquRXKogec_zuxgKRfJmHQIoQW. That should give a nominal 192 bits and likely about a good 90 bits of real security against attack; simply not guessable in any reasonable amount of time. Unfortunately, it is so awkward to use such a thing in practice that it would not likely be used.

The reason for the above is to make it apparent that there are different levels of security available at the expense of given levels of inconvenience. Security is possible in a password, but inconvenient. You would not normally do that, but you might if the need was great enough. Similarly, to ensure that a scheme like the above was more secure against attack you could make it so that access to a particularly sensitive message was only available for a limited time beyond which it disappeared entirely. That way, particularly sensitive communications could vanish forever before anyone had a chance to beat the passwords out of you. This would be pretty inconvenient, but a lot more secure.

I have little doubt that schemes capable of securing systems can be built as long as we can build systems secure against things like side-channel attacks and we can trust the hardware. I have even less doubt that current systems do not approach anything like a level of security that even a duffer less skilled than me could put in place. Any of the big players like MS, IBM, Google, Facebook, Apple, HP, Oracle, etc, etc cannot possibly be trying in any meaningful way to secure their systems. This stuff can get pretty complicated pretty fast, there are gotchas everywhere and even experts who I trust have tried will make mistakes. However, virtually every barrier to entry on to our networks has been lowered to the point that even attackers with modest resources can mount a successful attack.

I have to do a search to see if such a thing has been patented already, but while writing this up I thought of a hugely amusing invention to cure shoulder surfing and related surveillance that had been a real puzzler for me.

1
0

Re: What is the point of a warrant?

@btrower

Once upon a time, I came up with an idea for encryption that seemed to me to be virtually unbreakable. I showed it to one of the grey eminences of crypto that I knew. He laughed hysterically (well, not really, but he did snicker a bit). Then he congratulated me on having reinvented the "one time pad" (first described in the late 1800s.) In short, if the message is short enough, the encryption key long enough and you only use it once (hence the term) it can, in fact, be made unbreakable.

I understand from other friends who are better informed than I that steganography (hiding data in images or music) while a pain to implement, is virtually unbreakable.

So bottom line, as btrower notes, there are ways to raise the bar to protect critical communications. It just hasn't been worth the effort. If present trends continue, however, that could change. What the public needs to be alert for, then, are moves by governments to criminalize individuals' use of encryption that is not specifically authorized by said government.

Never forget Miriam Carey

1
0
Silver badge

Re: What is the point of a warrant?

Re:"The warrant will demand cleartext data. If you make it impossible, you are placing yourself deliberately on the wrong side of the law"

The warrant can demand whatever it wishes. If neither cleartext nor ciphertext exists, the court is out of luck. They can insist that you do the impossible all they like. It will not come to pass. A proper mechanism would absolutely ensure that the ISP and the server provider never had the means to produce cleartext under any circumstances. Everything they store and everything they ever had is encrypted on a key they never possessed.

Mandating that people expose, in advance, their private communications so that they be available for government inspection is, as far as I know, entirely contrary to any reasonable reading of the law and such a legal requirement ought to be beyond the reach of a single legislature, judiciary or executive. We are entitled to our private thoughts and committing them to storage does not somehow make them public property.

It happens that sometimes the state is beyond reason and will capture, imprison and torture the innocent. We are in such a time now. Having come to such a pass, it is time for good people to oppose it, with civil disobedience if need be. Those in power are not always right. In fact, it seems to me that they are wrong more often than not.

People running the apparatus of the state would have you believe that you serve them and that you must follow what they say no matter how outrageous. These are bad people and rather than following what they say we should be opposing them with a mind to removing them from power and prosecuting them once sanity returns.

1
0
Silver badge

Re: What is the point of a warrant?

There are a couple of inventions that do something similar to what I have in mind, but not exactly same and a both less secure.

http://www.google.com/patents/US20020101988

I really like this, even though is unlikely to be secure against a sophisticated adversary:

http://www.instructables.com/id/Privacy-monitor-made-from-an-old-LCD-Monitor/

Check out the video because it shows how what I have in mind would behave. Unlikely this one, though, the data would actually be encrypted.

0
0
Anonymous Coward

Re: What is the point of a warrant?

Re:"The warrant will demand cleartext data. If you make it impossible, you are placing yourself deliberately on the wrong side of the law"

The warrant can demand whatever it wishes. If neither cleartext nor ciphertext exists, the court is out of luck. They can insist that you do the impossible all they like. It will not come to pass.

Ah, but that is exactly the problem with laws as they exist today: YOU are out of luck. The court doesn't care one iota about why you cannot deliver: the warrant says you should, and if you cannot, you're in contempt of court and go to jail. This is why you should *really* clean up after yourself if you've been experimenting with crypto archives: if you cannot open them, the presumption is that you deliberately refuse to collaborate. In other words, these specific laws assume you're guilty unless you can prove your innocence, and they have already been used to fine people or even send them to jail.

That's what I meant when I said that the type of crypto and wether you can access the data or not is irrelevant: as a provider, not delivering data on warrant will get you into deep sh*t in many countries.

0
0

"very few criminals keep all their illegal activity information in a folder marked “drug records”."

Looking ahead, this could well - and should - read: "very few judges acting outside the lawful scope of authority granted them under the Constitution keep all their illegal activity information in a folder marked “Bribes, Extortion Payoffs, NSA-Threats I Have Complied With”.

Law enforcement applications for access might read: "We need everything because you just know Judges are corrupt; look at the documented history of decisions tat contravene the plain language meaning of . . .,and in any case, we need to examine ALL records to fish for anything we can use to influence the judge to rule the way we want him to."

0
0
Anonymous Coward

If only there was some sort of search engine technology

that could "read" and categorize e-mails and only allow access to the ones that met the actual conditions of the warrant.

0
0
Silver badge

Scott Mc Nealy is right!

You have no privacy, get over it.

Note to self: Don't use the "cloud" for nefarious purposes. Talk person to person, and not where it could be recorded.

0
1

Re: Scott Mc Nealy is right!

You have no privacy, get over it.

OK this one hit a nerve.

No one should have to accept that simply because someone has the power to deprive them of privacy (or life, property, liberty, and peace of mind) that they do not have a right to it, and should simply "get over it." Humankind has spent millions of years clawing its way up from a "might makes right" social model.

The irony is that those who are willing to roll over are arguably the most likely to end up on the short end of the stick in a might-makes-right world.

I may not be able to avoid invasion of my privacy, But, there are some practical steps I can and do routinely take that help minimize some its more annoying effects.

As for the nerve this struck: Miriam Carey, whatever her troubles may have been, will never have the chance to "get over it." Her daughter, who now will never know her mother, cannot "get over it." Her parent and friends will not "get over it." Thank you, but as clever as the sound bite may be, I will not get over it.

NEVER forget Miriam Carey

1
0

Re: Scott Mc Nealy is right!

Miriam Carey was a schizoid who went off her meds at the wrong time and definitely at the wrong place. She paid for her crimes, and rightfully so. Even better that her innocent daughter didn't have to pay as well (at least those officers got THAT right).

And humanity has NEVER left a "might makes right" society--there has always been law enforcement and military actions since the dawn of civilization itself, and that is never going to change. What has changed is that we sometimes use a pen to threaten the weak instead of using a sword or a gun to kill them. That pen is always backed up by the guns being held by others who support the people holding that pen. And no, those guns aren't really controlled by silly things like 'laws', for if they were, we wouldn't have gone into Iraq or Vietnam in the first place. And yes, they really are supporting the people in power, rather than the laws that put them there. In effect, nothing has really changed at all.

Unless you have some way of keeping your government from forcibly decrypting your private information or otherwise invading your privacy, you have no privacy. At least in the U.S. (in the civilized parts, anyways), they can't (legally) force you to hand over your passwords yet.

0
0
Gold badge

Re: Scott Mc Nealy is right!

At least in the U.S. (in the civilized parts, anyways), they can't (legally) force you to hand over your passwords yet.

But that's the actual problem: they won't. They will go behind your back and ask your provider which means that you both no knowledge of the violation of your privacy, nor the ability to object and even act against it. You cannot verify what happens without your knowledge.

0
0

Seems Reasonable

tbh this seems reasonable and the judge's reasoning is sound. If you can get a warrant for the PC contents, I don't think you should be able to hide behind a cloud.

Ideally it would be nice if the law recognized the fast amount and scope of possible content and there were two types of warrant, a limited one where the authorities had to be more specific about which content they were after, and the less limited one mentioned in the article. The latter should be harder to get, i.e. must have some prior collaborating evidence.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon