back to article Google strongly opposes plans to let ANY US COURT authorise digi-snoops

Google has strongly opposed US government plans to expand federal powers to authorise remote searches of digital data - claiming in a letter the powers will weaken citizens' fourth amendment rights. The right is the part of the US Constitution that prohibits unreasonable searches and seizures and requires any warrant to be …

  1. Little Mouse

    I'm thinking of those local government authorities that moved / are moving to the Cloud under the justification of "Safe Harbour". They should be "Monumentally Concerned" over the developments of the past 6 months, but I've seen precious little evidence that they are.

    1. Anonymous Coward
      Anonymous Coward

      It's not just local authorities. Anyone storing users'/citizens'/customers'/whoever's personal data in the cloud with a supplier who is American owned is at risk of being in breach of the DPA if the safe harbor agreement collapses, as it may in the wake of this kind of US court case (the one everyone is watching with interest is the Microsoft Ireland one).

      If any of these cases are ruled in favour of the US Government by the Supreme Court then the Safe Harbor Agreement isn't worth the paper it's written on.

      I know the local authority I work for has this very high on its Information Governance agenda and has got contigency plans; however there is obviously a substantial cost involved in relocating to an entirely EU based supplier, which we would rather not spend (as it's taxpayers' money!) if we don't have to.

      Of course the prospect of the UK leaving the EU (and therefore no longer being part of the safe harbor agreement (which is between the EU and the USA) is also a complicating factor.

    2. Anonymous Coward
      Anonymous Coward

      They should also look at the American track record of abiding by international agreements. They do for the most part but are quick to do as they please when it suits them. Sometimes they tell us, sometimes we find out later, sometimes much much later, either way it does mean being very careful about assuming what agreements mean.

      1. Anonymous Coward
        Anonymous Coward

        They should also look at the American track record of abiding by international agreements

        And that is basically the core problem. If it's illegal internally they excuse it, retrospectively change the laws and nobody gets charged for it (as seen with the NSA), and when it's done to "aliens", the US basically shrugs its shoulders and depends on blackmail with trade agreements to avoid having to change its modus operandi.

        The problem is that this flat out destroys trust, and US industry is starting to notice that in its inability to sell to the larger EU companies whose lawyers have woken up to the threat of consequential liability - a far more costly side effect of losing client data that the frankly puny fines.

  2. Big_Ted
    Devil

    My thinking is that if the US enact this type of thing as law then they are saying that they are more than happy for any other country to do the same to them.

    Therefore all those countries they claim are conducting cyber attacks just need a court in their own country to ok it and its no longer an attack but a legal search for information......

    Oh the slippery slope approaches....

    1. EssEll

      But you just need to look at the status of extradition treaties between the UK and the US to know that it's one law for them and one law for everyone else.

      If someone conducted a cyber attack against the US, they're so damn trigger happy they'd probably treat it as an act of war.

  3. NoneSuch Silver badge

    The US government feels the only way to protect liberty and freedom is to monitor everyone everywhere all the time. What is said, where they go, who they associate with. All violations of the US constitution.

    Why has this not been changed changed? The typical American: "Yes, the NSA spies on everyone, but they would never do that to ME!"

    1. Anonymous Coward
      Anonymous Coward

      Well, for citizens we expect this to a degree, but this has little to do with spying and is more a "cop" thing. Can officer blow off Ohio issue a search warrant in Montana...ultimately yes. This proposal, on terms of "terrorists", could cut off as much as 16 hours for a search (guesstimate), but it would be highly ignorant to think it wouldn't be abused. I foresee Disney putting their "man" behind a desk that runs scripts to issue warrants for "terrorists". After all, people don't seem to believe that the "attack" on Sony pushes violation of copyright one step closer to being a terrorist attack, when it most certainly does. This it's all tin foil hatish I know, but is it REALLY beyond plausible?

      This proposal will open doors for abusive control of citizens rights even further, even if it makes sense on cases of real terrorism. But who defines what as terrorism is highly questionable, but this proposal isn't strictly about terrorism, any crime will do.

      Of course, why does this interest Google? Is Google planning a cloud service that issues warrants for the gmen?

    2. Anonymous Coward
      Mushroom

      I've always thought they monitor me (came with the security clearance). What is really relevant is that everyone I talk with thought they were already subject to such surveillance by any/all federal agencies. Or as they put it - "you meant they weren't already?" Kinda' hard to argue with that what with all the revelations since.

      What does concern me is the authorization of covert insertion in to "possibly foreign computer systems" which is hacking (cracking) by another name. To hand this authority to any federal court is practically handing the fed's an authorization to go venue-shopping (much like patent suits almost always ending up in east Texas). They already do that in far too many cases as is. Toss in hacking (cracking) being considered a casus belli, do we really, really want our courts to initiate hostilities with all and sundry? I thought that power was reserved to Congress, not the Executive (wink, wink) or Judiciary.

  4. Yet Another Anonymous coward Silver badge

    If it is a foreign machine

    Why does the constitution apply ?

    The court has demonstrated that the constitutional protection doesn't apply to US citizens abroad, to foreigners in the US or to anyone within 100miles of a border.

    1. Anonymous Coward
      Anonymous Coward

      Re: If it is a foreign machine

      It doesn't apply, but if we're allowing this we can't act all horrified when other countries hack the PCs of our citizens and claim it is justified because it was for law enforcement purposes.

  5. Anonymous Coward
    Anonymous Coward

    Why hasn't anyone called Google evil yet?

    1. Mr.Mischief

      Because Google is only "evil" when they release something for free, they innovate and create something new or when they try to do "business type things" to pay their employees.

      Oh and because the Apple fanbois are still asleep.

      1. Anonymous Coward
        Anonymous Coward

        Ahhh they're asleep. That explains it.

    2. Anonymous Coward
      Anonymous Coward

      Just because Google does a lot of good things, doesn't mean they don't also do a lot of evil things. This just wasn't one of them.

  6. Bob Wheeler

    I don't understand...

    On the grounds that the people in US government are not stupid, misguided maybe, but not totally stupid, how can they think/believe that they have the legal/moral right to utterly trounce over any overseas legal jurisdictions without a howl of protest from the rest of the world.

    1. gerryg

      Re: I don't understand...

      It's not new, here's an analysis of the extra-territorial effects of the PATRIOT Act.

      1. Bob Wheeler

        Re: I don't understand...

        @gerryg

        thanks for the link, a very interesting read.

  7. Gordon 10
    Joke

    Translated

    Google: only we should be allowed to remote search servers. robots.txt we've heard of it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Translated

      Is this really a joke? Also, 99.9% of the "web" people seem to think robots.txt works. Well, it might work for marketing/financial reasons, but it don't mean shit otherwise(tracking, datamining, ...government search warrants).

    2. Mike Moyle

      Re: Translated

      But you didn't phrase it in proper El Reg headline form:

      GOOGLE TO FEDS: "You can't snoop on users; that's OUR job!"

  8. Anonymous Coward
    Anonymous Coward

    The risk to UK firms is significant

    According to our ISO. He's stated that if there were to be a breach of safe harbour and/or personal data is leaked, our company would be liable - irrespective of whether it was to the US government or not.

    Being *very* conservative, our exec team have banned any US linked cloud provision.

    So either firms using the cloud are relying on incorrect counsel, or they haven't asked for counsel, or they have asked for it, or our ISO is mistaken (or overly cautious). Given I know their qualifications, and not that of anyone else, I trust their version of the truth.

    Or, is everyone using the cloud securely encrypting their data before it leaves their networks ?

    1. Anonymous Coward
      Anonymous Coward

      Re: The risk to UK firms is significant

      If you are choosing a cloud supplier now, then I would totally agree with your ICO; putting EU personal data in the US owned cloud now is not a smart move.

      If your data is already in the US-owned cloud, and was put there pre-Snowden, then the situation is more complicated (particularly if you're in the public sector where money is tight). The sensible thing to do here is to seek written assurances from your US supplier that they will resist this kind of pressure from the US courts. If you can't get that move your data. If you can get that then you are into the area of what is an acceptable risk for your organisation; we've developed contigency plans which would allow us to change suppliers quickly if it looks like the safe harbor agreement is in any more danger from US courts than it is now, but we're not going to spend money unless the risk grows significantly.

      If your data is already in the US-owned cloud, and was put there post-Snowden, then you may choose the epithet of your choice to put after the word "Stupid"...

      1. Anonymous Coward
        Anonymous Coward

        Re: The risk to UK firms is significant

        According to our ISO putting data in a US cloud is fine because personal medical data leaked to a US govt organisation like the NSA is OK because they have a duty of confidentiality - it is no different from an FDA inspection.

        But keeping patient data locally, unless we could demonstrate that we have the same level of disaster recovery, redundancy, n*9s uptime, physically separated data centers etc that Amazon,. Google,. Microsoft can boast - would make us liable for "failing to follow industry best practice".

        Strangely it was a US consultancy that advised us of this.

      2. Anonymous Coward
        Anonymous Coward

        Re: The risk to UK firms is significant

        Advice has been to steer clear since MS "stunned" the world back in 2010/2011 ? by stating that safe harbour or not, if they were served with a PATRIOT Act warrant, they would cough up the data

        A say "stunned" because it shouldn't have come as a shock - it was *exactly* what the PATRIOT Act was designed to do - steamroller Uncle Sam through any previous legislated safeguards. And it wasn't like it was kept secret - it was flagged at the time. However, I suspect the moneymen just made some vague noises, and said everything would be OK.

        I hope if a company clouding it is sued because Uncle Sam sneaks their data (it *is* encrypted isn't it ?), a UK court hands them their arse, and rubbishes any "how could we have known" wails.

        Another risk from the PATRIOT Act is it can be used to shut down *any* US controlled data centre. Irrespective of physical location. So if you go into work one day, and your data and/or service has gone AWOL because Uncle Sam figured a data centre in Manchester owned by AnyCorp inc.

  9. Dan Paul

    Rule 41 says......

    (3) a magistrate judge—in an investigation of domestic terrorism or international terrorism—with authority in any district in which activities related to the terrorism may have occurred has authority to issue a warrant for a person or property within or outside that district;

    (5) a magistrate judge having authority in any district where activities related to the crime may have occurred, or in the District of Columbia, may issue a warrant for property that is located outside the jurisdiction of any state or district, but within any of the following:

    (A) a United States territory, possession, or commonwealth;

    I suggest you read Rule 41. See the following link for the current rule. Most countries have this kind of law. It's not just the USA.

    http://www.law.cornell.edu/rules/frcrmp/rule_41

    1. Yet Another Anonymous coward Silver badge

      Re: Rule 41 says......

      Yes but when the KGB murders a journalist in London we tend to regard it as a bit naughty.

      When our own defenders of peace and liberty do it - that might cause a bit of introspection.

  10. Anonymous Coward
    Anonymous Coward

    Too bad

    The crims are going to use what ever means they feel will escape scrutiny by authorities, so eliminating those options is a necessary. Unless you're a crim you have nothing to fear as no one gives a rats arse what you do online.

    1. Brandon 2

      Re: Too bad

      If only the world could be so easily broken down into one simple dichotomy: criminal or citizen. Surely google cares what you do online. It only took me 10 seconds to come up with one example to prove your null hypothesis. Is my sample size of 1 too small? Would you like me to come up with 15 or 30 more entities that give a rats arse what you do online? If i remember from college stats, n=30 is usually capable of producing statistically significant correlations...

    2. Anonymous Coward
      Anonymous Coward

      Re: Too bad

      That's true if you live in the land of the free. But here under fascist oppressive Canadian regime - opposing an oil pipeline gets you listed as a threat to national security by the RCMP.

      Since Canadian "intelligence" is already allowed to monitor all Canadian web traffic be careful not to visit http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/114/saphr3r_20150107.pdf or any other extremsiosts site promoting a commie conspiracy against oil pipelines.

      1. Greg J Preece

        Re: Too bad

        That's true if you live in the land of the free. But here under fascist oppressive Canadian regime - opposing an oil pipeline gets you listed as a threat to national security by the RCMP.

        Citation?

        1. Mr.Mischief

          Re: Too bad

          http://www.theglobeandmail.com/news/politics/anti-petroleum-movement-a-growing-security-threat-to-canada-rcmp-say/article23019252/

      2. Mr.Mischief

        Re: Too bad

        Have an upvote AC. It looks like the RCMP decided two downvote you twice.

    3. Greg J Preece

      Re: Too bad

      Unless you're a crim you have nothing to fear as no one gives a rats arse what you do online.

      Why do people who quote this absolute bullshit line not get the obvious problem with it? You're not a crim now, but once someone has complete control over your ability to dissent, and changes the rules, what then? The prudish UK government is constantly one moral outrage away from making kink illegal, for example. Yesterday you weren't a criminal, now you are and the proof is already in the government's hands.

      1. Anonymous Coward
        Anonymous Coward

        Re: Too bad

        But, haven't they already done that once with the "think of the children" laws which make it iffy to have photos of your own children online?

        Anon because... you just know the worst interpretation is going to be made

  11. Anonymous Coward
    Anonymous Coward

    It's hurting the US ...

    At a recent event organised by IBM in Hursley, they wheeled out their cloud specialists to woo us. We politely declined, and expressed an interest in self-hosting. Very off the record the (British) techies reported this was happening a lot, and that UK senior management had escalated it to the US ...

    So I suspect there's some golf going on somewhere with IBM execs and politicians.

  12. Tom 35

    Any court?

    In the same way patent trolls all go to Texas will we end up with a favorite "always say yes" court that everyone uses?

    If one court says NO, can they take a drive and ask again the next state over? until they get a yes?

  13. Anonymous Coward
    Gimp

    And to add to any European companies additional woes

    ...EU law is changing to make companies responsible for the Public's personal data that it holds. Most people will say so what until they realise that the risk of holding that data where they have been asked to delete it will result in a fine of 5% of global turnover or €100m, whichever is greater.

    So picture yourself in about 2 years sitting at your desk when an email comes through to the CDO (or Data Officer is in charge of the data to the company) from Joe Public asking for the company to verify what data is held on them whilst CCing in the Information Commissioners Office for the UK (or whatever European company). Every data source will have to be checked by the company and deleted, and a response to Joe Public attesting to that the company holds no personal data on said Joe Public. 3 months later marketing send out an email to Joe Public with a "Congratulations, its your birthday/work anniversary/ retirement day/ whatever day and they're doing a special in the are where your live for 30% discount on some irrelevant product that will make your life better, more desirable and better job! (TM)."

    Joe Public complains to ICO about data violation and the next thing you know you have the CEO/CFO/CIO/CSO/CDO/ whatever CxO(s) you happen to report to running into your department screaming about this and its your fault... not that they would spend any money getting you the tools that would have helped you clear up the mess in the first instance automatically.

    One P60 later and a boot print on your arse as your kicked out the door (hey, someone has to be the fall guy and your at the bottom of the ladder) the company apologises profusely and takes a slap on the wrist and gets their shit together. You on the other hand need to find a new job with a "dismissed" notification on your CV, nice and the new employee/manager/whatever position you were in gets the tools you asked for in the first place!

    May sound a bit pessimistic but remember 2 things, the law of gravity means shit always flows down so never be on the bottom and the EU Directive 95/46/EC (http://searchsecurity.techtarget.co.uk/definition/EU-Data-Protection-Directive) looks like it will be active by the end of 2015, with 18 months for companies to get their data in order.

    Add this to the fact that the US wants the company's data and your in charge of the infrastructure means that your job is about become really interesting!

    Gimp Mask Icon as you about to be that for your company, now where's the lube...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like