U.S. Magistrate Judge Thomas Reuter ruled on Friday that Google has to comply with an FBI request and hand over emails stored overseas in Dublin, Ireland. The ruling sets an alarming precedent for privacy advocates and the online community.
The Philadelphia court declared the search giant has to give foreign info to the bureau in spite of a recent case involving Microsoft and the Department of Justice in which the company did not have to turn over data stored outside the U.S.
Google used Microsoft’s case as a pillar of its defense, stating there was a precedent for this sort of situation and that just recently, in late January, the court had voted to not revisit the decision six months after the verdict.
The FBI’s argument is outdated
Just as the ruling on Microsoft’s case was a cornerstone of Google’s argument, the 1986 Stored Communications Act was both the DOJ and the FBI’s main weapon in court.
The Act does not adapt to today’s management and flow of information, a phenomenon that has grown exponentially over the last 20 years since it became legislation.
Not only has data become more massive with time, but also much more complicated in its transmission and storage. Online privacy is of the utmost importance nowadays, and measures like encryption and fragmentation serve as a way to keep information safe.
When Microsoft won the case against the Justice Department, the judge noted his concerns over the 1986 federal law.
Google “doesn’t know” where the emails are
Friday’s ruling states the FBI’s request does not qualify as a seizure of foreign information based on “no meaningful interference” with Google’s “possessory interest.”
Thus, the Bureau accessing and reviewing the emails in the U.S. regardless of where they are stored is “all good.” Except there is a problem: the company does not necessarily know where they keep their data.
Different from Microsoft, which holds local information stored in local servers precisely to avoid this kind of conflict, the search giant breaks up their emails into fragments that are collected separately all around the world.
While they might, in fact, know where the pieces are, they told the court they do not have to; probably as a cautionary measure just in case their main argument failed.
Google plans to appeal the decision according to a statement on Saturday, citing the magistrate has “departed from precedent” to broaden the scope of U.S. warrants on foreign data.
Source: Reuters
Potential encroachment on privacy rights has been anticipated and this article is an example that it might be conducted in a fashion that would not allow industry to react in a pragmatic way.
While the UK was distracted with Brexit parliament passed sweeping surveillance legislation that likely will be adopted by the US and will have global implications.
https://www.linkedin.com/pulse/government-security-myopia-andre-brisson-1?trk=mp-reader-card
A technologic approach to securing networks and communications offers an option that removes key management responsibility away from the service provider and onto the communicants that initiate or partake in the particular activity. Agencies would have to go to the originators of communications and not providers of connectivity. (Note that this is not the only way to configure Dynamic Distributed Key frameworks.)
http://www.linkedin.com/pulse/key-distribution-paradigm-removes-management-from-carriers-brisson?trk=mp-reader-card
This implementation uses the distribution of a generic key schedule by carriers and service providers to their clients. The endpoint client perturbs this generic key schedule with their own secret pass phrases to make a unique key secret to the endpoint client. When the client sends encrypted data through communications and uploads it into the cloud for storage the carrier or service provider does not have a copy of the key. As such, there is little other than the capture and retention of encrypted data that a service provider can be compelled to do.
When the upload or transmission is further encrypted (double encrypted) over TLS or SSL the carriers have no copies of the first key and cannot compromise client data themselves. Neither are they able to provide all the necessary key material to outside agencies pushing responsibility to the endpoint originator of communications.
This technique was originally developed as a method of allowing manufacture of electronic components requiring cryptography in non-friendly trading partner countries without compromising final security. This was because the US DoD had so many components which were manufactured in China.
It requires only a simple one-time upgrade for servers running PKI frameworks with a single one-time-pad key update for endpoints with an extension to LDAP/CAS or openSSL.
This particular deployment uses a generic key schedule of unlimited strength (minimum 25,000 bits) that is perturbed by the end user with a couple of arbitrary length pass phrase subkeys.
In order to bring the conversation of security & privacy to the forefront we have made The Whitenoise Strong Encryptor with the Whitenoise algorithm for free at over 400 freeware sites. This makes it available for anyone to rapidly validate, test and use for their own protection. http://www.wnlabs.com/products/emailenc.php
André Brisson abrisson@wnlabs.com – http://www.wnlabs.com