
Google Pushing Back On Law Enforcement Requests For Access To Gmail Accounts

Posted by samzenpus
from the for-your-eyes-only dept.
Virtucon writes "Ars Technica has an interesting article on how Google is handling requests from law enforcement for access to Gmail accounts. With the recent Petraeus scandal where no criminal conduct was found, it seems that they're re-enforcing their policies and standing up for their users. 'In order to compel us to produce content in Gmail we require an ECPA search warrant,' said Chris Gaither, Google spokesperson. 'If they come for registration information, that's one thing, but if they ask for content of email that's another thing.'"
    • by Yebyen (59663)

      I don't think it's a dupe, granted I have only read both summaries and neither article, but the links are different and the headline text is certainly not the same. Two "Google Saves Your Privacy Heroically" articles in as many days, though. You would think they were trying to tell us something.

      • by Anonymous Coward

        They're both referring to the same 'Transparency Report'. Not duplicate articles, but duplicate story.

  • by Anonymous Coward on Thursday January 24, 2013 @09:31AM (#42679477)

    Email and other services are way more robust when there are many providers, because there is not one central point for a government to apply pressure. In the 1990s everyone got email through their ISP, and there were a million little ISPs all around.

    Now, there are fewer ISPs, and even though they all still provide email via the standardized protocols, everyone ignores that and uses webmail... and most of them use Google. Having the whole world's email in one place is a bad idea. It means there's one place to, say, block encryption if the powers-that-be decide they really should be able to read *every* email. It means there's just one place to censor. Just one place to move away from standard protocols to achieve lock-in.

    The entire concept of the internet was about decentralization to achieve robustness. Once, robustness in the face of nuclear war, but it also provides other kinds of robustness, like robustness against censorship, against control, and against monitoring. Now, for some bewildering reason, we want to discard the robustness of decentralization and put all our eggs in one basket. I do not understand why everyone prefers that.

    • Re: (Score:3, Interesting)

      by adamjgp (1229860)
      Users are going to choose the service that best fits their needs. If there were other options out there that offered services similar to gmail, and were widely advertised and known to the public, then email usage would be more distributed. Also, there's the perception that your email address gives others [theoatmeal.com]
    • Because GMail is more convenient to use and feature rich than running your own server, which you are still perfectly free to do.
      • by BlueStrat (756137)

        Because GMail is more convenient to use and feature rich than running your own server, which you are still perfectly free to do.

        Well, "free to do" if you pay for a commercial/business-class account with an ISP, and then one usually must make several calls to get them to open up the ports for your mail server(s).

        Your mail server is also likely to get on anti-spam blacklists and be filtered by mail services like Yahoo as well. Running small, private mail servers is generally discouraged among private individuals.

        Strat

    • by IndustrialComplex (975015) on Thursday January 24, 2013 @11:45AM (#42680483)

      I do not understand why everyone prefers that.

      I wanted to run my own email server. However, I do not do IT for a living. That's not a problem, most people say, email servers are simple. I agree, opening up the port and running a server would be simple, but what would crush me is trying to keep that server secure, and my email mostly free from spam.

      I just don't have the time to set up the server properly, with subscriptions to spammer blacklists, maintaining security patches, and the whole slew of work required to make that simple email server something that would work for me.

      I found that my old gmail account generally worked well with regard to keeping spam away from my account, and I never had to worry about making the server secure. So I signed up for google apps (back when it was free for small users), and set up my domain to use google to host my email.

      Now I have all the email addresses I want, associated with my domain, and google handles ALL the annoying work of maintaining the server, handling security, general administration and so on. I can be reasonably assured that whenever I want to access my email, I will be able to via a simple web browser. I don't need to worry that my ISP is crappy, or blocking me, or that I had a power outage at my home.

      For me, that amount of time savings and convenience is well worth the tradeoff that someone in the government could gain access to that specific email address' contents.

      And most importantly, nothing prevents me from creating or using a throw-away email address on another site if I wanted more obscurity. Privacy, unfortunately, requires a proactive effort, but the benefits I receive from a centralized, managed, and to date uncensored email service currently far outweigh the current drawbacks. If that ever shifts in the other direction, as I mentioned, nothing is really preventing me from just dropping google.

      • by everflow (635196)

        If that ever shifts in the other direction, as I mentioned, nothing is really preventing me from just dropping google.

        If that ever shifts you can drop Google only for future emails.

        When the shift comes (e.g. sudden government interest in your person) there will be much information at Google already you may not want to share: who your friends are, business contacts, personal views, ...

    • by tehcyder (746570)

      I do not understand why everyone prefers that.

      Convenience. Plus most people don't give a shit if the government reads all their emails anyway. I realise this isn't sufficiently paranoid for slashdot, but it's how the vast majority of people behave. How many people bother to encrypt their emails for instance?

      Also, if I was planning to overthrow the government, stage an armed robbery or even (if I was a public figure) conduct an extra-marital affair, I certainly wouldn't use email to exchange details with anyone about it.

  • by 140Mandak262Jamuna (970587) on Thursday January 24, 2013 @09:45AM (#42679557) Journal
    OK registration info on gmail is like the address on the envelope of a letter. It is not private, the mail man has to read it to deliver the letter. So yes, ok, google shares registration freely.

    Contents are private, post office does not read it, and you need a warrant from a court to intercept and read mail, so google demands a warrant for contents of email. OK fine.

    Now, in each letter, the from address and the to address are open in the public. Technically the post office could build a graph of who communicates with who and how frequently using just the public information. But it is expensive, painful and so USPS does not do it. Or I think it does not do it. But it is trivial for gmail to build all people who correspond with me, and rank them by the frequency of communication. In fact it already does, it suggests a CC list based on the addresses in the To list. Is it considered public information? Would google share it with the government without warrant? Or would it require a warrant?

    • by Sockatume (732728)

      It just occurred to me: does a Gmail message ever reach the public internet when it's sent to another Gmail user?

    • Now, in each letter, the from address and the to address are open in the public.

      Is a from address mandatory in the US?

    • by hedley (8715)

      In this case though, Petraeus and Broadwell did not actually send but just left unfinished drafts. w/o a warrant, gmail still handed over the drafts, nothing to graph if it all just sits there 'unfinished'.

      H.

    • But it is expensive, painful and so USPS does not do it. Or I think it does not do it.

      I never thought about that before, but those high speed scanning machines are doing OCR on the destination address, so the return address could be included as well. If the USPS were run like a company, they'd at least be using it for analytics and process optimization.

    • I believe that it doesn't matter what Google does. With all the wiretaps and Echelon type stuff going on, I would be surprised if the social graphs based on who is calling who does not include all email service by this point. Like you said, the sender and receiver are well-known, and if you have a MITM such as a slutty ISP who gives it up easily, then you really don't need Google or Yahoo to comply.

    • >> Or I think it does not do it.

      Letters are all machine processed anyhow. Wouldn't this be pretty easy to implement for most letters?

  • by Anonymous Coward on Thursday January 24, 2013 @09:46AM (#42679563)

    Patriot Act federal requests do not require a warrant and cannot be reported when served against a company like Google when serviced. Even a fast Google search reveals dozens of specific instances of Patriot Act abuse, and the law itself at http://www.fincen.gov/statutes_regs/patriot/ shows that it wildly exceeds any sane Constitutional interpretation.

    Similar abusive laws in other countries mean that Google, forced to follow local law enforcement in numerous countries, is wide open to abusive but legal requests for private content. There seems to be no sign that they do more than provide more than the slightest lip service to genuine privacy concerns, and many of their business modes are based on *selling* information about their customers.

    • by Sockatume (732728) on Thursday January 24, 2013 @10:12AM (#42679755)

      Not "Patriot Act", it's the U.S.A. P.A.T.R.I.O.T. Act, and each of those letters stands for something, because US civil defense policy is now run by the marketing arm of Mattel.

    • by KiloByte (825081)

      Thus, I say that email must not be placed in a cloud. Some companies like Google try to be no evil but have little wiggle room -- the bad guys (yes, the current crop of governments work against rather than for you) can access your mail at a whim. Unless you use email only to send Christmas greetings to aunt Jane, you have private and/or business data that should not be viewable by third parties.

      If you host your own mail server (even at home), the bad guys at least need an actual warrant, and can't do this

      • by PTBarnum (233319)

        I think you need to balance risks. If my mail is hosted outside my home, on my ISP or on Google, then it increases the risk of it being searched by the government without my knowledge. If I set up and run my own mail server on my own machine, then I need to correctly install and configure the OS and mail server and keep up with all the security patches and spam filters, or I severely risk having my mail accessed by script kiddies without my knowledge. Or maybe I will know about it because they'll reset pass

        • by KiloByte (825081)

          I need to correctly [...] keep up with all the security patches and spam filters

          Uhm, and that's much work... how? You need to do a manual intervention once a couple years, to move to the next stable release. Security updates get pretty thoroughly tested (Microsoft aside...), so outside of especially complex deployments not having them as a cronjob tends to be a waste of time. Spamassassin updates its rules automatically, which is probably good enough if you don't feel like tweaking them.

      • by tehcyder (746570)

        Unless you use email only to send Christmas greetings to aunt Jane, you have private and/or business data that should not be viewable by third parties.

        If you send emails without encryption, you should certainly limit them to not much more than Christmas greetings to aunt Jane. I assume that any email I send is as secure as a letter, since I can't be arsed with encryption. My bank wouldn't send me a new PIN on a postcard, but it certainly would in an envelope.

    • And, in fact, they have NEVER fought one of these requests. Ever. The only ISP operator to fight one of these requests is Nick Merrill, and he had to enlist the ACLU and others just to get the right to be represented by an attorney, much less make his fight public. Otherwise, the only other people to fight these requests were a few librarians. Considering that these requests can actually dragnet in huge amounts of data from multiple accounts, I wouldn't feel so sanguine about Google's "pushing back".

  • Most folks focused on the whole sex scandal part. Some folks focused on the operational security and the fact that the FBI tanked Petraeus with no charges filed. Some of those folks may control Google Apps for Government and choose alternative providers, in case it may be a point of failure in future bureaucratic turf wars. Sadly, yes, this sort of thing does happen.
  • If your Chromebook is stolen, do you think Google should provide law enforcement with the details on the new account to which it's been associated? Or do you write off your $400 and move on...
  • by Anonymous Coward

    And WHO issues these warrants?

    One of the reasons I don't use Google services. I don't recognize the 'ECPA search warrant'. The only warrant I recognize is a bona fide court-issued warrant, issued by a bona fide seated judge. Anything else does not exist, and all access is denied.

  • In order to compel us to produce content in Gmail we require an ECPA search warrant

    He doesn't explicitly say that Google doesn't produce content in Gmail without that warrant. Just that warrant compels them.

    I'd be happy if he said "Google never produces content in Gmail without receiving a valid ECPA search warrant first"

    Of course an NSL is the trump card...

  • Basically Google will protect your private data to the utmost of their legal ability from everyone except themselves and their clients :( /cynic
    • by tlhIngan (30335)

      Basically Google will protect your private data to the utmost of their legal ability from everyone except themselves and their clients :( /cynic

      One could argue this isn't really about protecting your private data - it's just one of the times that Google's interest and yours align.

      I.e., if Gmail started giving access to your email, then it devalues Gmail's service to that of other free email providers like hotmail and such - disposable email and spam box. Google doesn't want that because they get more analy

  • Yes, we're raping it 10% more times a day, but we're allowing a lot more content through.

  • by Anonymous Coward

    Requirements from US's agencies done under PATRIOT Act are never accounted for on Google's Transparency Report, because they are issued along with gag orders. Google has never revealed how many of these they fulfilled, nor do they do it now.
    Cyrus Farivar's article on Ars Technica doesn't even mention PATRIOT Act, for a start - and when it refers to the break down of legal request types, we are linked to a Google page that breaks them down to three types - subpoenas, ECPA and other. Once again, PATRIOT Act re
